Systemfix infection won't clear + MBAM won't run


This topic is locked
12 replies to this topic

#1 chrismw1

  • Members
  • 10 posts

Posted 08 December 2011 - 10:50 AM

Hi

My PC appears to be infected by Systemfix malware.

I followed Broni's instructions - see below

http://www.bleepingcomputer.com/forums/topic430730.html

but when I try to run MBAM I get the message popup - Setup - Access is Denied, then a 2nd popup - Error - Setup was not completed, please correct the problem and run setup again. Then it says Rolling back...

I've now followed the steps in the guide as instructed in the previous topic.

Ran Defogger - was not instructed to reboot

Ran DDS.scr:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Chris at 19:00:35 on 2011-12-07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2296 [GMT 0:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Documents and Settings\All Users\Application Data\XYRqQgvDYPoUCvX.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\All Users\Application Data\FhNQTs5mR57zx7.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.virginmedia.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://mysearch.myway.com/jsp/dellsidebar.jsp?p=DK
uDefault_Page_URL = hxxp://www.dell.co.uk/myway
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111122211952.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Mobipocket Reader Notifications] c:\program files\mobipocket.com\mobipocket reader\readernotify.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [strwin] c:\windows\system32\yvqvazox.exe
uRun: [22yRT3Hn0D] c:\documents and settings\all users\application data\rsdqvqli\ngnmrgfk.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [AOL Spyware Protection] "c:\progra~1\common~1\aol\aolspy~1\AOLSP Scheduler.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [five Media Manager Tray] "c:\program files\entriq\mediasphere\EntriqMediaTray.exe" /CustomId:five
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Lexmark X74-X75] "c:\program files\lexmark x74-x75\lxbbbmgr.exe"
mRun: [Trend Micro RUBotted V2.0 Beta] c:\program files\trend micro\rubotted\RUBottedGUI.exe
mRun: [XYRqQgvDYPoUCvX.exe] c:\documents and settings\all users\application data\XYRqQgvDYPoUCvX.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mExplorerRun: [22yRT3Hn0D] c:\documents and settings\all users\application data\rsdqvqli\ngnmrgfk.exe
uPolicies-explorer: NoDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: mswsock.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} - hxxp://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {FD0EBBED-0C42-4D0F-82DA-44399B5C420A} - hxxp://downloads.virginmedia.com/CST/ver1/xp_mail.cab
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{1F0B45E9-54DC-411E-A72D-CFB56015C840} : DhcpNameServer = 10.145.0.1
TCP: Interfaces\{5D31ADD9-3557-40C7-8150-E1E0FEF5F664} : DhcpNameServer = 194.168.4.100 194.168.8.100
Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - c:\program files\tiscali\tiscali internet\dlls\tiscalifilter.dll
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SmartWeb - {62853C44-EA8E-B691-B4D7-03DE4E256A30} - No File
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\chris\application data\mozilla\firefox\profiles\jap0ojsd.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\entriq\mediasphere\3.8.2.9\npEntriqMediaMozillaPlugin.dll
FF - plugin: c:\program files\entriq\mediasphere\3.8.2.9\npEntriqVersionCheckMozillaPlugin.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Amazon Toolbar: amznUWL@amazon.com - %profile%\extensions\amznUWL@amazon.com
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-5-31 464176]
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\system32\drivers\sfsync03.sys [2005-12-6 35328]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-7-11 89792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-7-11 57600]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-7-11 180816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-7-11 59456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-7-11 338176]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-7-11 83856]
R3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R3 pmxscan;Memorex USB Kernel;c:\windows\system32\drivers\usbscan.sys [2007-2-8 15104]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-7-11 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-7-11 87656]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-23 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-23 40552]
S3 n_r9b9bu.sys;n_r9b9bu.sys;\??\c:\windows\system32\drivers\n_r9b9bu.sys --> c:\windows\system32\drivers\n_r9b9bu.sys [?]
S3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]
S3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]
.
=============== Created Last 30 ================
.
2011-12-04 12:29:48 -------- d--h--w- c:\documents and settings\chris\application data\Malwarebytes
2011-12-04 12:29:43 -------- d--h--w- c:\documents and settings\all users\application data\Malwarebytes
2011-12-04 12:29:40 22216 ---ha-w- c:\windows\system32\drivers\mbam.sys
2011-12-04 12:29:40 -------- d--h--w- c:\program files\Malwarebytes' Anti-Malware
2011-12-03 09:01:42 351368 ---ha-w- c:\documents and settings\all users\application data\FhNQTs5mR57zx7.exe
2011-12-03 08:51:58 444040 ---ha-w- c:\documents and settings\all users\application data\XYRqQgvDYPoUCvX.exe
2011-11-26 10:30:37 309320 ---ha-w- c:\windows\system32\drivers\Trufos.sys
2011-11-24 22:34:52 -------- d--h--w- c:\program files\WinPcap
2011-11-24 22:31:45 -------- d--h--w- c:\documents and settings\all users\application data\Trend Micro
2011-11-24 22:21:48 -------- d--h--w- c:\program files\Trend Micro
2011-11-24 19:40:29 -------- d--h--w- c:\documents and settings\chris\application data\Qyopi
2011-11-24 19:40:29 -------- d--h--w- c:\documents and settings\chris\application data\Paveinb
2011-11-12 08:03:20 -------- d--h--w- c:\documents and settings\chris\application data\Tyyc
2011-11-12 08:03:20 -------- d--h--w- c:\documents and settings\chris\application data\Nitu
2011-11-11 19:47:19 281104 ---ha-w- c:\windows\system32\wpcap.dll
2011-11-11 19:47:18 100880 ---ha-w- c:\windows\system32\Packet.dll
.
==================== Find3M ====================
.
2011-11-26 10:38:51 162816 ---ha-w- c:\windows\system32\drivers\netbt.sys
2011-11-26 09:19:38 414368 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-15 13:16:16 9608 ---ha-w- c:\windows\system32\drivers\mfeclnk.sys
2011-10-15 13:16:16 89792 ---ha-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-10-15 13:16:16 87656 ---ha-w- c:\windows\system32\drivers\mferkdet.sys
2011-10-15 13:16:16 83856 ---ha-w- c:\windows\system32\drivers\mfendisk.sys
2011-10-15 13:16:16 59456 ---ha-w- c:\windows\system32\drivers\mfebopk.sys
2011-10-15 13:16:16 57600 ---ha-w- c:\windows\system32\drivers\cfwids.sys
2011-10-15 13:16:16 464176 ---ha-w- c:\windows\system32\drivers\mfehidk.sys
2011-10-15 13:16:16 338176 ---ha-w- c:\windows\system32\drivers\mfefirek.sys
2011-10-15 13:16:16 180816 ---ha-w- c:\windows\system32\drivers\mfeavfk.sys
2011-10-15 13:16:16 121256 ---ha-w- c:\windows\system32\drivers\mfeapfk.sys
2011-10-10 14:22:41 692736 ---ha-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ---ha-w- c:\windows\system32\crypt32.dll
2011-09-26 10:41:20 611328 ---ha-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 10:41:20 220160 ---ha-w- c:\windows\system32\oleacc.dll
2011-09-26 10:41:14 20480 ---ha-w- c:\windows\system32\oleaccrc.dll
2008-06-28 12:37:07 380208128 ---ha-w- c:\program files\mtgodl2.exe
.
============= FINISH: 19:01:11.54 ===============

see also attach.zip below

then I ran GMER:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-08 00:38:10
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Intel___ rev.1.0.
Running: gmer.exe; Driver: C:\DOCUME~1\Chris\LOCALS~1\Temp\kgryraow.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9DE94C0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9DE94D4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9DE9500]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9DE9556]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9DE94AC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9DE9484]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9DE9498]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9DE94EA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9DE952C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9DE9516]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9DE9580]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9DE956C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9DE9540]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504B08 7 Bytes JMP B9DE9544 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B203A 7 Bytes JMP B9DE955A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E48 5 Bytes JMP B9DE9570 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetSecurityObject 805C062E 5 Bytes JMP B9DE9530 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB440 5 Bytes JMP B9DE9488 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB6CC 5 Bytes JMP B9DE949C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29E2 5 Bytes JMP B9DE9584 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80622662 7 Bytes JMP B9DE951A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80623B12 7 Bytes JMP B9DE94EE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806240F0 5 Bytes JMP B9DE94C4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8062458C 7 Bytes JMP B9DE94D8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8062475C 7 Bytes JMP B9DE9504 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 806254CE 5 Bytes JMP B9DE94B0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.sfrelocÿÿÿÿsfsync04unknown last section [0xB9F67000, 0xBC6, 0x40000040] C:\WINDOWS\system32\drivers\sfsync04.sys unknown last section [0xB9F67000, 0xBC6, 0x40000040]
.sfrelocÿÿÿÿsfsync03unknown last section [0xBA0D5000, 0xA20, 0x40000040] C:\WINDOWS\system32\drivers\sfsync03.sys unknown last section [0xBA0D5000, 0xA20, 0x40000040]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB9045360, 0x1DE5ED, 0xE8000020]
init C:\WINDOWS\system32\DRIVERS\mohfilt.sys entry point in "init" section [0xBA3D3760]
? C:\DOCUME~1\Chris\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[168] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C00000
.text C:\WINDOWS\system32\svchost.exe[168] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C00040
.text C:\WINDOWS\system32\svchost.exe[168] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C00025
.text C:\WINDOWS\system32\svchost.exe[168] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[168] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF0F63
.text C:\WINDOWS\system32\svchost.exe[168] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF0F7E
.text C:\WINDOWS\system32\svchost.exe[168] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF0F9B
.text C:\WINDOWS\system32\svchost.exe[168] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF0058
.text C:\WINDOWS\system32\svchost.exe[168] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF0FC0
.text C:\WINDOWS\system32\svchost.exe[168] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF0F35
.text C:\WINDOWS\system32\svchost.exe[168] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BF0F52
.text C:\WINDOWS\system32\svchost.exe[168] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF0EFF
.text C:\WINDOWS\system32\svchost.exe[168] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BF0F10
.text C:\WINDOWS\system32\svchost.exe[168] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BF00B3
.text C:\WINDOWS\system32\svchost.exe[168] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BF0047
.text C:\WINDOWS\system32\svchost.exe[168] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\svchost.exe[168] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BF007D
.text C:\WINDOWS\system32\svchost.exe[168] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BF002C
.text C:\WINDOWS\system32\svchost.exe[168] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BF001B
.text C:\WINDOWS\system32\svchost.exe[168] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BF0098
.text C:\WINDOWS\system32\svchost.exe[168] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930FB2
.text C:\WINDOWS\system32\svchost.exe[168] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00930065
.text C:\WINDOWS\system32\svchost.exe[168] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00930FC3
.text C:\WINDOWS\system32\svchost.exe[168] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930FD4
.text C:\WINDOWS\system32\svchost.exe[168] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0093004A
.text C:\WINDOWS\system32\svchost.exe[168] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930FEF
.text C:\WINDOWS\system32\svchost.exe[168] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00930039
.text C:\WINDOWS\system32\svchost.exe[168] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930028
.text C:\WINDOWS\system32\svchost.exe[168] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0092003D
.text C:\WINDOWS\system32\svchost.exe[168] msvcrt.dll!system 77C293C7 5 Bytes JMP 0092002C
.text C:\WINDOWS\system32\svchost.exe[168] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920011
.text C:\WINDOWS\system32\svchost.exe[168] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920FE3
.text C:\WINDOWS\system32\svchost.exe[168] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920FBC
.text C:\WINDOWS\system32\svchost.exe[168] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920000
.text C:\WINDOWS\system32\svchost.exe[168] WININET.dll!InternetOpenA 3D95D698 5 Bytes JMP 00900000
.text C:\WINDOWS\system32\svchost.exe[168] WININET.dll!InternetOpenW 3D95DB11 5 Bytes JMP 00900FE5
.text C:\WINDOWS\system32\svchost.exe[168] WININET.dll!InternetOpenUrlA 3D95F3AC 5 Bytes JMP 0090001B
.text C:\WINDOWS\system32\svchost.exe[168] WININET.dll!InternetOpenUrlW 3D9A6D6F 5 Bytes JMP 00900036
.text C:\WINDOWS\system32\svchost.exe[168] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910FE5
.text C:\Program Files\Mozilla Firefox\firefox.exe[248] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 0040131F C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\WINDOWS\system32\svchost.exe[432] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B90000
.text C:\WINDOWS\system32\svchost.exe[432] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B90FD4
.text C:\WINDOWS\system32\svchost.exe[432] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B90FE5
.text C:\WINDOWS\system32\svchost.exe[432] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B80FEF
.text C:\WINDOWS\system32\svchost.exe[432] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B80F81
.text C:\WINDOWS\system32\svchost.exe[432] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B80F92
.text C:\WINDOWS\system32\svchost.exe[432] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B8006C
.text C:\WINDOWS\system32\svchost.exe[432] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B8005B
.text C:\WINDOWS\system32\svchost.exe[432] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B80025
.text C:\WINDOWS\system32\svchost.exe[432] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B80F53
.text C:\WINDOWS\system32\svchost.exe[432] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B80F64
.text C:\WINDOWS\system32\svchost.exe[432] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B80F16
.text C:\WINDOWS\system32\svchost.exe[432] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B80F27
.text C:\WINDOWS\system32\svchost.exe[432] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B80F05
.text C:\WINDOWS\system32\svchost.exe[432] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B80040
.text C:\WINDOWS\system32\svchost.exe[432] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B80FDE
.text C:\WINDOWS\system32\svchost.exe[432] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B80091
.text C:\WINDOWS\system32\svchost.exe[432] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B8000A
.text C:\WINDOWS\system32\svchost.exe[432] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B80FC3
.text C:\WINDOWS\system32\svchost.exe[432] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B80F38
.text C:\WINDOWS\system32\svchost.exe[432] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B70FD4
.text C:\WINDOWS\system32\svchost.exe[432] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B70062
.text C:\WINDOWS\system32\svchost.exe[432] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B70FE5
.text C:\WINDOWS\system32\svchost.exe[432] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B70011

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\iastor \Device\Ide\iaStor0 sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort0 sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\iastor \Device\Ide\IAAStorageDevice-0 sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology)

AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat 97376D20

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 312480318
Disk \Device\Harddisk0\DR0 PE file @ sector 312480340

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Chris\Local Settings\Temp\si146.tmp 0 bytes
File C:\WINDOWS\Installer\{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}\Installer.ico 2238 bytes
File C:\WINDOWS\Installer\{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}\PrntWzrdIco.exe 86016 bytes executable

---- EOF - GMER 1.0.15 ----


Edited by Orange Blossom, 09 December 2011 - 04:22 PM.
Revealed link. ~ OB



#2 HelpBot (Bleepin' Binary Bot)

Posted 13 December 2011 - 10:55 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/431335 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:12 PM

Posted 13 December 2011 - 07:53 PM

Hi,

Please do the following:

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)


NEXT



Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#4 chrismw1

chrismw1
  • Topic Starter

  • Members
  • 10 posts
  • Local time:08:12 PM

Posted 14 December 2011 - 04:12 PM

Hi

Thanks for your help

TDSS log

19:30:45.0734 3152 TDSS rootkit removing tool 2.6.23.0 Dec 13 2011 10:39:31
19:30:46.0796 3152 ============================================================
19:30:46.0796 3152 Current date / time: 2011/12/14 19:30:46.0796
19:30:46.0796 3152 SystemInfo:
19:30:46.0796 3152
19:30:46.0796 3152 OS Version: 5.1.2600 ServicePack: 3.0
19:30:46.0796 3152 Product type: Workstation
19:30:46.0796 3152 ComputerName: CHRISTOPHER3
19:30:46.0796 3152 UserName: Chris
19:30:46.0796 3152 Windows directory: C:\WINDOWS
19:30:46.0796 3152 System windows directory: C:\WINDOWS
19:30:46.0796 3152 Processor architecture: Intel x86
19:30:46.0796 3152 Number of processors: 2
19:30:46.0796 3152 Page size: 0x1000
19:30:46.0796 3152 Boot type: Normal boot
19:30:46.0796 3152 ============================================================
19:30:47.0312 3152 Initialize success
19:30:49.0609 3172 ============================================================
19:30:49.0609 3172 Scan started
19:30:49.0609 3172 Mode: Manual;
19:30:49.0609 3172 ============================================================
19:31:06.0156 3172 viaagp - ok
19:31:06.0187 3172 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
19:31:06.0187 3172 ViaIde - ok
19:31:06.0218 3172 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
19:31:06.0218 3172 VolSnap - ok
19:31:06.0281 3172 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
19:31:06.0281 3172 Wanarp - ok
19:31:06.0328 3172 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
19:31:06.0343 3172 wanatw - ok
19:31:06.0359 3172 WDICA - ok
19:31:06.0390 3172 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
19:31:06.0390 3172 wdmaud - ok
19:31:06.0500 3172 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
19:31:06.0500 3172 WudfPf - ok
19:31:06.0562 3172 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
19:31:06.0578 3172 WudfRd - ok
19:31:06.0609 3172 xcpip - ok
19:31:06.0625 3172 xpsec - ok
19:31:06.0656 3172 MBR (0x1B8) (ff3005b10e24fb7b6b1a2234285f23b9) \Device\Harddisk0\DR0
19:31:06.0718 3172 \Device\Harddisk0\DR0 - ok
19:31:06.0734 3172 Boot (0x1200) (63cd3b01e79a21896596b0353983f00f) \Device\Harddisk0\DR0\Partition0
19:31:06.0734 3172 \Device\Harddisk0\DR0\Partition0 - ok
19:31:06.0734 3172 ============================================================
19:31:06.0734 3172 Scan finished
19:31:06.0734 3172 ============================================================
19:31:06.0750 3088 Detected object count: 0
19:31:06.0750 3088 Actual detected object count: 0
19:36:33.0015 5904 Deinitialize success


ComboFix log

ComboFix 11-12-13.03 - Chris 14/12/2011 19:53:18.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2653 [GMT 0:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Chris\Application Data\Microsoft\Internet Explorer\Quick Launch\System Fix.lnk
c:\documents and settings\Chris\Application Data\Nitu
c:\documents and settings\Chris\Application Data\Nitu\izmyk.goz
c:\documents and settings\Chris\Application Data\Nitu\izmyk.tmp
c:\documents and settings\Chris\Desktop\System Fix.lnk
c:\documents and settings\Chris\Start Menu\Programs\System Fix
c:\documents and settings\Chris\Start Menu\Programs\System Fix\System Fix.lnk
c:\documents and settings\Chris\Start Menu\Programs\System Fix\Uninstall System Fix.lnk
c:\documents and settings\Chris\WINDOWS
c:\windows\$NtUninstallKB50411$
c:\windows\$NtUninstallKB50411$\1611834617\@
c:\windows\$NtUninstallKB50411$\1611834617\bckfg.tmp
c:\windows\$NtUninstallKB50411$\1611834617\cfg.ini
c:\windows\$NtUninstallKB50411$\1611834617\Desktop.ini
c:\windows\$NtUninstallKB50411$\1611834617\keywords
c:\windows\$NtUninstallKB50411$\1611834617\kwrd.dll
c:\windows\$NtUninstallKB50411$\1611834617\L\odetmngk
c:\windows\$NtUninstallKB50411$\1611834617\U\00000001.@
c:\windows\$NtUninstallKB50411$\1611834617\U\00000002.@
c:\windows\$NtUninstallKB50411$\1611834617\U\00000004.@
c:\windows\$NtUninstallKB50411$\1611834617\U\80000000.@
c:\windows\$NtUninstallKB50411$\1611834617\U\80000004.@
c:\windows\$NtUninstallKB50411$\1611834617\U\80000032.@
c:\windows\$NtUninstallKB50411$\2645128123
c:\windows\bdn.com
c:\windows\iTunesMusic.exe
c:\windows\mssecu.exe
c:\windows\settings.reg
c:\windows\system32\anticipator.dll
c:\windows\system32\awtoolb.dll
c:\windows\system32\bdn.com
c:\windows\system32\bsva-egihsg52.exe
c:\windows\system32\dpcproxy.exe
c:\windows\system32\emesx.dll
c:\windows\system32\hoproxy.dll
c:\windows\system32\hxiwlgpm.dat
c:\windows\system32\hxiwlgpm.exe
c:\windows\system32\medup012.dll
c:\windows\system32\medup020.dll
c:\windows\system32\msgp.exe
c:\windows\system32\msnbho.dll
c:\windows\system32\mssecu.exe
c:\windows\system32\msvchost.exe
c:\windows\system32\mtr2.exe
c:\windows\system32\mwin32.exe
c:\windows\system32\netode.exe
c:\windows\system32\newsd32.exe
c:\windows\system32\ps1.exe
c:\windows\system32\psof1.exe
c:\windows\system32\psoft1.exe
c:\windows\system32\regc64.dll
c:\windows\system32\regm64.dll
c:\windows\system32\Rundl1.exe
c:\windows\system32\sncntr.exe
c:\windows\system32\ssurf022.dll
c:\windows\system32\ssvchost.com
c:\windows\system32\ssvchost.exe
c:\windows\system32\sysreq.exe
c:\windows\system32\taack.dat
c:\windows\system32\taack.exe
c:\windows\system32\temp#01.exe
c:\windows\system32\thun.dll
c:\windows\system32\thun32.dll
c:\windows\system32\twain.dll
c:\windows\system32\VBIEWER.OCX
c:\windows\system32\vcatchpi.dll
c:\windows\system32\winlogonpc.exe
c:\windows\system32\winsystem.exe
c:\windows\system32\WINWGPX.EXE
.
.
((((((((((((((((((((((((( Files Created from 2011-11-14 to 2011-12-14 )))))))))))))))))))))))))))))))
.
.
2011-12-04 12:29 . 2011-12-04 12:29 -------- d--h--w- c:\documents and settings\Chris\Application Data\Malwarebytes
2011-12-04 12:29 . 2011-12-04 12:29 -------- d--h--w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-04 12:29 . 2011-12-08 09:44 -------- d--h--w- c:\program files\Malwarebytes' Anti-Malware
2011-12-04 12:29 . 2011-08-31 17:00 22216 ---ha-w- c:\windows\system32\drivers\mbam.sys
2011-11-27 17:59 . 2011-11-27 17:59 -------- d--h--w- c:\documents and settings\Other\Local Settings\Application Data\Mozilla
2011-11-26 10:30 . 2011-11-26 10:30 309320 ---ha-w- c:\windows\system32\drivers\Trufos.sys
2011-11-24 22:34 . 2011-11-24 22:36 -------- d--h--w- c:\program files\WinPcap
2011-11-24 22:31 . 2011-11-24 22:31 -------- d--h--w- c:\documents and settings\All Users\Application Data\Trend Micro
2011-11-24 22:21 . 2011-11-24 22:21 -------- d--h--w- c:\program files\Trend Micro
2011-11-24 19:40 . 2011-12-02 20:58 -------- d--h--w- c:\documents and settings\Chris\Application Data\Paveinb
2011-11-24 19:40 . 2011-12-01 19:38 -------- d--h--w- c:\documents and settings\Chris\Application Data\Qyopi
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-26 10:38 . 2004-08-10 12:51 162816 ---ha-w- c:\windows\system32\drivers\netbt.sys
2011-11-26 09:19 . 2011-05-22 06:53 414368 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-11 19:47 . 2011-11-11 19:47 281104 ---ha-w- c:\windows\system32\wpcap.dll
2011-11-11 19:47 . 2011-11-11 19:47 100880 ---ha-w- c:\windows\system32\Packet.dll
2011-10-15 13:16 . 2010-07-11 11:44 9608 ---ha-w- c:\windows\system32\drivers\mfeclnk.sys
2011-10-15 13:16 . 2010-07-11 11:44 89792 ---ha-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-10-15 13:16 . 2010-07-11 11:44 87656 ---ha-w- c:\windows\system32\drivers\mferkdet.sys
2011-10-15 13:16 . 2010-07-11 11:44 83856 ---ha-w- c:\windows\system32\drivers\mfendisk.sys
2011-10-15 13:16 . 2010-07-11 11:44 59456 ---ha-w- c:\windows\system32\drivers\mfebopk.sys
2011-10-15 13:16 . 2010-07-11 11:44 57600 ---ha-w- c:\windows\system32\drivers\cfwids.sys
2011-10-15 13:16 . 2010-07-11 11:44 338176 ---ha-w- c:\windows\system32\drivers\mfefirek.sys
2011-10-15 13:16 . 2010-07-11 11:44 180816 ---ha-w- c:\windows\system32\drivers\mfeavfk.sys
2011-10-15 13:16 . 2010-05-31 19:32 464176 ---ha-w- c:\windows\system32\drivers\mfehidk.sys
2011-10-15 13:16 . 2010-05-31 19:32 121256 ---ha-w- c:\windows\system32\drivers\mfeapfk.sys
2011-10-10 14:22 . 2004-08-10 13:02 692736 ---ha-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2004-08-10 12:50 599040 ---ha-w- c:\windows\system32\crypt32.dll
2011-09-26 10:41 . 2008-07-29 18:59 611328 ---ha-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 10:41 . 2004-08-10 12:51 220160 ---ha-w- c:\windows\system32\oleacc.dll
2011-09-26 10:41 . 2004-08-10 12:51 20480 ---ha-w- c:\windows\system32\oleaccrc.dll
2008-06-28 12:37 . 2008-06-28 12:05 380208128 ---ha-w- c:\program files\mtgodl2.exe
2011-04-14 13:01 . 2010-09-18 08:00 24376 ---ha-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Mobipocket Reader Notifications"="c:\program files\Mobipocket.com\Mobipocket Reader\readernotify.exe" [2005-12-14 57344]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-01 68856]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-08 7110656]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"P17Helper"="P17.dll" [2005-05-03 64512]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-02-16 147456]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"4oD"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"five Media Manager Tray"="c:\program files\Entriq\MediaSphere\EntriqMediaTray.exe" [2008-05-21 368640]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-16 1318552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Lexmark X74-X75"="c:\program files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 57344]
"Trend Micro RUBotted V2.0 Beta"="c:\program files\Trend Micro\RUBotted\RUBottedGUI.exe" [2010-12-17 1103184]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
dlbcserv.lnk - c:\program files\Dell Photo Printer 720\dlbcserv.exe [2005-12-8 315392]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-6-30 24633]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Apprentice\\Appr.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Dragon Age Origins Character Creator\\bin_ship\\DAOCharacterCreator.exe"=
"c:\\Program Files\\Dragon Age Origins Character Creator\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
.
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\system32\drivers\sfsync03.sys [06/12/2005 15:11 35328]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [11/07/2010 11:44 89792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [11/07/2010 11:44 57600]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [11/07/2010 11:44 338176]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [11/07/2010 11:44 83856]
R3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [20/10/2009 18:19 50704]
R3 pmxscan;Memorex USB Kernel;c:\windows\system32\drivers\usbscan.sys [08/02/2007 15:26 15104]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [11/07/2010 11:44 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [11/07/2010 11:44 87656]
S3 n_r9b9bu.sys;n_r9b9bu.sys;\??\c:\windows\system32\drivers\n_r9b9bu.sys --> c:\windows\system32\drivers\n_r9b9bu.sys [?]
S3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]
S3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2011-12-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-16 18:44]
.
2011-12-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-16 18:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.virginmedia.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\jap0ojsd.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Amazon Toolbar: amznUWL@amazon.com - %profile%\extensions\amznUWL@amazon.com
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKCU-Run-strwin - c:\windows\system32\yvqvazox.exe
HKCU-Run-22yRT3Hn0D - c:\documents and settings\All Users\Application Data\rsdqvqli\ngnmrgfk.exe
SSODL-SmartWeb-{62853C44-EA8E-B691-B4D7-03DE4E256A30} - (no file)
SafeBoot-49850104.sys
AddRemove-McAfee Uninstall Utility - c:\progra~1\McAfee.com\Shared\mcappins.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-14 20:19
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2181442231-1929713017-314551796-1007\Software\SecuROM\License information*]
"datasecu"=hex:0f,a6,ad,2f,9b,ac,52,93,d3,32,28,e8,d2,ec,08,83,06,1a,01,8f,de,
3f,0a,a5,87,74,84,b4,8d,ae,a4,63,85,cc,87,36,40,af,9c,29,5a,60,a7,1c,d1,52,\
"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(4608)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Trend Micro\RUBotted\RUBotSrv.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Common Files\McAfee\SystemCore\mfefire.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\Rundll32.exe
c:\program files\Lexmark X74-X75\lxbbbmon.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
c:\progra~1\mcafee\VIRUSS~1\mcvsshld.exe
c:\windows\system32\sspipes.scr
.
**************************************************************************
.
Completion time: 2011-12-14 20:35:14 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-14 20:35
.
Pre-Run: 12,889,083,904 bytes free
Post-Run: 15,557,206,016 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - C53B30BDA43AF1F5F193460609ABD60B
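
Reading a ComboFix log by hand means skimming for the few sections that actually matter: what was deleted, whether protections were switched off, and which autorun entries were orphaned. The script below is an added example (it is not ComboFix's own tooling and not code posted in this thread): it splits a log on ComboFix's section banners and pulls out the deleted files, any Security Center or firewall values that have been turned off, services whose driver file is missing on disk (ComboFix's `[?]` marker), and the orphaned autorun entries. The embedded log is a constructed excerpt modelled on the log above; the section names and line formats are assumed from that log.

```python
"""Summarise a ComboFix log.  Added example, not ComboFix's own code; the
section banners and line layouts are assumed from the log in this thread."""
import json
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the ComboFix log posted above (not a full log).
SAMPLE_LOG = r"""ComboFix 11-12-13.03 - Chris 14/12/2011 19:53:18.1.2 - x86
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Chris\Desktop\System Fix.lnk
c:\windows\$NtUninstallKB50411$\1611834617\kwrd.dll
c:\windows\system32\mssecu.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-16 1318552]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [11/07/2010 11:44 89792]
S3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-strwin - c:\windows\system32\yvqvazox.exe
SafeBoot-49850104.sys
.
**************************************************************************
.
Completion time: 2011-12-14 20:35:14 - machine was rebooted
"""

PAREN_HEADER = re.compile(r"^\(+\s*(.+?)\s*\)+$")   # ((((( Section Name )))))
DASH_HEADER = re.compile(r"^-+\s+(.+?)\s+-+$")       # - - - - ORPHANS REMOVED - - - -
STAR_RULE = re.compile(r"^\*{10,}$")                  # ***** separator before the trailer
SERVICE_LINE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")  # R0/S3 name;display;path

# Registry values that, when set like this, mean protection was switched off.
TAMPER_CHECKS = [
    ("Security Center monitoring disabled", re.compile(r'^"DisableMonitoring"=dword:0*1$', re.I)),
    ("Windows Firewall disabled for the standard profile", re.compile(r'^"EnableFirewall"=\s*0\b', re.I)),
]


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group log lines under the banner that precedes them; lone dots are padding."""
    sections: Dict[str, List[str]] = {"preamble": []}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "."):
            continue
        m = PAREN_HEADER.match(line) or DASH_HEADER.match(line)
        if m:
            current = m.group(1).strip(" -")
            sections.setdefault(current, [])
            continue
        if STAR_RULE.match(line):
            current = "trailer"
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def find_tampering(reg_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (finding, registry key) pairs for disabled-protection values."""
    findings, current_key = [], ""
    for line in reg_lines:
        if line.startswith("["):
            current_key = line.strip("[]")
            continue
        for label, pattern in TAMPER_CHECKS:
            if pattern.match(line):
                findings.append((label, current_key))
    return findings


def services_with_missing_files(reg_lines: List[str]) -> List[dict]:
    """Services/drivers whose image is registered but absent on disk ('[?]')."""
    missing = []
    for line in reg_lines:
        m = SERVICE_LINE.match(line)
        if m and m.group(4).endswith("[?]"):
            missing.append({"state": m.group(1), "name": m.group(2), "display": m.group(3)})
    return missing


def parse_orphans(lines: List[str]) -> List[dict]:
    """'HKCU-Run-name - target' pairs; entries without a target keep None."""
    entries = []
    for line in lines:
        name, sep, target = line.partition(" - ")
        entries.append({"entry": name.strip(), "target": target.strip() if sep else None})
    return entries


def summarise(text: str) -> dict:
    sections = split_sections(text)
    reg = sections.get("Reg Loading Points", [])
    return {
        "deleted": sections.get("Other Deletions", []),
        "tampering": find_tampering(reg),
        "missing_file_services": services_with_missing_files(reg),
        "orphans": parse_orphans(sections.get("ORPHANS REMOVED", [])),
    }


if __name__ == "__main__":
    print(json.dumps(summarise(SAMPLE_LOG), indent=2))
```

Run it against a saved ComboFix.txt by reading the file into `summarise()`; the "tampering" and "missing_file_services" lists are the items worth a second look after cleanup, since a disabled Security Center or firewall setting does not come back on its own when the malware is removed.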

#5 chrismw1

chrismw1
  • Topic Starter

  • Members
  • 10 posts
  • Local time:08:12 PM

Posted 14 December 2011 - 04:47 PM

Looks like that's cleared it - I've rebooted and everything seems to be working ok

thanks

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:12 PM

Posted 14 December 2011 - 05:52 PM

Hi,

Yes, good. Please stay with me until I give the "all clear"; we have some leftovers to clean up.


Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic431335.html/page__pid__2509579#entry2509579

Folder::
c:\documents and settings\Chris\Application Data\Paveinb
c:\documents and settings\Chris\Application Data\Qyopi

Driver::
n_r9b9bu.sys

Collect::
c:\windows\system32\drivers\n_r9b9bu.sys

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save this as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 chrismw1

chrismw1
  • Topic Starter

  • Members
  • 10 posts
  • Local time:08:12 PM

Posted 15 December 2011 - 06:36 PM

Scripted ComboFix log:

ComboFix 11-12-15.02 - Chris 15/12/2011 19:36:53.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2428 [GMT 0:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Chris\Desktop\cfscript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Chris\Application Data\Paveinb
c:\documents and settings\Chris\Application Data\Qyopi
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_N_R9B9BU.SYS
-------\Service_n_r9b9bu.sys
.
.
((((((((((((((((((((((((( Files Created from 2011-11-15 to 2011-12-15 )))))))))))))))))))))))))))))))
.
.
2011-12-04 12:29 . 2011-12-04 12:29 -------- d-----w- c:\documents and settings\Chris\Application Data\Malwarebytes
2011-12-04 12:29 . 2011-12-04 12:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-04 12:29 . 2011-12-08 09:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-04 12:29 . 2011-08-31 17:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-27 17:59 . 2011-11-27 17:59 -------- d-----w- c:\documents and settings\Other\Local Settings\Application Data\Mozilla
2011-11-26 10:30 . 2011-11-26 10:30 309320 ----a-w- c:\windows\system32\drivers\Trufos.sys
2011-11-24 22:34 . 2011-11-24 22:36 -------- d-----w- c:\program files\WinPcap
2011-11-24 22:31 . 2011-11-24 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2011-11-24 22:21 . 2011-11-24 22:21 -------- d-----w- c:\program files\Trend Micro
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-26 10:38 . 2004-08-10 12:51 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-11-26 09:19 . 2011-05-22 06:53 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-11 19:47 . 2011-11-11 19:47 281104 ----a-w- c:\windows\system32\wpcap.dll
2011-11-11 19:47 . 2011-11-11 19:47 100880 ----a-w- c:\windows\system32\Packet.dll
2011-10-15 13:16 . 2010-07-11 11:44 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-10-15 13:16 . 2010-07-11 11:44 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-10-15 13:16 . 2010-07-11 11:44 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-10-15 13:16 . 2010-07-11 11:44 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-10-15 13:16 . 2010-07-11 11:44 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-10-15 13:16 . 2010-07-11 11:44 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-10-15 13:16 . 2010-07-11 11:44 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-10-15 13:16 . 2010-07-11 11:44 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-10-15 13:16 . 2010-05-31 19:32 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-10-15 13:16 . 2010-05-31 19:32 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-10-10 14:22 . 2004-08-10 13:02 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2004-08-10 12:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 10:41 . 2008-07-29 18:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 10:41 . 2004-08-10 12:51 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 10:41 . 2004-08-10 12:51 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2008-06-28 12:37 . 2008-06-28 12:05 380208128 ----a-w- c:\program files\mtgodl2.exe
2011-04-14 13:01 . 2010-09-18 08:00 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-14_20.19.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-15 19:47 . 2011-12-15 19:47 16384 c:\windows\Temp\Perflib_Perfdata_300.dat
+ 2011-12-15 19:47 . 2011-12-15 19:47 16384 c:\windows\Temp\Perflib_Perfdata_2e8.dat
- 2011-12-14 20:18 . 2011-12-14 20:18 16384 c:\windows\Temp\Perflib_Perfdata_2e8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Mobipocket Reader Notifications"="c:\program files\Mobipocket.com\Mobipocket Reader\readernotify.exe" [2005-12-14 57344]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-01 68856]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-08 7110656]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"CTSysVol"="c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"P17Helper"="P17.dll" [2005-05-03 64512]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-02-16 147456]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"4oD"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"five Media Manager Tray"="c:\program files\Entriq\MediaSphere\EntriqMediaTray.exe" [2008-05-21 368640]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-16 1318552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Lexmark X74-X75"="c:\program files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 57344]
"Trend Micro RUBotted V2.0 Beta"="c:\program files\Trend Micro\RUBotted\RUBottedGUI.exe" [2010-12-17 1103184]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
dlbcserv.lnk - c:\program files\Dell Photo Printer 720\dlbcserv.exe [2005-12-8 315392]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-6-30 24633]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Apprentice\\Appr.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Dragon Age Origins Character Creator\\bin_ship\\DAOCharacterCreator.exe"=
"c:\\Program Files\\Dragon Age Origins Character Creator\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
.
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\system32\drivers\sfsync03.sys [06/12/2005 15:11 35328]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [11/07/2010 11:44 89792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [11/07/2010 11:44 57600]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [11/07/2010 11:44 338176]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [11/07/2010 11:44 83856]
R3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [20/10/2009 18:19 50704]
R3 pmxscan;Memorex USB Kernel;c:\windows\system32\drivers\usbscan.sys [08/02/2007 15:26 15104]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [11/07/2010 11:44 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [11/07/2010 11:44 87656]
S3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]
S3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
2011-12-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-16 18:44]
.
2011-12-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-16 18:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.virginmedia.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\jap0ojsd.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Amazon Toolbar: amznUWL@amazon.com - %profile%\extensions\amznUWL@amazon.com
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-15 19:48
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2181442231-1929713017-314551796-1007\Software\SecuROM\License information*]
"datasecu"=hex:0f,a6,ad,2f,9b,ac,52,93,d3,32,28,e8,d2,ec,08,83,06,1a,01,8f,de,
3f,0a,a5,87,74,84,b4,8d,ae,a4,63,85,cc,87,36,40,af,9c,29,5a,60,a7,1c,d1,52,\
"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(4608)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Trend Micro\RUBotted\RUBotSrv.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Common Files\McAfee\SystemCore\mfefire.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\Rundll32.exe
c:\program files\Lexmark X74-X75\lxbbbmon.exe
c:\program files\Entriq\MediaSphere\3.8.2.9\EntriqMediaServer.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Microsoft Shared\Works Shared\WksCal.exe
c:\progra~1\mcafee\VIRUSS~1\mcvsshld.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2011-12-15 19:55:32 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-15 19:55
ComboFix2.txt 2011-12-14 20:35
.
Pre-Run: 15,525,351,424 bytes free
Post-Run: 15,421,943,808 bytes free
.
- - End Of File - - B1CEEA2552FDF7E60913E377C812181A



Don't know if it's relevant but a Windows error message appeared while running Combofix - "pev.3XE The exception unknown software exception (0x40000015)occurred in the application at location 0x0044ccbc."



MBAM log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8377

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

15/12/2011 20:08:18
mbam-log-2011-12-15 (20-08-18).txt

Scan type: Quick scan
Objects scanned: 191502
Time elapsed: 6 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ESET scan:

C:\Documents and Settings\Chris\Desktop\win_sail_away.exe multiple threats
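To show how a responder might triage the settings-related lines in logs like the ComboFix output above, here is an added Python example (not part of ComboFix, DDS, Malwarebytes or this thread). It parses the `[registry key]` headers, the `"EnableFirewall"` and `"DisableMonitoring"` values and the `FF - user.js` / `FF - prefs.js` preference lines, and returns the settings that weaken the host's or browser's security posture. The sample log embedded in it is a constructed excerpt modelled on the lines above, and the list of preferences it treats as weak is my own choice of what deserves a second look; every finding is a review hint, not a verdict, since a third-party suite such as McAfee legitimately sets `DisableMonitoring` when it registers with Security Center.

```python
"""Triage helper for ComboFix / DDS text logs (added example, not the tools' own code).

Parses registry key headers, the Windows Firewall 'EnableFirewall' value, the
Security Center 'DisableMonitoring' values and the 'FF - user.js/prefs.js'
preference lines, and returns settings worth a second look.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Firefox preferences whose listed value suppresses a security warning or
# loosens privacy (my selection). Values are compared as the strings DDS prints.
WEAK_FF_PREFS: Dict[str, Tuple[str, str]] = {
    "security.warn_submit_insecure": ("false", "no warning when a form is posted over plain http"),
    "security.warn_viewing_mixed": ("false", "no warning on mixed http/https pages"),
    "network.cookie.cookieBehavior": ("0", "all cookies accepted, including third-party cookies"),
    "network.proxy.type": ("4", "proxy auto-detection (WPAD); confirm no rogue proxy is served"),
}

KEY_LINE = re.compile(r"^\[(.+)\]$")                               # [HKLM\...\key]
FF_LINE = re.compile(r"^FF - (user|prefs)\.js: (\S+) - (.*)$")     # FF - user.js: pref - value
FIREWALL_LINE = re.compile(r'^"EnableFirewall"\s*=\s*(\d+)')        # "EnableFirewall"= 0 (0x0)
MONITOR_LINE = re.compile(r'^"DisableMonitoring"=dword:([0-9a-fA-F]{8})$')


@dataclass(frozen=True)
class Finding:
    source: str  # "firefox", "firewall" or "security-center"
    name: str    # preference name or registry key leaf
    value: str   # value as printed in the log
    note: str    # why it is worth a second look (hint, not verdict)


def triage(lines: List[str]) -> List[Finding]:
    """Return the weak settings found in DDS/ComboFix log lines, in log order."""
    findings: List[Finding] = []
    current_key = ""  # most recent [registry key] header; value lines belong to it
    for raw in lines:
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = FF_LINE.match(line)
        if m:
            _, pref, value = m.groups()
            expected, note = WEAK_FF_PREFS.get(pref, (None, ""))
            if expected is not None and value.strip().lower() == expected:
                findings.append(Finding("firefox", pref, value.strip(), note))
            continue
        m = FIREWALL_LINE.match(line)
        if m:
            if m.group(1) == "0":
                findings.append(Finding("firewall", current_key.rsplit("\\", 1)[-1], "0",
                                        "Windows Firewall disabled for this profile"))
            continue
        m = MONITOR_LINE.match(line)
        if m and int(m.group(1), 16) == 1:
            findings.append(Finding("security-center", current_key.rsplit("\\", 1)[-1], "1",
                                    "Security Center monitoring disabled; expected when a "
                                    "third-party suite registers itself, suspicious otherwise"))
    return findings


# Constructed sample: an excerpt modelled on the ComboFix/DDS lines in this thread.
SAMPLE_LOG = [
    "[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\McAfeeAntiVirus]",
    '"DisableMonitoring"=dword:00000001',
    "[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\McAfeeFirewall]",
    '"DisableMonitoring"=dword:00000001',
    "[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]",
    '"EnableFirewall"= 0 (0x0)',
    "FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig",
    "FF - prefs.js: network.proxy.type - 4",
    "FF - user.js: network.cookie.cookieBehavior - 0",
    "FF - user.js: privacy.clearOnShutdown.cookies - false",
    "FF - user.js: security.warn_viewing_mixed - false",
    "FF - user.js: security.warn_viewing_mixed.show_once - false",
    "FF - user.js: security.warn_submit_insecure - false",
    "FF - user.js: security.warn_submit_insecure.show_once - false",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.source}] {f.name} = {f.value}: {f.note}")
```

Run it against a saved log with `triage(open("ComboFix.txt").read().splitlines())`; the `.show_once` and `clearOnShutdown` lines are deliberately not in the weak list, so the sample yields seven findings, two of them the McAfee Security Center entries that are normal for a machine running that suite.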

#8 CatByte


Posted 15 December 2011 - 06:47 PM

What is this program, win_sail_away.exe? Did you download it to your desktop?

Please do the following:

Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.

NEXT

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and Save it to your Desktop.
  • Scroll down to where it says Java SE 6 Update 29
  • Click the Download button under JRE to the right.
  • Read the License Agreement then select Accept License Agreement
  • Click on the link to download Windows x86 Offline and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u29-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


NEXT

Please post a fresh DDS Log and advise how the computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 chrismw1


Posted 16 December 2011 - 04:51 PM

Hi

I updated Adobe and deleted/reinstalled Java

I had to download DDS again as the previously downloaded program on my desktop gave a blue-screen Windows error message and I had to reboot the PC.

DDS log below

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_30
Run by Chris at 21:32:41 on 2011-12-16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2484 [GMT 0:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.
============== Running Processes ===============

.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Entriq\MediaSphere\EntriqMediaTray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Entriq\MediaSphere\3.8.2.9\EntriqMediaServer.exe
C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WksCal.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.virginmedia.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111122211952.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [Mobipocket Reader Notifications] c:\program files\mobipocket.com\mobipocket reader\readernotify.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [AOL Spyware Protection] "c:\progra~1\common~1\aol\aolspy~1\AOLSP Scheduler.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [five Media Manager Tray] "c:\program files\entriq\mediasphere\EntriqMediaTray.exe" /CustomId:five
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Lexmark X74-X75] "c:\program files\lexmark x74-x75\lxbbbmgr.exe"
mRun: [Trend Micro RUBotted V2.0 Beta] c:\program files\trend micro\rubotted\RUBottedGUI.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dlbcserv.lnk - c:\program files\dell photo printer 720\dlbcserv.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} - hxxp://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {FD0EBBED-0C42-4D0F-82DA-44399B5C420A} - hxxp://downloads.virginmedia.com/CST/ver1/xp_mail.cab
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{1F0B45E9-54DC-411E-A72D-CFB56015C840} : DhcpNameServer = 10.145.0.1
TCP: Interfaces\{5D31ADD9-3557-40C7-8150-E1E0FEF5F664} : DhcpNameServer = 194.168.4.100 194.168.8.100
Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - c:\program files\tiscali\tiscali internet\dlls\tiscalifilter.dll
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\chris\application data\mozilla\firefox\profiles\jap0ojsd.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\mozilla firefox\distribution\bundles\{d19ca586-dd6c-4a0a-96f8-14644f340d60}\components\scriptff.dll
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\entriq\mediasphere\3.8.2.9\npEntriqMediaMozillaPlugin.dll
FF - plugin: c:\program files\entriq\mediasphere\3.8.2.9\npEntriqVersionCheckMozillaPlugin.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Amazon Toolbar: amznUWL@amazon.com - %profile%\extensions\amznUWL@amazon.com
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-5-31 464176]
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\system32\drivers\sfsync03.sys [2005-12-6 35328]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-7-11 89792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-7-11 57600]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-7-11 180816]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-7-11 338176]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-7-11 83856]
R3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R3 pmxscan;Memorex USB Kernel;c:\windows\system32\drivers\usbscan.sys [2007-2-8 15104]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-7-11 59456]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-7-11 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-7-11 87656]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-23 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-23 40552]
S3 xcpip;TCP/IP Protocol Driver;c:\windows\system32\drivers\xcpip.sys --> c:\windows\system32\drivers\xcpip.sys [?]
S3 xpsec;IPSEC driver;c:\windows\system32\drivers\xpsec.sys --> c:\windows\system32\drivers\xpsec.sys [?]
.
=============== Created Last 30 ================
.
2011-12-16 19:28:42 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-12-16 19:24:06 0 ----a-w- c:\windows\system32\REN270F.tmp
2011-12-16 19:24:06 0 ----a-w- c:\windows\system32\REN270E.tmp
2011-12-15 20:11:16 -------- d-----w- c:\program files\ESET
2011-12-14 19:40:12 -------- d-sha-r- C:\cmdcons
2011-12-14 19:37:33 98816 ----a-w- c:\windows\sed.exe
2011-12-14 19:37:33 518144 ----a-w- c:\windows\SWREG.exe
2011-12-14 19:37:33 256000 ----a-w- c:\windows\PEV.exe
2011-12-14 19:37:33 208896 ----a-w- c:\windows\MBR.exe
2011-12-04 12:29:48 -------- d-----w- c:\documents and settings\chris\application data\Malwarebytes
2011-12-04 12:29:43 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-12-04 12:29:40 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-04 12:29:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-26 10:30:37 309320 ----a-w- c:\windows\system32\drivers\Trufos.sys
2011-11-24 22:34:52 -------- d-----w- c:\program files\WinPcap
2011-11-24 22:31:45 -------- d-----w- c:\documents and settings\all users\application data\Trend Micro
2011-11-24 22:21:48 -------- d-----w- c:\program files\Trend Micro
.
==================== Find3M ====================
.
2011-12-16 19:28:14 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-26 10:38:51 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-11-26 09:19:38 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-11 19:47:19 281104 ----a-w- c:\windows\system32\wpcap.dll
2011-11-11 19:47:18 100880 ----a-w- c:\windows\system32\Packet.dll
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-15 13:16:16 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-10-15 13:16:16 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-10-15 13:16:16 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-10-15 13:16:16 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-10-15 13:16:16 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-10-15 13:16:16 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-10-15 13:16:16 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-10-15 13:16:16 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-10-15 13:16:16 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-10-15 13:16:16 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 10:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 10:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 10:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2008-06-28 12:37:07 380208128 ----a-w- c:\program files\mtgodl2.exe
.
============= FINISH: 21:39:16.76 ===============

Everything looks ok now.

Thanks for all your help

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:12 PM

Posted 16 December 2011 - 04:54 PM

Hi

Just some housekeeping to do now,

Please do the following:


You can delete the TDSSKiller, DDS and GMER logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.



If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine,
    • If it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?.


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
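The Internet Explorer hardening steps above set three Internet Zone ActiveX options through Inetcpl.cpl. The script below is an added example, not part of the original thread or any tool it mentions, that audits those same three settings in the registry so a mismatch can be spotted (and optionally corrected) without clicking through the dialog. It assumes Microsoft's documented zone policy value names (1001, 1004, 1201 under Zones\3) and data values (0 = Enable, 1 = Prompt, 3 = Disable) for the current user's Internet Zone.

```powershell
# Added example: audit the Internet Zone ActiveX settings from the instructions above.
# Assumed from Microsoft's IE security-zone documentation (not from this thread):
#   Zones\3 = Internet Zone; 1001/1004/1201 = the three ActiveX policies below;
#   data 0 = Enable, 1 = Prompt, 3 = Disable.
# Caveat: if the machine enforces zones from HKLM (Security_HKLM_only), the HKCU
# values read here are not the effective ones; check HKLM:\...\Zones\3 instead.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

$Expected = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                           Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                         Want = 1 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe';  Want = 3 }
}
$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-InternetZoneActiveX {
    param(
        [string]$Path = $ZonePath,
        [switch]$Fix    # when set, rewrite any mismatching value to the expected one
    )
    $zone = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($id in ($Expected.Keys | Sort-Object)) {
        $current = $zone.$id           # $null when the value has never been written
        $want    = $Expected[$id].Want
        $ok      = ($null -ne $current) -and ([int]$current -eq $want)

        if (-not $ok -and $Fix) {
            Set-ItemProperty -Path $Path -Name $id -Value $want -Type DWord
        }

        $currentLabel = if ($null -eq $current) { 'not set (zone default)' }
                        elseif ($Labels.ContainsKey([int]$current)) { $Labels[[int]$current] }
                        else { "raw:$current" }

        [pscustomobject]@{
            Setting  = $Expected[$id].Name
            Current  = $currentLabel
            Expected = $Labels[$want]
            Status   = if ($ok) { 'OK' } elseif ($Fix) { 'FIXED' } else { 'MISMATCH' }
        }
    }
}

# Report only; add -Fix to apply the Prompt/Disable values from the instructions.
Test-InternetZoneActiveX | Format-Table -AutoSize
```

A row marked "not set" means the zone is still using its built-in default for that option, which is why the instructions begin with "Reset all zones to default level" before customising.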


#11 chrismw1

chrismw1
  • Topic Starter

  • Members
  • 10 posts
  • Local time:08:12 PM

Posted 18 December 2011 - 11:52 AM

All sorted now - thank you for your help :thumbsup:

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:12 PM

Posted 18 December 2011 - 12:16 PM

you are welcome

stay safe :hello:

~CB

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:04:12 PM

Posted 18 December 2011 - 12:16 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
