
Unwanted IE windows


Re: Unwanted IE windows

Post by chryssi2001 » January 17th, 2009, 10:59 am

Hi trags,

Please rename Flash Disinfector to FlashD, and then try to save it. ;)
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Unwanted IE windows

Post by trags » January 17th, 2009, 2:28 pm

Hello chryssi2001,
Well to start with, I am writing this post from the infected laptop, so things are much better. Here are my notes from the most recent requests.

I followed your suggestion to disable McAfee before downloading Flash_Disinfector to my desktop (nominally uninfected PC). This worked. I did not need to resort to the most recent suggestion of renaming it to FlashD. However, when I subsequently restarted the PC to reinitialize McAfee, the file once again disappeared. I should be able to follow the process again when it again needs to be invoked.

I then transferred MBAM installer and ComboFix to the infected laptop via the flash drive. During the install of MBAM, I unchecked the Update option (because there was no network available at that time). Even with altered names for the install directory and program group, I couldn't run MBAM from any of the icons. However, I modified the name in c:\Program Files\NewMBAM\ for the executable to an alternate name, and launched it from there (in explorer).

At the end of the MBAM run it notified me that some removals would require a reboot. I allowed this. The resulting report follows:

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 3

1/17/2009 11:53:14 AM
mbam-log-2009-01-17 (11-53-14).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 140962
Time elapsed: 1 hour(s), 39 minute(s), 30 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 2
Registry Keys Infected: 5
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 28

Memory Processes Infected:
C:\Program Files\Spyware Guard 2009\spywareguard.exe (Rogue.SpywareGuard) -> Unloaded process successfully.
C:\WINDOWS\system32\winscenter.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\jzfhthayjz.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{746c7839-e492-4d45-9392-eef0de53c39f} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{81e5d0d9-fd2e-4808-bd51-e430b34e78f7} (Trojan.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\spyware guard 2009 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\iemodule (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\internetconnection (Trojan.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spywareguard (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Spyware Guard 2009 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Program Files\Spyware Guard 2009\quarantine (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\jzfhthayjz.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSShrxm.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSoiqt.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSvkql.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSxfum.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\TDSSmhct.sys (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\temp\TDSSf29c.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Spyware Guard 2009\conf.cfg (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Program Files\Spyware Guard 2009\mbase.vdb (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Program Files\Spyware Guard 2009\quarantine.vdb (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Program Files\Spyware Guard 2009\queue.vdb (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Program Files\Spyware Guard 2009\spywareguard.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Program Files\Spyware Guard 2009\uninstall.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Program Files\Spyware Guard 2009\vbase.vdb (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\sysexplorer.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winscenter.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\reged.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\WINDOWS\spoolsystem.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\WINDOWS\sys.com (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\WINDOWS\syscert.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\WINDOWS\vmreg.dll (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\svhost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\svhost.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\track.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSkkbi.log (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\TDSSlxwp.dll (Rootkit.Agent) -> Delete on reboot.

After the reboot finished, I ran ComboFix. It notified me to disable McAfee, so I did. It proceeded normally through message:
Completed State_50

Then there was a message:
Deleting files  C:\WINDOWS\System32\TDDSmtvd.dat
'C:\WINDOWS\System32\"' is not recognized as an internal or external command,
             operable program or batch file.

I let it remain in this state for 30 minutes with no update to the display or disk activity according to the disk LED.

I rebooted the laptop at this point.
After reboot, McAfee complained that the virus definition files were more than 8 days old. I enabled the wireless network adapter, and allowed McAfee to connect. It was able to successfully update the DAT file to 5496.000, dated 2009-01-15. :P

Sorry, I don't have the log from ComboFix. But here is a new HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:27, on 2009-01-17
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livejournal.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://h20239.www2.hp.com/techcenter/HP ... scheck.htm
O1 - Hosts: 72.233.90.98 www.malwareremoval.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [McAfee Backup] "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_11.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 11330 bytes

Once again, thanks for your efforts.
Regards,
trags
trags
Regular Member
 
Posts: 19
Joined: December 26th, 2008, 3:46 pm
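The two logs in this post lend themselves to a small triage script: the MBAM report tells you which objects were only scheduled for deletion (and so are still present until the reboot happens), and the HijackThis O1 line shows the hosts file sending the help site itself to a public address. The following Python is an added example, not code from the forum, from Malwarebytes or from Trend Micro; the sample lines are copied from the logs above (one O4 line is constructed from a path the MBAM report lists), and the USER_WRITABLE list of autorun locations worth a second look is an assumption.

```python
"""Log triage for the two reports quoted above (added example, not the forum's
or any vendor's code).  Sample lines come from the posted logs; the O4 line for
svhost.exe is constructed from a path in the MBAM report."""
import re
from collections import Counter
from ipaddress import ip_address

# ---- Malwarebytes' Anti-Malware: "<object> (<family>) -> <action>." ----------
MBAM_ITEM = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_items(lines):
    """Return one dict per detection line; headers, counts and blanks are skipped.
    Registry data items carry "Data: <value> -> <action>", which is split out."""
    items = []
    for line in lines:
        m = MBAM_ITEM.match(line.strip())
        if not m:
            continue
        data, action = None, m["action"]
        if action.startswith("Data: ") and " -> " in action:
            data, action = action[len("Data: "):].split(" -> ", 1)
        items.append({"path": m["path"], "family": m["family"],
                      "action": action, "data": data})
    return items

def pending_reboot(items):
    """Objects MBAM could only schedule for deletion.  They are still on disk (and a
    driver among them still loaded) until the reboot happens, so the first log on
    its own is not evidence of a clean system; the post-reboot rescan is."""
    return [i["path"] for i in items if i["action"] == "Delete on reboot"]

def family_counts(items):
    """How many objects each detection family accounted for."""
    return Counter(i["family"] for i in items)

# ---- HijackThis: rules over O1 / O4 / O23 lines ----------------------------
O1 = re.compile(r"^O1 - Hosts: (?P<ip>\S+) (?P<host>\S+)")
O4 = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Assumption: autoruns launched from these locations deserve a manual look.
USER_WRITABLE = ("\\application data\\", "\\temp\\", "\\all users\\")

def triage_hjt(lines):
    """Return human-readable findings for the classic hijack patterns."""
    findings = []
    for line in lines:
        line = line.strip()
        if m := O1.match(line):
            try:
                ip = ip_address(m["ip"])
            except ValueError:
                findings.append(f"O1: unparsable hosts entry {line!r}")
                continue
            # Blocking lists point domains at 127.0.0.1 or 0.0.0.0; anything else
            # is a redirect.  Here the victim's help site is sent to a public IP.
            if not (ip.is_loopback or ip.is_unspecified):
                findings.append(f"O1: hosts file redirects {m['host']} to {ip}")
        elif m := O4.match(line):
            if any(p in m["cmd"].lower() for p in USER_WRITABLE):
                findings.append(f"O4: autorun [{m['name']}] launches from a "
                                f"user-writable path: {m['cmd']}")
        elif m := O23.match(line):
            # "Unknown owner" only means the binary has no company string; it is a
            # prompt to verify the file, not proof of malice (SiteAdvisor is legit).
            if m["owner"] == "Unknown owner":
                findings.append(f"O23: service '{m['name']}' has no publisher: {m['path']}")
    return findings

# ---- Sample input, copied from the logs above --------------------------------
MBAM_SAMPLE = r"""
Files Infected: 28

Memory Processes Infected:
C:\Program Files\Spyware Guard 2009\spywareguard.exe (Rogue.SpywareGuard) -> Unloaded process successfully.

Memory Modules Infected:
C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\jzfhthayjz.dll (Trojan.TDSS) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\drivers\TDSSmhct.sys (Trojan.TDSS) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\svhost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
""".splitlines()

HJT_SAMPLE = r"""
O1 - Hosts: 72.233.90.98 www.malwareremoval.com
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [svhost] C:\Documents and Settings\All Users\Application Data\svhost.exe
O4 - Global Startup: Bluetooth.lnk = ?
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
""".splitlines()

if __name__ == "__main__":
    items = parse_mbam_items(MBAM_SAMPLE)
    print("families:", dict(family_counts(items)))
    print("still present until reboot:", pending_reboot(items))
    for finding in triage_hjt(HJT_SAMPLE):
        print(finding)
```

The O1 rule is the one worth remembering from this thread: a hosts entry that maps a security vendor's or help forum's name to anything other than a loopback or unspecified address is a redirect, and it explains why the victim could not reach the forum from the infected machine. The Userinit entry parsed from the MBAM log is the other persistence point to verify by hand after cleanup; the only value that should be there is the system's own userinit.exe.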

Re: Unwanted IE windows

Post by chryssi2001 » January 17th, 2009, 2:59 pm

Hello trags,

Good news. :)

McAfee thinks that Flash Disinfector is bad. That's why it's reacting like that.

As soon as we are done with this pc, I would like you to open another thread for your own pc, to be checked.

Now, I want you to update mbam, and run it again, and remove what it finds.

Then try to go manually and see if you find this file:

C:\WINDOWS\System32\TDDSmtvd.dat

Right-Click and try to delete it. Let me know the results.

Then try to run Combofix again.

Also run Gmer again, and post back the report.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Unwanted IE windows

Post by trags » January 17th, 2009, 5:28 pm

Hello chryssi2001,
> update mbam, and run it again

MBAM didn't find anything. Here's the report:

Malwarebytes' Anti-Malware 1.33
Database version: 1659
Windows 5.1.2600 Service Pack 3

2009-01-17 15:12:34
mbam-log-2009-01-17 (15-12-34).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 140212
Time elapsed: 58 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

> C:\WINDOWS\System32\TDDSmtvd.dat

This file doesn't exist. I ensured that my folder options included "Show System Files" and "Show hidden files". (I know that some rootkit files still can't be seen, but this is the best I know how to do.)

> Then try to run Combofix again.

It failed in a manner identical to the last time, except there was no message about TDDSmtvd.dat.

> Also run Gmer again, and post back the report.

OK. Here it is.
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-17 15:58:33
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF0C539CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xF0C53A61]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF0C53978]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF0C5398C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xF0C53A75]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF0C53AA1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF0C53B0F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF0C53AF9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF0C53A0A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF0C53B3B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xF0C53A4D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF0C53950]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF0C53964]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF0C539DE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xF0C53B77]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF0C53AE3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF0C53ACD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xF0C53A8B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xF0C53B63]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xF0C53B4F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF0C539B6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF0C539A2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xF0C53AB7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF0C53A39]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xF0C53B25]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF0C53A20]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF0C539F4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP F0C539F8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP F0C539CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP F0C53A0E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP F0C53A24 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP F0C539E2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP F0C53954 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP F0C53968 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP F0C539A6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1142 7 Bytes JMP F0C53990 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP F0C5397C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP F0C539BA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP F0C53A3D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219CA 7 Bytes JMP F0C53AD1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D18 7 Bytes JMP F0C53ABB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622042 7 Bytes JMP F0C53B29 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 806228E0 7 Bytes JMP F0C53AE7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231B4 7 Bytes JMP F0C53A8F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 80623792 5 Bytes JMP F0C53A65 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C22 7 Bytes JMP F0C53A79 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623DF2 7 Bytes JMP F0C53AA5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FD2 7 Bytes JMP F0C53B13 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062423C 7 Bytes JMP F0C53AFD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B64 5 Bytes JMP F0C53A51 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624E8A 7 Bytes JMP F0C53B7B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8062514A 5 Bytes JMP F0C53B53 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062583E 5 Bytes JMP F0C53B67 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625958 5 Bytes JMP F0C53B3F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\explorer.exe[804] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\explorer.exe[804] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F54
.text C:\WINDOWS\explorer.exe[804] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0049
.text C:\WINDOWS\explorer.exe[804] kernel32.dll!LoadLibraryExW 7C801AF5 1 Byte [ E9 ]
.text C:\WINDOWS\explorer.exe[804] kernel32.dll!LoadLibraryExW + 2 7C801AF7 3 Bytes [ E5, 99, 83 ]
.text C:\WINDOWS\explorer.exe[804] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0F65
.text C:\WINDOWS\explorer.exe[804] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0000
.text C:\WINDOWS\explorer.exe[804] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F26
.text C:\WINDOWS\explorer.exe[804] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A006E
.text C:\WINDOWS\explorer.exe[804] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0EFA
.text C:\WINDOWS\explorer.exe[804] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0093
.text C:\WINDOWS\explorer.exe[804] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A00B8
.text C:\WINDOWS\explorer.exe[804] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A0011
.text C:\WINDOWS\explorer.exe[804] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\explorer.exe[804] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A0F43
.text C:\WINDOWS\explorer.exe[804] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A0F9E
.text C:\WINDOWS\explorer.exe[804] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A0FAF
.text C:\WINDOWS\explorer.exe[804] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A0F0B
.text C:\WINDOWS\explorer.exe[804] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00290FEF
.text C:\WINDOWS\explorer.exe[804] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00290FB9
.text C:\WINDOWS\explorer.exe[804] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00290036
.text C:\WINDOWS\explorer.exe[804] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0029001B
.text C:\WINDOWS\explorer.exe[804] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 0029006C
.text C:\WINDOWS\explorer.exe[804] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 0029000A
.text C:\WINDOWS\explorer.exe[804] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00290FD4
.text C:\WINDOWS\explorer.exe[804] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 49, 88 ]
.text C:\WINDOWS\explorer.exe[804] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 0029005B
.text C:\WINDOWS\explorer.exe[804] WININET.dll!InternetOpenW 771BAF39 5 Bytes JMP 002C0FDB
.text C:\WINDOWS\explorer.exe[804] WININET.dll!InternetOpenA 771C5786 5 Bytes JMP 002C0000
.text C:\WINDOWS\explorer.exe[804] WININET.dll!InternetOpenUrlA 771C5A52 5 Bytes JMP 002C001D
.text C:\WINDOWS\explorer.exe[804] WININET.dll!InternetOpenUrlW 771D5BA2 5 Bytes JMP 002C002E
.text C:\WINDOWS\explorer.exe[804] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00ED000A
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070076
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0007005B
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0007004A
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070F8D
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0007002F
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 000700BF
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 000700AE
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070F52
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 000700EB
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 000700FC
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00070F9E
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00070091
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00070FC3
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[1000] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 000700D0
.text C:\WINDOWS\system32\services.exe[1000] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00060FCA
.text C:\WINDOWS\system32\services.exe[1000] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00060F8D
.text C:\WINDOWS\system32\services.exe[1000] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0006001B
.text C:\WINDOWS\system32\services.exe[1000] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[1000] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 0006004A
.text C:\WINDOWS\system32\services.exe[1000] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[1000] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00060FA8
.text C:\WINDOWS\system32\services.exe[1000] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 26, 88 ]
.text C:\WINDOWS\system32\services.exe[1000] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00060FB9
.text C:\WINDOWS\system32\services.exe[1000] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\lsass.exe[1012] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01020000
.text C:\WINDOWS\system32\lsass.exe[1012] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01020F8B
.text C:\WINDOWS\system32\lsass.exe[1012] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01020076
.text C:\WINDOWS\system32\lsass.exe[1012] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01020065
.text C:\WINDOWS\system32\lsass.exe[1012] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01020054
.text C:\WINDOWS\system32\lsass.exe[1012] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01020FB2
.text C:\WINDOWS\system32\lsass.exe[1012] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01020F49
.text C:\WINDOWS\system32\lsass.exe[1012] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0102009B
.text C:\WINDOWS\system32\lsass.exe[1012] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01020F02
.text C:\WINDOWS\system32\lsass.exe[1012] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01020F13
.text C:\WINDOWS\system32\lsass.exe[1012] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 010200B6
.text C:\WINDOWS\system32\lsass.exe[1012] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01020043
.text C:\WINDOWS\system32\lsass.exe[1012] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01020FEF
.text C:\WINDOWS\system32\lsass.exe[1012] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01020F70
.text C:\WINDOWS\system32\lsass.exe[1012] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01020FCD
.text C:\WINDOWS\system32\lsass.exe[1012] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01020FDE
.text C:\WINDOWS\system32\lsass.exe[1012] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 01020F2E
.text C:\WINDOWS\system32\lsass.exe[1012] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 01010FB9
.text C:\WINDOWS\system32\lsass.exe[1012] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01010047
.text C:\WINDOWS\system32\lsass.exe[1012] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 01010FCA
.text C:\WINDOWS\system32\lsass.exe[1012] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 01010000
.text C:\WINDOWS\system32\lsass.exe[1012] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01010036
.text C:\WINDOWS\system32\lsass.exe[1012] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01010FEF
.text C:\WINDOWS\system32\lsass.exe[1012] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 01010F94
.text C:\WINDOWS\system32\lsass.exe[1012] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 21, 89 ]
.text C:\WINDOWS\system32\lsass.exe[1012] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 0101001B
.text C:\WINDOWS\system32\lsass.exe[1012] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F90000
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F90F79
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F90078
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F90F94
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F90FA5
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F9003D
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F90F57
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F90F68
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F90F1A
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F90F2B
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00F90F09
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00F90FB6
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00F90011
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00F90093
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00F90FDB
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00F9002C
.text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00F90F3C
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00F8002F
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00F8004A
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00F80FD4
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00F80FE5
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00F80F97
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00F8000A
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00F80FA8
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 18, 89 ]
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00F80FC3
.text C:\WINDOWS\system32\svchost.exe[1176] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F60000
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF0F9E
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF0FAF
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF0FC0
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF0073
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF0047
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF0F55
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BF0F72
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF00DA
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BF00C9
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00BF00FF
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00BF0058
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00BF000A
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00BF0F83
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00BF0036
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00BF001B
.text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00BF00B8
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00BE0FE5
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00BE0076
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00BE002C
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00BE001B
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00BE0065
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00BE000A
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00BE0FC3
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ DE, 88 ]
.text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00BE0FD4
.text C:\WINDOWS\system32\svchost.exe[1244] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BC0000
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0198000A
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0198006C
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0198005B
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01980F77
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01980040
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01980FB9
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01980F50
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01980098
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01980F06
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01980F2B
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 019800C4
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01980F9E
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01980FEF
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01980087
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01980FCA
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01980025
.text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 019800A9
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 01970FB9
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01970040
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 01970000
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 01970FD4
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01970F83
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01970FE5
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 01970F94
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ B7, 89 ]
.text C:\WINDOWS\System32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 0197001B
.text C:\WINDOWS\System32\svchost.exe[1284] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0167000A
.text C:\WINDOWS\System32\svchost.exe[1284] WININET.dll!InternetOpenW 771BAF39 5 Bytes JMP 0168001B
.text C:\WINDOWS\System32\svchost.exe[1284] WININET.dll!InternetOpenA 771C5786 5 Bytes JMP 01680000
.text C:\WINDOWS\System32\svchost.exe[1284] WININET.dll!InternetOpenUrlA 771C5A52 5 Bytes JMP 01680FD9
.text C:\WINDOWS\System32\svchost.exe[1284] WININET.dll!InternetOpenUrlW 771D5BA2 5 Bytes JMP 0168002C
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00810FEF
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00810073
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00810062
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00810F88
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00810051
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0081001B
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008100AB
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0081009A
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008100C6
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00810F37
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 008100E1
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00810036
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00810000
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00810F63
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00810FAF
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00810FC0
.text C:\WINDOWS\system32\svchost.exe[1404] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00810F48
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00800FA8
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00800F7C
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00800FC3
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00800FD4
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00800039
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00800FE5
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 0080001E
.text C:\WINDOWS\system32\svchost.exe[1404] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00800F97
.text C:\WINDOWS\system32\svchost.exe[1404] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007E000A
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E80FE5
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E80F7E
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E80F8F
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E80FAC
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E80069
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E80033
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E80F46
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E8008E
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E800D5
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E800C4
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00E80F21
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00E8004E
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E80000
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00E80F6D
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00E80022
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00E80011
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00E800B3
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00E70051
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00E70FCA
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00E70036
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00E7001B
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00E70091
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00E70000
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00E7006C
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00E70FE5
.text C:\WINDOWS\system32\svchost.exe[1432] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E9000A
.text C:\WINDOWS\system32\svchost.exe[1432] WININET.dll!InternetOpenW 771BAF39 5 Bytes JMP 00E50011
.text C:\WINDOWS\system32\svchost.exe[1432] WININET.dll!InternetOpenA 771C5786 5 Bytes JMP 00E50000
.text C:\WINDOWS\system32\svchost.exe[1432] WININET.dll!InternetOpenUrlA 771C5A52 5 Bytes JMP 00E50FD9
.text C:\WINDOWS\system32\svchost.exe[1432] WININET.dll!InternetOpenUrlW 771D5BA2 5 Bytes JMP 00E5002C
.text C:\WINDOWS\System32\svchost.exe[2160] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F80000
.text C:\WINDOWS\System32\svchost.exe[2160] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F80F3A
.text C:\WINDOWS\System32\svchost.exe[2160] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F80F55
.text C:\WINDOWS\System32\svchost.exe[2160] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F80F66
.text C:\WINDOWS\System32\svchost.exe[2160] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F80F8D
.text C:\WINDOWS\System32\svchost.exe[2160] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F80FB9
.text C:\WINDOWS\System32\svchost.exe[2160] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F80F13
.text C:\WINDOWS\System32\svchost.exe[2160] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F8005B
.text C:\WINDOWS\System32\svchost.exe[2160] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F80EDD
.text C:\WINDOWS\System32\svchost.exe[2160] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F80EEE
.text C:\WINDOWS\System32\svchost.exe[2160] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00F80091
.text C:\WINDOWS\System32\svchost.exe[2160] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00F80FA8
.text C:\WINDOWS\System32\svchost.exe[2160] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00F80011
.text C:\WINDOWS\System32\svchost.exe[2160] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00F80040
.text C:\WINDOWS\System32\svchost.exe[2160] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00F80FCA
.text C:\WINDOWS\System32\svchost.exe[2160] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00F80FDB
.text C:\WINDOWS\System32\svchost.exe[2160] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00F8006C
.text C:\WINDOWS\System32\svchost.exe[2160] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00F70FB9
.text C:\WINDOWS\System32\svchost.exe[2160] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00F70F83
.text C:\WINDOWS\System32\svchost.exe[2160] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00F70FCA
.text C:\WINDOWS\System32\svchost.exe[2160] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00F70000
.text C:\WINDOWS\System32\svchost.exe[2160] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00F70036
.text C:\WINDOWS\System32\svchost.exe[2160] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00F70FEF
.text C:\WINDOWS\System32\svchost.exe[2160] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00F70F9E
.text C:\WINDOWS\System32\svchost.exe[2160] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 17, 89 ]
.text C:\WINDOWS\System32\svchost.exe[2160] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00F7001B
.text C:\WINDOWS\System32\svchost.exe[2160] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006B0000
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2752] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041BF60 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2752] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041BFE0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\dllhost.exe[3516] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\system32\dllhost.exe[3516] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A00B5
.text C:\WINDOWS\system32\dllhost.exe[3516] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A009A
.text C:\WINDOWS\system32\dllhost.exe[3516] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A007D
.text C:\WINDOWS\system32\dllhost.exe[3516] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0062
.text C:\WINDOWS\system32\dllhost.exe[3516] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A002C
.text C:\WINDOWS\system32\dllhost.exe[3516] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F94
.text C:\WINDOWS\system32\dllhost.exe[3516] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0FA5
.text C:\WINDOWS\system32\dllhost.exe[3516] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A010B
.text C:\WINDOWS\system32\dllhost.exe[3516] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F68
.text C:\WINDOWS\system32\dllhost.exe[3516] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A0F4D
.text C:\WINDOWS\system32\dllhost.exe[3516] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A0051
.text C:\WINDOWS\system32\dllhost.exe[3516] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A0000
.text C:\WINDOWS\system32\dllhost.exe[3516] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A00C6
.text C:\WINDOWS\system32\dllhost.exe[3516] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A0FC0
.text C:\WINDOWS\system32\dllhost.exe[3516] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A0011
.text C:\WINDOWS\system32\dllhost.exe[3516] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A0F79
.text C:\WINDOWS\system32\dllhost.exe[3516] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 002A0FDB
.text C:\WINDOWS\system32\dllhost.exe[3516] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 002A0F80
.text C:\WINDOWS\system32\dllhost.exe[3516] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 002A002C
.text C:\WINDOWS\system32\dllhost.exe[3516] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 002A001B
.text C:\WINDOWS\system32\dllhost.exe[3516] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 002A0047
.text C:\WINDOWS\system32\dllhost.exe[3516] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 002A0000
.text C:\WINDOWS\system32\dllhost.exe[3516] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 002A0FA5
.text C:\WINDOWS\system32\dllhost.exe[3516] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 4A, 88 ]
.text C:\WINDOWS\system32\dllhost.exe[3516] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 002A0FB6
.text C:\WINDOWS\system32\dllhost.exe[3516] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006E0FEF
.text C:\WINDOWS\system32\svchost.exe[3576] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0FE5
.text C:\WINDOWS\system32\svchost.exe[3576] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA0F41
.text C:\WINDOWS\system32\svchost.exe[3576] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0F52
.text C:\WINDOWS\system32\svchost.exe[3576] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA002C
.text C:\WINDOWS\system32\svchost.exe[3576] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0F6F
.text C:\WINDOWS\system32\svchost.exe[3576] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0011
.text C:\WINDOWS\system32\svchost.exe[3576] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA0F09
.text C:\WINDOWS\system32\svchost.exe[3576] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA0F26
.text C:\WINDOWS\system32\svchost.exe[3576] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA008E
.text C:\WINDOWS\system32\svchost.exe[3576] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA007D
.text C:\WINDOWS\system32\svchost.exe[3576] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00BA00A9
.text C:\WINDOWS\system32\svchost.exe[3576] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00BA0F8A
.text C:\WINDOWS\system32\svchost.exe[3576] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00BA0FD4
.text C:\WINDOWS\system32\svchost.exe[3576] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00BA0051
.text C:\WINDOWS\system32\svchost.exe[3576] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00BA0FA5
.text C:\WINDOWS\system32\svchost.exe[3576] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00BA0000
.text C:\WINDOWS\system32\svchost.exe[3576] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00BA006C
.text C:\WINDOWS\system32\svchost.exe[3576] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00B90FD4
.text C:\WINDOWS\system32\svchost.exe[3576] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00B90F8D
.text C:\WINDOWS\system32\svchost.exe[3576] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00B9001B
.text C:\WINDOWS\system32\svchost.exe[3576] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00B90000
.text C:\WINDOWS\system32\svchost.exe[3576] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00B90FA8
.text C:\WINDOWS\system32\svchost.exe[3576] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00B90FE5
.text C:\WINDOWS\system32\svchost.exe[3576] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00B90040
.text C:\WINDOWS\system32\svchost.exe[3576] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00B90FC3
.text C:\WINDOWS\system32\svchost.exe[3576] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B70000
.text C:\WINDOWS\system32\svchost.exe[3640] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CB0000
.text C:\WINDOWS\system32\svchost.exe[3640] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CB0F94
.text C:\WINDOWS\system32\svchost.exe[3640] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CB0089
.text C:\WINDOWS\system32\svchost.exe[3640] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CB0FAF
.text C:\WINDOWS\system32\svchost.exe[3640] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CB006C
.text C:\WINDOWS\system32\svchost.exe[3640] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CB004A
.text C:\WINDOWS\system32\svchost.exe[3640] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CB0F52
.text C:\WINDOWS\system32\svchost.exe[3640] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CB0F6F
.text C:\WINDOWS\system32\svchost.exe[3640] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CB00E1
.text C:\WINDOWS\system32\svchost.exe[3640] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CB00C6
.text C:\WINDOWS\system32\svchost.exe[3640] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00CB00F2
.text C:\WINDOWS\system32\svchost.exe[3640] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00CB005B
.text C:\WINDOWS\system32\svchost.exe[3640] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00CB0FEF
.text C:\WINDOWS\system32\svchost.exe[3640] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00CB009A
.text C:\WINDOWS\system32\svchost.exe[3640] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00CB002F
.text C:\WINDOWS\system32\svchost.exe[3640] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00CB0FDE
.text C:\WINDOWS\system32\svchost.exe[3640] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00CB00B5
.text C:\WINDOWS\system32\svchost.exe[3640] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00CA0047
.text C:\WINDOWS\system32\svchost.exe[3640] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00CA00A2
.text C:\WINDOWS\system32\svchost.exe[3640] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00CA0036
.text C:\WINDOWS\system32\svchost.exe[3640] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00CA001B
.text C:\WINDOWS\system32\svchost.exe[3640] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00CA007D
.text C:\WINDOWS\system32\svchost.exe[3640] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00CA0000
.text C:\WINDOWS\system32\svchost.exe[3640] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00CA006C
.text C:\WINDOWS\system32\svchost.exe[3640] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00CA0FDB

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.14 ----

It does make me uneasy that ComboFix doesn't complete and give a report, but otherwise this looks much better.

Regards,
trags
trags
Regular Member
 
Posts: 19
Joined: December 26th, 2008, 3:46 pm
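The user-mode hook lines at the top of the GMER log in this post (the ".text ... 5 Bytes JMP ..." entries for svchost.exe) are the part of that report an analyst reads first. The following Python is an added example, not part of the post and not GMER's own code: it parses such lines, groups the hooks per process, records which 64 KiB regions their JMP targets fall into, and flags hooks whose target GMER did not attribute to any loaded module (no module path follows the target address). The svchost.exe sample lines are copied from the log above; the explorer.exe line, its module path and vendor are constructed to show the shape of a hook that GMER does attribute to a module.

```python
"""Triage of GMER user-mode inline-hook lines.

Added example (not from the forum post and not part of GMER). It parses the
'.text <process>[pid] <module>!<export> <addr> 5 Bytes JMP <target>' lines
GMER prints, groups them per process and flags hooks whose JMP target GMER
could not attribute to a loaded module (no module path follows the target).
"""
import re
from collections import defaultdict

# Sample input. The svchost.exe lines are copied from the GMER log in the
# thread; the explorer.exe line is CONSTRUCTED (placeholder path and vendor)
# to show the shape of a hook that GMER attributes to a named module.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[3640] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CB004A
.text C:\WINDOWS\system32\svchost.exe[3640] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CB00E1
.text C:\WINDOWS\system32\svchost.exe[3640] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00CB00F2
.text C:\WINDOWS\system32\svchost.exe[3640] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00CB0FEF
.text C:\WINDOWS\system32\svchost.exe[3640] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00CA0047
.text C:\WINDOWS\system32\svchost.exe[3640] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00CA00A2
.text C:\WINDOWS\explorer.exe[1234] USER32.dll!GetMessageA 7E368B5B 5 Bytes JMP 10001234 C:\Program Files\ExampleVendor\hook.dll (Example hook module/Example Vendor)
"""

HOOK_RE = re.compile(
    r"^\.text\s+"
    r"(?P<process>.+?)\[(?P<pid>\d+)\]\s+"        # image path and PID
    r"(?P<module>[^!\s]+)!(?P<export>\S+)\s+"     # hooked DLL!export
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-Fa-f]+)"                   # where the JMP lands
    r"(?:\s+(?P<owner>.+))?$"                     # module GMER attributes it to
)


def parse_hook_line(line):
    """Return a dict for one GMER inline-hook line, or None for other lines."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["pid"] = int(d["pid"])
    d["addr"] = int(d["addr"], 16)
    d["nbytes"] = int(d["nbytes"])
    d["target"] = int(d["target"], 16)
    # GMER appends a module path when it can map the target to a loaded
    # module; its absence means the JMP lands in memory no module owns.
    d["attributed"] = d["owner"] is not None
    return d


def triage_hooks(text):
    """Group hooks per process: hooked exports, target regions, unattributed count.

    Keys are '<image path>[<pid>]'; 'regions' holds the 64 KiB-aligned bases
    of the JMP targets, so many hooks all pointing into one or two small
    allocations (as in the log above) stand out immediately.
    """
    summary = defaultdict(lambda: {"hooked": [], "regions": set(), "unattributed": 0})
    for line in text.splitlines():
        h = parse_hook_line(line)
        if h is None:
            continue
        entry = summary[f"{h['process']}[{h['pid']}]"]
        entry["hooked"].append(f"{h['module']}!{h['export']}")
        entry["regions"].add(h["target"] & ~0xFFFF)
        if not h["attributed"]:
            entry["unattributed"] += 1
    return dict(summary)


def suspicious_processes(summary, min_unattributed=3):
    """Processes carrying several hooks whose targets no loaded module owns."""
    return sorted(k for k, v in summary.items() if v["unattributed"] >= min_unattributed)


if __name__ == "__main__":
    result = triage_hooks(SAMPLE_LOG)
    for proc, info in result.items():
        regions = ", ".join(f"{r:08X}" for r in sorted(info["regions"]))
        print(f"{proc}: {len(info['hooked'])} hooks, "
              f"{info['unattributed']} unattributed, target regions: {regions}")
    print("review first:", suspicious_processes(result))
```

The threshold in `suspicious_processes` is deliberately low: a single unattributed hook can be a transient artefact, but a service process with a half-dozen kernel32/ADVAPI32 exports all redirected into the same two 64 KiB regions is the pattern the teacher is chasing in this thread.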

Re: Unwanted IE windows

Unread postby chryssi2001 » January 18th, 2009, 5:24 am

Hello trags,

Let's try this:

Delete this folder:
C:\QooBox\LastRun

Disable McAfee and any other protection programs you have and try to run Combofix again.
If it's not working, remove Combofix and get a new copy from one of these Links and try again:
Link 1
Link 2
----------------------------------------------
FileLook

Please download FileLook by jpshortstuff from one of the following mirrors:
Link 1
Link 2
  • Double-click FileLook.exe to run it. (Vista users will almost certainly have to right click and select Run As Administrator)
  • Ensure that the BBCode Output checkbox is checked.
  • Copy the content of the following codebox into the main textfield:

    C:\WINDOWS\System32\TDDSmtvd.dat

  • Click the FileLook button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found at C:\fl_log.txt
----------------------------------------------
Rooter.exe

Download Rooter.exe to your desktop.
  • Then double-click it to start the tool.
  • A Notepad file containing the report will open, also found at %systemdrive%\Rooter.txt. Post that here.
----------------------------------------------
Post back:
FileLook results.
Rooter.exe results.
Combofix report if you get one.
If Combofix still doesn't run let me know exactly where it stops, at which stage etc.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Unwanted IE windows

Unread postby trags » January 18th, 2009, 11:16 am

Hello chryssi2001,
Your suggestion allowed ComboFix to run (and reboot and continue). I did not have to reinstall it. Here is the log that it created.
ComboFix 09-01-17.02 - Noelle Rogers 2009-01-18 9:38:01.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1462 [GMT -5:00]
Running from: c:\documents and settings\Noelle Rogers\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-12-18 to 2009-01-18 )))))))))))))))))))))))))))))))
.

2009-01-17 15:19 . 2009-01-17 15:22 <DIR> d-------- C:\NewCombo-Fix
2009-01-17 14:13 . 2009-01-17 14:13 <DIR> d-------- c:\program files\MalwareBytesAnti-Malware
2009-01-17 10:10 . 2009-01-17 10:11 <DIR> d-------- c:\program files\NewMbAM
2009-01-17 10:10 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-17 10:10 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-13 20:22 . 2009-01-13 20:43 <DIR> d-------- C:\gmer
2009-01-08 06:55 . 2009-01-08 06:55 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-07 17:09 . 2009-01-14 03:37 <DIR> d--hs---- c:\windows\system32\twain32
2009-01-04 11:51 . 2009-01-14 22:00 <DIR> d-------- C:\Rooter$
2009-01-03 11:47 . 2009-01-03 11:47 <DIR> d-------- c:\documents and settings\Noelle Rogers\Application Data\Malwarebytes
2009-01-03 11:47 . 2009-01-03 11:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-01 13:28 . 2009-01-01 13:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-26 15:52 . 2008-12-26 15:52 <DIR> d-------- c:\documents and settings\Noelle Rogers\Application Data\GTek
2008-12-26 14:34 . 2008-12-26 14:34 <DIR> d-------- c:\program files\Trend Micro
2008-12-26 14:01 . 2008-12-26 14:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Citrix
2008-12-26 13:26 . 2008-12-26 13:26 61,224 --a------ c:\documents and settings\Noelle Rogers\GoToAssistDownloadHelper.exe
2008-12-26 12:59 . 2008-12-26 12:59 <DIR> d-------- c:\documents and settings\Noelle Rogers\Application Data\McAfee
2008-12-26 12:00 . 2008-12-26 12:00 <DIR> d-------- c:\windows\McAfee.com
2008-12-20 10:58 . 2008-12-20 11:01 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-20 10:58 . 2008-12-20 15:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-20 10:37 . 2008-12-20 10:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-18 14:42 --------- d-----w c:\program files\Steam
2009-01-18 14:41 --------- d-----w c:\documents and settings\Noelle Rogers\Application Data\Skype
2009-01-13 21:10 --------- d-----w c:\program files\mIRC
2009-01-08 12:49 --------- d-----w c:\program files\Java
2009-01-08 11:54 --------- d-----w c:\program files\Common Files\Adobe
2009-01-04 19:10 --------- d-----w c:\documents and settings\NetworkService\Application Data\SACore
2009-01-01 18:35 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-01 18:32 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-18 06:20 --------- d-----w c:\program files\GemMaster
2008-12-11 15:03 --------- d-----w c:\program files\McAfee
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-09 21:57 11,388 ----a-w c:\documents and settings\Noelle Rogers\Application Data\wklnhst.dat
2008-11-28 11:28 --------- d-----w c:\documents and settings\Noelle Rogers\Application Data\dvdcss
2008-11-25 22:31 --------- d-----w c:\program files\AIM6
2008-11-25 22:30 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-11-25 22:29 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-13 22:45 99,408 ----a-w c:\documents and settings\Noelle Rogers\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2009-01-01_14.07.53.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-16 00:27:05 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 02:13:02 811,008 ----a-w c:\windows\gmer.exe
+ 2007-12-12 20:06:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
- 2000-08-31 13:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 13:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2009-01-01 16:49:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-18 14:30:44 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-01 16:49:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-18 14:30:44 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-01-01 16:49:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-18 14:30:44 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-14 09:23:10 3,077,120 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KDQ7WLMR\SpywareGuard2009[1].exe
- 2008-09-08 10:41:42 333,824 ------w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 10:57:09 333,952 ------w c:\windows\system32\dllcache\srv.sys
+ 2009-01-16 00:27:05 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
- 2008-04-25 00:46:37 73,984 ---ha-w c:\windows\system32\mlfcache.dat
+ 2009-01-08 22:32:08 74,160 ---ha-w c:\windows\system32\mlfcache.dat
+ 2009-01-09 22:35:30 20,853,704 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-18 14:41:45 16,384 ----atw c:\windows\temp\Perflib_Perfdata_8f0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-05-28 23458344]
"Steam"="c:\program files\steam\steam.exe" [2008-11-26 1410296]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-20 7581696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-20 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-03-15 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2006-03-15 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-03-15 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-03-15 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-03-15 455168]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"nwiz"="nwiz.exe" [2006-07-20 c:\windows\system32\nwiz.exe]
"MsmqIntCert"="mqrt.dll" [2008-04-13 c:\windows\system32\mqrt.dll]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 c:\windows\system32\CHDAudPropShortcut.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-02-27 113664]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-02-27 113664]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-12 581693]
HP Pavilion Webcam Tray Icon.lnk - c:\program files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2007-01-27 102400]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcods.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcsysmon.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2007-10-10 8576]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-09-04 206096]
S3 iComp;HP Analog TV Tuner;c:\windows\system32\drivers\p2usbwdm.sys [2006-03-17 1544704]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{daee8a71-be2d-11db-aeca-001636db8edb}]
\Shell\Explore\command - explorer.exe /n,/e ,.
\Shell\Launch\command - F:\portablevaultaes.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2008-12-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.livejournal.com/
uInternet Connection Wizard,ShellNext = hxxp://h20239.www2.hp.com/techcenter/HP ... scheck.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Noelle Rogers\Application Data\Mozilla\Firefox\Profiles\ugosvz8k.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.livejournal.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-18 09:43:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????\??????`?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\windows\system32\mqsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\mqtgsvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\locator.exe
.
**************************************************************************
.
Completion time: 2009-01-18 9:46:26 - machine was rebooted [Noelle Rogers]
ComboFix-quarantined-files.txt 2009-01-18 14:46:22
ComboFix2.txt 2009-01-02 19:57:40
ComboFix3.txt 2009-01-01 19:08:58

Pre-Run: 10,477,223,936 bytes free
Post-Run: 10,513,203,200 bytes free

233 --- E O F --- 2009-01-13 21:13:06

Next the FileLook output:
FileLook.exe v2.0 by jpshortstuff
Log created at 10:02 on 18/01/2009
==================================
FileLook - "TDDSmtvd.da"

Unable to find file.

==============================

=EOF=

And finally, the Rooter report:
Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3
X86-based PC ( Multiprocessor Free : Intel(R) Core(TM)2 CPU T5500 @ 1.66GHz )
BIOS : Ver 1.00PARTTBLv
USER : Noelle Rogers ( Administrator )
BOOT : Normal boot

Antivirus : McAfee VirusScan (Activated)
Firewall : McAfee Personal Firewall (Activated)

C:\ (Local Disk) - NTFS - Total:80 Go (Free:9 Go)
D:\ (Local Disk) - FAT32 - Total:11 Go (Free:1 Go)
E:\ (CD or DVD)

Sun 01/18/2009|10:03

----------------------\\ Search..

No infections found !


1 - "C:\Rooter$\Rooter_1.txt" - Sun 01/04/2009|11:52
2 - "C:\Rooter$\Rooter_2.txt" - Wed 01/14/2009|22:00
3 - "C:\Rooter$\Rooter_3.txt" - Sun 01/18/2009|10:03

----------------------\\ Scan completed at 10:03

This looks very good. What else do we need to do?
Regards,
trags :)
trags
Regular Member
 
Posts: 19
Joined: December 26th, 2008, 3:46 pm
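The Security Center and firewall-policy entries in the "Reg Loading Points" section of the ComboFix log in this post are the settings that silence the operating system's own warnings. The following Python is an added example, not from the post and not ComboFix's own code: it reads that REGEDIT4-style section and lists the values that suppress Security Center notifications, disable product monitoring or turn off the Windows Firewall standard profile. The sample lines are copied from the log above (plus one benign drivers32 entry from the same log to show that ordinary values produce no finding). Installed security suites legitimately set some of these values themselves, for instance DisableMonitoring under their own product key, so the output is a list to review against the products actually installed, not a verdict.

```python
"""Review of Security Center / firewall settings in a ComboFix registry section.

Added example (not from the forum post and not part of ComboFix). It parses
the '[key]' and '"name"=value' lines ComboFix prints under Reg Loading Points
and reports settings that suppress or disable the OS's own security warnings.
"""
import re

# Sample input copied from the ComboFix log in the thread.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.*)$')

# Security Center values that hide a category of warning when set to 1.
NOTIFY_VALUES = {"AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify"}


def parse_value(raw):
    """Turn the text after '=' into an int where ComboFix prints a number."""
    raw = raw.strip()
    m = re.match(r"dword:([0-9A-Fa-f]{1,8})$", raw)      # REGEDIT4 DWORD form
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\s*\(0x[0-9A-Fa-f]+\)$", raw)     # ComboFix's "0 (0x0)" form
    if m:
        return int(m.group(1))
    return raw  # string data, or empty for the '"path"=' list entries


def parse_reg_dump(text):
    """Return a list of (key, value name, value) triples from the section."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, m.group("name"), parse_value(m.group("raw"))))
    return entries


def evaluate(entries):
    """Return (kind, subject, key) findings for settings that mute OS warnings."""
    findings = []
    for key, name, value in entries:
        k = key.lower()
        if k.endswith("\\security center") and name in NOTIFY_VALUES and value == 1:
            findings.append(("notify_suppressed", name, key))
        elif "\\security center\\monitoring\\" in k and name == "DisableMonitoring" and value == 1:
            product = key.rsplit("\\", 1)[-1]   # product subkey, e.g. McAfeeAntiVirus
            findings.append(("monitoring_disabled", product, key))
        elif "firewallpolicy\\standardprofile" in k and name == "EnableFirewall" and value == 0:
            findings.append(("firewall_off", "StandardProfile", key))
    return findings


if __name__ == "__main__":
    for kind, subject, key in evaluate(parse_reg_dump(SAMPLE_REG)):
        print(f"{kind:20} {subject:24} {key}")
```

Reading the findings against the rest of the log is the point: a DisableMonitoring value under a McAfee subkey while McAfee is the installed suite is expected, whereas one under a SymantecFirewall subkey on a machine whose only Symantec trace is a leftover NortonInstaller folder, together with EnableFirewall=0 and both notification values set, is worth asking the user about.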

Re: Unwanted IE windows

Unread postby chryssi2001 » January 18th, 2009, 2:56 pm

Hello trags,

The reports look much better, but there is still some work to do.
----------------------------------------------
COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File::
    c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KDQ7WLMR\SpywareGuard2009[1].exe
    
    Folder::
    c:\windows\system32\twain32
    
    
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------------------------------------------
Please download ATF cleaner
Make sure that all browser windows are closed.
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All and UNCHECK Cookies.
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All and UNCHECK Cookies.
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All and UNCHECK Cookies.
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
----------------------------------------------
Run Kaspersky Online AV Scanner
Note: Internet Explorer should be used.

Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: Unwanted IE windows

Unread postby trags » January 18th, 2009, 7:00 pm

Hello chryssi2001,

In order to get ComboFix to run, I had to use the trick again:
Delete this folder:
C:\QooBox\LastRun

The first time (without the folder deletion), it stopped responding, but I'm pretty sure it did produce a message about the Twain32 folder. On the subsequent run, the Twain folder wasn't mentioned, and isn't listed in the log. As an aside, will I need to recreate the folder if I attach a scanner? I thought that folder was supposed to exist in a vanilla installation. (I wrote a twain driver years ago, but I haven't stayed current.) In any case, here is the ComboFix log from the second run.

ComboFix 09-01-17.04 - Noelle Rogers 2009-01-18 14:59:43.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1489 [GMT -5:00]
Running from: c:\documents and settings\Noelle Rogers\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Noelle Rogers\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point

FILE ::
c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KDQ7WLMR\SpywareGuard2009[1].exe
.

((((((((((((((((((((((((( Files Created from 2008-12-18 to 2009-01-18 )))))))))))))))))))))))))))))))
.

2009-01-18 14:56 . 2009-01-18 14:56 <DIR> d-------- C:\NewCombo-Fix
2009-01-17 14:13 . 2009-01-17 14:13 <DIR> d-------- c:\program files\MalwareBytesAnti-Malware
2009-01-17 10:10 . 2009-01-17 10:11 <DIR> d-------- c:\program files\NewMbAM
2009-01-17 10:10 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-17 10:10 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-13 20:22 . 2009-01-13 20:43 <DIR> d-------- C:\gmer
2009-01-08 06:55 . 2009-01-08 06:55 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-04 11:51 . 2009-01-18 10:03 <DIR> d-------- C:\Rooter$
2009-01-03 11:47 . 2009-01-03 11:47 <DIR> d-------- c:\documents and settings\Noelle Rogers\Application Data\Malwarebytes
2009-01-03 11:47 . 2009-01-03 11:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-01 13:28 . 2009-01-01 13:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-26 15:52 . 2008-12-26 15:52 <DIR> d-------- c:\documents and settings\Noelle Rogers\Application Data\GTek
2008-12-26 14:34 . 2008-12-26 14:34 <DIR> d-------- c:\program files\Trend Micro
2008-12-26 14:01 . 2008-12-26 14:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Citrix
2008-12-26 13:26 . 2008-12-26 13:26 61,224 --a------ c:\documents and settings\Noelle Rogers\GoToAssistDownloadHelper.exe
2008-12-26 12:59 . 2008-12-26 12:59 <DIR> d-------- c:\documents and settings\Noelle Rogers\Application Data\McAfee
2008-12-26 12:00 . 2008-12-26 12:00 <DIR> d-------- c:\windows\McAfee.com
2008-12-20 10:58 . 2008-12-20 11:01 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-20 10:58 . 2008-12-20 15:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-20 10:37 . 2008-12-20 10:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-18 19:50 --------- d-----w c:\documents and settings\Noelle Rogers\Application Data\Skype
2009-01-18 19:48 --------- d-----w c:\program files\Steam
2009-01-13 21:10 --------- d-----w c:\program files\mIRC
2009-01-08 12:49 --------- d-----w c:\program files\Java
2009-01-08 11:54 --------- d-----w c:\program files\Common Files\Adobe
2009-01-04 19:10 --------- d-----w c:\documents and settings\NetworkService\Application Data\SACore
2009-01-01 18:35 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-01-01 18:32 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-18 06:20 --------- d-----w c:\program files\GemMaster
2008-12-12 17:01 3,067,904 ----a-w c:\windows\system32\SET135.tmp
2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 15:03 --------- d-----w c:\program files\McAfee
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-09 21:57 11,388 ----a-w c:\documents and settings\Noelle Rogers\Application Data\wklnhst.dat
2008-11-28 11:28 --------- d-----w c:\documents and settings\Noelle Rogers\Application Data\dvdcss
2008-11-25 22:31 --------- d-----w c:\program files\AIM6
2008-11-25 22:30 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-11-25 22:29 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-13 22:45 99,408 ----a-w c:\documents and settings\Noelle Rogers\Application Data\GDIPFONTCACHEV1.DAT
2008-11-10 10:43 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-01_14.07.53.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-16 00:27:05 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 02:13:02 811,008 ----a-w c:\windows\gmer.exe
+ 2007-12-12 20:06:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
- 2000-08-31 13:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 13:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2009-01-01 16:49:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-18 19:35:04 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-01 16:49:47 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-18 19:35:04 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-16 00:27:05 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
- 2008-04-25 00:46:37 73,984 ---ha-w c:\windows\system32\mlfcache.dat
+ 2009-01-08 22:32:08 74,160 ---ha-w c:\windows\system32\mlfcache.dat
+ 2009-01-09 22:35:30 20,853,704 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-18 19:48:18 16,384 ----atw c:\windows\temp\Perflib_Perfdata_8b8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2007-05-28 23458344]
"Steam"="c:\program files\steam\steam.exe" [2008-11-26 1410296]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-20 7581696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-20 86016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-03-15 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2006-03-15 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-03-15 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-03-15 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-03-15 455168]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-11 641208]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"nwiz"="nwiz.exe" [2006-07-20 c:\windows\system32\nwiz.exe]
"MsmqIntCert"="mqrt.dll" [2008-04-13 c:\windows\system32\mqrt.dll]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 c:\windows\system32\CHDAudPropShortcut.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-02-27 113664]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-02-27 113664]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-12 581693]
HP Pavilion Webcam Tray Icon.lnk - c:\program files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2007-01-27 102400]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcods.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcsysmon.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2007-10-10 8576]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-09-04 206096]
S3 iComp;HP Analog TV Tuner;c:\windows\system32\drivers\p2usbwdm.sys [2006-03-17 1544704]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{daee8a71-be2d-11db-aeca-001636db8edb}]
\Shell\Explore\command - explorer.exe /n,/e ,.
\Shell\Launch\command - F:\portablevaultaes.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]

2008-12-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.livejournal.com/
uInternet Connection Wizard,ShellNext = hxxp://h20239.www2.hp.com/techcenter/HP ... scheck.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Noelle Rogers\Application Data\Mozilla\Firefox\Profiles\ugosvz8k.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.livejournal.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-18 15:01:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????\??????`?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-18 15:02:56
ComboFix-quarantined-files.txt 2009-01-18 20:02:53
ComboFix2.txt 2009-01-18 14:46:28
ComboFix3.txt 2009-01-02 19:57:40
ComboFix4.txt 2009-01-01 19:08:58

Pre-Run: 10,512,015,360 bytes free
Post-Run: 10,495,787,008 bytes free

203 --- E O F --- 2009-01-13 21:13:06

There were no issues when I ran ATF Cleaner. I guess it doesn't create a log.

Next I ran Kaspersky. Here is the log.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, January 18, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, January 18, 2009 19:11:15
Records in database: 1643385
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 86522
Threat name: 2
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 01:34:58


File name / Threat name / Threats count
C:\Documents and Settings\Noelle Rogers\My Documents\mirc621.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
C:\Qoobox\Quarantine\[4]-Submit_2009-01-02@14.55.zip Infected: Trojan.Win32.Monder.gen 2

The selected area was scanned.

Finally, here is a new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:56:26 PM, on 1/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\program files\steam\steam.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livejournal.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://h20239.www2.hp.com/techcenter/HP ... scheck.htm
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [McAfee Backup] "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_11.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 11453 bytes

Finally, the computer is running without issues, and is fast again. What is next?
Regards,
trags
trags
Regular Member
 
Posts: 19
Joined: December 26th, 2008, 3:46 pm

Re: Unwanted IE windows

Unread postby chryssi2001 » January 19th, 2009, 8:18 am

Hello trags :) ,

Regarding the twain32 folder, Combofix didn't show that it removed it, although it doesn't exist in your folders anymore, as the report shows. Can you remember what the message was?

We can bring it back if you want, just let me know; it should be in the Combofix Quarantine folder.
Note: Do not remove Combofix if you want to bring it back.

If you can easily recreate it like you did the first time, no reason to bring it back.

You are good to go. :cheers:

Let's remove some tools we used.

FileLook
C:\Rooter$
c:\program files\NewMbAM << You can leave this, or uninstall it and install it properly again.
C:\gmer

I will give you special instructions to uninstall Combofix.
My instructions will uninstall Combofix and all its files, reports etc.
If after you do that C:\NewCombo-Fix is still on your pc, remove it manually.
----------------------------------------------
Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
The above procedure will reset your System Restore and clear out the backups and quarantines created during the course of this fix.
----------------------------------------------
Congratulations, your machine appears to be clean! :)

Here are some free programs I recommend that could help you improve your computer's security.

Spybot Search and Destroy 1.6
Download it from here. Just choose a mirror and off you go.
Find the tutorial on how to use Spybot properly here

Install SpyWare Blaster 4.0
Download it from here
Find the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works

Install FireTrust SiteHound
You can find information and download it from here

Install MVPS Hosts File from here
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Note 1: If you are running Windows XP SP2, you should upgrade to SP3.
Note 2: Users of Norton Internet Security 2008 and newer versions should uninstall the software before they install Service Pack 3.
The security suite can then be reinstalled afterwards.

Please check out Tony Klein's article "How did I get infected in the first place?"

Read some information here on how to prevent Malware.

Is your pc running slow?
Read What to do if your Computer is running slowly

Happy safe surfing!
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
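The HOSTS-file mechanism described in the post above, as an added example that is not part of the post, of the MVPS project, or of any tool in this thread: a small Python script that parses a Windows HOSTS file the way the resolver reads it (comments, tabs, several names per line, IPv4 and IPv6) and reports three things a defender wants to know after a cleanup: which names the file blocks by pointing them at the local machine, which names it points somewhere else (a redirect, which a blocklist never needs), and whether any update or security-vendor domain has ended up blocked, which would silently cut the machine off from patches. The sample HOSTS content and the watch-list of domains are constructed for this example, not taken from the thread.

```python
"""Parse and audit a Windows HOSTS file (added example, constructed data).

A HOSTS entry is "<address> <hostname> [<hostname> ...]", optionally followed
by a "#" comment. Mapping a name to 127.0.0.1 (or 0.0.0.0 / ::1) makes it
resolve to the local machine, which is how the MVPS list blocks ad sites.
"""
import ipaddress

# Addresses that make a name unreachable (blocked) rather than redirected.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Assumption for this example: domains a legitimate blocklist would never
# contain. An entry for one of these, whatever the address, deserves a look
# because it disables updates or security tooling without any visible error.
WATCH_DOMAINS = {"update.microsoft.com", "windowsupdate.com",
                 "mcafee.com", "secunia.com"}

# Constructed sample, modelled on a Windows HOSTS file after a blocklist install.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# constructed sample, not a real HOSTS file
127.0.0.1       localhost
::1             localhost
# blocklist entries in the MVPS style (constructed)
127.0.0.1  ads.example.net    # [Ad network]
127.0.0.1  tracker.example.org counter.example.org
# entries of the kind a tampered HOSTS file contains (constructed)
127.0.0.1  update.microsoft.com
203.0.113.5  www.example-bank.com
"""


def parse_hosts(text):
    """Yield (address, hostname, line_no) for every mapping in a HOSTS file."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])  # validates IPv4 and IPv6
        except ValueError:
            continue  # malformed line: the resolver ignores it, so do we
        for host in parts[1:]:
            yield str(addr), host.lower(), line_no


def audit_hosts(text):
    """Classify each mapping as blocked, redirected, or a watch-list hit."""
    result = {"blocked": set(), "redirected": [], "watch_hits": []}
    for addr, host, line_no in parse_hosts(text):
        if host == "localhost":
            continue  # the one loopback mapping every HOSTS file should have
        if addr in SINK_ADDRESSES:
            result["blocked"].add(host)
        else:
            # A blocklist never needs this: the name now resolves to a
            # foreign address, which is the pattern behind phishing redirects.
            result["redirected"].append((host, addr, line_no))
        if any(host == d or host.endswith("." + d) for d in WATCH_DOMAINS):
            result["watch_hits"].append((host, addr, line_no))
    return result


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print("blocked names:", len(report["blocked"]))
    for host, addr, line_no in report["redirected"]:
        print(f"line {line_no}: {host} is redirected to {addr}")
    for host, addr, line_no in report["watch_hits"]:
        print(f"line {line_no}: watch-list domain {host} -> {addr}")
```

On a real machine the text would be read from %SystemRoot%\system32\drivers\etc\hosts instead of SAMPLE_HOSTS; the watch-list is the part to adapt to whichever update and security products the machine actually relies on.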

Re: Unwanted IE windows

Unread postby Blade81 » January 21st, 2009, 1:03 pm

This topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Blade81
Admin/Teacher
 
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland