I think I'm infected

Unread postby Grimblade » January 28th, 2009, 12:19 am

I can't tell, but I have a feeling I'm infected with a virus, or something. I can't access certain sites (download.microsoft.com, download.mcafee.com, etc...) and can't update my McAfee, or Malwarebytes. Also on websites I have visited recently, they are all showing Vimax ads, but they never have in the past. Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:15:00 PM, on 1/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Autorun Eater] d:\Program Files\Autorun Eater\oldmcdonald.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E56B747-E103-44DE-8565-5E1BE8C628FE}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: crd - Unknown owner - C:\DOCUME~1\VICKI~1.JAM\LOCALS~1\Temp\IXP001.TMP\poststp.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSN Toolbar Setup (mstbsvc) - Unknown owner - C:\Program Files\MSN\Toolbar\3.0.0988.2\mstbsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe

--
End of file - 6632 bytes


Any assistance is very appreciated!
Grimblade
Active Member
 
Posts: 6
Joined: January 27th, 2009, 11:13 pm
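The log above is what the helpers on this board read by hand: O4 lines are autostart entries, O17 lines are per-interface DNS settings, and O23 lines are services. The following Python script is an added example for readers of this thread, not a MalwareRemoval.com tool and not part of HijackThis; it parses those three line types and flags the things an analyst checks first, such as a service whose binary is missing or unsigned-by-name, or a service or autostart launched from a Temp folder. The sample lines are copied from the HijackThis log posted above; the regular expressions and the triage rules are this example's own assumptions about the v2.0.2 line format.

```python
"""Triage helper for Trend Micro HijackThis v2 logs (added example, not a
MalwareRemoval.com or HijackThis tool). Parses O4 / O17 / O23 lines and
flags the entries an analyst would look at first."""
import re
from dataclasses import dataclass, field

# Sample lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E56B747-E103-44DE-8565-5E1BE8C628FE}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: crd - Unknown owner - C:\DOCUME~1\VICKI~1.JAM\LOCALS~1\Temp\IXP001.TMP\poststp.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MSN Toolbar Setup (mstbsvc) - Unknown owner - C:\Program Files\MSN\Toolbar\3.0.0988.2\mstbsvc.exe (file missing)
"""

# Line shapes as they appear in HijackThis v2.0.2 output (assumed from the posted log).
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DNS_RE = re.compile(r"^O17 - (?P<key>.*?): NameServer = (?P<servers>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# Any path component named "Temp" (case-insensitive), e.g. ...\LOCALS~1\Temp\...
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass
class Entry:
    kind: str                      # "O4", "O17" or "O23"
    raw: str                       # the original log line
    fields: dict = field(default_factory=dict)  # named groups from the regex


@dataclass
class Finding:
    entry: Entry
    reasons: list                  # human-readable reasons the entry was flagged


def parse_log(text):
    """Return the O4/O17/O23 entries found in a HijackThis log, in log order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        for kind, rx in (("O4", RUN_RE), ("O17", DNS_RE), ("O23", SVC_RE)):
            m = rx.match(line)
            if m:
                entries.append(Entry(kind, line, m.groupdict()))
                break
    return entries


def triage(entries):
    """Apply simple analyst heuristics; return only the entries worth a second look."""
    findings = []
    for e in entries:
        reasons = []
        if e.kind == "O23":
            path = e.fields["path"]
            if path.endswith("(file missing)"):
                reasons.append("service binary missing on disk")
            if e.fields["owner"] == "Unknown owner":
                reasons.append("no publisher recorded for service")
            if TEMP_RE.search(path):
                reasons.append("service binary under a Temp folder")
        elif e.kind == "O4":
            if TEMP_RE.search(e.fields["cmd"]):
                reasons.append("autostart launched from a Temp folder")
        elif e.kind == "O17":
            servers = [s.strip() for s in e.fields["servers"].split(",")]
            # DNS settings are always reported: the reader must confirm they
            # match the resolvers the machine is supposed to use.
            reasons.append("per-interface NameServer set: " + ", ".join(servers)
                           + " (confirm these are the resolvers you expect)")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f.entry.raw)
        for r in f.reasons:
            print("    ->", r)
```

Run against the sample, the script reports the O17 line for confirmation and flags both O23 services that have no recorded publisher and a missing binary; the `crd` service is additionally flagged because its path sits under a user's Temp folder. The ordinary Run keys and the Java Quick Starter service produce no finding, which is the point of the heuristics: they narrow a long log down to the few lines that need a human decision, they do not decide anything on their own.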

Re: I think I'm infected

Unread postby Bio-Hazard » January 30th, 2009, 11:09 am

Hello and Welcome to forums!

My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

  • I will be working on your Malware issues this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If you don't know or understand something please don't hesitate to ask.
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • It is important that you reply to this thread. Do not start a new topic.
  • Absence of symptoms does not mean that everything is clear.

NOTE: Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: I think I'm infected

Unread postby Bio-Hazard » January 30th, 2009, 11:13 am

Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

HOW TO USE COMBOFIX

IMPORTANT: combofix.exe MUST be on your Desktop for us to proceed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Double click on ComboFix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

NOTE: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Combofix should never take more than 20 minutes including the reboot if malware is detected.


Next Reply

Please reply with:
  • ComboFix log (found at C:\Combofix.txt)
  • New HijackThis log
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: I think I'm infected

Unread postby Grimblade » January 30th, 2009, 7:56 pm

Thanks! I ran combofix and it detected and removed rootkits. Here are the new logs requested:

ComboFix 09-01-21.04 - James 2009-01-30 16:28:58.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2906 [GMT -7:00]
Running from: c:\documents and settings\James.JAMES-HOME\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\James\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\drivers\gaopdxvpevrxms.sys
c:\windows\system32\drivers\gaopdxxiqhextu.sys
c:\windows\system32\gaopdxwqjnvmet.dll
D:\resycled
d:\resycled\ntldr.com
E:\resycled
e:\resycled\ntldr.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-30 )))))))))))))))))))))))))))))))
.

2009-01-26 09:40 . 2009-01-20 16:41 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-01-22 20:00 . 2009-01-18 14:30 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-01-22 19:59 . 2009-01-22 19:59 <DIR> d-------- c:\program files\Lavasoft
2009-01-22 19:59 . 2009-01-22 20:00 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
2009-01-22 19:59 . 2009-01-22 19:59 <DIR> d--h-c--- c:\documents and settings\All Users.WINDOWS\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-20 16:41 . 2009-01-26 09:40 <DIR> d-------- c:\documents and settings\James.JAMES-HOME\.housecall6.6
2009-01-20 16:27 . 2009-01-20 16:27 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Blizzard
2009-01-19 18:59 . 2008-04-14 00:15 26,368 --a------ c:\windows\system32\drivers\usbstor.bak
2009-01-19 18:55 . 2009-01-19 18:55 <DIR> d-------- c:\documents and settings\VICKI~1~JAM\LOCALS~1
2009-01-19 18:55 . 2009-01-19 18:55 <DIR> d-------- c:\documents and settings\VICKI~1~JAM
2009-01-19 18:55 . 1998-10-29 16:45 306,688 --a------ c:\windows\IsUninst.exe
2009-01-19 11:00 . 2009-01-19 11:08 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\NOS
2009-01-10 08:45 . 2009-01-10 08:45 <DIR> d-------- c:\documents and settings\Vicki.JAMES-HOME\Application Data\MSNInstaller
2009-01-03 15:45 . 2009-01-04 16:45 245 --a------ c:\windows\lexstat.ini
2009-01-03 15:45 . 2009-01-03 15:45 76 --a------ c:\windows\dellstat.ini
2009-01-03 15:44 . 2009-01-03 15:44 <DIR> d-------- c:\documents and settings\Vicki.JAMES-HOME\WINDOWS
2009-01-03 15:44 . 1997-04-08 20:08 299,520 --a------ c:\windows\uninst.exe
2009-01-03 15:44 . 2001-08-17 22:36 87,040 --a------ c:\windows\system32\wiafbdrv.dll
2009-01-03 15:44 . 2001-08-17 22:36 87,040 --a--c--- c:\windows\system32\dllcache\wiafbdrv.dll
2009-01-03 15:43 . 2009-01-03 15:43 <DIR> d-------- C:\Lexmark
2009-01-01 17:45 . 2009-01-01 17:45 262,144 --a------ c:\windows\system32\wrap_oal.dll
2009-01-01 17:45 . 2009-01-01 17:45 86,016 --a------ c:\windows\system32\OpenAL32.dll
2009-01-01 17:43 . 2009-01-01 17:43 <DIR> d-------- c:\windows\system32\Futuremark
2009-01-01 17:43 . 2007-09-07 14:55 27,672 --a------ c:\windows\system32\drivers\Entech.sys
2009-01-01 17:43 . 2007-09-07 14:55 12,744 --a------ c:\windows\system32\drivers\Entech64.sys
2009-01-01 17:43 . 2007-09-07 14:55 6,173 --a------ c:\windows\system32\drivers\Entech.vxd
2009-01-01 17:43 . 2001-11-19 20:05 3,972 --a------ c:\windows\system32\drivers\PciBus.sys
2008-12-31 17:48 . 2008-12-31 17:47 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-31 17:48 . 2008-12-31 17:47 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-31 17:21 . 2008-04-14 05:42 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-12-31 17:21 . 2008-04-14 00:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-12-31 17:21 . 2008-04-14 00:15 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-12-31 17:21 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-12-25 21:18 . 2008-12-25 21:18 <DIR> d-------- c:\documents and settings\James.JAMES-HOME\Application Data\Acreon
2008-12-21 20:06 . 2008-12-21 20:06 262 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2008-12-21 20:01 . 2008-12-21 20:22 <DIR> d-------- c:\documents and settings\James.JAMES-HOME\Application Data\Ventrilo
2008-12-16 20:30 . 2009-01-26 00:48 <DIR> d-------- c:\program files\SpeedFan
2008-12-16 20:30 . 2008-12-16 20:30 45 --a------ c:\windows\system32\initdebug.nfo
2008-12-15 16:04 . 2008-02-27 12:49 3,840 --a------ c:\windows\system32\drivers\BANTExt.sys
2008-12-15 15:26 . 2009-01-30 16:27 11,163 --a------ c:\windows\system32\Config.MPF
2008-12-15 15:25 . 2006-03-03 08:07 143,360 --a------ c:\windows\system32\dunzip32.dll
2008-12-15 15:22 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
2008-12-15 15:22 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2008-12-15 15:22 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2008-12-15 15:22 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2008-12-15 15:22 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2008-12-15 15:22 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
2008-12-15 15:21 . 2008-12-15 15:21 <DIR> d-------- c:\program files\McAfee.com
2008-12-15 15:21 . 2008-12-15 22:09 <DIR> d-------- c:\program files\McAfee
2008-12-15 15:01 . 2008-12-15 15:01 <DIR> d-------- c:\documents and settings\James.JAMES-HOME\Application Data\Malwarebytes
2008-12-15 15:01 . 2008-12-15 15:01 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-12-15 15:01 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-15 15:01 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-15 08:28 . 2008-12-15 08:28 <DIR> d-------- c:\windows\system32\XPSViewer
2008-12-15 08:28 . 2008-12-15 08:28 <DIR> d-------- c:\program files\MSBuild
2008-12-15 08:27 . 2008-12-15 08:27 <DIR> d-------- c:\program files\Reference Assemblies
2008-12-15 08:27 . 2008-07-06 05:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2008-12-15 08:27 . 2008-07-06 05:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll
2008-12-15 08:27 . 2008-07-06 03:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2008-12-15 08:27 . 2008-07-06 05:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2008-12-15 08:27 . 2008-07-06 05:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll
2008-12-15 08:27 . 2008-07-06 05:06 117,760 --------- c:\windows\system32\prntvpt.dll
2008-12-15 08:27 . 2008-07-06 05:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2008-12-15 07:37 . 2008-12-15 15:26 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\McAfee
2008-12-14 23:02 . 2008-12-14 23:02 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Logitech
2008-12-14 22:58 . 2007-11-14 15:18 553 --a------ c:\windows\USetup.iss
2008-12-14 22:57 . 2008-12-14 22:57 <DIR> d-------- c:\documents and settings\JAMES~1~JAM\LOCALS~1
2008-12-14 22:57 . 2008-12-14 22:57 <DIR> d-------- c:\documents and settings\JAMES~1~JAM
2008-12-14 22:57 . 2008-12-14 22:57 940,794 --a------ c:\windows\system32\LoopyMusic.wav
2008-12-14 22:57 . 2008-03-05 18:07 520,192 --a------ c:\windows\RtlExUpd.dll
2008-12-14 22:57 . 2008-12-14 22:57 315,392 --a------ c:\windows\HideWin.exe
2008-12-14 22:57 . 2008-12-14 22:57 146,650 --a------ c:\windows\system32\BuzzingBee.wav
2008-12-14 22:57 . 2006-08-01 15:02 49,152 --a------ c:\windows\system32\ChCfg.exe
2008-12-14 20:30 . 2008-04-14 00:15 26,368 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2008-12-14 19:59 . 2003-06-18 17:31 17,920 --a------ c:\windows\system32\mdimon.dll
2008-12-14 17:54 . 2008-12-14 20:30 376 --a------ c:\windows\ODBC.INI
2008-12-14 16:08 . 2008-06-13 04:05 272,128 --------- c:\windows\system32\drivers\bthport.sys
2008-12-14 16:08 . 2008-06-13 04:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-12-14 16:06 . 2008-08-14 03:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-14 16:06 . 2008-08-14 03:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-14 16:06 . 2008-08-14 02:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-14 16:06 . 2008-08-14 02:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-14 16:06 . 2008-10-24 04:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-14 16:05 . 2007-11-30 04:18 26,488 --a------ c:\windows\system32\spupdsvc.exe
2008-12-14 16:03 . 2008-12-14 16:03 0 --a------ c:\windows\nsreg.dat
2008-12-14 15:53 . 2008-12-14 15:53 <DIR> d-------- c:\program files\Linksys Wireless-G Wireless Network Monitor
2008-12-14 15:53 . 2004-12-22 01:32 1,396,831 --a------ c:\windows\system32\AegisE5.dll
2008-12-14 15:53 . 2003-11-20 22:03 651,264 --a------ c:\windows\system32\libeay32.dll
2008-12-14 15:53 . 2003-11-20 22:03 147,456 --a------ c:\windows\system32\ssleay32.dll
2008-12-14 15:53 . 2003-10-13 15:30 94,208 --a------ c:\windows\system32\GTW32N50.dll
2008-12-14 15:53 . 2005-03-04 03:13 71,520 --a------ c:\windows\system32\drivers\WMP54GS.inf
2008-12-14 15:53 . 2003-09-25 23:28 31,930 --a------ c:\windows\system32\GTNDIS3.VXD
2008-12-14 15:53 . 2008-12-14 15:53 17,801 --a------ c:\windows\system32\drivers\AegisP.sys
2008-12-14 15:53 . 2003-09-25 22:15 15,872 --a------ c:\windows\system32\GTNDIS5.sys
2008-12-14 15:53 . 2005-03-07 11:50 7,986 --a------ c:\windows\system32\drivers\WMP54GS.cat
2008-12-14 15:53 . 2008-12-14 15:53 4,279 --a------ c:\windows\system32\WLAN.INI
2008-12-14 15:44 . 2009-01-25 19:47 <DIR> d-------- c:\documents and settings\Vicki.JAMES-HOME
2008-12-14 15:38 . 2009-01-20 16:41 <DIR> d-------- c:\documents and settings\James.JAMES-HOME
2008-12-14 15:36 . 2008-12-14 15:36 <DIR> d--hs---- c:\documents and settings\NetworkService.NT AUTHORITY
2008-12-14 15:36 . 2008-12-14 15:36 <DIR> d--hs---- c:\documents and settings\LocalService.NT AUTHORITY
2008-12-14 15:36 . 2008-12-14 15:36 8,192 --a------ c:\windows\REGLOCS.OLD
2008-12-14 15:33 . 2008-04-13 21:42 2,134,528 --a--c--- c:\windows\system32\dllcache\smtpsnap.dll
2008-12-14 15:32 . 2008-12-14 15:32 316,640 --a------ c:\windows\WMSysPr9.prx
2008-12-14 15:32 . 2008-12-17 18:32 23,392 --a------ c:\windows\system32\nscompat.tlb
2008-12-14 15:32 . 2008-12-17 18:32 16,832 --a------ c:\windows\system32\amcompat.tlb
2008-12-14 15:32 . 2008-12-14 15:32 2,577 --a------ c:\windows\system32\CONFIG.NT
2008-12-14 15:32 . 2008-12-14 15:32 0 --a------ c:\windows\control.ini
2008-12-14 15:31 . 2008-12-17 18:31 <DIR> d--hs---- c:\documents and settings\All Users.WINDOWS\DRM
2008-12-14 15:30 . 2008-04-13 21:42 3,166,208 --a--c--- c:\windows\system32\dllcache\msgr3en.dll
2008-12-14 15:29 . 2008-04-13 21:41 2,061,824 --a------ c:\windows\system32\mstscax.dll
2008-12-14 15:28 . 2008-04-14 00:02 196,224 --a------ c:\windows\system32\drivers\rdpdr.sys
2008-12-14 15:28 . 2008-04-13 21:41 185,344 --a--c--- c:\windows\system32\dllcache\cmprops.dll
2008-12-14 15:28 . 2008-04-13 21:41 185,344 --a------ c:\windows\system32\cmprops.dll
2008-12-14 15:28 . 2008-04-13 21:41 58,880 --a------ c:\windows\system32\licwmi.dll
2008-12-14 15:28 . 2008-04-13 21:41 58,880 --a--c--- c:\windows\system32\dllcache\licwmi.dll
2008-12-14 15:28 . 2008-04-14 05:43 40,840 --a------ c:\windows\system32\drivers\termdd.sys
2008-12-14 08:26 . 2008-04-13 17:15 172,416 --a------ c:\windows\system32\drivers\kmixer.sys
2008-12-14 08:26 . 2008-04-13 15:09 142,592 --a------ c:\windows\system32\drivers\aec.sys
2008-12-14 08:26 . 2008-04-13 17:47 83,072 --a------ c:\windows\system32\drivers\wdmaud.sys
2008-12-14 08:26 . 2008-04-13 17:45 60,800 --a------ c:\windows\system32\drivers\sysaudio.sys
2008-12-14 08:26 . 2008-04-13 17:15 56,576 --a------ c:\windows\system32\drivers\swmidi.sys
2008-12-14 08:26 . 2008-04-13 17:15 52,864 --a------ c:\windows\system32\drivers\DMusic.sys
2008-12-14 08:26 . 2008-04-13 17:09 7,552 --a------ c:\windows\system32\drivers\MSKSSRV.sys
2008-12-14 08:26 . 2008-04-13 17:15 6,272 --a------ c:\windows\system32\drivers\splitter.sys
2008-12-14 08:26 . 2008-04-13 17:09 5,376 --a------ c:\windows\system32\drivers\MSPCLOCK.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-19 18:08 --------- d-----w c:\program files\NOS
2009-01-19 18:02 --------- d-----w c:\program files\Common Files\Adobe
2009-01-03 22:45 --------- d-----w c:\program files\Lexmark 1200 Series
2009-01-02 00:43 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-01 00:47 --------- d-----w c:\program files\Java
2008-12-15 06:02 --------- d-----w c:\program files\Logitech
2008-12-15 05:52 --------- d-----w c:\program files\Opera
2008-12-14 17:48 --------- d-----w c:\documents and settings\James\Application Data\Azureus
2008-12-12 05:34 --------- d-----w c:\program files\SystemRequirementsLab
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-19 19:04 18,537 ----a-w c:\program files\Common Files\gigaq._dl
2008-10-19 19:04 16,087 ----a-w c:\program files\Common Files\onoge._dl
2008-10-16 21:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 21:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 21:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 21:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 21:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 21:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2007-10-06 00:00 256 ----a-w c:\documents and settings\James\pool.bin
2006-09-10 03:39 32 ----a-r c:\documents and settings\All Users\hash.dat
2005-04-20 01:25 53,323 ----a-w c:\program files\opera\program\plugins\PlugDef.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-04 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-04 81920]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 2051096]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 2095640]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-31 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Autorun Eater"="d:\program files\Autorun Eater\oldmcdonald.exe" [2008-11-27 501768]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-18 506712]
"nwiz"="nwiz.exe" [2007-12-04 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-03-06 c:\windows\RTHDCPL.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-22 64160]
R4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 921936]
S3 RTCore32;RTCore32;d:\program files\RMClock\RTCore32.sys [2008-02-04 4608]
S4 crd;crd;c:\docume~1\VICKI~1.JAM\LOCALS~1\Temp\IXP001.TMP\poststp.exe --> c:\docume~1\VICKI~1.JAM\LOCALS~1\Temp\IXP001.TMP\poststp.exe [?]
S4 mstbsvc;MSN Toolbar Setup;"c:\program files\MSN\Toolbar\3.0.0988.2\mstbsvc.exe" --> c:\program files\MSN\Toolbar\3.0.0988.2\mstbsvc.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - upnphost
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - WMP54GSSVC
*Deregistered* - WMPNetworkSvc
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC
.
Contents of the 'Scheduled Tasks' folder

2009-01-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 14:34]

2009-01-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)


.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {4E56B747-E103-44DE-8565-5E1BE8C628FE} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\James.JAMES-HOME\Application Data\Mozilla\Firefox\Profiles\083zf3hk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-30 16:33:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-30 16:34:26
ComboFix-quarantined-files.txt 2009-01-30 23:34:22

Pre-Run: 2,035,515,392 bytes free
Post-Run: 2,741,501,952 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

272 --- E O F --- 2009-01-14 10:00:34
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:56:35 PM, on 1/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Autorun Eater] d:\Program Files\Autorun Eater\oldmcdonald.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E56B747-E103-44DE-8565-5E1BE8C628FE}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: crd - Unknown owner - C:\DOCUME~1\VICKI~1.JAM\LOCALS~1\Temp\IXP001.TMP\poststp.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSN Toolbar Setup (mstbsvc) - Unknown owner - C:\Program Files\MSN\Toolbar\3.0.0988.2\mstbsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe

--
End of file - 6084 bytes
Grimblade
Active Member
 
Posts: 6
Joined: January 27th, 2009, 11:13 pm
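The O23 service line for `crd` in the log above is the kind of entry a helper spots by eye: no recorded owner, a binary under a user's Temp folder, and the file already gone. The following Python script is an added example, not code from the thread or from HijackThis, that applies those same three checks to O23 lines and compares O17 NameServer addresses against a small allow-list (the two OpenDNS resolvers that appear in this log). The sample input is constructed from lines copied from the post plus one invented O17 line using a TEST-NET address so the resolver check has something to flag; the thresholds and the "high"/"medium" labels are the example's own assumptions.

```python
"""Triage HijackThis O23 (service) and O17 (NameServer) lines.

Added example for the thread above; the heuristics are assumptions a
helper might use, not HijackThis or ComboFix logic.
"""
import re
from dataclasses import dataclass, field

# Constructed sample log. The first five lines are copied from the HijackThis
# log posted above; the final O17 line is invented (TEST-NET-1 address) so the
# resolver check has something to flag.
SAMPLE_LINES = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{4E56B747-E103-44DE-8565-5E1BE8C628FE}: NameServer = 208.67.222.222,208.67.220.220",
    r"O23 - Service: crd - Unknown owner - C:\DOCUME~1\VICKI~1.JAM\LOCALS~1\Temp\IXP001.TMP\poststp.exe (file missing)",
    r"O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe",
    r"O23 - Service: MSN Toolbar Setup (mstbsvc) - Unknown owner - C:\Program Files\MSN\Toolbar\3.0.0988.2\mstbsvc.exe (file missing)",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{constructed-example}: NameServer = 192.0.2.53",
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)

# HijackThis O23 layout: "O23 - Service: <name> - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# HijackThis O17 layout: "O17 - <registry key>: NameServer = <ip>[,<ip>...]"
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")

# A service binary under a Temp or Local Settings folder is out of place;
# LOCALS~1 is the 8.3 short name for "Local Settings" on Windows XP.
TEMP_PATH_RE = re.compile(r"\\(temp|tmp|locals~1|local settings)\\", re.IGNORECASE)

# Resolvers accepted without comment: the two OpenDNS addresses from the log.
KNOWN_RESOLVERS = {"208.67.222.222", "208.67.220.220"}


@dataclass
class Finding:
    item: str                 # service name or the last component of the O17 key
    severity: str             # "high" or "medium" (assumed labels)
    reasons: list = field(default_factory=list)
    line: str = ""


def triage_service(line: str):
    """Return a Finding for an O23 line, or None if nothing looks off."""
    m = O23_RE.match(line)
    if not m:
        return None
    reasons = []
    if m["owner"].strip().lower() == "unknown owner":
        reasons.append("no publisher recorded for the service binary")
    if m["missing"]:
        reasons.append("binary missing: orphaned service entry")
    in_temp = bool(TEMP_PATH_RE.search(m["path"]))
    if in_temp:
        reasons.append("binary path is under a Temp / Local Settings folder")
    if not reasons:
        return None
    # A service launched from Temp is the strongest single signal here.
    return Finding(m["name"], "high" if in_temp else "medium", reasons, line)


def triage_nameserver(line: str):
    """Return a Finding for an O17 line whose resolvers are not allow-listed."""
    m = O17_RE.match(line)
    if not m:
        return None
    servers = [s.strip() for s in m["servers"].split(",")]
    unknown = [s for s in servers if s not in KNOWN_RESOLVERS]
    if not unknown:
        return None
    item = m["key"].rsplit("\\", 1)[-1]
    return Finding(item, "high", [f"NameServer {s} not in allow-list" for s in unknown], line)


def triage(log_text: str):
    """Run both checks over every line and return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        found = triage_service(line) or triage_nameserver(line)
        if found:
            findings.append(found)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.item}")
        for reason in f.reasons:
            print("   -", reason)
```

On the sample, `crd` comes out high with all three reasons, `mstbsvc` comes out medium (unknown owner and missing file, but a normal Program Files path), the Java and NVIDIA services are not reported, and the real O17 line passes because both addresses are on the allow-list. That ranking matches what the helper's CFScript below does: the `crd` service is deleted outright while `mstbsvc.exe` is only inspected with FileLook, since a missing binary under a known product's folder is just as often a leftover from an incomplete uninstall as it is malware.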

Re: I think I'm infected

Post by Bio-Hazard » January 31st, 2009, 12:35 pm

Run CFScript

  • Close any open browsers.
  • Open Notepad by clicking Start
  • Click Run
  • Type notepad into the box and press Enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:

Code:
Folder::
c:\docume~1\VICKI~1.JAM\LOCALS~1\Temp\IXP001.TMP
c:\documents and settings\James\Application Data\Azureus

File::
c:\program files\Common Files\gigaq._dl
c:\program files\Common Files\onoge._dl

Driver::
crd

FileLook::
c:\program files\MSN\Toolbar\3.0.0988.2\mstbsvc.exe


Save this as CFScript.txt, in the same location as ComboFix.exe (on your desktop)


Image


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

NOTE: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



ATF-Cleaner

Please download ATF Cleaner by Atribune.

  • Save it to your desktop
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use the Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords please click No at the prompt.
  • Click Exit on the Main menu to close the program.


Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply along with a fresh HijackThis log.


Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:
  • ComboFix log (found at C:\Combofix.txt)
  • A fresh HijackThis Log ( after all the above has been done)
  • A description of how your computer is behaving
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: I think I'm infected

Post by Grimblade » February 1st, 2009, 4:07 am

I appreciate all the help with this! Well, so far things appear to be running better. I can access download.microsoft.com and download.mcafee.com, as well as update my McAfee and Malwarebytes (have not run them yet). Currently I'm also not seeing the Vimax ads that I was seeing on all websites with ads either (now they are the normal things I was seeing before).

Here are the logs requested so far:
Kaspersky:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, February 1, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, February 01, 2009 03:12:01
Records in database: 1733830
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 362188
Threat name: 4
Infected objects: 10
Suspicious objects: 0
Duration of the scan: 04:23:21


File name / Threat name / Threats count
C:\Documents and Settings\James.JAMES-HOME\.housecall6.6\Quarantine\Cliprexdsfree.exe.bac_a02960 Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ak 1
C:\Documents and Settings\James.JAMES-HOME\.housecall6.6\Quarantine\Cliprexdsfree.exe.bac_a02960 Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1
C:\Documents and Settings\James.JAMES-HOME\.housecall6.6\Quarantine\Cliprexdsfree.exe.bac_a03968 Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ak 1
C:\Documents and Settings\James.JAMES-HOME\.housecall6.6\Quarantine\Cliprexdsfree.exe.bac_a03968 Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1
C:\Program Files\Musicmatch\Common\ComponentMgr\HoldingArea\WebSys\WebSys.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
C:\Program Files\Musicmatch\Musicmatch Jukebox\WebSys\offline.mmz Infected: not-a-virus:RiskTool.Win32.Deleter.f 1
C:\Qoobox\Quarantine\D\resycled\ntldr.com.vir Infected: Worm.Win32.AutoTDSS.blt 1
C:\Qoobox\Quarantine\E\resycled\ntldr.com.vir Infected: Worm.Win32.AutoTDSS.blt 1
D:\CDVD\Cdvd.exe Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ak 1
D:\CDVD\Cdvd.exe Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1

The selected area was scanned.

~~~~~~~~~~~~~~~

ComboFix log:
ComboFix 09-01-31.01 - James 2009-01-31 19:50:34.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2841 [GMT -7:00]
Running from: c:\documents and settings\James.JAMES-HOME\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\James.JAMES-HOME\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point

FILE ::
c:\program files\Common Files\gigaq._dl
c:\program files\Common Files\onoge._dl
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\James\Application Data\Azureus
c:\documents and settings\James\Application Data\Azureus\.certs
c:\documents and settings\James\Application Data\Azureus\.keystore
c:\documents and settings\James\Application Data\Azureus\.lock
c:\documents and settings\James\Application Data\Azureus\active\0725A084CBD540D09900CEF9CED97424ACE7ADE5.dat
c:\documents and settings\James\Application Data\Azureus\active\0725A084CBD540D09900CEF9CED97424ACE7ADE5.dat.bak
c:\documents and settings\James\Application Data\Azureus\active\4598AEA2631347B9637D34EF849628BFDF198851.dat
c:\documents and settings\James\Application Data\Azureus\active\4598AEA2631347B9637D34EF849628BFDF198851.dat.bak
c:\documents and settings\James\Application Data\Azureus\active\cache.dat
c:\documents and settings\James\Application Data\Azureus\azureus.config
c:\documents and settings\James\Application Data\Azureus\azureus.config.bak
c:\documents and settings\James\Application Data\Azureus\azureus.statistics
c:\documents and settings\James\Application Data\Azureus\azureus.statistics.bak
c:\documents and settings\James\Application Data\Azureus\banips.config
c:\documents and settings\James\Application Data\Azureus\banips.config.bak
c:\documents and settings\James\Application Data\Azureus\dht\addresses.dat
c:\documents and settings\James\Application Data\Azureus\dht\contacts.dat
c:\documents and settings\James\Application Data\Azureus\dht\diverse.dat
c:\documents and settings\James\Application Data\Azureus\dht\general.dat
c:\documents and settings\James\Application Data\Azureus\dht\version.dat
c:\documents and settings\James\Application Data\Azureus\downloads.config
c:\documents and settings\James\Application Data\Azureus\downloads.config.bak
c:\documents and settings\James\Application Data\Azureus\friends.config
c:\documents and settings\James\Application Data\Azureus\friends.config.bak
c:\documents and settings\James\Application Data\Azureus\ipfilter.cache
c:\documents and settings\James\Application Data\Azureus\logs\alerts_1.log
c:\documents and settings\James\Application Data\Azureus\logs\AutoSpeed_1.log
c:\documents and settings\James\Application Data\Azureus\logs\AutoSpeed_2.log
c:\documents and settings\James\Application Data\Azureus\logs\AutoSpeedSearchHistory_1.log
c:\documents and settings\James\Application Data\Azureus\logs\AutoSpeedSearchHistory_2.log
c:\documents and settings\James\Application Data\Azureus\logs\clientid_1.log
c:\documents and settings\James\Application Data\Azureus\logs\debug_1.log
c:\documents and settings\James\Application Data\Azureus\logs\debug_2.log
c:\documents and settings\James\Application Data\Azureus\logs\Friends_1.log
c:\documents and settings\James\Application Data\Azureus\logs\MetaSearch_1.log
c:\documents and settings\James\Application Data\Azureus\logs\MetaSearch_2.log
c:\documents and settings\James\Application Data\Azureus\logs\MetaSearch_Engine_-1334422170.txt
c:\documents and settings\James\Application Data\Azureus\logs\MetaSearch_Engine_2442043648.txt
c:\documents and settings\James\Application Data\Azureus\logs\MetaSearch_Engine_3.txt
c:\documents and settings\James\Application Data\Azureus\logs\MetaSearch_Engine_4.txt
c:\documents and settings\James\Application Data\Azureus\logs\MetaSearch_Engine_5.txt
c:\documents and settings\James\Application Data\Azureus\logs\MetaSearch_Engine_7.txt
c:\documents and settings\James\Application Data\Azureus\logs\MetaSearch_Engine_8.txt
c:\documents and settings\James\Application Data\Azureus\logs\MetaSearch_Engine_9.txt
c:\documents and settings\James\Application Data\Azureus\logs\NetStatus_1.log
c:\documents and settings\James\Application Data\Azureus\logs\save\1229275598515_alerts_1.log
c:\documents and settings\James\Application Data\Azureus\logs\save\1229275598515_AutoSpeed_1.log
c:\documents and settings\James\Application Data\Azureus\logs\save\1229275598515_AutoSpeed_2.log
c:\documents and settings\James\Application Data\Azureus\logs\save\1229275598515_AutoSpeedSearchHistory_1.log
c:\documents and settings\James\Application Data\Azureus\logs\save\1229275598515_AutoSpeedSearchHistory_2.log
c:\documents and settings\James\Application Data\Azureus\logs\save\1229275598515_clientid_1.log
c:\documents and settings\James\Application Data\Azureus\logs\save\1229275598515_debug_1.log
c:\documents and settings\James\Application Data\Azureus\logs\save\1229275598515_debug_2.log
c:\documents and settings\James\Application Data\Azureus\logs\save\1229275598515_Friends_1.log
c:\documents and settings\James\Application Data\Azureus\logs\save\1229275598515_MetaSearch_1.log
c:\documents and settings\James\Application Data\Azureus\logs\save\1229275598515_MetaSearch_2.log
c:\documents and settings\James\Application Data\Azureus\logs\save\1229275598515_MetaSearch_Engine_-1334422170.txt
c:\documents and settings\James\Application Data\Azureus\logs\save\1229275598515_MetaSearch_Engine_2442043648.txt
c:\documents and settings\James\Application Data\Azureus\logs\save\1229275598515_MetaSearch_Engine_3.txt
c:\documents and settings\James\Application Data\Azureus\logs\save\1229275598515_MetaSearch_Engine_4.txt
c:\documents and settings\James\Application Data\Azureus\logs\save\1229275598515_MetaSearch_Engine_5.txt
c:\documents and settings\James\Application Data\Azureus\logs\save\1229275598515_MetaSearch_Engine_7.txt
c:\documents and settings\James\Application Data\Azureus\logs\save\1229275598515_MetaSearch_Engine_8.txt
c:\documents and settings\James\Application Data\Azureus\logs\save\1229275598515_MetaSearch_Engine_9.txt
c:\documents and settings\James\Application Data\Azureus\logs\save\1229275598515_NetStatus_1.log
c:\documents and settings\James\Application Data\Azureus\logs\save\1229275598515_seltrace_1.log
c:\documents and settings\James\Application Data\Azureus\logs\save\1229275598515_SpeedMan_1.log
c:\documents and settings\James\Application Data\Azureus\logs\save\1229275598515_SpeedMan_2.log
c:\documents and settings\James\Application Data\Azureus\logs\save\1229275598515_Subscriptions_1.log
c:\documents and settings\James\Application Data\Azureus\logs\save\1229275598515_thread_1.log
c:\documents and settings\James\Application Data\Azureus\logs\save\1229275598515_thread_2.log
c:\documents and settings\James\Application Data\Azureus\logs\save\1229275598515_v3.ads_1.log
c:\documents and settings\James\Application Data\Azureus\logs\save\1229275598515_v3.CMsgr_1.log
c:\documents and settings\James\Application Data\Azureus\logs\save\1229275598515_v3.CMsgr_2.log
c:\documents and settings\James\Application Data\Azureus\logs\save\1229275598515_v3.emp_1.log
c:\documents and settings\James\Application Data\Azureus\logs\save\1229275598515_v3.Friends_1.log
c:\documents and settings\James\Application Data\Azureus\logs\save\1229275598515_v3.Friends_2.log
c:\documents and settings\James\Application Data\Azureus\logs\save\1229275598515_v3.MD_1.log
c:\documents and settings\James\Application Data\Azureus\logs\save\1229275598515_v3.PMsgr_1.log
c:\documents and settings\James\Application Data\Azureus\logs\save\1229275598515_v3.Stream_1.log
c:\documents and settings\James\Application Data\Azureus\logs\save\1229275598515_v3.STres_1.log
c:\documents and settings\James\Application Data\Azureus\logs\seltrace_1.log
c:\documents and settings\James\Application Data\Azureus\logs\SpeedMan_1.log
c:\documents and settings\James\Application Data\Azureus\logs\SpeedMan_2.log
c:\documents and settings\James\Application Data\Azureus\logs\Subscriptions_1.log
c:\documents and settings\James\Application Data\Azureus\logs\thread_1.log
c:\documents and settings\James\Application Data\Azureus\logs\thread_2.log
c:\documents and settings\James\Application Data\Azureus\logs\v3.ads_1.log
c:\documents and settings\James\Application Data\Azureus\logs\v3.CMsgr_1.log
c:\documents and settings\James\Application Data\Azureus\logs\v3.CMsgr_2.log
c:\documents and settings\James\Application Data\Azureus\logs\v3.emp_1.log
c:\documents and settings\James\Application Data\Azureus\logs\v3.Friends_1.log
c:\documents and settings\James\Application Data\Azureus\logs\v3.Friends_2.log
c:\documents and settings\James\Application Data\Azureus\logs\v3.MD_1.log
c:\documents and settings\James\Application Data\Azureus\logs\v3.PMsgr_1.log
c:\documents and settings\James\Application Data\Azureus\logs\v3.Stream_1.log
c:\documents and settings\James\Application Data\Azureus\logs\v3.STres_1.log
c:\documents and settings\James\Application Data\Azureus\media\azpd\45TEVWOLEIXNXPVGO47RGQHWIQZDWH66.azpd
c:\documents and settings\James\Application Data\Azureus\metasearch.config
c:\documents and settings\James\Application Data\Azureus\metasearch.config.bak
c:\documents and settings\James\Application Data\Azureus\net\pm_33652.dat
c:\documents and settings\James\Application Data\Azureus\net\pm_default.dat
c:\documents and settings\James\Application Data\Azureus\sidebarauto.config
c:\documents and settings\James\Application Data\Azureus\sidebarauto.config.bak
c:\documents and settings\James\Application Data\Azureus\tables.config
c:\documents and settings\James\Application Data\Azureus\tables.config.bak
c:\documents and settings\James\Application Data\Azureus\timingstats.dat
c:\documents and settings\James\Application Data\Azureus\tmp\AZU18622.tmp
c:\documents and settings\James\Application Data\Azureus\tmp\AZU18623.tmp
c:\documents and settings\James\Application Data\Azureus\tmp\AZU18624.tmp
c:\documents and settings\James\Application Data\Azureus\tmp\AZU18625.tmp
c:\documents and settings\James\Application Data\Azureus\tmp\AZU18626.tmp
c:\documents and settings\James\Application Data\Azureus\tmp\AZU18627.tmp
c:\documents and settings\James\Application Data\Azureus\tmp\AZU18628.tmp
c:\documents and settings\James\Application Data\Azureus\tmp\AZU18629.tmp
c:\documents and settings\James\Application Data\Azureus\tmp\AZU18631.tmp
c:\documents and settings\James\Application Data\Azureus\tmp\AZU18635.tmp
c:\documents and settings\James\Application Data\Azureus\tmp\AZU18636.tmp
c:\documents and settings\James\Application Data\Azureus\tmp\AZU18637.tmp
c:\documents and settings\James\Application Data\Azureus\tmp\speedTestTorrent.torrent
c:\documents and settings\James\Application Data\Azureus\tracker.config
c:\documents and settings\James\Application Data\Azureus\tracker.config.bak
c:\documents and settings\James\Application Data\Azureus\unsentdata.config
c:\documents and settings\James\Application Data\Azureus\unsentdata.config.bak
c:\documents and settings\James\Application Data\Azureus\update.log
c:\documents and settings\James\Application Data\Azureus\update.properties
c:\documents and settings\James\Application Data\Azureus\v3.Friends.dat
c:\documents and settings\James\Application Data\Azureus\v3.Friends.dat.bak
c:\documents and settings\James\Application Data\Azureus\VuzeActivities.config
c:\documents and settings\James\Application Data\Azureus\VuzeActivities.config.bak
c:\program files\Common Files\gigaq._dl
c:\program files\Common Files\onoge._dl

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CRD
-------\Service_crd


((((((((((((((((((((((((( Files Created from 2009-01-01 to 2009-02-01 )))))))))))))))))))))))))))))))
.

2009-01-30 20:45 . 2009-01-30 17:03 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-01-26 09:40 . 2009-01-20 16:41 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-01-22 20:00 . 2009-01-18 14:30 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-01-22 19:59 . 2009-01-22 19:59 <DIR> d-------- c:\program files\Lavasoft
2009-01-22 19:59 . 2009-01-22 20:00 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
2009-01-22 19:59 . 2009-01-22 19:59 <DIR> d--h-c--- c:\documents and settings\All Users.WINDOWS\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-20 16:41 . 2009-01-26 09:40 <DIR> d-------- c:\documents and settings\James.JAMES-HOME\.housecall6.6
2009-01-20 16:27 . 2009-01-20 16:27 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Blizzard
2009-01-19 18:59 . 2008-04-14 00:15 26,368 --a------ c:\windows\system32\drivers\usbstor.bak
2009-01-19 18:55 . 2009-01-19 18:55 <DIR> d-------- c:\documents and settings\VICKI~1~JAM\LOCALS~1
2009-01-19 18:55 . 2009-01-19 18:55 <DIR> d-------- c:\documents and settings\VICKI~1~JAM
2009-01-19 18:55 . 1998-10-29 16:45 306,688 --a------ c:\windows\IsUninst.exe
2009-01-19 11:00 . 2009-01-19 11:08 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\NOS
2009-01-10 08:45 . 2009-01-10 08:45 <DIR> d-------- c:\documents and settings\Vicki.JAMES-HOME\Application Data\MSNInstaller
2009-01-03 15:45 . 2009-01-04 16:45 245 --a------ c:\windows\lexstat.ini
2009-01-03 15:45 . 2009-01-03 15:45 76 --a------ c:\windows\dellstat.ini
2009-01-03 15:44 . 2009-01-03 15:44 <DIR> d-------- c:\documents and settings\Vicki.JAMES-HOME\WINDOWS
2009-01-03 15:44 . 1997-04-08 20:08 299,520 --a------ c:\windows\uninst.exe
2009-01-03 15:44 . 2001-08-17 22:36 87,040 --a------ c:\windows\system32\wiafbdrv.dll
2009-01-03 15:44 . 2001-08-17 22:36 87,040 --a--c--- c:\windows\system32\dllcache\wiafbdrv.dll
2009-01-03 15:43 . 2009-01-03 15:43 <DIR> d-------- C:\Lexmark
2009-01-01 17:45 . 2009-01-01 17:45 262,144 --a------ c:\windows\system32\wrap_oal.dll
2009-01-01 17:45 . 2009-01-01 17:45 86,016 --a------ c:\windows\system32\OpenAL32.dll
2009-01-01 17:43 . 2009-01-01 17:43 <DIR> d-------- c:\windows\system32\Futuremark
2009-01-01 17:43 . 2007-09-07 14:55 27,672 --a------ c:\windows\system32\drivers\Entech.sys
2009-01-01 17:43 . 2007-09-07 14:55 12,744 --a------ c:\windows\system32\drivers\Entech64.sys
2009-01-01 17:43 . 2007-09-07 14:55 6,173 --a------ c:\windows\system32\drivers\Entech.vxd
2009-01-01 17:43 . 2001-11-19 20:05 3,972 --a------ c:\windows\system32\drivers\PciBus.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-26 07:48 --------- d-----w c:\program files\SpeedFan
2009-01-19 18:08 --------- d-----w c:\program files\NOS
2009-01-19 18:02 --------- d-----w c:\program files\Common Files\Adobe
2009-01-14 23:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 23:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-03 22:45 --------- d-----w c:\program files\Lexmark 1200 Series
2009-01-02 00:43 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-01 00:47 --------- d-----w c:\program files\Java
2008-12-26 04:18 --------- d-----w c:\documents and settings\James.JAMES-HOME\Application Data\Acreon
2008-12-22 03:22 --------- d-----w c:\documents and settings\James.JAMES-HOME\Application Data\Ventrilo
2008-12-16 05:09 --------- d-----w c:\program files\McAfee
2008-12-15 22:26 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\McAfee
2008-12-15 22:21 --------- d-----w c:\program files\McAfee.com
2008-12-15 22:01 --------- d-----w c:\documents and settings\James.JAMES-HOME\Application Data\Malwarebytes
2008-12-15 22:01 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-12-15 15:28 --------- d-----w c:\program files\MSBuild
2008-12-15 15:27 --------- d-----w c:\program files\Reference Assemblies
2008-12-15 06:02 --------- d-----w c:\program files\Logitech
2008-12-15 06:02 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Logitech
2008-12-15 05:57 315,392 ----a-w c:\windows\HideWin.exe
2008-12-15 05:52 --------- d-----w c:\program files\Opera
2008-12-14 22:53 17,801 ----a-w c:\windows\system32\drivers\AegisP.sys
2008-12-14 22:53 --------- d-----w c:\program files\Linksys Wireless-G Wireless Network Monitor
2008-12-14 03:17 --------- d-----w c:\program files\Common Files\LightScribe
2008-12-13 04:19 --------- d-----w c:\program files\Realtek
2008-12-12 05:34 --------- d-----w c:\program files\SystemRequirementsLab
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2007-10-06 00:00 256 ----a-w c:\documents and settings\James\pool.bin
2006-09-10 03:39 32 ----a-r c:\documents and settings\All Users\hash.dat
2005-04-20 01:25 53,323 ----a-w c:\program files\opera\program\plugins\PlugDef.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\MSN\Toolbar\3.0.0988.2\mstbsvc.exe -- Invalid filepath or file no longer exist


((((((((((((((((((((((((((((( snapshot@2009-01-30_16.33.58.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 03:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2000-08-31 15:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 15:00:00 286,720 ----a-w c:\windows\SWREG.exe
- 2009-01-30 19:36:14 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-31 23:44:39 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-30 19:36:14 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-31 23:44:39 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-04 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-04 81920]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 2051096]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 2095640]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-31 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Autorun Eater"="d:\program files\Autorun Eater\oldmcdonald.exe" [2008-11-27 501768]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-30 509784]
"nwiz"="nwiz.exe" [2007-12-04 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-03-06 c:\windows\RTHDCPL.exe]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-22 64160]
R4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
S3 RTCore32;RTCore32;d:\program files\RMClock\RTCore32.sys [2008-02-04 4608]
S4 mstbsvc;MSN Toolbar Setup;"c:\program files\MSN\Toolbar\3.0.0988.2\mstbsvc.exe" --> c:\program files\MSN\Toolbar\3.0.0988.2\mstbsvc.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2009-01-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-30 17:03]

2009-01-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {4E56B747-E103-44DE-8565-5E1BE8C628FE} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\James.JAMES-HOME\Application Data\Mozilla\Firefox\Profiles\083zf3hk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-31 19:54:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-01-31 19:57:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-01 02:57:01
ComboFix2.txt 2009-01-30 23:34:29

Pre-Run: 2,673,553,408 bytes free
Post-Run: 2,617,487,360 bytes free

326 --- E O F --- 2009-01-14 10:00:34
~~~~~~~~~~~~~~~~~~~

and fresh HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:03:02 AM, on 2/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Autorun Eater] d:\Program Files\Autorun Eater\oldmcdonald.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E56B747-E103-44DE-8565-5E1BE8C628FE}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSN Toolbar Setup (mstbsvc) - Unknown owner - C:\Program Files\MSN\Toolbar\3.0.0988.2\mstbsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe

--
End of file - 6693 bytes


Thanks again for all your patience and assistance!!!!
Grimblade
Active Member
 
Posts: 6
Joined: January 27th, 2009, 11:13 pm

Re: I think I'm infected

Unread postby Bio-Hazard » February 1st, 2009, 12:06 pm

Hello!


Go to this folder and empty it (DO NOT delete it): C:\Documents and Settings\James.JAMES-HOME\.housecall6.6\ Quarantine


I'd like you to check (a file/some files) for Viruses.
C:\Program Files\MSN\Toolbar\3.0.0988.2\mstbsvc.exe

  • Copy/Paste file into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Copy and Paste results in your next reply.

OTMoveIt3

Download OTMoveIt3 by Old Timer and save it to your Desktop.
  • Double-click OTMoveIt3.exe to run it.
  • Copy the lines in the codebox below.
Code:
:files
C:\Program Files\Musicmatch\Common\ComponentMgr\HoldingArea\WebSys\WebSys.mmz
C:\Program Files\Musicmatch\Musicmatch Jukebox\WebSys\offline.mmz
:commands
[EmptyTemp]

  • Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3

Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:
  • OTMoveIt Log
  • Virustotal or Jotti results
  • A fresh HijackThis Log ( after all the above has been done)
  • A description of how your computer is behaving
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: I think I'm infected

Unread postby Grimblade » February 1st, 2009, 5:16 pm

Okay, I was unable to scan ":\Program Files\MSN\Toolbar\3.0.0988.2\mstbsvc.exe" as the file doesn't exist on my machine currently. I see the folder there, but no executable currently. I also checked logs on malwarebytes and mcafee (in case they grabbed it somehow) and am not seeing it in any of their logs. I am unsure how it has disappeared, but it's no longer there.

I did run OTMoveit3, and here is the logfile:

========== FILES ==========
C:\Program Files\Musicmatch\Common\ComponentMgr\HoldingArea\WebSys\WebSys.mmz moved successfully.
C:\Program Files\Musicmatch\Musicmatch Jukebox\WebSys\offline.mmz moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\JAMES~1.JAM\LOCALS~1\Temp\hsperfdata_James\4020 scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\JAMES~1.JAM\LOCALS~1\Temp\etilqs_bGcvgrGSGb82EjYpdPJ2 scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\mcmsc_pQpYALPVDTwsHEw scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_130.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\WFV119.tmp scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\James.JAMES-HOME\Local Settings\Application Data\Mozilla\Firefox\Profiles\083zf3hk.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\James.JAMES-HOME\Local Settings\Application Data\Mozilla\Firefox\Profiles\083zf3hk.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\James.JAMES-HOME\Local Settings\Application Data\Mozilla\Firefox\Profiles\083zf3hk.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\James.JAMES-HOME\Local Settings\Application Data\Mozilla\Firefox\Profiles\083zf3hk.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\James.JAMES-HOME\Local Settings\Application Data\Mozilla\Firefox\Profiles\083zf3hk.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\James.JAMES-HOME\Local Settings\Application Data\Mozilla\Firefox\Profiles\083zf3hk.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Opera cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02012009_140046

Files moved on Reboot...
File C:\DOCUME~1\JAMES~1.JAM\LOCALS~1\Temp\hsperfdata_James\4020 not found!
File C:\DOCUME~1\JAMES~1.JAM\LOCALS~1\Temp\etilqs_bGcvgrGSGb82EjYpdPJ2 not found!
File C:\WINDOWS\temp\mcmsc_pQpYALPVDTwsHEw not found!
File C:\WINDOWS\temp\Perflib_Perfdata_130.dat not found!
File C:\WINDOWS\temp\WFV119.tmp not found!
C:\Documents and Settings\James.JAMES-HOME\Local Settings\Application Data\Mozilla\Firefox\Profiles\083zf3hk.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\James.JAMES-HOME\Local Settings\Application Data\Mozilla\Firefox\Profiles\083zf3hk.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\James.JAMES-HOME\Local Settings\Application Data\Mozilla\Firefox\Profiles\083zf3hk.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\James.JAMES-HOME\Local Settings\Application Data\Mozilla\Firefox\Profiles\083zf3hk.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\James.JAMES-HOME\Local Settings\Application Data\Mozilla\Firefox\Profiles\083zf3hk.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\James.JAMES-HOME\Local Settings\Application Data\Mozilla\Firefox\Profiles\083zf3hk.default\XUL.mfl moved successfully.
~~~~~~~~~~~

HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:09:33 PM, on 2/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Autorun Eater] d:\Program Files\Autorun Eater\oldmcdonald.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E56B747-E103-44DE-8565-5E1BE8C628FE}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSN Toolbar Setup (mstbsvc) - Unknown owner - C:\Program Files\MSN\Toolbar\3.0.0988.2\mstbsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe

--
End of file - 6643 bytes


So far everything still appears to be working fine. Nothing sluggish, no pop-ups, and still able to access websites I should be able to. I've also still kept mcafee, malwarebytes, adaware, etc... disabled.

Edit: looks like "C:\Program Files\MSN\Toolbar\3.0.0988.2\mstbsvc.exe" has been missing since the beginning, original hijackthis log shows:

O23 - Service: MSN Toolbar Setup (mstbsvc) - Unknown owner - C:\Program Files\MSN\Toolbar\3.0.0988.2\mstbsvc.exe (file missing)

Edit 2: Looks like firefox pop-ups are still occurring. I am also seeing them open new windows as well as new tabs.
Grimblade
Active Member
 
Posts: 6
Joined: January 27th, 2009, 11:13 pm

Re: I think I'm infected

Unread postby Bio-Hazard » February 2nd, 2009, 5:46 am

Delete Services

  • Open Notepad by clicking Start
  • Click Run
  • Type notepad into the box and click enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:

    Code:
    @echo off
    sc stop mstbsvc
    sc delete mstbsvc
    

  • Make sure there are NO blank lines before @echo off
  • Make sure there IS one blank line at the end of the file.
  • Go to File > Save As
  • Save File name as Fix.bat
  • Change Save as Type to All Files and save the file to your desktop.
  • Close Notepad
  • Double-click Fix.bat on your Desktop

Step 1

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.

Step 2

Please download gmer.zip from Gmer and save it to your desktop.

  1. Right click on gmer.zip and select Extract All....
  2. Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  3. Click on the Browse button. Click on Desktop. Then click OK.
  4. Click Next. It will start extracting.
  5. Once done, check (tick) the Show extracted files box and click Finish.

Double click on gmer.exe to run it. It will start running a scan. If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes.

  • When done, you may receive another notice. Click OK.
  • Click on Save ... to save a log.
  • Copy and paste in Gmer.txt and click Save.
  • Close Gmer.

If you receive no notice, click on the Scan button.

  • It will start scanning again.
  • When done, click on Save ... to save a log.
  • Copy and paste in Gmer.txt and click Save.
  • Close Gmer.

Note: Do not run any programs while Gmer is running.

In your next reply, please post:

  1. DDS.txt
  2. Attach.txt
  3. Gmer.txt
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK
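The "Delete Services" step above removes a service registration (mstbsvc) whose executable is gone, which is why every HijackThis log in the thread kept listing it as "(file missing)". The following Python is an added example, not code from the thread, from Bio-Hazard or from the HijackThis/OTMoveIt tools: it parses the O23 service lines of a HijackThis log, flags entries whose binary is missing or whose owner is unknown, writes out the same `sc stop` / `sc delete` batch the helper posted, and compares a fresh log against the earlier one to confirm the entry is actually gone. The sample log lines are copied from the thread's logs and trimmed; the function names and the `ServiceEntry` record are my own.

```python
"""Triage HijackThis O23 (service) entries and verify a service removal.

Added example, not part of the MalwareRemoval.com thread or its tools.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# O23 line shape as HijackThis prints it:
#   O23 - Service: <display> (<short name>) - <owner> - <path> [(file missing)]
# The "(<short name>)" part is absent for some services, so it is optional.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Sample input (constructed from O23 lines in the thread, trimmed to four services).
BEFORE_LOG = r"""
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MSN Toolbar Setup (mstbsvc) - Unknown owner - C:\Program Files\MSN\Toolbar\3.0.0988.2\mstbsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# The "fresh HijackThis log" a helper asks for after the fix (constructed: same
# lines minus the deleted service).
AFTER_LOG = r"""
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass(frozen=True)
class ServiceEntry:
    display: str
    name: Optional[str]   # short name that sc.exe needs; None when HJT printed only the display name
    owner: str
    path: str
    file_missing: bool


def parse_services(log: str) -> List[ServiceEntry]:
    """Return one ServiceEntry per O23 line; other HijackThis lines are ignored."""
    entries = []
    for line in log.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            entries.append(ServiceEntry(m["display"], m["name"], m["owner"],
                                        m["path"], m["missing"] is not None))
    return entries


def suspicious(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Orphaned registrations (binary gone) and entries with no publisher.

    A dangling registration is harmless on its own but is a loose end a
    helper clears, and anything that later drops a file at that path would
    start as a service without any new autostart entry."""
    return [e for e in entries if e.file_missing or e.owner == "Unknown owner"]


def fix_commands(entries: List[ServiceEntry]) -> str:
    """Build the Fix.bat text in the helper's format: @echo off first, no
    leading blank line, one sc stop/sc delete pair per orphaned service, and
    a trailing newline. Services with no short name are listed for review
    instead, because sc.exe cannot address them by display name."""
    lines = ["@echo off"]
    for e in suspicious(entries):
        if e.name is None:
            lines.append(f"rem review manually: {e.display} ({e.path})")
            continue
        lines.append(f"sc stop {e.name}")
        lines.append(f"sc delete {e.name}")
    return "\n".join(lines) + "\n"


def removed_between(before: str, after: str) -> Set[str]:
    """Display names of services present in the earlier log but not in the fresh one."""
    return {e.display for e in parse_services(before)} - {e.display for e in parse_services(after)}


if __name__ == "__main__":
    found = parse_services(BEFORE_LOG)
    for e in suspicious(found):
        print(f"flagged: {e.display} [{e.name}] owner={e.owner!r} missing={e.file_missing}")
    print(fix_commands(found), end="")
    print("gone after fix:", removed_between(BEFORE_LOG, AFTER_LOG))
```

Running it on the constructed logs flags only mstbsvc, prints the three-line batch file identical to the one in the post, and reports "MSN Toolbar Setup" as the entry that disappeared between the two logs, which is the check a helper performs by eye when asking for a fresh HijackThis log.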

Re: I think I'm infected

Unread postby Grimblade » February 2nd, 2009, 11:22 pm

Haven't seen any pop-ups today so far, but Mcafee popped up a message stating I needed to reinstall my mcafee suite. Nothing else unusual other than that.
Here are the logs requested:

DDS log:

DDS (Ver_09-02-01.01) - NTFSx86
Run by James at 19:54:19.05 on Mon 02/02/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2509 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\James.JAMES-HOME\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Autorun Eater] d:\program files\autorun eater\oldmcdonald.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
TCP: {4E56B747-E103-44DE-8565-5E1BE8C628FE} = 208.67.222.222,208.67.220.220
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\james~1.jam\applic~1\mozilla\firefox\profiles\083zf3hk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-22 64160]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-12-15 201320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-6-29 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-12-15 144704]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-12-15 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-12-15 35240]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 950096]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-12-15 33832]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-12-15 40488]
S3 RTCore32;RTCore32;d:\program files\rmclock\RTCore32.sys [2008-2-4 4608]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-12-15 695624]

=============== Created Last 30 ================

2009-02-01 14:00 <DIR> --d----- C:\_OTMoveIt
2009-01-30 20:45 15,688 a------- c:\windows\system32\lsdelete.exe
2009-01-30 16:23 <DIR> a-dshr-- C:\cmdcons
2009-01-30 16:22 286,720 a------- c:\windows\SWREG.exe
2009-01-30 16:22 98,816 a------- c:\windows\sed.exe
2009-01-26 09:40 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-01-22 20:00 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-01-22 19:59 <DIR> -cd-h--- c:\docume~1\alluse~1.win\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-22 19:59 <DIR> --d----- c:\program files\Lavasoft
2009-01-20 16:41 <DIR> --d----- c:\documents and settings\james.james-home\.housecall6.6
2009-01-20 16:27 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Blizzard
2009-01-19 18:59 26,368 a------- c:\windows\system32\drivers\usbstor.bak
2009-01-19 18:55 306,688 a------- c:\windows\IsUninst.exe

==================== Find3M ====================

2009-01-14 16:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-01 17:45 262,144 a------- c:\windows\system32\wrap_oal.dll
2009-01-01 17:45 86,016 a------- c:\windows\system32\OpenAL32.dll
2008-12-31 17:47 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-14 22:57 315,392 a------- c:\windows\HideWin.exe
2008-12-14 16:42 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-14 15:53 17,801 a------- c:\windows\system32\drivers\AegisP.sys
2008-12-14 15:30 21,640 a------- c:\windows\system32\emptyregdb.dat
2008-12-13 09:11 28,672 a------- c:\windows\system32\setupold.exe
2008-12-13 09:11 3,127 a------- c:\windows\system32\presetup.cmd
2008-12-11 03:57 333,952 a------- c:\windows\system32\drivers\srv.sys

============= FINISH: 19:54:38.64 ===============

Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-02-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/14/2008 3:35:04 PM
System Uptime: 2/1/2009 2:01:47 PM (29 hours ago)

Motherboard: XFX | | MI-A78S-8209
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4800+ | CPU 1 | 2871/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 24 GiB total, 2.411 GiB free.
D: is FIXED (NTFS) - 208 GiB total, 187.537 GiB free.
E: is FIXED (NTFS) - 233 GiB total, 90.992 GiB free.
F: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_10DE&DEV_0752&SUBSYS_CB8410DE&REV_A1\3&267A616A&0&09
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_10DE&DEV_0752&SUBSYS_CB8410DE&REV_A1\3&267A616A&0&09
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Coprocessor
Device ID: PCI\VEN_10DE&DEV_0753&SUBSYS_CB8410DE&REV_A2\3&267A616A&0&0B
Manufacturer:
Name: Coprocessor
PNP Device ID: PCI\VEN_10DE&DEV_0753&SUBSYS_CB8410DE&REV_A2\3&267A616A&0&0B
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Audio Device on High Definition Audio Bus
Device ID: HDAUDIO\FUNC_01&VEN_10DE&DEV_0002&SUBSYS_10DE0101&REV_1000\4&14C43916&0&0301
Manufacturer:
Name: Audio Device on High Definition Audio Bus
PNP Device ID: HDAUDIO\FUNC_01&VEN_10DE&DEV_0002&SUBSYS_10DE0101&REV_1000\4&14C43916&0&0301
Service:

==== System Restore Points ===================

RP1: 1/31/2009 7:50:11 PM - ComboFix created restore point
RP2: 2/2/2009 2:03:06 AM - System Checkpoint

==== Installed Programs ======================

3DMark06
Ad-Aware
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Reader 9
Autorun Eater v2.3
Belarc Advisor 7.2
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Java(TM) 6 Update 11
Linksys Wireless-G PCI Network Adapter with SpeedBooster
Logitech GamePanel Software 2.02
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.0.4)
MSN
MSN Toolbar
MSN Toolbar Setup
NVIDIA Drivers
Opera 9.62
Realtek High Definition Audio Driver
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960714)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR archiver

==== Event Viewer Messages From Past Week ========

1/26/2009 9:52:36 AM, error: Service Control Manager [7000] - The crd service failed to start due to the following error: The system cannot find the path specified.
1/26/2009 9:52:36 AM, error: Service Control Manager [7000] - The MSN Toolbar Setup service failed to start due to the following error: The system cannot find the file specified.
1/27/2009 7:26:55 AM, error: DCOM [10001] - Unable to start a DCOM Server: {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} as /. The error: "%233" Happened while starting this command: c:\PROGRA~1\mcafee.com\agent\mcagent.exe -Embedding
1/27/2009 7:46:34 PM, error: DCOM [10005] - DCOM got error "%1055" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
1/27/2009 7:46:34 PM, error: DCOM [10005] - DCOM got error "%1055" attempting to start the service McMSCSvc with arguments "" in order to run the server: {03082469-BA75-44A5-89CB-D187F313E572}
1/30/2009 4:34:29 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WMP54GSSVC service.

==== End Of File ===========================


Gmer.txt
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-02 20:18:13
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xBA8F887E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xBA8F8C10]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB73D99AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB73D9958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB73D996C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB73D99EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB73D9930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB73D9944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB73D99BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB73D9996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB73D9982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB73D9A19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB73D9A00]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB73D99D4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP B73D99D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP B73D99AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP B73D99EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP B73D9A04 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP B73D99C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP B73D9934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP B73D9948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP B73D9986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1142 7 Bytes JMP B73D9970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP B73D995C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP B73D999A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP B73D9A1D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\System32\svchost.exe[388] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F70FE5
.text C:\WINDOWS\System32\svchost.exe[388] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F70F39
.text C:\WINDOWS\System32\svchost.exe[388] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F70F54
.text C:\WINDOWS\System32\svchost.exe[388] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F70022
.text C:\WINDOWS\System32\svchost.exe[388] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F70F65
.text C:\WINDOWS\System32\svchost.exe[388] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F70011
.text C:\WINDOWS\System32\svchost.exe[388] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F7006B
.text C:\WINDOWS\System32\svchost.exe[388] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F7005A
.text C:\WINDOWS\System32\svchost.exe[388] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F700A1
.text C:\WINDOWS\System32\svchost.exe[388] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F70086
.text C:\WINDOWS\System32\svchost.exe[388] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00F70EE3
.text C:\WINDOWS\System32\svchost.exe[388] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00F70F8A
.text C:\WINDOWS\System32\svchost.exe[388] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00F70FD4
.text C:\WINDOWS\System32\svchost.exe[388] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00F70049
.text C:\WINDOWS\System32\svchost.exe[388] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00F70FAF
.text C:\WINDOWS\System32\svchost.exe[388] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00F70000
.text C:\WINDOWS\System32\svchost.exe[388] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00F70F12
.text C:\WINDOWS\System32\svchost.exe[388] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00F60FDE
.text C:\WINDOWS\System32\svchost.exe[388] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00F60FA8
.text C:\WINDOWS\System32\svchost.exe[388] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00F60025
.text C:\WINDOWS\System32\svchost.exe[388] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00F60FEF
.text C:\WINDOWS\System32\svchost.exe[388] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00F60065
.text C:\WINDOWS\System32\svchost.exe[388] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00F60000
.text C:\WINDOWS\System32\svchost.exe[388] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00F60FC3
.text C:\WINDOWS\System32\svchost.exe[388] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 16, 89 ]
.text C:\WINDOWS\System32\svchost.exe[388] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00F6004A
.text C:\WINDOWS\System32\svchost.exe[388] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F40000
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[768] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[768] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B80000
.text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B80073
.text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B80058
.text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B80F7E
.text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B80F9B
.text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B80FB6
.text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B80F37
.text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B80F48
.text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B800BF
.text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B800AE
.text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00B800D0
.text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00B8003D
.text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00B80011
.text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00B80F63
.text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00B80022
.text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00B80FDB
.text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00B80F26
.text C:\WINDOWS\system32\svchost.exe[812] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00B70047
.text C:\WINDOWS\system32\svchost.exe[812] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00B7008E
.text C:\WINDOWS\system32\svchost.exe[812] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00B7002C
.text C:\WINDOWS\system32\svchost.exe[812] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00B70011
.text C:\WINDOWS\system32\svchost.exe[812] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00B70073
.text C:\WINDOWS\system32\svchost.exe[812] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00B70000
.text C:\WINDOWS\system32\svchost.exe[812] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00B70FD1
.text C:\WINDOWS\system32\svchost.exe[812] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ D7, 88 ]
.text C:\WINDOWS\system32\svchost.exe[812] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00B70058
.text C:\WINDOWS\system32\services.exe[1028] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[1028] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070062
.text C:\WINDOWS\system32\services.exe[1028] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070051
.text C:\WINDOWS\system32\services.exe[1028] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070F83
.text C:\WINDOWS\system32\services.exe[1028] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070F94
.text C:\WINDOWS\system32\services.exe[1028] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070FAF
.text C:\WINDOWS\system32\services.exe[1028] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F4B
.text C:\WINDOWS\system32\services.exe[1028] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070F5C
.text C:\WINDOWS\system32\services.exe[1028] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000700A4
.text C:\WINDOWS\system32\services.exe[1028] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F15
.text C:\WINDOWS\system32\services.exe[1028] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 000700B5
.text C:\WINDOWS\system32\services.exe[1028] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00070040
.text C:\WINDOWS\system32\services.exe[1028] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[1028] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 0007007D
.text C:\WINDOWS\system32\services.exe[1028] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\services.exe[1028] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00070FCA
.text C:\WINDOWS\system32\services.exe[1028] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00070F26
.text C:\WINDOWS\system32\services.exe[1028] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00060036
.text C:\WINDOWS\system32\services.exe[1028] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00060087
.text C:\WINDOWS\system32\services.exe[1028] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00060025
.text C:\WINDOWS\system32\services.exe[1028] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00060014
.text C:\WINDOWS\system32\services.exe[1028] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00060076
.text C:\WINDOWS\system32\services.exe[1028] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[1028] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00060FCA
.text C:\WINDOWS\system32\services.exe[1028] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 26, 88 ]
.text C:\WINDOWS\system32\services.exe[1028] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00060047
.text C:\WINDOWS\system32\services.exe[1028] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\lsass.exe[1040] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\lsass.exe[1040] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070098
.text C:\WINDOWS\system32\lsass.exe[1040] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0007007D
.text C:\WINDOWS\system32\lsass.exe[1040] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070FA5
.text C:\WINDOWS\system32\lsass.exe[1040] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070058
.text C:\WINDOWS\system32\lsass.exe[1040] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070036
.text C:\WINDOWS\system32\lsass.exe[1040] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F77
.text C:\WINDOWS\system32\lsass.exe[1040] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070F88
.text C:\WINDOWS\system32\lsass.exe[1040] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070F5C
.text C:\WINDOWS\system32\lsass.exe[1040] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 000700EB
.text C:\WINDOWS\system32\lsass.exe[1040] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00070F4B
.text C:\WINDOWS\system32\lsass.exe[1040] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00070047
.text C:\WINDOWS\system32\lsass.exe[1040] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\lsass.exe[1040] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 000700A9
.text C:\WINDOWS\system32\lsass.exe[1040] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\lsass.exe[1040] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 0007000A
.text C:\WINDOWS\system32\lsass.exe[1040] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 000700DA
.text C:\WINDOWS\system32\lsass.exe[1040] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00060FCA
.text C:\WINDOWS\system32\lsass.exe[1040] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 0006006C
.text C:\WINDOWS\system32\lsass.exe[1040] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0006001B
.text C:\WINDOWS\system32\lsass.exe[1040] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0006000A
.text C:\WINDOWS\system32\lsass.exe[1040] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00060FA5
.text C:\WINDOWS\system32\lsass.exe[1040] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\lsass.exe[1040] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00060047
.text C:\WINDOWS\system32\lsass.exe[1040] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00060036
.text C:\WINDOWS\system32\lsass.exe[1040] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AC0FE5
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AC0089
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AC006E
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AC0051
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AC0040
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AC001B
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AC00AB
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AC0F6F
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AC00CD
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AC0F3E
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00AC0F0F
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00AC0F94
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00AC0FD4
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00AC009A
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00AC0FAF
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00AC0000
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00AC00BC
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00AB0036
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00AB0F91
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00AB0FEF
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00AB001B
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00AB0FB6
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00AB000A
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00AB0058
.text C:\WINDOWS\system32\svchost.exe[1208] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00AB0047
.text C:\WINDOWS\system32\svchost.exe[1208] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A9000A
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0000
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA0F8A
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0FAF
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA007D
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0062
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0047
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA0F68
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA0F79
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA0F28
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA00C1
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00BA0F17
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00BA0FC0
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00BA001B
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00BA00A4
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00BA002C
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00BA0FE5
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00BA0F43
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00B90FCD
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00B90F75
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00B90FDE
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00B9000A
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00B90F86
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00B90FEF
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00B90FAB
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ D9, 88 ]
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00B90FBC
.text C:\WINDOWS\system32\svchost.exe[1276] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B70000
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02CB000A
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02CB007D
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02CB0062
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02CB0051
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02CB0040
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02CB0FB9
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02CB0F50
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02CB0F61
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02CB00CE
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02CB00BD
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 02CB0F24
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 02CB0F9E
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 02CB001B
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 02CB008E
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 02CB0FCA
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 02CB0FE5
.text C:\WINDOWS\System32\svchost.exe[1320] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 02CB0F3F
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 02BC0000
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 02BC0F4D
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 02BC0FB9
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 02BC0FCA
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 02BC0F5E
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 02BC0FE5
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 02BC0F6F
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ DC, 8A ]
.text C:\WINDOWS\System32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 02BC0F8A
.text C:\WINDOWS\System32\svchost.exe[1320] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02B50FEF
.text C:\WINDOWS\System32\svchost.exe[1320] WININET.dll!InternetOpenW 771BAF39 5 Bytes JMP 02BA001B
.text C:\WINDOWS\System32\svchost.exe[1320] WININET.dll!InternetOpenA 771C5786 5 Bytes JMP 02BA0000
.text C:\WINDOWS\System32\svchost.exe[1320] WININET.dll!InternetOpenUrlA 771C5A52 5 Bytes JMP 02BA0FE5
.text C:\WINDOWS\System32\svchost.exe[1320] WININET.dll!InternetOpenUrlW 771D5BA2 5 Bytes JMP 02BA0042
.text C:\WINDOWS\Explorer.EXE[1416] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 014F0FE5
.text C:\WINDOWS\Explorer.EXE[1416] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 014F006F
.text C:\WINDOWS\Explorer.EXE[1416] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 014F0F7A
.text C:\WINDOWS\Explorer.EXE[1416] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 014F0F8B
.text C:\WINDOWS\Explorer.EXE[1416] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 014F0054
.text C:\WINDOWS\Explorer.EXE[1416] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 014F0025
.text C:\WINDOWS\Explorer.EXE[1416] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 014F0F31
.text C:\WINDOWS\Explorer.EXE[1416] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 014F0F42
.text C:\WINDOWS\Explorer.EXE[1416] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 014F0094
.text C:\WINDOWS\Explorer.EXE[1416] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 014F0EFB
.text C:\WINDOWS\Explorer.EXE[1416] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 014F0EE0
.text C:\WINDOWS\Explorer.EXE[1416] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 014F0FA8
.text C:\WINDOWS\Explorer.EXE[1416] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 014F000A
.text C:\WINDOWS\Explorer.EXE[1416] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 014F0F69
.text C:\WINDOWS\Explorer.EXE[1416] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 014F0FB9
.text C:\WINDOWS\Explorer.EXE[1416] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 014F0FD4
.text C:\WINDOWS\Explorer.EXE[1416] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 014F0F16
.text C:\WINDOWS\Explorer.EXE[1416] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 014E001B
.text C:\WINDOWS\Explorer.EXE[1416] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 014E0F8A
.text C:\WINDOWS\Explorer.EXE[1416] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 014E000A
.text C:\WINDOWS\Explorer.EXE[1416] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 014E0FD4
.text C:\WINDOWS\Explorer.EXE[1416] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 014E0FA5
.text C:\WINDOWS\Explorer.EXE[1416] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 014E0FE5
.text C:\WINDOWS\Explorer.EXE[1416] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 014E0047
.text C:\WINDOWS\Explorer.EXE[1416] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 014E0036
.text C:\WINDOWS\Explorer.EXE[1416] WININET.dll!InternetOpenW 771BAF39 5 Bytes JMP 014C0FEF
.text C:\WINDOWS\Explorer.EXE[1416] WININET.dll!InternetOpenA 771C5786 5 Bytes JMP 014C0000
.text C:\WINDOWS\Explorer.EXE[1416] WININET.dll!InternetOpenUrlA 771C5A52 5 Bytes JMP 014C0025
.text C:\WINDOWS\Explorer.EXE[1416] WININET.dll!InternetOpenUrlW 771D5BA2 5 Bytes JMP 014C0036
.text C:\WINDOWS\Explorer.EXE[1416] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01930FEF
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007B0FEF
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007B007B
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007B0F7C
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007B0F97
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007B0FA8
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007B0036
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007B0F44
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007B0F5F
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007B00DD
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007B00C2
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 007B00F8
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 007B0FB9
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 007B000A
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 007B0096
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 007B0025
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 007B0FD4
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!WinExec 7C8623AD 1 Byte [ E9 ]
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!WinExec + 2 7C8623AF 3 Bytes [ DC, F4, 83 ]
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 007A0FA8
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 007A001E
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 007A0FC3
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 007A0FD4
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 007A0F6B
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 007A0FEF
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 007A0F7C
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 9A, 88 ]
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 007A0F97
.text C:\WINDOWS\system32\svchost.exe[1484] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00780FEF
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01690000
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01690F7C
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01690F8D
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!LoadLibraryExW 7C801AF5 3 Bytes JMP 0169005B
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!LoadLibraryExW + 4 7C801AF9 1 Byte [ 84 ]
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0169004A
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01690025
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01690F3D
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01690F4E
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01690F07
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 016900A0
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 01690EF6
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01690F9E
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01690FE5
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01690F6B
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01690FB9
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01690FCA
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 01690F22
.text C:\WINDOWS\system32\svchost.exe[1516] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 01680FB6
.text C:\WINDOWS\system32\svchost.exe[1516] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01680062
.text C:\WINDOWS\system32\svchost.exe[1516] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 01680011
.text C:\WINDOWS\system32\svchost.exe[1516] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 01680000
.text C:\WINDOWS\system32\svchost.exe[1516] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01680051
.text C:\WINDOWS\system32\svchost.exe[1516] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01680FE5
.text C:\WINDOWS\system32\svchost.exe[1516] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 01680FA5
.text C:\WINDOWS\system32\svchost.exe[1516] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 88, 89 ]
.text C:\WINDOWS\system32\svchost.exe[1516] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 0168002C
.text C:\WINDOWS\system32\svchost.exe[1516] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01650000
.text C:\WINDOWS\system32\svchost.exe[1516] WININET.dll!InternetOpenW 771BAF39 5 Bytes JMP 01660FDB
.text C:\WINDOWS\system32\svchost.exe[1516] WININET.dll!InternetOpenA 771C5786 5 Bytes JMP 01660000
.text C:\WINDOWS\system32\svchost.exe[1516] WININET.dll!InternetOpenUrlA 771C5A52 5 Bytes JMP 01660011
.text C:\WINDOWS\system32\svchost.exe[1516] WININET.dll!InternetOpenUrlW 771D5BA2 5 Bytes JMP 01660FBE
.text C:\WINDOWS\Explorer.EXE[2436] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text C:\WINDOWS\Explorer.EXE[2436] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A006C
.text C:\WINDOWS\Explorer.EXE[2436] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F77
.text C:\WINDOWS\Explorer.EXE[2436] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A005B
.text C:\WINDOWS\Explorer.EXE[2436] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0FA8
.text C:\WINDOWS\Explorer.EXE[2436] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0040
.text C:\WINDOWS\Explorer.EXE[2436] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A00AE
.text C:\WINDOWS\Explorer.EXE[2436] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0087
.text C:\WINDOWS\Explorer.EXE[2436] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F2D
.text C:\WINDOWS\Explorer.EXE[2436] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A00D0
.text C:\WINDOWS\Explorer.EXE[2436] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A00E1
.text C:\WINDOWS\Explorer.EXE[2436] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A0FC3
.text C:\WINDOWS\Explorer.EXE[2436] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\Explorer.EXE[2436] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A0F5C
.text C:\WINDOWS\Explorer.EXE[2436] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A002F
.text C:\WINDOWS\Explorer.EXE[2436] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\Explorer.EXE[2436] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A00BF
.text C:\WINDOWS\Explorer.EXE[2436] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00290FD4
.text C:\WINDOWS\Explorer.EXE[2436] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00290F97
.text C:\WINDOWS\Explorer.EXE[2436] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0029001B
.text C:\WINDOWS\Explorer.EXE[2436] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0029000A
.text C:\WINDOWS\Explorer.EXE[2436] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00290054
.text C:\WINDOWS\Explorer.EXE[2436] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00290FEF
.text C:\WINDOWS\Explorer.EXE[2436] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00290FA8
.text C:\WINDOWS\Explorer.EXE[2436] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 49, 88 ]
.text C:\WINDOWS\Explorer.EXE[2436] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00290FB9
.text C:\WINDOWS\Explorer.EXE[2436] WININET.dll!InternetOpenW 771BAF39 5 Bytes JMP 002C0FD4
.text C:\WINDOWS\Explorer.EXE[2436] WININET.dll!InternetOpenA 771C5786 5 Bytes JMP 002C0FE5
.text C:\WINDOWS\Explorer.EXE[2436] WININET.dll!InternetOpenUrlA 771C5A52 5 Bytes JMP 002C0FC3
.text C:\WINDOWS\Explorer.EXE[2436] WININET.dll!InternetOpenUrlW 771D5BA2 5 Bytes JMP 002C000A
.text C:\WINDOWS\Explorer.EXE[2436] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01760FEF
.text C:\WINDOWS\system32\wuauclt.exe[5168] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[5168] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0F8B
.text C:\WINDOWS\system32\wuauclt.exe[5168] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0FA6
.text C:\WINDOWS\system32\wuauclt.exe[5168] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0080
.text C:\WINDOWS\system32\wuauclt.exe[5168] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0FC3
.text C:\WINDOWS\system32\wuauclt.exe[5168] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0FD4
.text C:\WINDOWS\system32\wuauclt.exe[5168] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B0F53
.text C:\WINDOWS\system32\wuauclt.exe[5168] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B00A5
.text C:\WINDOWS\system32\wuauclt.exe[5168] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0F2E
.text C:\WINDOWS\system32\wuauclt.exe[5168] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B00D1
.text C:\WINDOWS\system32\wuauclt.exe[5168] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001B00EC
.text C:\WINDOWS\system32\wuauclt.exe[5168] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001B0065
.text C:\WINDOWS\system32\wuauclt.exe[5168] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001B0014
.text C:\WINDOWS\system32\wuauclt.exe[5168] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001B0F7A
.text C:\WINDOWS\system32\wuauclt.exe[5168] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001B0040
.text C:\WINDOWS\system32\wuauclt.exe[5168] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001B002F
.text C:\WINDOWS\system32\wuauclt.exe[5168] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001B00B6
.text C:\WINDOWS\system32\wuauclt.exe[5168] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 002B0FB6
.text C:\WINDOWS\system32\wuauclt.exe[5168] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 002B0F6F
.text C:\WINDOWS\system32\wuauclt.exe[5168] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 002B0FD1
.text C:\WINDOWS\system32\wuauclt.exe[5168] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 002B0011
.text C:\WINDOWS\system32\wuauclt.exe[5168] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 002B002C
.text C:\WINDOWS\system32\wuauclt.exe[5168] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 002B0000
.text C:\WINDOWS\system32\wuauclt.exe[5168] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 002B0F80
.text C:\WINDOWS\system32\wuauclt.exe[5168] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 4B, 88 ]
.text C:\WINDOWS\system32\wuauclt.exe[5168] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 002B0F9B

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- EOF - GMER 1.0.14 ----
Grimblade
Active Member
 
Posts: 6
Joined: January 27th, 2009, 11:13 pm
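
The `.text` entries above are GMER's user-mode hook listing: each line names a process, the export that was patched, the patched address, and either the JMP target or the raw bytes written there. The Python below is an added example, not part of this thread and not a tool from GMER; it parses those lines and summarizes them per process: how many exports are hooked, which 64 KiB regions the detours land in, which process-creation, library-loading and network exports are among them, and which patches GMER could not show as one clean 5-byte JMP. Its sample input is copied from the log above. The summary is a starting point for attribution, not a verdict: security products installed on the machine may account for hooks like these, so the helper's job is to match each detour region to a known product before treating it as suspicious.

```python
"""Summarize the user-mode hook entries from a GMER log per process.
Added example for this thread; not a tool from GMER or from the forum."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Shape of the lines GMER 1.0.14 prints in its user-mode hooks section, e.g.
#   .text C:\WINDOWS\Explorer.EXE[1416] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 014E001B
#   .text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!WinExec 7C8623AD 1 Byte [ E9 ]
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<export>\S+)(?:\s+\+\s+(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<nbytes>\d+)\s+Bytes?\s+(?P<patch>.+)$"
)
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]{8})$")

# Exports on the process-creation, library-loading and network paths (chosen for this
# example): a hook here needs attributing to a known product before the log is called clean.
SENSITIVE_EXPORTS = {
    "createprocessa", "createprocessw", "winexec",
    "loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw",
    "getprocaddress", "virtualprotect", "virtualprotectex",
    "socket", "internetopena", "internetopenw", "internetopenurla", "internetopenurlw",
}


@dataclass
class Hook:
    process: str
    pid: int
    module: str                 # lower-cased, e.g. "kernel32.dll"
    export: str
    offset: int                 # byte offset into the export; 0 is the entry point itself
    address: int                # patched address
    nbytes: int                 # bytes GMER reports as changed
    jmp_target: Optional[int]   # None when GMER printed raw bytes instead of a JMP


def parse_hook_line(line: str) -> Optional[Hook]:
    """Return a Hook for a '.text ...' line, or None for any other log line."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    jm = JMP_RE.match(m["patch"].strip())
    return Hook(
        process=m["proc"], pid=int(m["pid"]), module=m["module"].lower(),
        export=m["export"], offset=int(m["offset"] or 0),
        address=int(m["addr"], 16), nbytes=int(m["nbytes"]),
        jmp_target=int(jm["target"], 16) if jm else None,
    )


def parse_gmer_hooks(text: str) -> list[Hook]:
    return [h for h in map(parse_hook_line, text.splitlines()) if h is not None]


def summarize(hooks: list[Hook]) -> dict[str, dict]:
    """Per 'process[pid]': hook count, the 64 KiB regions the JMPs land in, sensitive
    exports that are hooked, and patches GMER could not decode as one 5-byte JMP."""
    out: dict[str, dict] = {}
    for h in hooks:
        s = out.setdefault(f"{h.process}[{h.pid}]",
                           {"hooks": 0, "regions": set(), "sensitive": set(), "split": set()})
        s["hooks"] += 1
        name = f"{h.module}!{h.export}"
        if h.jmp_target is not None:
            s["regions"].add(h.jmp_target >> 16)
        if h.export.lower() in SENSITIVE_EXPORTS:
            s["sensitive"].add(name)
        if h.jmp_target is None or h.offset or h.nbytes < 5:
            s["split"].add(name)
    return out


def hooked_everywhere(hooks: list[Hook]) -> set[str]:
    """Exports hooked in every listed process; a uniform set across processes points
    to one system-wide hooking component rather than a per-process injection."""
    per_proc: dict[str, set[str]] = {}
    for h in hooks:
        per_proc.setdefault(f"{h.process}[{h.pid}]", set()).add(f"{h.module}!{h.export}")
    return set.intersection(*per_proc.values()) if per_proc else set()


# Lines copied from the GMER log in this thread; the separator line shows non-hook lines are skipped.
SAMPLE_LOG = r"""
.text C:\WINDOWS\Explorer.EXE[1416] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 014E001B
.text C:\WINDOWS\Explorer.EXE[1416] WININET.dll!InternetOpenA 771C5786 5 Bytes JMP 014C0000
.text C:\WINDOWS\Explorer.EXE[1416] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01930FEF
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007B00DD
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!WinExec 7C8623AD 1 Byte [ E9 ]
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!WinExec + 2 7C8623AF 3 Bytes [ DC, F4, 83 ]
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 007A0F7C
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 9A, 88 ]
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 007A0FA8
.text C:\WINDOWS\system32\svchost.exe[1484] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00780FEF
---- Devices - GMER 1.0.14 ----
"""

if __name__ == "__main__":
    hooks = parse_gmer_hooks(SAMPLE_LOG)
    for proc, s in summarize(hooks).items():
        print(f"{proc}: {s['hooks']} hooks, detour regions {[hex(r << 16) for r in sorted(s['regions'])]}")
        print(f"  sensitive: {sorted(s['sensitive'])}")
        print(f"  not a clean 5-byte JMP: {sorted(s['split'])}")
    print("hooked in every process:", sorted(hooked_everywhere(hooks)))
```

Run it against a full GMER log by reading the file into `parse_gmer_hooks`; the `regions` list is the part worth eyeballing, because each region is where some hooking DLL's trampolines live and each should map to a module you can name.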

Re: I think I'm infected

Unread postby Bio-Hazard » February 3rd, 2009, 5:01 am

Hello!

The best thing would then be to reinstall McAfee.

Your log now appears to be clean. Congratulations!

You can get rid of the tools we used:
  • ATF Cleaner (You can just delete the exe file from your desktop)
  • DDS (You can just delete the exe file from your desktop)

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints. You need to be registered to post as, unfortunately, we were hit with too many spam posts to allow guest posting to continue. Just find your country room and register your complaint.

    Delete ComboFix and Clean Up
    Click Start > Run > type combofix /u > OK (Note the space between combofix and /u)
    Please advise if this step is missed for any reason as it performs some important actions.

    Clean up with OTMoveIt3

    • Double-click OTMoveIt3.exe to start the program.
    • Close all other programs apart from OTMoveIt3 as this step will require a reboot
    • On the OTMoveIt main screen, press the CleanUp! button
    • Say Yes to the prompt and then allow the program to reboot your computer.


    General Security and Computer Health
    Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.

    • Make sure that you keep your antivirus updated
      New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
      NOTE: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
    • Security Updates for Windows, Internet Explorer & Microsoft Office
      Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
      NOTE: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.
    • Update Non-Microsoft Programs
      Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector or F-Secure Health Check. I suggest that you run one of them at least once a month.
    • Make Internet Explorer More Secure
      You are using Internet Explorer v. 7. Therefore please read and follow the recommendations at this SITE


    Recommended Programs

    I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

    • WinPatrol
      As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
    • SpywareBlaster
      SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE. You can download SpywareBlaster from HERE.
    • Malwarebytes' Anti-Malware
      Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. You can download Malwarebytes' Anti-Malware from HERE. Here are two tutorials: Malwarebytes' Anti-Malware Setup Guide and Malwarebytes' Anti-Malware Scanning Guide.
    • Hosts File
      For added protection you may also like to add a Hosts file. A simple explanation of what a Hosts file does is HERE and for more information regarding Hosts files read HERE.
    • Use an alternative Internet Browser
      Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead: Firefox or Opera


Finally I am trying to make one point very clear. It is ABSOLUTELY ESSENTIAL to keep all of your security programs up to date.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!

Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK
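
The Hosts file recommendation above cuts both ways: a protective Hosts file is thousands of lines mapping ad and malware domains to a sink address, and a hijacked Hosts file that keeps a machine away from update and vendor sites (the original poster could not reach download.microsoft.com or download.mcafee.com) uses exactly the same syntax. What differs is which domains are listed and where they point. The Python below is an added example, not a tool from this thread or from any of the products named in it; it parses hosts-file text and flags watched domains that are either blocked (pointed at a sink address) or redirected (pointed anywhere else). The watched-domain list and the sample file content are constructed for the example; the default path is the standard Windows XP location.

```python
"""Check hosts-file text for entries that block or redirect update and
security-vendor domains. Added example; not a tool from this thread."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Default location on Windows XP, informational only: the functions take text.
DEFAULT_HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"

# Domains a protective blocklist has no reason to touch. Constructed for this example
# from the sites the original poster could not reach plus common update hosts;
# matching is by suffix, so subdomains count.
WATCHED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "mcafee.com",
    "malwarebytes.org", "symantec.com", "kaspersky.com", "avast.com",
)

# Sink addresses a blocklist legitimately uses. Pointing a watched domain at one of
# these is a block; pointing it anywhere else is a redirect.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


@dataclass
class HostsEntry:
    lineno: int
    ip: str
    host: str


@dataclass
class Finding:
    entry: HostsEntry
    kind: str   # "blocked" or "redirected"


def parse_hosts(text: str) -> list[HostsEntry]:
    """Parse hosts-file syntax: '<ip> <host> [<host>...]'; '#' starts a comment."""
    entries: list[HostsEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; the resolver ignores these as well
        for host in parts[1:]:
            entries.append(HostsEntry(lineno, parts[0], host.lower().rstrip(".")))
    return entries


def is_watched(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacks(entries: list[HostsEntry]) -> list[Finding]:
    """Flag watched domains that are blocked (sink address) or redirected (anything else)."""
    findings: list[Finding] = []
    for e in entries:
        if is_watched(e.host):
            findings.append(Finding(e, "blocked" if e.ip in SINK_ADDRESSES else "redirected"))
    return findings


def blocklist_size(entries: list[HostsEntry]) -> int:
    """Non-localhost hosts mapped to a sink address: roughly how much of the file is an
    ordinary blocklist (a protective Hosts file has thousands of these)."""
    return sum(1 for e in entries
               if e.ip in SINK_ADDRESSES and e.host not in ("localhost", "localhost.localdomain"))


# Constructed sample: lines 2-4 are what a clean file plus a protective blocklist look
# like; lines 5-6 are the shape of a hijack matching the symptoms in this thread.
SAMPLE_HOSTS = """\
# comment lines are ignored
127.0.0.1       localhost
127.0.0.1       ads.example              # ordinary blocklist entry, fine
0.0.0.0         tracker.example
127.0.0.1       download.microsoft.com   # blocks updates: not what a blocklist should do
203.0.113.5     download.mcafee.com      # redirect to a third-party address
"""

if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    print(f"{len(entries)} entries, {blocklist_size(entries)} blocklist-style")
    for f in find_hijacks(entries):
        print(f"line {f.entry.lineno}: {f.entry.host} {f.kind} via {f.entry.ip}")
```

To run it on a real machine, read `DEFAULT_HOSTS_PATH` into `parse_hosts`; a large `blocklist_size` with no findings is what a protective Hosts file looks like, while any finding at all deserves a look at which program wrote the line.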

Re: I think I'm infected

Unread postby Grimblade » February 4th, 2009, 10:51 pm

Thank you so much Bio-Hazard! Everything appears to be working normally again, and I appreciate all of your efforts and advice! I will definitely complain about the offenders, as I'd like to prevent this from being as widespread as it is.

Updating and downloading the recommended programs now.

Thank you once again!!!
Grimblade
Active Member
 
Posts: 6
Joined: January 27th, 2009, 11:13 pm

Re: I think I'm infected

Unread postby Gary R » February 5th, 2009, 5:31 am

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Gary R
Administrator
 
Posts: 21871
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire