HIJACKTHIS Log - New infection. Help appreciated


Post by techno_turtle » August 14th, 2009, 7:00 am

I was running IE, and despite also using Ad-Aware, Spybot, Bazooka and PC Tools Spyware Doctor (as well as McAfee) I still got infected. It's a new infection, and the ads are not 'pop ups' as such; they display along the start bar at the bottom of the page. They seem to be directly related to web sites I visit as opposed to 'random', and are becoming more 'specific'. I even switched to Firefox, running an adblocker, but that does not work on them!

I ran HijackThis, and this is the log. Help much appreciated. Thank you:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:30, on 14/08/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\nvraidservice.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\BOINC\boincmgr.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\BOINC\boinctray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\Murray\AppData\Local\uusggeu.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\BOINC\boinc.exe
C:\ProgramData\BOINC\projects\climateprediction.net\hadcm3trans_6.04_windows_intelx86.exe
C:\ProgramData\BOINC\projects\climateprediction.net\hadam3_6.01_windows_intelx86.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\ProgramData\BOINC\projects\climateprediction.net\hadam3_um_6.01_windows_intelx86.exe
C:\ProgramData\BOINC\projects\climateprediction.net\hadcm3trans_um_6.04_windows_intelx86.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Apple Software Update\SoftwareUpdate.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Acer Empowering Technology Monitor] C:\Acer\Empowering Technology\SysMonitor.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM\..\Run: [PCMMediaSharing] C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Apanel] C:\ACERSW\config\SetApanel.cmd
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [NVRaidService] C:\Windows\system32\nvraidservice.exe
O4 - HKLM\..\Run: [btbb_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe"
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [boincmgr] "C:\Program Files\BOINC\boincmgr.exe" /a /s
O4 - HKLM\..\Run: [boinctray] "C:\Program Files\BOINC\boinctray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [EPSON Stylus SX200 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIEFE.EXE /FU "C:\Windows\TEMP\E_S1B5E.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [uusggeu] "c:\users\murray\appdata\local\uusggeu.exe" uusggeu
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Acer HomeMedia Connect Service - CyberLink - C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
O23 - Service: ePerformance Service (AcerMemUsageCheckService) - Unknown owner - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Google Update Service (gupdate1c9947169a3c264) (gupdate1c9947169a3c264) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 13792 bytes
Last edited by Orac on October 31st, 2009, 12:06 pm, edited 1 time in total.
Reason: disable live links
techno_turtle
Regular Member
Posts: 19
Joined: August 14th, 2009, 6:44 am
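Added example, not code from the thread's posters, from MalwareRemoval.com or from HijackThis: a small Python triage script for the O4 (autostart) lines in the HijackThis 2.0.2 log format above. The sample lines are constructed in the shape of that log, and the two heuristics it applies (executable in a user-writable profile or temp directory; executable given as a bare file name) are this example's own assumptions and produce leads for the analyst, not verdicts.

```python
"""Triage of HijackThis 2.0.x O4 (autostart) entries.

Added example; not code from MalwareRemoval.com, the thread's posters or
HijackThis. It parses O4 lines in the format of the log above and flags
entries whose executable (a) lives in a user-writable profile or temp
directory, which needs no admin rights to write to and is a common place
for persistence, or (b) is a bare file name resolved through the search
path. The heuristics are assumptions of this example: leads, not verdicts.
"""
import re

# Constructed sample lines, shaped like the O4 section of the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [EPSON Stylus SX200 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIEFE.EXE /FU "C:\Windows\TEMP\E_S1B5E.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [uusggeu] "c:\users\murray\appdata\local\uusggeu.exe" uusggeu
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
"""

# Registry autostarts: "O4 - HKLM\..\Run: [name] command"
O4_REG = re.compile(
    r"^O4 - (?P<hive>HK\w+(?:\\S-[\d-]+)?)\\\.\.\\(?P<key>\w+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# Startup-folder shortcuts: "O4 - Startup: name.lnk = target"
O4_FOLDER = re.compile(r"^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")

# First token that looks like a program: ends in a runnable extension and is
# followed by whitespace, a comma (rundll32 syntax) or end of line.
EXE_RE = re.compile(r"^(?P<p>.+?\.(?:exe|com|scr|cmd|bat|pif|dll))(?=[\s,]|$)", re.I)
# Directories a standard user can write to without elevation.
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|local settings|application data)\\", re.I)


def executable_of(cmd):
    """Return the executable part of an O4 command line, or None."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group("p") if m else None


def parse_o4(text):
    """Parse every O4 line into a dict: hive, key, name, cmd, exe, line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_REG.match(line) or O4_FOLDER.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry.setdefault("key", None)  # startup-folder entries have no key
        entry["exe"] = executable_of(entry["cmd"])
        entry["line"] = line
        entries.append(entry)
    return entries


def assess(entry):
    """Heuristic findings for one entry as (severity, reason) pairs."""
    exe = entry["exe"]
    if exe is None:
        return [("info", "no executable could be extracted; inspect by hand")]
    findings = []
    if USER_WRITABLE.search(exe):
        findings.append(("high", "runs from a user-writable profile/temp directory"))
    if "\\" not in exe and not exe.startswith("%"):
        findings.append(("low", "bare file name, resolved through the search path"))
    return findings


def triage(text):
    """Return (severity, name, exe, reason) tuples for entries worth a look."""
    hits = []
    for entry in parse_o4(text):
        for severity, reason in assess(entry):
            hits.append((severity, entry["name"], entry["exe"], reason))
    return hits


if __name__ == "__main__":
    for severity, name, exe, reason in triage(SAMPLE_LOG):
        print(f"[{severity:4}] [{name}] {exe}: {reason}")
```

Run over the sample, only the entry under AppData\Local is rated high; the bare-name entries (RtHDVCpl.exe, RUNDLL32.EXE) are low-severity leads that are normal for system binaries but worth a look.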

Re: HIJACKTHIS Log - New infection. Help appreciated

Post by Blade81 » August 18th, 2009, 12:24 pm

Hi techno_turtle,

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double-click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

Download GMER here by clicking the download exe button and then saving it to your desktop:
  • Double-click the .exe that you downloaded.
  • Click the Rootkit tab and then Scan.
  • Don't check the Show All box while scanning is in progress!
  • When scanning is ready, click Copy.
  • This copies the log to the clipboard.
  • Post the log in your reply.
Blade81
Admin/Teacher
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland

Re: HIJACKTHIS Log - New infection. Help appreciated

Post by techno_turtle » August 18th, 2009, 2:33 pm

Hi, DDS log attached. Thanks.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 24/12/2008 04:27:07
System Uptime: 18/08/2009 16:27:35 (3 hours ago)

Motherboard: ACER | | MCP73VE
Processor: Intel(R) Core(TM)2 Duo CPU E4700 @ 2.60GHz | SOCKET775 M/B | 2603/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 144 GiB total, 60.858 GiB free.
D: is FIXED (NTFS) - 145 GiB total, 144.628 GiB free.
E: is CDROM (CDFS)
F: is Removable
G: is Removable
H: is Removable
I: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0001
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TUNMP\0001
Service: tunmp

==== System Restore Points ===================


==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 1 (SP1)
ABBYY FineReader 6.0 Sprint
Acer Arcade Live Main Page
Acer DV Magician
Acer DVDivine
Acer eDataSecurity Management
Acer Empowering Technology
Acer ePerformance Management
Acer eSettings Management
Acer GameZone Console DTV 2.0.1.1
Acer HomeMedia
Acer HomeMedia Connect
Acer HomeMedia Trial Creator
Acer ScreenSaver
Acer SlideShow DVD
Acer VideoMagician
Activation Assistant for the 2007 Microsoft Office suites
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2
Agatha Christie Death on the Nile
Alice Greenfingers
Apple Mobile Device Support
Apple Software Update
ATI Catalyst Install Manager
Azada
Backspin Billiards
Bazooka Scanner
BBC iPlayer Download Manager
Big Kahuna Reef
BOINC
Bonjour
Bookworm Deluxe
Bricks of Egypt
BT Broadband Desktop Help
BT Wireless Connection Manager
BT Yahoo! Applications
CA Yahoo! Anti-Spy (remove only)
Cake Mania
Camera RAW Plug-In for EPSON Creativity Suite
Chicken Invaders 3
Chuzzle
Citrix Presentation Server Client - Web Only
DCC Repackaged CAG Components a
Diner Dash Flo on the Go
EPAFactory Endpoint Analysis Client 3.0
EPSON Attach To Email
EPSON Easy Photo Print
EPSON File Manager
EPSON Scan
EPSON Scan Assistant
EPSON Stylus SX200 Series Printer Uninstall
EPSON Stylus SX200_SX400_TX200_TX400 Manual
eSobi v2
Flip Words 2
Google Earth
Google Earth Plugin
Google Photos Screensaver
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iTunes
Java(TM) 6 Update 13
Jewel Quest Solitaire
Kick N Rush
LightScribe 1.4.142.1
Mahjong Escape Ancient China
Mahjongg Artifacts
McAfee SecurityCenter
Microsoft .NET Framework 3.5 SP1
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MobileMe Control Panel
Mozilla Firefox (3.0.1)
MSXML 4.0 SP2 (KB954430)
Mystery Case Files - Huntsville
Mystery Solitaire - Secret Island
NTI Backup NOW! 4.7
NTI CD & DVD-Maker
NVIDIA Drivers
Picasa 2
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Safari
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Skype™ 4.0
Spybot - Search & Destroy
Spyware Doctor 6.0
Turbo Pizza
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Yahoo! Software Update
Zuma Deluxe

==== End Of File ===========================
techno_turtle
Regular Member
Posts: 19
Joined: August 14th, 2009, 6:44 am

Re: HIJACKTHIS Log - New infection. Help appreciated

Post by techno_turtle » August 18th, 2009, 2:57 pm

DDS Notepad

DDS (Ver_09-07-30.01) - NTFSx86
Run by Murray at 19:30:00.87 on 18/08/2009
Internet Explorer: 8.0.6001.18813 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.1791.493 [GMT 1:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Lavasoft Ad-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Windows\system32\rundll32.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\nvraidservice.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinctray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\BOINC\boinc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\ProgramData\BOINC\projects\climateprediction.net\hadcm3trans_6.04_windows_intelx86.exe
C:\ProgramData\BOINC\projects\climateprediction.net\hadam3_6.01_windows_intelx86.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\ProgramData\BOINC\projects\climateprediction.net\hadam3_um_6.01_windows_intelx86.exe
C:\ProgramData\BOINC\projects\climateprediction.net\hadcm3trans_um_6.04_windows_intelx86.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Murray\Downloads\dds.com
C:\Windows\servicing\TrustedInstaller.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bbc.co.uk/
mStart Page = hxxp://en.uk.acer.yahoo.com
mDefault_Page_URL = hxxp://en.uk.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [EPSON Stylus SX200 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiefe.exe /fu "c:\windows\temp\E_S1B5E.tmp" /EF "HKCU"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Acer Empowering Technology Monitor] c:\acer\empowering technology\SysMonitor.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\x86\eDSloader.exe
mRun: [PCMMediaSharing] c:\program files\acer arcade live\acer homemedia connect\kernel\dms\PCMMediaSharing.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Apanel] c:\acersw\config\SetApanel.cmd
mRun: [WarReg_PopUp] c:\acer\wr_popup\WarReg_PopUp.exe
mRun: [eRecoveryService]
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [btbb_McciTrayApp] "c:\program files\bt broadband desktop help\btbb\BTHelpNotifier.exe"
mRun: [btbb_wcm_McciTrayApp] "c:\program files\bt broadband desktop help\btbb_wcm\McciTrayApp.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [boincmgr] "c:\program files\boinc\boincmgr.exe" /a /s
mRun: [boinctray] "c:\program files\boinc\boinctray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [SpybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
StartupFolder: c:\users\murray\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: gov.uk\cag1.devon
Trusted Zone: gov.uk\cag2.devon
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\murray\appdata\roaming\mozilla\firefox\profiles\t1pnb6sj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\google earth plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1508.6312\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\users\murray\appdata\roaming\mozilla\plugins\np65BF5EDF-441F-445F-A0C2-6A686BF56710.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-8 64160]
R0 nvrd32;NVIDIA nForce RAID Driver;c:\windows\system32\drivers\nvrd32.sys [2008-3-16 131616]
S3 NVHDA;Service for NVIDIA HDMI Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-3-16 30752]

=============== Created Last 30 ================

2009-08-13 22:10 <DIR> --d----- c:\program files\Trend Micro
2009-08-13 20:00 <DIR> --d----- c:\users\murray\appdata\roaming\Uniblue
2009-08-13 20:00 <DIR> --d----- c:\programdata\DriverScanner
2009-08-13 20:00 <DIR> --d----- c:\program files\Uniblue
2009-08-13 20:00 <DIR> --d----- c:\progra~2\DriverScanner
2009-08-12 12:19 160,256 a------- c:\windows\system32\wkssvc.dll
2009-08-12 12:19 71,680 a------- c:\windows\system32\atl.dll
2009-08-12 12:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-08-12 12:19 91,136 a------- c:\windows\system32\avifil32.dll
2009-08-12 12:19 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-08-12 12:19 7,680 a------- c:\windows\system32\spwmp.dll
2009-08-12 12:19 4,096 a------- c:\windows\system32\msdxm.ocx
2009-08-12 12:19 4,096 a------- c:\windows\system32\dxmasf.dll
2009-08-12 12:19 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-08-12 12:19 43,520 a------- c:\windows\system32\msdxm.tlb
2009-08-12 12:19 18,432 a------- c:\windows\system32\amcompat.tlb
2009-08-11 11:08 <DIR> --d----- c:\program files\Bazooka Scanner
2009-08-06 19:18 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-08-06 19:18 97,800 a------- c:\windows\system32\infocardapi.dll
2009-08-06 19:18 622,080 a------- c:\windows\system32\icardagt.exe
2009-08-06 19:18 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-08-06 19:18 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-08-06 19:18 11,264 a------- c:\windows\system32\icardres.dll
2009-08-06 19:18 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-08-06 19:18 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-08-06 19:14 96,760 a------- c:\windows\system32\dfshim.dll
2009-08-06 19:14 282,112 a------- c:\windows\system32\mscoree.dll
2009-08-06 19:13 41,984 a------- c:\windows\system32\netfxperf.dll
2009-08-06 19:13 158,720 a------- c:\windows\system32\mscorier.dll
2009-08-06 19:13 83,968 a------- c:\windows\system32\mscories.dll
2009-07-24 17:57 <DIR> --d----- c:\program files\alot
2009-07-22 19:56 <DIR> --d----- c:\programdata\UDL
2009-07-22 19:56 <DIR> --d----- c:\progra~2\UDL
2009-07-22 19:52 <DIR> --d----- c:\program files\ABBYY FineReader 6.0 Sprint
2009-07-21 20:00 192 a------- c:\windows\wininit.ini
2009-07-21 16:24 <DIR> --d----- c:\program files\Babylon

==================== Find3M ====================

2009-07-22 19:48 86,016 a------- c:\windows\inf\infstrng.dat
2009-07-22 19:48 86,016 a------- c:\windows\inf\infstor.dat
2009-07-22 19:48 51,200 a------- c:\windows\inf\infpub.dat
2009-07-21 22:52 915,456 a------- c:\windows\system32\wininet.dll
2009-07-21 22:47 109,056 a------- c:\windows\system32\iesysprep.dll
2009-07-21 22:47 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-21 21:13 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-06-15 16:24 156,672 a------- c:\windows\system32\t2embed.dll
2009-06-15 16:20 72,704 a------- c:\windows\system32\fontsub.dll
2009-06-15 16:20 10,240 a------- c:\windows\system32\dciman32.dll
2009-06-15 13:52 289,792 a------- c:\windows\system32\atmfd.dll
2009-06-08 09:14 15,688 a------- c:\windows\system32\lsdelete.exe
2009-01-02 20:07 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-21 03:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 19:31:40.11 ===============
Last edited by Orac on October 31st, 2009, 12:07 pm, edited 1 time in total.
Reason: disable live links
techno_turtle
Regular Member
 
Posts: 19
Joined: August 14th, 2009, 6:44 am

Re: HIJACKTHIS Log - New infection. Help appreciated

Unread postby Blade81 » August 18th, 2009, 3:25 pm

Please run GMER too.
Blade81
Admin/Teacher
 
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland

Re: HIJACKTHIS Log - New infection. Help appreciated

Unread postby techno_turtle » August 18th, 2009, 3:53 pm

The GMER log took a long time to run, and it has too many characters, so I am posting it in 2 messages:


GMER 1.0.15.15077 [cr8dk3p1.exe] - http://www.gmer.net
Rootkit scan 2009-08-18 20:52:11
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcess [0x8BC5D794]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcessEx [0x8BC5DF1E]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwTerminateProcess [0x8BC5CD0A]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwWriteVirtualMemory [0x8BC5C384]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateUserProcess [0x8BC5E6B6]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8C1844FC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8C18453A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8C18457D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8C184470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8C184484]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8C184510]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8C1844D4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8C184550]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8C184526]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 8227818C 5 Bytes JMP 8C18452A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text ntkrnlpa.exe!KeSetTimerEx + 43C 82309A00 8 Bytes [94, D7, C5, 8B, 1E, DF, C5, ...] {XCHG ESP, EAX; XLATB ; LDS ECX, DWORD [EBX-0x743a20e2]}
.text ntkrnlpa.exe!KeSetTimerEx + 854 82309E18 4 Bytes [0A, CD, C5, 8B]
.text ntkrnlpa.exe!KeSetTimerEx + 8B4 82309E78 4 Bytes [84, C3, C5, 8B]
.text ntkrnlpa.exe!KeSetTimerEx + 918 82309EDC 4 Bytes [B6, E6, C5, 8B]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\services.exe[696] kernel32.dll!GetStartupInfoW 75641929 5 Bytes JMP 00060093
.text C:\Windows\system32\services.exe[696] kernel32.dll!GetStartupInfoA 756419C9 5 Bytes JMP 00060F4D
.text C:\Windows\system32\services.exe[696] kernel32.dll!CreateProcessW 75641C01 5 Bytes JMP 000600C2
.text C:\Windows\system32\services.exe[696] kernel32.dll!CreateProcessA 75641C36 5 Bytes JMP 00060F21
.text C:\Windows\system32\services.exe[696] kernel32.dll!VirtualProtect 75641DD1 5 Bytes JMP 0006005D
.text C:\Windows\system32\services.exe[696] kernel32.dll!CreateNamedPipeW 75645C44 5 Bytes JMP 00060025
.text C:\Windows\system32\services.exe[696] kernel32.dll!LoadLibraryExW 756630C3 5 Bytes JMP 00060F79
.text C:\Windows\system32\services.exe[696] kernel32.dll!LoadLibraryW 7566361F 5 Bytes JMP 00060F94
.text C:\Windows\system32\services.exe[696] kernel32.dll!VirtualProtectEx 75668D7E 5 Bytes JMP 00060F68
.text C:\Windows\system32\services.exe[696] kernel32.dll!LoadLibraryExA 75669469 5 Bytes JMP 00060036
.text C:\Windows\system32\services.exe[696] kernel32.dll!LoadLibraryA 75669491 5 Bytes JMP 00060FB9
.text C:\Windows\system32\services.exe[696] kernel32.dll!CreatePipe 75670284 5 Bytes JMP 00060078
.text C:\Windows\system32\services.exe[696] kernel32.dll!GetProcAddress 7568B8B6 5 Bytes JMP 00060F06
.text C:\Windows\system32\services.exe[696] kernel32.dll!CreateFileW 7568CC4E 5 Bytes JMP 0006000A
.text C:\Windows\system32\services.exe[696] kernel32.dll!CreateFileA 7568CF71 5 Bytes JMP 00060FEF
.text C:\Windows\system32\services.exe[696] kernel32.dll!CreateNamedPipeA 756D430E 5 Bytes JMP 00060FD4
.text C:\Windows\system32\services.exe[696] kernel32.dll!WinExec 756D54FF 5 Bytes JMP 00060F3C
.text C:\Windows\system32\services.exe[696] ADVAPI32.dll!RegCreateKeyExA 76B3B5E7 5 Bytes JMP 00180040
.text C:\Windows\system32\services.exe[696] ADVAPI32.dll!RegCreateKeyA 76B3B8AE 5 Bytes JMP 00180FB9
.text C:\Windows\system32\services.exe[696] ADVAPI32.dll!RegOpenKeyA 76B40BF5 5 Bytes JMP 00180000
.text C:\Windows\system32\services.exe[696] ADVAPI32.dll!RegCreateKeyW 76B4B83D 5 Bytes JMP 00180F9E
.text C:\Windows\system32\services.exe[696] ADVAPI32.dll!RegCreateKeyExW 76B4BCE1 5 Bytes JMP 00180051
.text C:\Windows\system32\services.exe[696] ADVAPI32.dll!RegOpenKeyExA 76B4D4E8 5 Bytes JMP 00180025
.text C:\Windows\system32\services.exe[696] ADVAPI32.dll!RegOpenKeyW 76B53CB0 5 Bytes JMP 00180FE5
.text C:\Windows\system32\services.exe[696] ADVAPI32.dll!RegOpenKeyExW 76B5F09D 5 Bytes JMP 00180FCA
.text C:\Windows\system32\services.exe[696] msvcrt.dll!_wsystem 76C48A47 5 Bytes JMP 00190064
.text C:\Windows\system32\services.exe[696] msvcrt.dll!system 76C48B63 5 Bytes JMP 00190053
.text C:\Windows\system32\services.exe[696] msvcrt.dll!_creat 76C4C6F1 5 Bytes JMP 00190FE3
.text C:\Windows\system32\services.exe[696] msvcrt.dll!_open 76C4DA7E 5 Bytes JMP 00190000
.text C:\Windows\system32\services.exe[696] msvcrt.dll!_wcreat 76C4DC9E 5 Bytes JMP 00190042
.text C:\Windows\system32\services.exe[696] msvcrt.dll!_wopen 76C4DE79 5 Bytes JMP 00190011
.text C:\Windows\system32\services.exe[696] WS2_32.dll!socket 76CA36D1 5 Bytes JMP 001B0FE5
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!GetStartupInfoW 75641929 5 Bytes JMP 001E0F30
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!GetStartupInfoA 756419C9 5 Bytes JMP 001E0F55
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!CreateProcessW 75641C01 5 Bytes JMP 001E00AC
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!CreateProcessA 75641C36 5 Bytes JMP 001E0091
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!VirtualProtect 75641DD1 5 Bytes JMP 001E0054
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!CreateNamedPipeW 75645C44 5 Bytes JMP 001E0FBC
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!LoadLibraryExW 756630C3 5 Bytes JMP 001E0F86
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!LoadLibraryW 7566361F 5 Bytes JMP 001E0028
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!VirtualProtectEx 75668D7E 5 Bytes JMP 001E0065
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!LoadLibraryExA 75669469 5 Bytes JMP 001E0043
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!LoadLibraryA 75669491 5 Bytes JMP 001E0FA1
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!CreatePipe 75670284 5 Bytes JMP 001E0080
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!GetProcAddress 7568B8B6 5 Bytes JMP 001E00BD
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!CreateFileW 7568CC4E 5 Bytes JMP 001E0FDE
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!CreateFileA 7568CF71 5 Bytes JMP 001E0FEF
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!CreateNamedPipeA 756D430E 5 Bytes JMP 001E0FCD
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!WinExec 756D54FF 5 Bytes JMP 001E0F1F
.text C:\Windows\system32\lsass.exe[708] ADVAPI32.dll!RegCreateKeyExA 76B3B5E7 5 Bytes JMP 001F0FAF
.text C:\Windows\system32\lsass.exe[708] ADVAPI32.dll!RegCreateKeyA 76B3B8AE 5 Bytes JMP 001F0FCA
.text C:\Windows\system32\lsass.exe[708] ADVAPI32.dll!RegOpenKeyA 76B40BF5 5 Bytes JMP 001F0000
.text C:\Windows\system32\lsass.exe[708] ADVAPI32.dll!RegCreateKeyW 76B4B83D 5 Bytes JMP 001F0051
.text C:\Windows\system32\lsass.exe[708] ADVAPI32.dll!RegCreateKeyExW 76B4BCE1 5 Bytes JMP 001F006C
.text C:\Windows\system32\lsass.exe[708] ADVAPI32.dll!RegOpenKeyExA 76B4D4E8 5 Bytes JMP 001F001B
.text C:\Windows\system32\lsass.exe[708] ADVAPI32.dll!RegOpenKeyW 76B53CB0 5 Bytes JMP 001F0FEF
.text C:\Windows\system32\lsass.exe[708] ADVAPI32.dll!RegOpenKeyExW 76B5F09D 5 Bytes JMP 001F0036
.text C:\Windows\system32\lsass.exe[708] msvcrt.dll!_wsystem 76C48A47 5 Bytes JMP 00200042
.text C:\Windows\system32\lsass.exe[708] msvcrt.dll!system 76C48B63 5 Bytes JMP 00200FB7
.text C:\Windows\system32\lsass.exe[708] msvcrt.dll!_creat 76C4C6F1 5 Bytes JMP 00200027
.text C:\Windows\system32\lsass.exe[708] msvcrt.dll!_open 76C4DA7E 5 Bytes JMP 00200FEF
.text C:\Windows\system32\lsass.exe[708] msvcrt.dll!_wcreat 76C4DC9E 5 Bytes JMP 00200FC8
.text C:\Windows\system32\lsass.exe[708] msvcrt.dll!_wopen 76C4DE79 5 Bytes JMP 0020000C
.text C:\Windows\system32\lsass.exe[708] WS2_32.dll!socket 76CA36D1 5 Bytes JMP 00700FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[760] kernel32.dll!LoadLibraryW 7566361F 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[760] kernel32.dll!LoadLibraryA 75669491 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!GetStartupInfoW 75641929 5 Bytes JMP 001500D0
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!GetStartupInfoA 756419C9 5 Bytes JMP 00150F80
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreateProcessW 75641C01 5 Bytes JMP 00150F4A
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreateProcessA 75641C36 5 Bytes JMP 001500EB
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!VirtualProtect 75641DD1 5 Bytes JMP 0015009A
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreateNamedPipeW 75645C44 5 Bytes JMP 00150047
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!LoadLibraryExW 756630C3 5 Bytes JMP 0015007D
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!LoadLibraryW 7566361F 5 Bytes JMP 00150FCA
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!VirtualProtectEx 75668D7E 5 Bytes JMP 001500B5
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!LoadLibraryExA 75669469 5 Bytes JMP 0015006C
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!LoadLibraryA 75669491 5 Bytes JMP 00150FE5
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreatePipe 75670284 5 Bytes JMP 00150FA5
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!GetProcAddress 7568B8B6 5 Bytes JMP 00150F2F
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreateFileW 7568CC4E 5 Bytes JMP 0015001B
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreateFileA 7568CF71 5 Bytes JMP 0015000A
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreateNamedPipeA 756D430E 5 Bytes JMP 00150036
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!WinExec 756D54FF 5 Bytes JMP 00150F6F
.text C:\Windows\system32\svchost.exe[904] msvcrt.dll!_wsystem 76C48A47 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[904] msvcrt.dll!_wsystem 76C48A47 5 Bytes JMP 0018004B
.text C:\Windows\system32\svchost.exe[904] msvcrt.dll!system 76C48B63 5 Bytes JMP 0018003A
.text C:\Windows\system32\svchost.exe[904] msvcrt.dll!_creat 76C4C6F1 5 Bytes JMP 00180FDE
.text C:\Windows\system32\svchost.exe[904] msvcrt.dll!_open 76C4DA7E 5 Bytes JMP 00180FEF
.text C:\Windows\system32\svchost.exe[904] msvcrt.dll!_wcreat 76C4DC9E 5 Bytes JMP 00180029
.text C:\Windows\system32\svchost.exe[904] msvcrt.dll!_wopen 76C4DE79 5 Bytes JMP 0018000C
.text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyExA 76B3B5E7 5 Bytes JMP 00160062
.text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyA 76B3B8AE 5 Bytes JMP 0016003D
.text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyA 76B40BF5 5 Bytes JMP 00160000
.text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyW 76B4B83D 5 Bytes JMP 00160FC0
.text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyExW 76B4BCE1 5 Bytes JMP 00160073
.text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyExA 76B4D4E8 5 Bytes JMP 0016001B
.text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyW 76B53CB0 5 Bytes JMP 00160FDB
.text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyExW 76B5F09D 5 Bytes JMP 0016002C
.text C:\Windows\system32\svchost.exe[904] WS2_32.dll!socket 76CA36D1 5 Bytes JMP 003C000A
.text C:\Windows\system32\svchost.exe[976] kernel32.dll!GetStartupInfoW 75641929 5 Bytes JMP 002C0F98
.text C:\Windows\system32\svchost.exe[976] kernel32.dll!GetStartupInfoA 756419C9 5 Bytes JMP 002C00DE
.text C:\Windows\system32\svchost.exe[976] kernel32.dll!CreateProcessW 75641C01 5 Bytes JMP 002C010A
.text C:\Windows\system32\svchost.exe[976] kernel32.dll!CreateProcessA 75641C36 5 Bytes JMP 002C00F9
.text C:\Windows\system32\svchost.exe[976] kernel32.dll!VirtualProtect 75641DD1 5 Bytes JMP 002C00B2
.text C:\Windows\system32\svchost.exe[976] kernel32.dll!CreateNamedPipeW 75645C44 5 Bytes JMP 002C0033
.text C:\Windows\system32\svchost.exe[976] kernel32.dll!LoadLibraryExW 756630C3 5 Bytes JMP 002C00A1
.text C:\Windows\system32\svchost.exe[976] kernel32.dll!LoadLibraryW 7566361F 5 Bytes JMP 002C0073
.text C:\Windows\system32\svchost.exe[976] kernel32.dll!VirtualProtectEx 75668D7E 5 Bytes JMP 002C00CD
.text C:\Windows\system32\svchost.exe[976] kernel32.dll!LoadLibraryExA 75669469 5 Bytes JMP 002C0084
.text C:\Windows\system32\svchost.exe[976] kernel32.dll!LoadLibraryA 75669491 5 Bytes JMP 002C0058
.text C:\Windows\system32\svchost.exe[976] kernel32.dll!CreatePipe 75670284 5 Bytes JMP 002C0FBD
.text C:\Windows\system32\svchost.exe[976] kernel32.dll!GetProcAddress 7568B8B6 5 Bytes JMP 002C0125
.text C:\Windows\system32\svchost.exe[976] kernel32.dll!CreateFileW 7568CC4E 5 Bytes JMP 002C0011
.text C:\Windows\system32\svchost.exe[976] kernel32.dll!CreateFileA 7568CF71 5 Bytes JMP 002C0000
.text C:\Windows\system32\svchost.exe[976] kernel32.dll!CreateNamedPipeA 756D430E 5 Bytes JMP 002C0022
.text C:\Windows\system32\svchost.exe[976] kernel32.dll!WinExec 756D54FF 5 Bytes JMP 002C0F87
.text C:\Windows\system32\svchost.exe[976] msvcrt.dll!_wsystem 76C48A47 5 Bytes JMP 002E0FB2
.text C:\Windows\system32\svchost.exe[976] msvcrt.dll!system 76C48B63 5 Bytes JMP 002E0FCD
.text C:\Windows\system32\svchost.exe[976] msvcrt.dll!_creat 76C4C6F1 5 Bytes JMP 002E0FEF
.text C:\Windows\system32\svchost.exe[976] msvcrt.dll!_open 76C4DA7E 5 Bytes JMP 002E0000
.text C:\Windows\system32\svchost.exe[976] msvcrt.dll!_wcreat 76C4DC9E 5 Bytes JMP 002E0FDE
.text C:\Windows\system32\svchost.exe[976] msvcrt.dll!_wopen 76C4DE79 5 Bytes JMP 002E001D
.text C:\Windows\system32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyExA 76B3B5E7 5 Bytes JMP 002D0F97
.text C:\Windows\system32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyA 76B3B8AE 5 Bytes JMP 002D0039
.text C:\Windows\system32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyA 76B40BF5 5 Bytes JMP 002D0FEF
.text C:\Windows\system32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyW 76B4B83D 5 Bytes JMP 002D0FA8
.text C:\Windows\system32\svchost.exe[976] ADVAPI32.dll!RegCreateKeyExW 76B4BCE1 5 Bytes JMP 002D0054
.text C:\Windows\system32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyExA 76B4D4E8 5 Bytes JMP 002D0FC3
.text C:\Windows\system32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyW 76B53CB0 5 Bytes JMP 002D0FD4
.text C:\Windows\system32\svchost.exe[976] ADVAPI32.dll!RegOpenKeyExW 76B5F09D 5 Bytes JMP 002D001E
.text C:\Windows\system32\svchost.exe[976] WS2_32.dll!socket 76CA36D1 5 Bytes JMP 00580FEF
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!GetStartupInfoW 75641929 5 Bytes JMP 00760098
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!GetStartupInfoA 756419C9 5 Bytes JMP 00760F5C
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreateProcessW 75641C01 5 Bytes JMP 007600D5
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreateProcessA 75641C36 5 Bytes JMP 007600C4
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!VirtualProtect 75641DD1 5 Bytes JMP 00760F6D
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreateNamedPipeW 75645C44 5 Bytes JMP 00760025
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!LoadLibraryExW 756630C3 5 Bytes JMP 00760F94
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!LoadLibraryW 7566361F 5 Bytes JMP 00760040
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!VirtualProtectEx 75668D7E 5 Bytes JMP 00760062
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!LoadLibraryExA 75669469 5 Bytes JMP 00760051
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!LoadLibraryA 75669491 5 Bytes JMP 00760FB9
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreatePipe 75670284 5 Bytes JMP 00760087
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!GetProcAddress 7568B8B6 5 Bytes JMP 00760F23
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreateFileW 7568CC4E 5 Bytes JMP 00760FE5
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreateFileA 7568CF71 5 Bytes JMP 0076000A
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreateNamedPipeA 756D430E 5 Bytes JMP 00760FD4
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!WinExec 756D54FF 5 Bytes JMP 007600B3
.text C:\Windows\System32\svchost.exe[1056] msvcrt.dll!_wsystem 76C48A47 5 Bytes JMP 009B0FA3
.text C:\Windows\System32\svchost.exe[1056] msvcrt.dll!system 76C48B63 5 Bytes JMP 009B0038
.text C:\Windows\System32\svchost.exe[1056] msvcrt.dll!_creat 76C4C6F1 5 Bytes JMP 009B000C
.text C:\Windows\System32\svchost.exe[1056] msvcrt.dll!_open 76C4DA7E 5 Bytes JMP 009B0FE3
.text C:\Windows\System32\svchost.exe[1056] msvcrt.dll!_wcreat 76C4DC9E 5 Bytes JMP 009B001D
.text C:\Windows\System32\svchost.exe[1056] msvcrt.dll!_wopen 76C4DE79 5 Bytes JMP 009B0FD2
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyExA 76B3B5E7 5 Bytes JMP 009A0F72
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyA 76B3B8AE 5 Bytes JMP 009A0F9E
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyA 76B40BF5 5 Bytes JMP 009A0FEF
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyW 76B4B83D 5 Bytes JMP 009A0F8D
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyExW 76B4BCE1 5 Bytes JMP 009A002F
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyExA 76B4D4E8 5 Bytes JMP 009A0FD4
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyW 76B53CB0 5 Bytes JMP 009A000A
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyExW 76B5F09D 5 Bytes JMP 009A0FB9
.text C:\Windows\System32\svchost.exe[1056] WS2_32.dll!socket 76CA36D1 5 Bytes JMP 009C0FE5
.text C:\Windows\System32\svchost.exe[1104] kernel32.dll!GetStartupInfoW 75641929 5 Bytes JMP 0078006E
.text C:\Windows\System32\svchost.exe[1104] kernel32.dll!GetStartupInfoA 756419C9 5 Bytes JMP 00780053
.text C:\Windows\System32\svchost.exe[1104] kernel32.dll!CreateProcessW 75641C01 5 Bytes JMP 00780EFC
.text C:\Windows\System32\svchost.exe[1104] kernel32.dll!CreateProcessA 75641C36 5 Bytes JMP 00780F0D
.text C:\Windows\System32\svchost.exe[1104] kernel32.dll!VirtualProtect 75641DD1 5 Bytes JMP 00780F4D
.text C:\Windows\System32\svchost.exe[1104] kernel32.dll!CreateNamedPipeW 75645C44 5 Bytes JMP 00780FB9
.text C:\Windows\System32\svchost.exe[1104] kernel32.dll!LoadLibraryExW 756630C3 5 Bytes JMP 00780F68
.text C:\Windows\System32\svchost.exe[1104] kernel32.dll!LoadLibraryW 7566361F 5 Bytes JMP 00780F94
.text C:\Windows\System32\svchost.exe[1104] kernel32.dll!VirtualProtectEx 75668D7E 5 Bytes JMP 00780042
.text C:\Windows\System32\svchost.exe[1104] kernel32.dll!LoadLibraryExA 75669469 5 Bytes JMP 00780F79
.text C:\Windows\System32\svchost.exe[1104] kernel32.dll!LoadLibraryA 75669491 5 Bytes JMP 00780025
.text C:\Windows\System32\svchost.exe[1104] kernel32.dll!CreatePipe 75670284 5 Bytes JMP 00780F32
.text C:\Windows\System32\svchost.exe[1104] kernel32.dll!GetProcAddress 7568B8B6 5 Bytes JMP 00780EE1
.text C:\Windows\System32\svchost.exe[1104] kernel32.dll!CreateFileW 7568CC4E 5 Bytes JMP 00780FDE
.text C:\Windows\System32\svchost.exe[1104] kernel32.dll!CreateFileA 7568CF71 5 Bytes JMP 00780FEF
.text C:\Windows\System32\svchost.exe[1104] kernel32.dll!CreateNamedPipeA 756D430E 5 Bytes JMP 00780014
.text C:\Windows\System32\svchost.exe[1104] kernel32.dll!WinExec 756D54FF 5 Bytes JMP 0078007F
.text C:\Windows\System32\svchost.exe[1104] msvcrt.dll!_wsystem 76C48A47 5 Bytes JMP 007A0064
.text C:\Windows\System32\svchost.exe[1104] msvcrt.dll!system 76C48B63 5 Bytes JMP 007A0053
.text C:\Windows\System32\svchost.exe[1104] msvcrt.dll!_creat 76C4C6F1 5 Bytes JMP 007A0038
.text C:\Windows\System32\svchost.exe[1104] msvcrt.dll!_open 76C4DA7E 5 Bytes JMP 007A0000
.text C:\Windows\System32\svchost.exe[1104] msvcrt.dll!_wcreat 76C4DC9E 5 Bytes JMP 007A0FE3
.text C:\Windows\System32\svchost.exe[1104] msvcrt.dll!_wopen 76C4DE79 5 Bytes JMP 007A001D
.text C:\Windows\System32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyExA 76B3B5E7 5 Bytes JMP 00790F72
.text C:\Windows\System32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyA 76B3B8AE 5 Bytes JMP 00790F9E
.text C:\Windows\System32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyA 76B40BF5 5 Bytes JMP 00790FEF
.text C:\Windows\System32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyW 76B4B83D 5 Bytes JMP 00790F8D
.text C:\Windows\System32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyExW 76B4BCE1 5 Bytes JMP 00790025
.text C:\Windows\System32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyExA 76B4D4E8 5 Bytes JMP 00790FCA
.text C:\Windows\System32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyW 76B53CB0 5 Bytes JMP 00790000
.text C:\Windows\System32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyExW 76B5F09D 5 Bytes JMP 00790FB9
.text C:\Windows\System32\svchost.exe[1104] WS2_32.dll!socket 76CA36D1 5 Bytes JMP 007B0000
.text C:\Windows\system32\svchost.exe[1116] kernel32.dll!GetStartupInfoW 75641929 5 Bytes JMP 013100C4
.text C:\Windows\system32\svchost.exe[1116] kernel32.dll!GetStartupInfoA 756419C9 5 Bytes JMP 013100B3
.text C:\Windows\system32\svchost.exe[1116] kernel32.dll!CreateProcessW 75641C01 5 Bytes JMP 01310F37
.text C:\Windows\system32\svchost.exe[1116] kernel32.dll!CreateProcessA 75641C36 5 Bytes JMP 01310F52
.text C:\Windows\system32\svchost.exe[1116] kernel32.dll!VirtualProtect 75641DD1 5 Bytes JMP 01310091
.text C:\Windows\system32\svchost.exe[1116] kernel32.dll!CreateNamedPipeW 75645C44 5 Bytes JMP 01310FD4
.text C:\Windows\system32\svchost.exe[1116] kernel32.dll!LoadLibraryExW 756630C3 5 Bytes JMP 01310076
.text C:\Windows\system32\svchost.exe[1116] kernel32.dll!LoadLibraryW 7566361F 5 Bytes JMP 01310FC3
.text C:\Windows\system32\svchost.exe[1116] kernel32.dll!VirtualProtectEx 75668D7E 5 Bytes JMP 013100A2
.text C:\Windows\system32\svchost.exe[1116] kernel32.dll!LoadLibraryExA 75669469 5 Bytes JMP 01310065
.text C:\Windows\system32\svchost.exe[1116] kernel32.dll!LoadLibraryA 75669491 5 Bytes JMP 01310040
.text C:\Windows\system32\svchost.exe[1116] kernel32.dll!CreatePipe 75670284 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[1116] kernel32.dll!CreatePipe 75670284 5 Bytes JMP 01310F88
.text C:\Windows\system32\svchost.exe[1116] kernel32.dll!GetProcAddress 7568B8B6 5 Bytes JMP 013100E9
.text C:\Windows\system32\svchost.exe[1116] kernel32.dll!CreateFileW 7568CC4E 5 Bytes JMP 01310FEF
.text C:\Windows\system32\svchost.exe[1116] kernel32.dll!CreateFileA 7568CF71 5 Bytes JMP 01310000
.text C:\Windows\system32\svchost.exe[1116] kernel32.dll!CreateNamedPipeA 756D430E 5 Bytes JMP 01310025
.text C:\Windows\system32\svchost.exe[1116] kernel32.dll!WinExec 756D54FF 5 Bytes JMP 01310F63
.text C:\Windows\system32\svchost.exe[1116] msvcrt.dll!_wsystem 76C48A47 5 Bytes JMP 014B004E
.text C:\Windows\system32\svchost.exe[1116] msvcrt.dll!system 76C48B63 5 Bytes JMP 014B0033
.text C:\Windows\system32\svchost.exe[1116] msvcrt.dll!_creat 76C4C6F1 5 Bytes JMP 014B0FDE
.text C:\Windows\system32\svchost.exe[1116] msvcrt.dll!_open 76C4DA7E 5 Bytes JMP 014B0FEF
.text C:\Windows\system32\svchost.exe[1116] msvcrt.dll!_wcreat 76C4DC9E 5 Bytes JMP 014B0FC3
.text C:\Windows\system32\svchost.exe[1116] msvcrt.dll!_wopen 76C4DE79 5 Bytes JMP 014B0018
.text C:\Windows\system32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyExA 76B3B5E7 5 Bytes JMP 014A0FB9
.text C:\Windows\system32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyA 76B3B8AE 5 Bytes JMP 014A0FCA
.text C:\Windows\system32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyA 76B40BF5 5 Bytes JMP 014A000A
.text C:\Windows\system32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyW 76B4B83D 5 Bytes JMP 014A0051
.text C:\Windows\system32\svchost.exe[1116] ADVAPI32.dll!RegCreateKeyExW 76B4BCE1 5 Bytes JMP 014A0076
.text C:\Windows\system32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyExA 76B4D4E8 5 Bytes JMP 014A0FEF
.text C:\Windows\system32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyW 76B53CB0 5 Bytes JMP 014A0025
.text C:\Windows\system32\svchost.exe[1116] ADVAPI32.dll!RegOpenKeyExW 76B5F09D 5 Bytes JMP 014A0040
.text C:\Windows\system32\svchost.exe[1116] WS2_32.dll!socket 76CA36D1 5 Bytes JMP 01910000
.text C:\Windows\system32\svchost.exe[1264] kernel32.dll!GetStartupInfoW 75641929 5 Bytes JMP 00210F4B
.text C:\Windows\system32\svchost.exe[1264] kernel32.dll!GetStartupInfoA 756419C9 5 Bytes JMP 00210F5C
.text C:\Windows\system32\svchost.exe[1264] kernel32.dll!CreateProcessW 75641C01 5 Bytes JMP 00210F04
.text C:\Windows\system32\svchost.exe[1264] kernel32.dll!CreateProcessA 75641C36 5 Bytes JMP 00210F15
.text C:\Windows\system32\svchost.exe[1264] kernel32.dll!VirtualProtect 75641DD1 5 Bytes JMP 00210076
.text C:\Windows\system32\svchost.exe[1264] kernel32.dll!CreateNamedPipeW 75645C44 5 Bytes JMP 00210FC3
.text C:\Windows\system32\svchost.exe[1264] kernel32.dll!LoadLibraryExW 756630C3 5 Bytes JMP 0021005B
.text C:\Windows\system32\svchost.exe[1264] kernel32.dll!LoadLibraryW 7566361F 5 Bytes JMP 0021004A
.text C:\Windows\system32\svchost.exe[1264] kernel32.dll!VirtualProtectEx 75668D7E 5 Bytes JMP 00210087
.text C:\Windows\system32\svchost.exe[1264] kernel32.dll!LoadLibraryExA 75669469 5 Bytes JMP 00210F9E
.text C:\Windows\system32\svchost.exe[1264] kernel32.dll!LoadLibraryA 75669491 5 Bytes JMP 00210039
.text C:\Windows\system32\svchost.exe[1264] kernel32.dll!CreatePipe 75670284 5 Bytes JMP 00210F77
.text C:\Windows\system32\svchost.exe[1264] kernel32.dll!GetProcAddress 7568B8B6 5 Bytes JMP 002100B6
.text C:\Windows\system32\svchost.exe[1264] kernel32.dll!CreateFileW 7568CC4E 5 Bytes JMP 0021000A
.text C:\Windows\system32\svchost.exe[1264] kernel32.dll!CreateFileA 7568CF71 5 Bytes JMP 00210FEF
.text C:\Windows\system32\svchost.exe[1264] kernel32.dll!CreateNamedPipeA 756D430E 5 Bytes JMP 00210FDE
.text C:\Windows\system32\svchost.exe[1264] kernel32.dll!WinExec 756D54FF 5 Bytes JMP 00210F26
.text C:\Windows\system32\svchost.exe[1264] msvcrt.dll!_wsystem 76C48A47 5 Bytes JMP 0023006E
.text C:\Windows\system32\svchost.exe[1264] msvcrt.dll!system 76C48B63 5 Bytes JMP 0023005D
.text C:\Windows\system32\svchost.exe[1264] msvcrt.dll!_creat 76C4C6F1 5 Bytes JMP 00230FE3
.text C:\Windows\system32\svchost.exe[1264] msvcrt.dll!_open 76C4DA7E 5 Bytes JMP 00230000
.text C:\Windows\system32\svchost.exe[1264] msvcrt.dll!_wcreat 76C4DC9E 5 Bytes JMP 00230042
.text C:\Windows\system32\svchost.exe[1264] msvcrt.dll!_wopen 76C4DE79 5 Bytes JMP 0023001D
.text C:\Windows\system32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyExA 76B3B5E7 5 Bytes JMP 0022004A
.text C:\Windows\system32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyA 76B3B8AE 5 Bytes JMP 00220FB9
.text C:\Windows\system32\svchost.exe[1264] ADVAPI32.dll!RegOpenKeyA 76B40BF5 5 Bytes JMP 0022000A
.text C:\Windows\system32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyW 76B4B83D 5 Bytes JMP 00220FA8
.text C:\Windows\system32\svchost.exe[1264] ADVAPI32.dll!RegCreateKeyExW 76B4BCE1 5 Bytes JMP 00220F8D
.text C:\Windows\system32\svchost.exe[1264] ADVAPI32.dll!RegOpenKeyExA 76B4D4E8 5 Bytes JMP 0022001B
.text C:\Windows\system32\svchost.exe[1264] ADVAPI32.dll!RegOpenKeyW 76B53CB0 5 Bytes JMP 00220FEF
.text C:\Windows\system32\svchost.exe[1264] ADVAPI32.dll!RegOpenKeyExW 76B5F09D 5 Bytes JMP 00220FCA
.text C:\Windows\system32\svchost.exe[1264] WS2_32.dll!socket 76CA36D1 5 Bytes JMP 00250FEF
.text C:\Windows\system32\svchost.exe[1340] kernel32.dll!GetStartupInfoW 75641929 5 Bytes JMP 000800BA
.text C:\Windows\system32\svchost.exe[1340] kernel32.dll!GetStartupInfoA 756419C9 5 Bytes JMP 00080F74
.text C:\Windows\system32\svchost.exe[1340] kernel32.dll!CreateProcessW 75641C01 5 Bytes JMP 00080101
.text C:\Windows\system32\svchost.exe[1340] kernel32.dll!CreateProcessA 75641C36 5 Bytes JMP 000800F0
.text C:\Windows\system32\svchost.exe[1340] kernel32.dll!VirtualProtect 75641DD1 5 Bytes JMP 0008007A
.text C:\Windows\system32\svchost.exe[1340] kernel32.dll!CreateNamedPipeW 75645C44 5 Bytes JMP 0008003D
.text C:\Windows\system32\svchost.exe[1340] kernel32.dll!LoadLibraryExW 756630C3 5 Bytes JMP 00080F96
.text C:\Windows\system32\svchost.exe[1340] kernel32.dll!LoadLibraryW 7566361F 5 Bytes JMP 0008005F
.text C:\Windows\system32\svchost.exe[1340] kernel32.dll!VirtualProtectEx 75668D7E 5 Bytes JMP 0008008B
.text C:\Windows\system32\svchost.exe[1340] kernel32.dll!LoadLibraryExA 75669469 5 Bytes JMP 00080FBD
.text C:\Windows\system32\svchost.exe[1340] kernel32.dll!LoadLibraryA 75669491 5 Bytes JMP 0008004E
.text C:\Windows\system32\svchost.exe[1340] kernel32.dll!CreatePipe 75670284 5 Bytes JMP 00080F85
.text C:\Windows\system32\svchost.exe[1340] kernel32.dll!GetProcAddress 7568B8B6 5 Bytes JMP 00080112
.text C:\Windows\system32\svchost.exe[1340] kernel32.dll!CreateFileW 7568CC4E 5 Bytes JMP 00080011
.text C:\Windows\system32\svchost.exe[1340] kernel32.dll!CreateFileA 7568CF71 5 Bytes JMP 00080000
.text C:\Windows\system32\svchost.exe[1340] kernel32.dll!CreateNamedPipeA 756D430E 5 Bytes JMP 0008002C
.text C:\Windows\system32\svchost.exe[1340] kernel32.dll!WinExec 756D54FF 5 Bytes JMP 000800D5
.text C:\Windows\system32\svchost.exe[1340] msvcrt.dll!_wsystem 76C48A47 5 Bytes JMP 00DE0FC3
.text C:\Windows\system32\svchost.exe[1340] msvcrt.dll!system 76C48B63 5 Bytes JMP 00DE004E
.text C:\Windows\system32\svchost.exe[1340] msvcrt.dll!_creat 76C4C6F1 5 Bytes JMP 00DE0033
.text C:\Windows\system32\svchost.exe[1340] msvcrt.dll!_open 76C4DA7E 5 Bytes JMP 00DE0FEF
.text C:\Windows\system32\svchost.exe[1340] msvcrt.dll!_wcreat 76C4DC9E 5 Bytes JMP 00DE0FDE
.text C:\Windows\system32\svchost.exe[1340] msvcrt.dll!_wopen 76C4DE79 5 Bytes JMP 00DE0018
.text C:\Windows\system32\svchost.exe[1340] ADVAPI32.dll!RegCreateKeyExA 76B3B5E7 5 Bytes JMP 00DD0F7C
.text C:\Windows\system32\svchost.exe[1340] ADVAPI32.dll!RegCreateKeyA 76B3B8AE 5 Bytes JMP 00DD0FA8
.text C:\Windows\system32\svchost.exe[1340] ADVAPI32.dll!RegOpenKeyA 76B40BF5 5 Bytes JMP 00DD000A
.text C:\Windows\system32\svchost.exe[1340] ADVAPI32.dll!RegCreateKeyW 76B4B83D 5 Bytes JMP 00DD0F97
.text C:\Windows\system32\svchost.exe[1340] ADVAPI32.dll!RegCreateKeyExW 76B4BCE1 5 Bytes JMP 00DD0043
.text C:\Windows\system32\svchost.exe[1340] ADVAPI32.dll!RegOpenKeyExA 76B4D4E8 5 Bytes JMP 00DD0FCA
.text C:\Windows\system32\svchost.exe[1340] ADVAPI32.dll!RegOpenKeyW 76B53CB0 5 Bytes JMP 00DD0FEF
.text C:\Windows\system32\svchost.exe[1340] ADVAPI32.dll!RegOpenKeyExW 76B5F09D 5 Bytes JMP 00DD0FB9
.text C:\Windows\system32\svchost.exe[1340] WS2_32.dll!socket 76CA36D1 5 Bytes JMP 00DF0000
.text C:\Windows\system32\svchost.exe[1340] WinInet.dll!InternetOpenA 7675D688 5 Bytes JMP 009E0FE5
.text C:\Windows\system32\svchost.exe[1340] WinInet.dll!InternetOpenW 7675DB01 5 Bytes JMP 009E0FCA
.text C:\Windows\system32\svchost.exe[1340] WinInet.dll!InternetOpenUrlA 7675F39C 5 Bytes JMP 009E000A
.text C:\Windows\system32\svchost.exe[1340] WinInet.dll!InternetOpenUrlW 767A6F37 5 Bytes JMP 009E0FB9
.text C:\Program Files\Mozilla Firefox\firefox.exe[1396] WS2_32.dll!closesocket 76CA330C 5 Bytes JMP 01DA2C96
.text C:\Program Files\Mozilla Firefox\firefox.exe[1396] WS2_32.dll!send 76CA659B 5 Bytes JMP 01DA212F
.text C:\Program Files\Mozilla Firefox\firefox.exe[1396] WS2_32.dll!WSARecv 76CA8400 5 Bytes JMP 01DA2812
.text C:\Windows\System32\svchost.exe[1476] kernel32.dll!GetStartupInfoW 75641929 5 Bytes JMP 00010F63
.text C:\Windows\System32\svchost.exe[1476] kernel32.dll!GetStartupInfoA 756419C9 5 Bytes JMP 00010F7E
.text C:\Windows\System32\svchost.exe[1476] kernel32.dll!CreateProcessW 75641C01 5 Bytes JMP 00010F1C
.text C:\Windows\System32\svchost.exe[1476] kernel32.dll!CreateProcessA 75641C36 5 Bytes JMP 00010F37
.text C:\Windows\System32\svchost.exe[1476] kernel32.dll!VirtualProtect 75641DD1 5 Bytes JMP 00010098
.text C:\Windows\System32\svchost.exe[1476] kernel32.dll!CreateNamedPipeW 75645C44 5 Bytes JMP 00010FE5
.text C:\Windows\System32\svchost.exe[1476] kernel32.dll!LoadLibraryExW 756630C3 5 Bytes JMP 00010FCA
.text C:\Windows\System32\svchost.exe[1476] kernel32.dll!LoadLibraryW 7566361F 5 Bytes JMP 00010062
.text C:\Windows\System32\svchost.exe[1476] kernel32.dll!VirtualProtectEx 75668D7E 5 Bytes JMP 00010FA3
.text C:\Windows\System32\svchost.exe[1476] kernel32.dll!LoadLibraryExA 75669469 5 Bytes JMP 0001007D
.text C:\Windows\System32\svchost.exe[1476] kernel32.dll!LoadLibraryA 75669491 5 Bytes JMP 00010051
.text C:\Windows\System32\svchost.exe[1476] kernel32.dll!CreatePipe 75670284 5 Bytes JMP 000100A9
.text C:\Windows\System32\svchost.exe[1476] kernel32.dll!GetProcAddress 7568B8B6 5 Bytes JMP 00010F0B
.text C:\Windows\System32\svchost.exe[1476] kernel32.dll!CreateFileW 7568CC4E 5 Bytes JMP 0001001B
.text C:\Windows\System32\svchost.exe[1476] kernel32.dll!CreateFileA 7568CF71 5 Bytes JMP 0001000A
.text C:\Windows\System32\svchost.exe[1476] kernel32.dll!CreateNamedPipeA 756D430E 5 Bytes JMP 00010036
.text C:\Windows\System32\svchost.exe[1476] kernel32.dll!WinExec 756D54FF 5 Bytes JMP 00010F52
.text C:\Windows\System32\svchost.exe[1476] msvcrt.dll!_wsystem 76C48A47 5 Bytes JMP 00050036
.text C:\Windows\System32\svchost.exe[1476] msvcrt.dll!system 76C48B63 5 Bytes JMP 00050FAB
.text C:\Windows\System32\svchost.exe[1476] msvcrt.dll!_creat 76C4C6F1 5 Bytes JMP 0005001B
.text C:\Windows\System32\svchost.exe[1476] msvcrt.dll!_open 76C4DA7E 3 Bytes JMP 00050FE3
.text C:\Windows\System32\svchost.exe[1476] msvcrt.dll!_open + 4 76C4DA82 1 Byte [89]
.text C:\Windows\System32\svchost.exe[1476] msvcrt.dll!_wcreat 76C4DC9E 5 Bytes JMP 00050FBC
.text C:\Windows\System32\svchost.exe[1476] msvcrt.dll!_wopen 76C4DE79 3 Bytes JMP 00050000
.text C:\Windows\System32\svchost.exe[1476] msvcrt.dll!_wopen + 4 76C4DE7D 1 Byte [89]
.text C:\Windows\System32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyExA 76B3B5E7 5 Bytes JMP 00060054
.text C:\Windows\System32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyA 76B3B8AE 5 Bytes JMP 00060FC3
.text C:\Windows\System32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyA 76B40BF5 5 Bytes JMP 00060FEF
.text C:\Windows\System32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyW 76B4B83D 5 Bytes JMP 00060FB2
.text C:\Windows\System32\svchost.exe[1476] ADVAPI32.dll!RegCreateKeyExW 76B4BCE1 5 Bytes JMP 00060F8D
.text C:\Windows\System32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyExA 76B4D4E8 5 Bytes JMP 0006001B
.text C:\Windows\System32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyW 76B53CB0 5 Bytes JMP 00060000
.text C:\Windows\System32\svchost.exe[1476] ADVAPI32.dll!RegOpenKeyExW 76B5F09D 5 Bytes JMP 00060FD4
.text C:\Windows\system32\svchost.exe[1544] kernel32.dll!GetStartupInfoW 75641929 5 Bytes JMP 008E0F4D
.text C:\Windows\system32\svchost.exe[1544] kernel32.dll!GetStartupInfoA 756419C9 5 Bytes JMP 008E0093
.text C:\Windows\system32\svchost.exe[1544] kernel32.dll!CreateProcessW 75641C01 5 Bytes JMP 008E00DA
.text C:\Windows\system32\svchost.exe[1544] kernel32.dll!CreateProcessA 75641C36 5 Bytes JMP 008E00BF
.text C:\Windows\system32\svchost.exe[1544] kernel32.dll!VirtualProtect 75641DD1 5 Bytes JMP 008E005D
.text C:\Windows\system32\svchost.exe[1544] kernel32.dll!CreateNamedPipeW 75645C44 5 Bytes JMP 008E000A
.text C:\Windows\system32\svchost.exe[1544] kernel32.dll!LoadLibraryExW 756630C3 5 Bytes JMP 008E004C
.text C:\Windows\system32\svchost.exe[1544] kernel32.dll!LoadLibraryW 7566361F 5 Bytes JMP 008E0F9E
.text C:\Windows\system32\svchost.exe[1544] kernel32.dll!VirtualProtectEx 75668D7E 5 Bytes JMP 008E0078
.text C:\Windows\system32\svchost.exe[1544] kernel32.dll!LoadLibraryExA 75669469 5 Bytes JMP 008E0F8D
.text C:\Windows\system32\svchost.exe[1544] kernel32.dll!LoadLibraryA 75669491 5 Bytes JMP 008E001B
.text C:\Windows\system32\svchost.exe[1544] kernel32.dll!CreatePipe 75670284 5 Bytes JMP 008E0F68
.text C:\Windows\system32\svchost.exe[1544] kernel32.dll!GetProcAddress 7568B8B6 5 Bytes JMP 008E0F1E
.text C:\Windows\system32\svchost.exe[1544] kernel32.dll!CreateFileW 7568CC4E 5 Bytes JMP 008E0FD4
.text C:\Windows\system32\svchost.exe[1544] kernel32.dll!CreateFileA 7568CF71 5 Bytes JMP 008E0FE5
.text C:\Windows\system32\svchost.exe[1544] kernel32.dll!CreateNamedPipeA 756D430E 5 Bytes JMP 008E0FB9
.text C:\Windows\system32\svchost.exe[1544] kernel32.dll!WinExec 756D54FF 5 Bytes JMP 008E00A4
.text C:\Windows\system32\svchost.exe[1544] msvcrt.dll!_wsystem 76C48A47 5 Bytes JMP 00940FB2
.text C:\Windows\system32\svchost.exe[1544] msvcrt.dll!system 76C48B63 5 Bytes JMP 00940047
.text C:\Windows\system32\svchost.exe[1544] msvcrt.dll!_creat 76C4C6F1 5 Bytes JMP 00940011
.text C:\Windows\system32\svchost.exe[1544] msvcrt.dll!_open 76C4DA7E 5 Bytes JMP 00940000
.text C:\Windows\system32\svchost.exe[1544] msvcrt.dll!_wcreat 76C4DC9E 5 Bytes JMP 0094002C
.text C:\Windows\system32\svchost.exe[1544] msvcrt.dll!_wopen 76C4DE79 5 Bytes JMP 00940FE3
.text C:\Windows\system32\svchost.exe[1544] ADVAPI32.dll!RegCreateKeyExA 76B3B5E7 5 Bytes JMP 00930036
.text C:\Windows\system32\svchost.exe[1544] ADVAPI32.dll!RegCreateKeyA 76B3B8AE 5 Bytes JMP 00930F9E
.text C:\Windows\system32\svchost.exe[1544] ADVAPI32.dll!RegOpenKeyA 76B40BF5 5 Bytes JMP 00930FEF
.text C:\Windows\system32\svchost.exe[1544] ADVAPI32.dll!RegCreateKeyW 76B4B83D 5 Bytes JMP 00930025
.text C:\Windows\system32\svchost.exe[1544] ADVAPI32.dll!RegCreateKeyExW 76B4BCE1 5 Bytes JMP 00930F79
.text C:\Windows\system32\svchost.exe[1544] ADVAPI32.dll!RegOpenKeyExA 76B4D4E8 5 Bytes JMP 00930FCA
.text C:\Windows\system32\svchost.exe[1544] ADVAPI32.dll!RegOpenKeyW 76B53CB0 5 Bytes JMP 0093000A
.text C:\Windows\system32\svchost.exe[1544] ADVAPI32.dll!RegOpenKeyExW 76B5F09D 5 Bytes JMP 00930FB9
.text C:\Windows\system32\svchost.exe[1544] WS2_32.dll!socket 76CA36D1 5 Bytes JMP 00DA0FEF
.text C:\Windows\system32\svchost.exe[1792] kernel32.dll!GetStartupInfoW 75641929 5 Bytes JMP 016100AC
.text C:\Windows\system32\svchost.exe[1792] kernel32.dll!GetStartupInfoA 756419C9 5 Bytes JMP 01610F5C
.text C:\Windows\system32\svchost.exe[1792] kernel32.dll!CreateProcessW 75641C01 5 Bytes JMP 016100F3
.text C:\Windows\system32\svchost.exe[1792] kernel32.dll!CreateProcessA 75641C36 5 Bytes JMP 016100E2
.text C:\Windows\system32\svchost.exe[1792] kernel32.dll!VirtualProtect 75641DD1 5 Bytes JMP 01610F92
.text C:\Windows\system32\svchost.exe[1792] kernel32.dll!CreateNamedPipeW 75645C44 5 Bytes JMP 01610FD4
.text C:\Windows\system32\svchost.exe[1792] kernel32.dll!LoadLibraryExW 756630C3 5 Bytes JMP 0161006C
.text C:\Windows\system32\svchost.exe[1792] kernel32.dll!LoadLibraryW 7566361F 5 Bytes JMP 01610FB9
.text C:\Windows\system32\svchost.exe[1792] kernel32.dll!VirtualProtectEx 75668D7E 5 Bytes JMP 0161007D
.text C:\Windows\system32\svchost.exe[1792] kernel32.dll!LoadLibraryExA 75669469 5 Bytes JMP 0161005B
.text C:\Windows\system32\svchost.exe[1792] kernel32.dll!LoadLibraryA 75669491 5 Bytes JMP 01610040
.text C:\Windows\system32\svchost.exe[1792] kernel32.dll!CreatePipe 75670284 5 Bytes JMP 01610F77
.text C:\Windows\system32\svchost.exe[1792] kernel32.dll!GetProcAddress 7568B8B6 5 Bytes JMP 01610F4B
.text C:\Windows\system32\svchost.exe[1792] kernel32.dll!CreateFileW 7568CC4E 5 Bytes JMP 01610014
.text C:\Windows\system32\svchost.exe[1792] kernel32.dll!CreateFileA 7568CF71 5 Bytes JMP 01610FEF
.text C:\Windows\system32\svchost.exe[1792] kernel32.dll!CreateNamedPipeA 756D430E 5 Bytes JMP 01610025
.text C:\Windows\system32\svchost.exe[1792] kernel32.dll!WinExec 756D54FF 5 Bytes JMP 016100BD
.text C:\Windows\system32\svchost.exe[1792] msvcrt.dll!_wsystem 76C48A47 5 Bytes JMP 01670047
.text C:\Windows\system32\svchost.exe[1792] msvcrt.dll!system 76C48B63 5 Bytes JMP 01670036
.text C:\Windows\system32\svchost.exe[1792] msvcrt.dll!_creat 76C4C6F1 5 Bytes JMP 0167001B
.text C:\Windows\system32\svchost.exe[1792] msvcrt.dll!_open 76C4DA7E 5 Bytes JMP 01670FEF
.text C:\Windows\system32\svchost.exe[1792] msvcrt.dll!_wcreat 76C4DC9E 5 Bytes JMP 01670FC6
.text C:\Windows\system32\svchost.exe[1792] msvcrt.dll!_wopen 76C4DE79 5 Bytes JMP 01670000
.text C:\Windows\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyExA 76B3B5E7 5 Bytes JMP 01620051
.text C:\Windows\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyA 76B3B8AE 5 Bytes JMP 0162002C
.text C:\Windows\system32\svchost.exe[1792] ADVAPI32.dll!RegOpenKeyA 76B40BF5 5 Bytes JMP 01620000
.text C:\Windows\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyW 76B4B83D 5 Bytes JMP 01620FAF
.text C:\Windows\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyExW 76B4BCE1 5 Bytes JMP 01620F9E
.text C:\Windows\system32\svchost.exe[1792] ADVAPI32.dll!RegOpenKeyExA 76B4D4E8 5 Bytes JMP 01620FD4
.text C:\Windows\system32\svchost.exe[1792] ADVAPI32.dll!RegOpenKeyW 76B53CB0 5 Bytes JMP 01620FE5
.text C:\Windows\system32\svchost.exe[1792] ADVAPI32.dll!RegOpenKeyExW 76B5F09D 5 Bytes JMP 0162001B
.text C:\Windows\system32\svchost.exe[1792] WS2_32.dll!socket 76CA36D1 5
techno_turtle

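Added here between the two parts of the posted log, and not part of the poster's reply or of GMER itself: a small Python triage script for the `.text` hook records above. The record shape it parses is inferred from the lines on this page (process path and PID, patched export with an optional `+ offset`, patched address and byte count, then either a `JMP`/`CALL` target or a raw byte dump in brackets, and an optional owner path with a description, as on the PC Tools lines). Its sample input is eight lines copied from the log; the per-process summary, the grouping of unattributed targets into 64 KiB pages and the function names are this example's own choices and say nothing about what placed the hooks.

```python
"""Triage helper for GMER user-mode hook records ("---- User code sections ----").

Added example: not the poster's code and not part of GMER. It parses lines of
the shape

  .text <process>[<pid>] <module>!<export>[ + <off>] <addr> <n> Bytes JMP|CALL <target> [<owner> (<desc>)]
  .text <process>[<pid>] <module>!<export>[ + <off>] <addr> <n> Byte [<hex bytes>]

and summarises, per process, which exports are patched, which patches GMER
could attribute to a module on disk, and which 64 KiB pages the unattributed
trampolines live in (the regions you would dump next).
"""
import re

HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"          # process path, PID
    r"(?P<module>[^\s!]+)!(?P<export>\S+)"                     # patched export
    r"(?:\s\+\s(?P<offset>[0-9A-Fa-f]+))?\s+"                  # optional "+ 1A"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes?\s+"    # patched address, size
    r"(?:(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-Fa-f]{8})"      # redirect target ...
    r"|\[(?P<raw>[0-9A-Fa-f ]+)\])"                            # ... or raw byte dump
    r"(?:\s+(?P<owner>\S.*?)\s+\((?P<desc>[^)]*)\))?\s*$"      # optional owner module
)

# Sample input: eight lines copied verbatim from the log posted above.
SAMPLE_LOG = r"""
.text C:\Windows\system32\svchost.exe[1116] kernel32.dll!LoadLibraryExW 756630C3 5 Bytes JMP 01310076
.text C:\Windows\system32\svchost.exe[1116] kernel32.dll!CreatePipe 75670284 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[1116] WS2_32.dll!socket 76CA36D1 5 Bytes JMP 01910000
.text C:\Windows\system32\svchost.exe[1340] WinInet.dll!InternetOpenA 7675D688 5 Bytes JMP 009E0FE5
.text C:\Program Files\Mozilla Firefox\firefox.exe[1396] WS2_32.dll!send 76CA659B 5 Bytes JMP 01DA212F
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[2348] kernel32.dll!CreateThread + 1A 756846E2 4 Bytes CALL 0044A809 C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools)
.text C:\Windows\System32\svchost.exe[1476] msvcrt.dll!_open 76C4DA7E 3 Bytes JMP 00050FE3
.text C:\Windows\System32\svchost.exe[1476] msvcrt.dll!_open + 4 76C4DA82 1 Byte [89]
"""


def parse_hook_line(line):
    """Return a dict for one GMER .text record, or None for any other line."""
    m = HOOK_RE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    return {
        "process": d["process"],
        "pid": int(d["pid"]),
        "module": d["module"],
        "export": d["export"],
        "offset": int(d["offset"], 16) if d["offset"] else 0,
        "addr": int(d["addr"], 16),
        "size": int(d["size"]),
        "kind": d["kind"] or "RAW",                  # JMP, CALL or RAW byte dump
        "target": int(d["target"], 16) if d["target"] else None,
        "raw": bytes.fromhex(d["raw"].replace(" ", "")) if d["raw"] else b"",
        "owner": d["owner"],                          # path GMER mapped the target to
        "desc": d["desc"],                            # its version description
    }


def parse_log(text):
    """All .text records in a GMER log, in file order; other lines are skipped."""
    return [r for r in map(parse_hook_line, text.splitlines()) if r]


def raw_patch_is_jmp(rec):
    """True when a raw byte record starts with 0xE9, the x86 opcode of a near
    JMP rel32; in the log above such a record sits next to the full 5-byte JMP
    at the same address."""
    return rec["kind"] == "RAW" and rec["raw"][:1] == b"\xe9"


def summarize(recs):
    """Per (process, pid): patched exports, which of them GMER attributed to an
    owner module, and the 64 KiB pages holding the unattributed JMP/CALL targets."""
    out = {}
    for r in recs:
        s = out.setdefault((r["process"], r["pid"]), {
            "exports": set(), "attributed": set(),
            "unattributed": set(), "target_pages": set()})
        name = f'{r["module"]}!{r["export"]}'
        s["exports"].add(name)
        if r["target"] is None:          # raw byte record carries no target
            continue
        if r["owner"]:
            s["attributed"].add(name)
        else:
            s["unattributed"].add(name)
            s["target_pages"].add(r["target"] & ~0xFFFF)
    return out


def processes_hooking(recs, name):
    """Sorted PIDs in which '<module>!<export>' is redirected with no owner module."""
    return sorted({r["pid"] for r in recs
                   if f'{r["module"]}!{r["export"]}' == name
                   and r["target"] is not None and not r["owner"]})


if __name__ == "__main__":
    for (proc, pid), s in summarize(parse_log(SAMPLE_LOG)).items():
        pages = ", ".join(f"{p:08X}" for p in sorted(s["target_pages"]))
        print(f"{proc}[{pid}]: {len(s['exports'])} patched, "
              f"{len(s['unattributed'])} unattributed, pages: {pages or '-'}")
```

Run as a script it prints one summary line per process. The `owner` column is the first thing to check before treating a record as hostile: GMER filled it in for the PC Tools lines and left it empty for the svchost, Explorer and wuauclt hooks above, and the `target_pages` set of a process is what you would dump from that process to see what those unattributed trampolines actually do.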
Re: HIJACKTHIS Log - New infection. Help appreciated

Unread postby techno_turtle » August 18th, 2009, 3:54 pm

PART 2 GMER LOG:::::

Bytes JMP 01840FEF
.text C:\Windows\system32\svchost.exe[2192] kernel32.dll!GetStartupInfoW 75641929 5 Bytes JMP 00100F81
.text C:\Windows\system32\svchost.exe[2192] kernel32.dll!GetStartupInfoA 756419C9 5 Bytes JMP 00100F92
.text C:\Windows\system32\svchost.exe[2192] kernel32.dll!CreateProcessW 75641C01 5 Bytes JMP 00100F41
.text C:\Windows\system32\svchost.exe[2192] kernel32.dll!CreateProcessA 75641C36 5 Bytes JMP 00100F5C
.text C:\Windows\system32\svchost.exe[2192] kernel32.dll!VirtualProtect 75641DD1 5 Bytes JMP 0010007D
.text C:\Windows\system32\svchost.exe[2192] kernel32.dll!CreateNamedPipeW 75645C44 5 Bytes JMP 00100FDE
.text C:\Windows\system32\svchost.exe[2192] kernel32.dll!LoadLibraryExW 756630C3 5 Bytes JMP 00100FA3
.text C:\Windows\system32\svchost.exe[2192] kernel32.dll!LoadLibraryW 7566361F 5 Bytes JMP 0010005B
.text C:\Windows\system32\svchost.exe[2192] kernel32.dll!VirtualProtectEx 75668D7E 5 Bytes JMP 001000A2
.text C:\Windows\system32\svchost.exe[2192] kernel32.dll!LoadLibraryExA 75669469 5 Bytes JMP 0010006C
.text C:\Windows\system32\svchost.exe[2192] kernel32.dll!LoadLibraryA 75669491 5 Bytes JMP 0010004A
.text C:\Windows\system32\svchost.exe[2192] kernel32.dll!CreatePipe 75670284 5 Bytes JMP 001000BD
.text C:\Windows\system32\svchost.exe[2192] kernel32.dll!GetProcAddress 7568B8B6 5 Bytes JMP 00100F30
.text C:\Windows\system32\svchost.exe[2192] kernel32.dll!CreateFileW 7568CC4E 5 Bytes JMP 0010000A
.text C:\Windows\system32\svchost.exe[2192] kernel32.dll!CreateFileA 7568CF71 5 Bytes JMP 00100FEF
.text C:\Windows\system32\svchost.exe[2192] kernel32.dll!CreateNamedPipeA 756D430E 5 Bytes JMP 0010002F
.text C:\Windows\system32\svchost.exe[2192] kernel32.dll!WinExec 756D54FF 5 Bytes JMP 001000D8
.text C:\Windows\system32\svchost.exe[2192] msvcrt.dll!_wsystem 76C48A47 5 Bytes JMP 001D007A
.text C:\Windows\system32\svchost.exe[2192] msvcrt.dll!system 76C48B63 5 Bytes JMP 001D005F
.text C:\Windows\system32\svchost.exe[2192] msvcrt.dll!_creat 76C4C6F1 5 Bytes JMP 001D0044
.text C:\Windows\system32\svchost.exe[2192] msvcrt.dll!_open 76C4DA7E 5 Bytes JMP 001D0000
.text C:\Windows\system32\svchost.exe[2192] msvcrt.dll!_wcreat 76C4DC9E 5 Bytes JMP 001D0FEF
.text C:\Windows\system32\svchost.exe[2192] msvcrt.dll!_wopen 76C4DE79 5 Bytes JMP 001D001D
.text C:\Windows\system32\svchost.exe[2192] ADVAPI32.dll!RegCreateKeyExA 76B3B5E7 5 Bytes JMP 00170F87
.text C:\Windows\system32\svchost.exe[2192] ADVAPI32.dll!RegCreateKeyA 76B3B8AE 5 Bytes JMP 00170FB6
.text C:\Windows\system32\svchost.exe[2192] ADVAPI32.dll!RegOpenKeyA 76B40BF5 5 Bytes JMP 00170FEF
.text C:\Windows\system32\svchost.exe[2192] ADVAPI32.dll!RegCreateKeyW 76B4B83D 5 Bytes JMP 00170033
.text C:\Windows\system32\svchost.exe[2192] ADVAPI32.dll!RegCreateKeyExW 76B4BCE1 5 Bytes JMP 00170F76
.text C:\Windows\system32\svchost.exe[2192] ADVAPI32.dll!RegOpenKeyExA 76B4D4E8 5 Bytes JMP 00170011
.text C:\Windows\system32\svchost.exe[2192] ADVAPI32.dll!RegOpenKeyW 76B53CB0 5 Bytes JMP 00170000
.text C:\Windows\system32\svchost.exe[2192] ADVAPI32.dll!RegOpenKeyExW 76B5F09D 5 Bytes JMP 00170022
.text C:\Windows\system32\svchost.exe[2192] WS2_32.dll!socket 76CA36D1 5 Bytes JMP 001E0000
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[2348] kernel32.dll!CreateThread + 1A 756846E2 4 Bytes CALL 0044A809 C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools)
.text C:\Windows\system32\svchost.exe[2572] kernel32.dll!GetStartupInfoW 75641929 5 Bytes JMP 00890F79
.text C:\Windows\system32\svchost.exe[2572] kernel32.dll!GetStartupInfoA 756419C9 5 Bytes JMP 00890F8A
.text C:\Windows\system32\svchost.exe[2572] kernel32.dll!CreateProcessW 75641C01 5 Bytes JMP 008900EE
.text C:\Windows\system32\svchost.exe[2572] kernel32.dll!CreateProcessA 75641C36 5 Bytes JMP 00890F57
.text C:\Windows\system32\svchost.exe[2572] kernel32.dll!VirtualProtect 75641DD1 5 Bytes JMP 00890090
.text C:\Windows\system32\svchost.exe[2572] kernel32.dll!CreateNamedPipeW 75645C44 5 Bytes JMP 00890FDB
.text C:\Windows\system32\svchost.exe[2572] kernel32.dll!LoadLibraryExW 756630C3 5 Bytes JMP 0089007F
.text C:\Windows\system32\svchost.exe[2572] kernel32.dll!LoadLibraryW 7566361F 5 Bytes JMP 00890051
.text C:\Windows\system32\svchost.exe[2572] kernel32.dll!VirtualProtectEx 75668D7E 5 Bytes JMP 00890F9B
.text C:\Windows\system32\svchost.exe[2572] kernel32.dll!LoadLibraryExA 75669469 5 Bytes JMP 00890062
.text C:\Windows\system32\svchost.exe[2572] kernel32.dll!LoadLibraryA 75669491 5 Bytes JMP 00890FCA
.text C:\Windows\system32\svchost.exe[2572] kernel32.dll!CreatePipe 75670284 5 Bytes JMP 008900AB
.text C:\Windows\system32\svchost.exe[2572] kernel32.dll!GetProcAddress 7568B8B6 5 Bytes JMP 00890F3C
.text C:\Windows\system32\svchost.exe[2572] kernel32.dll!CreateFileW 7568CC4E 5 Bytes JMP 00890011
.text C:\Windows\system32\svchost.exe[2572] kernel32.dll!CreateFileA 7568CF71 5 Bytes JMP 00890000
.text C:\Windows\system32\svchost.exe[2572] kernel32.dll!CreateNamedPipeA 756D430E 5 Bytes JMP 00890022
.text C:\Windows\system32\svchost.exe[2572] kernel32.dll!WinExec 756D54FF 5 Bytes JMP 00890F68
.text C:\Windows\system32\svchost.exe[2572] msvcrt.dll!_wsystem 76C48A47 5 Bytes JMP 008F0FCD
.text C:\Windows\system32\svchost.exe[2572] msvcrt.dll!system 76C48B63 5 Bytes JMP 008F0058
.text C:\Windows\system32\svchost.exe[2572] msvcrt.dll!_creat 76C4C6F1 5 Bytes JMP 008F0FDE
.text C:\Windows\system32\svchost.exe[2572] msvcrt.dll!_open 76C4DA7E 5 Bytes JMP 008F000C
.text C:\Windows\system32\svchost.exe[2572] msvcrt.dll!_wcreat 76C4DC9E 5 Bytes JMP 008F0033
.text C:\Windows\system32\svchost.exe[2572] msvcrt.dll!_wopen 76C4DE79 5 Bytes JMP 008F0FEF
.text C:\Windows\system32\svchost.exe[2572] ADVAPI32.dll!RegCreateKeyExA 76B3B5E7 5 Bytes JMP 008E0FA8
.text C:\Windows\system32\svchost.exe[2572] ADVAPI32.dll!RegCreateKeyA 76B3B8AE 5 Bytes JMP 008E0025
.text C:\Windows\system32\svchost.exe[2572] ADVAPI32.dll!RegOpenKeyA 76B40BF5 5 Bytes JMP 008E0000
.text C:\Windows\system32\svchost.exe[2572] ADVAPI32.dll!RegCreateKeyW 76B4B83D 5 Bytes JMP 008E004A
.text C:\Windows\system32\svchost.exe[2572] ADVAPI32.dll!RegCreateKeyExW 76B4BCE1 5 Bytes JMP 008E0065
.text C:\Windows\system32\svchost.exe[2572] ADVAPI32.dll!RegOpenKeyExA 76B4D4E8 5 Bytes JMP 008E0FDE
.text C:\Windows\system32\svchost.exe[2572] ADVAPI32.dll!RegOpenKeyW 76B53CB0 5 Bytes JMP 008E0FEF
.text C:\Windows\system32\svchost.exe[2572] ADVAPI32.dll!RegOpenKeyExW 76B5F09D 5 Bytes JMP 008E0FC3
.text C:\Windows\system32\svchost.exe[2572] WS2_32.dll!socket 76CA36D1 5 Bytes JMP 00940000
.text C:\Windows\System32\svchost.exe[2604] kernel32.dll!GetStartupInfoW 75641929 5 Bytes JMP 000A00B5
.text C:\Windows\System32\svchost.exe[2604] kernel32.dll!GetStartupInfoA 756419C9 5 Bytes JMP 000A0F6F
.text C:\Windows\System32\svchost.exe[2604] kernel32.dll!CreateProcessW 75641C01 5 Bytes JMP 000A00DA
.text C:\Windows\System32\svchost.exe[2604] kernel32.dll!CreateProcessA 75641C36 5 Bytes JMP 000A0F43
.text C:\Windows\System32\svchost.exe[2604] kernel32.dll!VirtualProtect 75641DD1 5 Bytes JMP 000A007F
.text C:\Windows\System32\svchost.exe[2604] kernel32.dll!CreateNamedPipeW 75645C44 5 Bytes JMP 000A0025
.text C:\Windows\System32\svchost.exe[2604] kernel32.dll!LoadLibraryExW 756630C3 5 Bytes JMP 000A006E
.text C:\Windows\System32\svchost.exe[2604] kernel32.dll!LoadLibraryW 7566361F 5 Bytes JMP 000A0036
.text C:\Windows\System32\svchost.exe[2604] kernel32.dll!VirtualProtectEx 75668D7E 5 Bytes JMP 000A0F8A
.text C:\Windows\System32\svchost.exe[2604] kernel32.dll!LoadLibraryExA 75669469 5 Bytes JMP 000A0051
.text C:\Windows\System32\svchost.exe[2604] kernel32.dll!LoadLibraryA 75669491 5 Bytes JMP 000A0FAF
.text C:\Windows\System32\svchost.exe[2604] kernel32.dll!CreatePipe 75670284 5 Bytes JMP 000A009A
.text C:\Windows\System32\svchost.exe[2604] kernel32.dll!GetProcAddress 7568B8B6 5 Bytes JMP 000A00EB
.text C:\Windows\System32\svchost.exe[2604] kernel32.dll!CreateFileW 7568CC4E 5 Bytes JMP 000A0FDB
.text C:\Windows\System32\svchost.exe[2604] kernel32.dll!CreateFileA 7568CF71 5 Bytes JMP 000A0000
.text C:\Windows\System32\svchost.exe[2604] kernel32.dll!CreateNamedPipeA 756D430E 5 Bytes JMP 000A0FCA
.text C:\Windows\System32\svchost.exe[2604] kernel32.dll!WinExec 756D54FF 5 Bytes JMP 000A0F5E
.text C:\Windows\System32\svchost.exe[2604] msvcrt.dll!_wsystem 76C48A47 5 Bytes JMP 000C0FA6
.text C:\Windows\System32\svchost.exe[2604] msvcrt.dll!system 76C48B63 5 Bytes JMP 000C0027
.text C:\Windows\System32\svchost.exe[2604] msvcrt.dll!_creat 76C4C6F1 5 Bytes JMP 000C0FC1
.text C:\Windows\System32\svchost.exe[2604] msvcrt.dll!_open 76C4DA7E 5 Bytes JMP 000C0FEF
.text C:\Windows\System32\svchost.exe[2604] msvcrt.dll!_wcreat 76C4DC9E 5 Bytes JMP 000C0016
.text C:\Windows\System32\svchost.exe[2604] msvcrt.dll!_wopen 76C4DE79 5 Bytes JMP 000C0FDE
.text C:\Windows\System32\svchost.exe[2604] ADVAPI32.dll!RegCreateKeyExA 76B3B5E7 5 Bytes JMP 000B002F
.text C:\Windows\System32\svchost.exe[2604] ADVAPI32.dll!RegCreateKeyA 76B3B8AE 5 Bytes JMP 000B0014
.text C:\Windows\System32\svchost.exe[2604] ADVAPI32.dll!RegOpenKeyA 76B40BF5 5 Bytes JMP 000B0FE5
.text C:\Windows\System32\svchost.exe[2604] ADVAPI32.dll!RegCreateKeyW 76B4B83D 5 Bytes JMP 000B0F8D
.text C:\Windows\System32\svchost.exe[2604] ADVAPI32.dll!RegCreateKeyExW 76B4BCE1 5 Bytes JMP 000B004A
.text C:\Windows\System32\svchost.exe[2604] ADVAPI32.dll!RegOpenKeyExA 76B4D4E8 5 Bytes JMP 000B0FC3
.text C:\Windows\System32\svchost.exe[2604] ADVAPI32.dll!RegOpenKeyW 76B53CB0 5 Bytes JMP 000B0FD4
.text C:\Windows\System32\svchost.exe[2604] ADVAPI32.dll!RegOpenKeyExW 76B5F09D 5 Bytes JMP 000B0FA8
.text C:\Windows\Explorer.EXE[4236] kernel32.dll!GetStartupInfoW 75641929 5 Bytes JMP 00010F50
.text C:\Windows\Explorer.EXE[4236] kernel32.dll!GetStartupInfoA 756419C9 5 Bytes JMP 00010F61
.text C:\Windows\Explorer.EXE[4236] kernel32.dll!CreateProcessW 75641C01 5 Bytes JMP 00010F1D
.text C:\Windows\Explorer.EXE[4236] kernel32.dll!CreateProcessA 75641C36 5 Bytes JMP 00010F2E
.text C:\Windows\Explorer.EXE[4236] kernel32.dll!VirtualProtect 75641DD1 5 Bytes JMP 00010060
.text C:\Windows\Explorer.EXE[4236] kernel32.dll!CreateNamedPipeW 75645C44 5 Bytes JMP 00010FB9
.text C:\Windows\Explorer.EXE[4236] kernel32.dll!LoadLibraryExW 756630C3 5 Bytes JMP 00010F86
.text C:\Windows\Explorer.EXE[4236] kernel32.dll!LoadLibraryW 7566361F 5 Bytes JMP 00010F97
.text C:\Windows\Explorer.EXE[4236] kernel32.dll!VirtualProtectEx 75668D7E 5 Bytes JMP 00010071
.text C:\Windows\Explorer.EXE[4236] kernel32.dll!LoadLibraryExA 75669469 5 Bytes JMP 00010039
.text C:\Windows\Explorer.EXE[4236] kernel32.dll!LoadLibraryA 75669491 5 Bytes JMP 00010FA8
.text C:\Windows\Explorer.EXE[4236] kernel32.dll!CreatePipe 75670284 5 Bytes JMP 0001008C
.text C:\Windows\Explorer.EXE[4236] kernel32.dll!GetProcAddress 7568B8B6 5 Bytes JMP 00010F02
.text C:\Windows\Explorer.EXE[4236] kernel32.dll!CreateFileW 7568CC4E 5 Bytes JMP 00010FCA
.text C:\Windows\Explorer.EXE[4236] kernel32.dll!CreateFileA 7568CF71 5 Bytes JMP 00010FE5
.text C:\Windows\Explorer.EXE[4236] kernel32.dll!CreateNamedPipeA 756D430E 5 Bytes JMP 0001000A
.text C:\Windows\Explorer.EXE[4236] kernel32.dll!WinExec 756D54FF 5 Bytes JMP 00010F3F
.text C:\Windows\Explorer.EXE[4236] ADVAPI32.dll!RegCreateKeyExA 76B3B5E7 5 Bytes JMP 00050025
.text C:\Windows\Explorer.EXE[4236] ADVAPI32.dll!RegCreateKeyA 76B3B8AE 5 Bytes JMP 00050F8D
.text C:\Windows\Explorer.EXE[4236] ADVAPI32.dll!RegOpenKeyA 76B40BF5 5 Bytes JMP 00050FEF
.text C:\Windows\Explorer.EXE[4236] ADVAPI32.dll!RegCreateKeyW 76B4B83D 5 Bytes JMP 00050014
.text C:\Windows\Explorer.EXE[4236] ADVAPI32.dll!RegCreateKeyExW 76B4BCE1 5 Bytes JMP 00050036
.text C:\Windows\Explorer.EXE[4236] ADVAPI32.dll!RegOpenKeyExA 76B4D4E8 5 Bytes JMP 00050FB9
.text C:\Windows\Explorer.EXE[4236] ADVAPI32.dll!RegOpenKeyW 76B53CB0 5 Bytes JMP 00050FCA
.text C:\Windows\Explorer.EXE[4236] ADVAPI32.dll!RegOpenKeyExW 76B5F09D 5 Bytes JMP 00050FA8
.text C:\Windows\Explorer.EXE[4236] msvcrt.dll!_wsystem 76C48A47 5 Bytes JMP 00060069
.text C:\Windows\Explorer.EXE[4236] msvcrt.dll!system 76C48B63 5 Bytes JMP 00060058
.text C:\Windows\Explorer.EXE[4236] msvcrt.dll!_creat 76C4C6F1 5 Bytes JMP 0006002C
.text C:\Windows\Explorer.EXE[4236] msvcrt.dll!_open 76C4DA7E 5 Bytes JMP 00060000
.text C:\Windows\Explorer.EXE[4236] msvcrt.dll!_wcreat 76C4DC9E 5 Bytes JMP 0006003D
.text C:\Windows\Explorer.EXE[4236] msvcrt.dll!_wopen 76C4DE79 5 Bytes JMP 00060011
.text C:\Windows\Explorer.EXE[4236] WS2_32.dll!socket 76CA36D1 5 Bytes JMP 01D0000A
.text C:\Windows\Explorer.EXE[4236] WININET.dll!InternetOpenA 7675D688 5 Bytes JMP 03A2000A
.text C:\Windows\Explorer.EXE[4236] WININET.dll!InternetOpenW 7675DB01 5 Bytes JMP 03A20FEF
.text C:\Windows\Explorer.EXE[4236] WININET.dll!InternetOpenUrlA 7675F39C 5 Bytes JMP 03A20025
.text C:\Windows\Explorer.EXE[4236] WININET.dll!InternetOpenUrlW 767A6F37 5 Bytes JMP 03A20FD4
.text C:\Program Files\Spyware Doctor\pctsTray.exe[5188] kernel32.dll!CreateThread + 1A 756846E2 4 Bytes CALL 0044A81D C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)
.text C:\Windows\system32\wuauclt.exe[6784] kernel32.dll!GetStartupInfoW 75641929 5 Bytes JMP 00010F39
.text C:\Windows\system32\wuauclt.exe[6784] kernel32.dll!GetStartupInfoA 756419C9 5 Bytes JMP 00010F5E
.text C:\Windows\system32\wuauclt.exe[6784] kernel32.dll!CreateProcessW 75641C01 5 Bytes JMP 00010EFC
.text C:\Windows\system32\wuauclt.exe[6784] kernel32.dll!CreateProcessA 75641C36 5 Bytes JMP 00010F0D
.text C:\Windows\system32\wuauclt.exe[6784] kernel32.dll!VirtualProtect 75641DD1 5 Bytes JMP 00010F83
.text C:\Windows\system32\wuauclt.exe[6784] kernel32.dll!CreateNamedPipeW 75645C44 5 Bytes JMP 00010036
.text C:\Windows\system32\wuauclt.exe[6784] kernel32.dll!LoadLibraryExW 756630C3 5 Bytes JMP 00010F94
.text C:\Windows\system32\wuauclt.exe[6784] kernel32.dll!LoadLibraryW 7566361F 5 Bytes JMP 00010FAF
.text C:\Windows\system32\wuauclt.exe[6784] kernel32.dll!VirtualProtectEx 75668D7E 5 Bytes JMP 00010078
.text C:\Windows\system32\wuauclt.exe[6784] kernel32.dll!LoadLibraryExA 75669469 5 Bytes JMP 00010051
.text C:\Windows\system32\wuauclt.exe[6784] kernel32.dll!LoadLibraryA 75669491 5 Bytes JMP 00010FCA
.text C:\Windows\system32\wuauclt.exe[6784] kernel32.dll!CreatePipe 75670284 5 Bytes JMP 00010089
.text C:\Windows\system32\wuauclt.exe[6784] kernel32.dll!GetProcAddress 7568B8B6 5 Bytes JMP 00010EEB
.text C:\Windows\system32\wuauclt.exe[6784] kernel32.dll!CreateFileW 7568CC4E 5 Bytes JMP 00010FE5
.text C:\Windows\system32\wuauclt.exe[6784] kernel32.dll!CreateFileA 7568CF71 5 Bytes JMP 00010000
.text C:\Windows\system32\wuauclt.exe[6784] kernel32.dll!CreateNamedPipeA 756D430E 5 Bytes JMP 0001001B
.text C:\Windows\system32\wuauclt.exe[6784] kernel32.dll!WinExec 756D54FF 5 Bytes JMP 00010F28
.text C:\Windows\system32\wuauclt.exe[6784] msvcrt.dll!_wsystem 76C48A47 5 Bytes JMP 00060FCA
.text C:\Windows\system32\wuauclt.exe[6784] msvcrt.dll!system 76C48B63 5 Bytes JMP 00060055
.text C:\Windows\system32\wuauclt.exe[6784] msvcrt.dll!_creat 76C4C6F1 5 Bytes JMP 00060033
.text C:\Windows\system32\wuauclt.exe[6784] msvcrt.dll!_open 76C4DA7E 5 Bytes JMP 00060FEF
.text C:\Windows\system32\wuauclt.exe[6784] msvcrt.dll!_wcreat 76C4DC9E 5 Bytes JMP 00060044
.text C:\Windows\system32\wuauclt.exe[6784] msvcrt.dll!_wopen 76C4DE79 5 Bytes JMP 00060018
.text C:\Windows\system32\wuauclt.exe[6784] ADVAPI32.dll!RegCreateKeyExA 76B3B5E7 5 Bytes JMP 00070FAF
.text C:\Windows\system32\wuauclt.exe[6784] ADVAPI32.dll!RegCreateKeyA 76B3B8AE 5 Bytes JMP 00070FDB
.text C:\Windows\system32\wuauclt.exe[6784] ADVAPI32.dll!RegOpenKeyA 76B40BF5 5 Bytes JMP 00070000
.text C:\Windows\system32\wuauclt.exe[6784] ADVAPI32.dll!RegCreateKeyW 76B4B83D 5 Bytes JMP 00070FCA
.text C:\Windows\system32\wuauclt.exe[6784] ADVAPI32.dll!RegCreateKeyExW 76B4BCE1 5 Bytes JMP 00070F94
.text C:\Windows\system32\wuauclt.exe[6784] ADVAPI32.dll!RegOpenKeyExA 76B4D4E8 5 Bytes JMP 00070022
.text C:\Windows\system32\wuauclt.exe[6784] ADVAPI32.dll!RegOpenKeyW 76B53CB0 5 Bytes JMP 00070011
.text C:\Windows\system32\wuauclt.exe[6784] ADVAPI32.dll!RegOpenKeyExW 76B5F09D 5 Bytes JMP 0007003D
.text C:\Windows\system32\wuauclt.exe[6784] WS2_32.dll!socket 76CA36D1 5 Bytes JMP 009B0FEF

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Mozilla Firefox\firefox.exe[1396] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [01D22B60] C:\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[1396] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [01D211D0] C:\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[1396] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [01D227E0] C:\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[1396] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibraryAndExitThread] [01D21B60] C:\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)
IAT C:\Program Files\Spyware Doctor\pctsSvc.exe[2348] @ C:\Windows\system32\shell32.dll [KERNEL32.dll!QueueUserWorkItem] [0044A960] C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools)
IAT C:\Program Files\Spyware Doctor\pctsSvc.exe[2348] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!QueueUserWorkItem] [0044A960] C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools)
IAT C:\Windows\Explorer.EXE[4236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73E77BA4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73EB98C5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73E7D3C8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73E6F527] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73E77599] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73E6E43D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73EAB33D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73E7D68A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73E7012E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73E70095] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73E671F3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [73EFD802] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73E975E1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73E6DAE1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73E6668F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73E666BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73E71E45] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[4236] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [018027E0] C:\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)
IAT C:\Windows\Explorer.EXE[4236] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibraryAndExitThread] [01801B60] C:\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)
IAT C:\Windows\Explorer.EXE[4236] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [01802B60] C:\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)
IAT C:\Windows\Explorer.EXE[4236] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [018011D0] C:\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)
IAT C:\Program Files\Spyware Doctor\pctsTray.exe[5188] @ C:\Windows\system32\shell32.dll [KERNEL32.dll!QueueUserWorkItem] [0044A974] C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)
IAT C:\Program Files\Spyware Doctor\pctsTray.exe[5188] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!QueueUserWorkItem] [0044A974] C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5680] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5680] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5680] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5680] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5680] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5680] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5680] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5680] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5680] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5680] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5680] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5680] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5680] @ C:\Windows\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5680] @ C:\Windows\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5680] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5680] @ C:\Windows\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5680] @ C:\Windows\system32\SHELL32.dll [USER32.dll!AnimateWindow] [63601740] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5680] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5680] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5680] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5680] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5680] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5680] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5680] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5680] @ C:\Windows\system32\SAMLIB.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5680] @ C:\Windows\system32\SAMLIB.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Skype\Phone\Skype.exe[5944] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [051727E0] C:\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)
IAT C:\Program Files\Skype\Phone\Skype.exe[5944] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibraryAndExitThread] [05171B60] C:\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)
IAT C:\Program Files\Skype\Phone\Skype.exe[5944] @ C:\Windows\system32\shell32.dll [KERNEL32.dll!GetProcAddress] [05172B60] C:\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)
IAT C:\Program Files\Skype\Phone\Skype.exe[5944] @ C:\Windows\system32\shell32.dll [KERNEL32.dll!LoadLibraryA] [051711D0] C:\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation C:\ProgramData\Microsoft\Windows\WER\ReportArchive\Report0f286f46
Reg HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LiveKernelReports\WATCHDOG
Reg HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LiveKernelReports\WATCHDOG\WD-20090818-2007.dmp

---- EOF - GMER 1.0.15 ----
techno_turtle
Regular Member
 
Posts: 19
Joined: August 14th, 2009, 6:44 am

Re: HIJACKTHIS Log - New infection. Help appreciated

Post by Blade81 » August 19th, 2009, 1:22 am

Hi,

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Please post contents of that file & fresh dds.txt log in your next reply.
Blade81
Admin/Teacher
 
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland

Re: HIJACKTHIS Log - New infection. Help appreciated

Post by techno_turtle » August 19th, 2009, 7:26 am

Hi there, find below 3 more log files as requested. Again, many thanks for your time.


Malwarebytes' Anti-Malware 1.40
Database version: 2653
Windows 6.0.6001 Service Pack 1

19/08/2009 12:13:18
mbam-log-2009-08-19 (12-13-18).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 219560
Time elapsed: 1 hour(s), 30 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\fcn (Rogue.Residue) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Murray\Local Settings\Application Data\uusggeu_nav.dat (Adware.NaviPromo) -> Quarantined and deleted successfully.
Last edited by techno_turtle on August 19th, 2009, 7:35 am, edited 1 time in total.
techno_turtle
Regular Member
 
Posts: 19
Joined: August 14th, 2009, 6:44 am

Re: HIJACKTHIS Log - New infection. Help appreciated

Post by techno_turtle » August 19th, 2009, 7:31 am

DDS (Ver_09-07-30.01) - NTFSx86
Run by Murray at 12:27:37.78 on 19/08/2009
Internet Explorer: 8.0.6001.18813 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.1791.482 [GMT 1:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Lavasoft Ad-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Windows\system32\rundll32.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\nvraidservice.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinctray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\BOINC\boinc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\ProgramData\BOINC\projects\climateprediction.net\hadcm3trans_6.04_windows_intelx86.exe
C:\ProgramData\BOINC\projects\climateprediction.net\hadam3_6.01_windows_intelx86.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\ProgramData\BOINC\projects\climateprediction.net\hadam3_um_6.01_windows_intelx86.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\ProgramData\BOINC\projects\climateprediction.net\hadcm3trans_um_6.04_windows_intelx86.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Murray\Downloads\dds(2).com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bbc.co.uk/
mStart Page = hxxp://en.uk.acer.yahoo.com
mDefault_Page_URL = hxxp://en.uk.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [EPSON Stylus SX200 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiefe.exe /fu "c:\windows\temp\E_S1B5E.tmp" /EF "HKCU"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Acer Empowering Technology Monitor] c:\acer\empowering technology\SysMonitor.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\x86\eDSloader.exe
mRun: [PCMMediaSharing] c:\program files\acer arcade live\acer homemedia connect\kernel\dms\PCMMediaSharing.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Apanel] c:\acersw\config\SetApanel.cmd
mRun: [WarReg_PopUp] c:\acer\wr_popup\WarReg_PopUp.exe
mRun: [eRecoveryService]
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [btbb_McciTrayApp] "c:\program files\bt broadband desktop help\btbb\BTHelpNotifier.exe"
mRun: [btbb_wcm_McciTrayApp] "c:\program files\bt broadband desktop help\btbb_wcm\McciTrayApp.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [boincmgr] "c:\program files\boinc\boincmgr.exe" /a /s
mRun: [boinctray] "c:\program files\boinc\boinctray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\murray\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: gov.uk\cag1.devon
Trusted Zone: gov.uk\cag2.devon
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\murray\appdata\roaming\mozilla\firefox\profiles\t1pnb6sj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\google earth plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1508.6312\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\users\murray\appdata\roaming\mozilla\plugins\np65BF5EDF-441F-445F-A0C2-6A686BF56710.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-8 64160]
R0 nvrd32;NVIDIA nForce RAID Driver;c:\windows\system32\drivers\nvrd32.sys [2008-3-16 131616]
R2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\acer arcade live\acer homemedia connect\kernel\dms\CLMSServer.exe [2008-3-16 269448]
S2 gupdate1c9947169a3c264;Google Update Service (gupdate1c9947169a3c264);c:\program files\google\update\GoogleUpdate.exe [2009-2-21 133104]
S3 NVHDA;Service for NVIDIA HDMI Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-3-16 30752]

=============== Created Last 30 ================

2009-08-19 11:35 49 a------- c:\windows\cdplayer.ini
2009-08-19 10:24 <DIR> --d----- c:\users\murray\appdata\roaming\Malwarebytes
2009-08-19 10:24 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-19 10:24 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-19 10:24 <DIR> --d----- c:\programdata\Malwarebytes
2009-08-19 10:24 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-19 10:24 <DIR> --d----- c:\progra~2\Malwarebytes
2009-08-13 22:10 <DIR> --d----- c:\program files\Trend Micro
2009-08-13 20:00 <DIR> --d----- c:\users\murray\appdata\roaming\Uniblue
2009-08-13 20:00 <DIR> --d----- c:\programdata\DriverScanner
2009-08-13 20:00 <DIR> --d----- c:\program files\Uniblue
2009-08-13 20:00 <DIR> --d----- c:\progra~2\DriverScanner
2009-08-12 12:19 160,256 a------- c:\windows\system32\wkssvc.dll
2009-08-12 12:19 71,680 a------- c:\windows\system32\atl.dll
2009-08-12 12:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-08-12 12:19 91,136 a------- c:\windows\system32\avifil32.dll
2009-08-12 12:19 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-08-12 12:19 7,680 a------- c:\windows\system32\spwmp.dll
2009-08-12 12:19 4,096 a------- c:\windows\system32\msdxm.ocx
2009-08-12 12:19 4,096 a------- c:\windows\system32\dxmasf.dll
2009-08-12 12:19 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-08-12 12:19 43,520 a------- c:\windows\system32\msdxm.tlb
2009-08-12 12:19 18,432 a------- c:\windows\system32\amcompat.tlb
2009-08-11 11:08 <DIR> --d----- c:\program files\Bazooka Scanner
2009-08-06 19:18 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-08-06 19:18 97,800 a------- c:\windows\system32\infocardapi.dll
2009-08-06 19:18 622,080 a------- c:\windows\system32\icardagt.exe
2009-08-06 19:18 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-08-06 19:18 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-08-06 19:18 11,264 a------- c:\windows\system32\icardres.dll
2009-08-06 19:18 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-08-06 19:18 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-08-06 19:14 96,760 a------- c:\windows\system32\dfshim.dll
2009-08-06 19:14 282,112 a------- c:\windows\system32\mscoree.dll
2009-08-06 19:13 41,984 a------- c:\windows\system32\netfxperf.dll
2009-08-06 19:13 158,720 a------- c:\windows\system32\mscorier.dll
2009-08-06 19:13 83,968 a------- c:\windows\system32\mscories.dll
2009-07-24 17:57 <DIR> --d----- c:\program files\alot
2009-07-22 19:56 <DIR> --d----- c:\programdata\UDL
2009-07-22 19:56 <DIR> --d----- c:\progra~2\UDL
2009-07-22 19:52 <DIR> --d----- c:\program files\ABBYY FineReader 6.0 Sprint
2009-07-21 20:00 192 a------- c:\windows\wininit.ini
2009-07-21 16:24 <DIR> --d----- c:\program files\Babylon

==================== Find3M ====================

2009-07-22 19:48 86,016 a------- c:\windows\inf\infstrng.dat
2009-07-22 19:48 86,016 a------- c:\windows\inf\infstor.dat
2009-07-22 19:48 51,200 a------- c:\windows\inf\infpub.dat
2009-07-21 22:52 915,456 a------- c:\windows\system32\wininet.dll
2009-07-21 22:47 109,056 a------- c:\windows\system32\iesysprep.dll
2009-07-21 22:47 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-21 21:13 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-06-15 16:24 156,672 a------- c:\windows\system32\t2embed.dll
2009-06-15 16:20 72,704 a------- c:\windows\system32\fontsub.dll
2009-06-15 16:20 10,240 a------- c:\windows\system32\dciman32.dll
2009-06-15 13:52 289,792 a------- c:\windows\system32\atmfd.dll
2009-06-08 09:14 15,688 a------- c:\windows\system32\lsdelete.exe
2009-01-02 20:07 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-21 03:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 12:29:16.10 ===============
Last edited by Orac on October 31st, 2009, 12:07 pm, edited 1 time in total.
Reason: disable live links
techno_turtle
Regular Member
 
Posts: 19
Joined: August 14th, 2009, 6:44 am

Re: HIJACKTHIS Log - New infection. Help appreciated

Unread postby techno_turtle » August 19th, 2009, 7:33 am

DDS (Ver_09-07-30.01) - NTFSx86
Run by Murray at 12:27:37.78 on 19/08/2009
Internet Explorer: 8.0.6001.18813 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.1791.482 [GMT 1:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Lavasoft Ad-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Windows\system32\rundll32.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\nvraidservice.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinctray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\BOINC\boinc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\ProgramData\BOINC\projects\climateprediction.net\hadcm3trans_6.04_windows_intelx86.exe
C:\ProgramData\BOINC\projects\climateprediction.net\hadam3_6.01_windows_intelx86.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\ProgramData\BOINC\projects\climateprediction.net\hadam3_um_6.01_windows_intelx86.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\ProgramData\BOINC\projects\climateprediction.net\hadcm3trans_um_6.04_windows_intelx86.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Murray\Downloads\dds(2).com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bbc.co.uk/
mStart Page = hxxp://en.uk.acer.yahoo.com
mDefault_Page_URL = hxxp://en.uk.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [EPSON Stylus SX200 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiefe.exe /fu "c:\windows\temp\E_S1B5E.tmp" /EF "HKCU"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Acer Empowering Technology Monitor] c:\acer\empowering technology\SysMonitor.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\x86\eDSloader.exe
mRun: [PCMMediaSharing] c:\program files\acer arcade live\acer homemedia connect\kernel\dms\PCMMediaSharing.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Apanel] c:\acersw\config\SetApanel.cmd
mRun: [WarReg_PopUp] c:\acer\wr_popup\WarReg_PopUp.exe
mRun: [eRecoveryService]
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [btbb_McciTrayApp] "c:\program files\bt broadband desktop help\btbb\BTHelpNotifier.exe"
mRun: [btbb_wcm_McciTrayApp] "c:\program files\bt broadband desktop help\btbb_wcm\McciTrayApp.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [boincmgr] "c:\program files\boinc\boincmgr.exe" /a /s
mRun: [boinctray] "c:\program files\boinc\boinctray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\murray\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: gov.uk\cag1.devon
Trusted Zone: gov.uk\cag2.devon
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\murray\appdata\roaming\mozilla\firefox\profiles\t1pnb6sj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\google earth plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1508.6312\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\users\murray\appdata\roaming\mozilla\plugins\np65BF5EDF-441F-445F-A0C2-6A686BF56710.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-8 64160]
R0 nvrd32;NVIDIA nForce RAID Driver;c:\windows\system32\drivers\nvrd32.sys [2008-3-16 131616]
R2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\acer arcade live\acer homemedia connect\kernel\dms\CLMSServer.exe [2008-3-16 269448]
S2 gupdate1c9947169a3c264;Google Update Service (gupdate1c9947169a3c264);c:\program files\google\update\GoogleUpdate.exe [2009-2-21 133104]
S3 NVHDA;Service for NVIDIA HDMI Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-3-16 30752]

=============== Created Last 30 ================

2009-08-19 11:35 49 a------- c:\windows\cdplayer.ini
2009-08-19 10:24 <DIR> --d----- c:\users\murray\appdata\roaming\Malwarebytes
2009-08-19 10:24 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-19 10:24 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-19 10:24 <DIR> --d----- c:\programdata\Malwarebytes
2009-08-19 10:24 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-19 10:24 <DIR> --d----- c:\progra~2\Malwarebytes
2009-08-13 22:10 <DIR> --d----- c:\program files\Trend Micro
2009-08-13 20:00 <DIR> --d----- c:\users\murray\appdata\roaming\Uniblue
2009-08-13 20:00 <DIR> --d----- c:\programdata\DriverScanner
2009-08-13 20:00 <DIR> --d----- c:\program files\Uniblue
2009-08-13 20:00 <DIR> --d----- c:\progra~2\DriverScanner
2009-08-12 12:19 160,256 a------- c:\windows\system32\wkssvc.dll
2009-08-12 12:19 71,680 a------- c:\windows\system32\atl.dll
2009-08-12 12:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-08-12 12:19 91,136 a------- c:\windows\system32\avifil32.dll
2009-08-12 12:19 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-08-12 12:19 7,680 a------- c:\windows\system32\spwmp.dll
2009-08-12 12:19 4,096 a------- c:\windows\system32\msdxm.ocx
2009-08-12 12:19 4,096 a------- c:\windows\system32\dxmasf.dll
2009-08-12 12:19 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-08-12 12:19 43,520 a------- c:\windows\system32\msdxm.tlb
2009-08-12 12:19 18,432 a------- c:\windows\system32\amcompat.tlb
2009-08-11 11:08 <DIR> --d----- c:\program files\Bazooka Scanner
2009-08-06 19:18 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-08-06 19:18 97,800 a------- c:\windows\system32\infocardapi.dll
2009-08-06 19:18 622,080 a------- c:\windows\system32\icardagt.exe
2009-08-06 19:18 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-08-06 19:18 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-08-06 19:18 11,264 a------- c:\windows\system32\icardres.dll
2009-08-06 19:18 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-08-06 19:18 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-08-06 19:14 96,760 a------- c:\windows\system32\dfshim.dll
2009-08-06 19:14 282,112 a------- c:\windows\system32\mscoree.dll
2009-08-06 19:13 41,984 a------- c:\windows\system32\netfxperf.dll
2009-08-06 19:13 158,720 a------- c:\windows\system32\mscorier.dll
2009-08-06 19:13 83,968 a------- c:\windows\system32\mscories.dll
2009-07-24 17:57 <DIR> --d----- c:\program files\alot
2009-07-22 19:56 <DIR> --d----- c:\programdata\UDL
2009-07-22 19:56 <DIR> --d----- c:\progra~2\UDL
2009-07-22 19:52 <DIR> --d----- c:\program files\ABBYY FineReader 6.0 Sprint
2009-07-21 20:00 192 a------- c:\windows\wininit.ini
2009-07-21 16:24 <DIR> --d----- c:\program files\Babylon

==================== Find3M ====================

2009-07-22 19:48 86,016 a------- c:\windows\inf\infstrng.dat
2009-07-22 19:48 86,016 a------- c:\windows\inf\infstor.dat
2009-07-22 19:48 51,200 a------- c:\windows\inf\infpub.dat
2009-07-21 22:52 915,456 a------- c:\windows\system32\wininet.dll
2009-07-21 22:47 109,056 a------- c:\windows\system32\iesysprep.dll
2009-07-21 22:47 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-21 21:13 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-06-15 16:24 156,672 a------- c:\windows\system32\t2embed.dll
2009-06-15 16:20 72,704 a------- c:\windows\system32\fontsub.dll
2009-06-15 16:20 10,240 a------- c:\windows\system32\dciman32.dll
2009-06-15 13:52 289,792 a------- c:\windows\system32\atmfd.dll
2009-06-08 09:14 15,688 a------- c:\windows\system32\lsdelete.exe
2009-01-02 20:07 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-21 03:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 12:29:16.10 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 24/12/2008 04:27:07
System Uptime: 19/08/2009 12:15:28 (0 hours ago)

Motherboard: ACER | | MCP73VE
Processor: Intel(R) Core(TM)2 Duo CPU E4700 @ 2.60GHz | SOCKET775 M/B | 2603/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 144 GiB total, 59.415 GiB free.
D: is FIXED (NTFS) - 145 GiB total, 144.628 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Tun Miniport Adapter
Device ID: ROOT\*TUNMP\0001
Manufacturer: Microsoft
Name: Teredo Tunneling Pseudo-Interface
PNP Device ID: ROOT\*TUNMP\0001
Service: tunmp

==== System Restore Points ===================


==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 1 (SP1)
ABBYY FineReader 6.0 Sprint
Acer Arcade Live Main Page
Acer DV Magician
Acer DVDivine
Acer eDataSecurity Management
Acer Empowering Technology
Acer ePerformance Management
Acer eSettings Management
Acer GameZone Console DTV 2.0.1.1
Acer HomeMedia
Acer HomeMedia Connect
Acer HomeMedia Trial Creator
Acer ScreenSaver
Acer SlideShow DVD
Acer VideoMagician
Activation Assistant for the 2007 Microsoft Office suites
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2
Agatha Christie Death on the Nile
Alice Greenfingers
Apple Mobile Device Support
Apple Software Update
ATI Catalyst Install Manager
Azada
Backspin Billiards
Bazooka Scanner
BBC iPlayer Download Manager
Big Kahuna Reef
BOINC
Bonjour
Bookworm Deluxe
Bricks of Egypt
BT Broadband Desktop Help
BT Wireless Connection Manager
BT Yahoo! Applications
CA Yahoo! Anti-Spy (remove only)
Cake Mania
Camera RAW Plug-In for EPSON Creativity Suite
Chicken Invaders 3
Chuzzle
Citrix Presentation Server Client - Web Only
DCC Repackaged CAG Components a
Diner Dash Flo on the Go
EPAFactory Endpoint Analysis Client 3.0
EPSON Attach To Email
EPSON Easy Photo Print
EPSON File Manager
EPSON Scan
EPSON Scan Assistant
EPSON Stylus SX200 Series Printer Uninstall
EPSON Stylus SX200_SX400_TX200_TX400 Manual
eSobi v2
Flip Words 2
Google Earth
Google Earth Plugin
Google Photos Screensaver
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iTunes
Java(TM) 6 Update 13
Jewel Quest Solitaire
Kick N Rush
LightScribe 1.4.142.1
Mahjong Escape Ancient China
Mahjongg Artifacts
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 3.5 SP1
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MobileMe Control Panel
Mozilla Firefox (3.0.1)
MSXML 4.0 SP2 (KB954430)
Mystery Case Files - Huntsville
Mystery Solitaire - Secret Island
NTI Backup NOW! 4.7
NTI CD & DVD-Maker
NVIDIA Drivers
Picasa 2
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Safari
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Skype™ 4.0
Spybot - Search & Destroy
Spyware Doctor 6.0
Turbo Pizza
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Yahoo! Software Update
Zuma Deluxe

==== End Of File ===========================
Last edited by Orac on October 31st, 2009, 12:08 pm, edited 1 time in total.
Reason: disable live links
techno_turtle
Regular Member
 
Posts: 19
Joined: August 14th, 2009, 6:44 am
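As an added example (not part of this thread, of the DDS tool, or of the helpers' own process), the following Python script applies the first checks a log reader makes on the Pseudo HJT Report above: UAC switched off (`mPolicies-system: EnableLUA = 0`), hosts placed in IE's Trusted Sites zone, autostarts or browser plug-ins loaded from outside the usual install directories, and Run values with no command. The sample lines are copied from the posted log; the severity labels and the list of trusted roots are the example's own assumptions, and a "low" finding means "verify the file", not "malware".

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log.

Added example, not code from the thread, from DDS or from this forum's
helpers. It reads lines in the format DDS prints (u/m prefix, key, value)
and flags the conditions a log reader checks first. The SAMPLE lines are
copied from the log posted above; two benign lines are kept as negative
cases. Severities and the set of "trusted" roots are this example's own
choices (assumptions), not DDS output.
"""
import re

# Constructed sample: lines taken verbatim from the posted DDS report.
SAMPLE = [
    r"uInternet Settings,ProxyOverride = *.local",
    r"mRun: [Apanel] c:\acersw\config\SetApanel.cmd",
    r"mRun: [eRecoveryService]",
    r"mPolicies-system: EnableLUA = 0 (0x0)",
    r"mPolicies-system: EnableUIADesktopToggle = 0 (0x0)",
    r"Trusted Zone: gov.uk\cag1.devon",
    r"Trusted Zone: gov.uk\cag2.devon",
    r"FF - plugin: c:\program files\picasa2\npPicasa2.dll",
    r"FF - plugin: c:\users\murray\appdata\roaming\mozilla\plugins\np65BF5EDF-441F-445F-A0C2-6A686BF56710.dll",
]

# Line types that name a file Windows or the browser loads at start-up.
AUTOSTART_PREFIXES = (
    "urun:", "mrun:", "bho:", "tb:", "uurlsearchhooks:", "handler:",
    "startupfolder:", "ff - plugin:", "ff - component:",
)

# Roots installers normally write to (assumed; add OEM folders such as
# c:\acer for machines that have them). A file loaded from elsewhere, in
# particular from a user profile, is not proof of infection, only a
# reason to look at that file.
TRUSTED_ROOTS = (
    r"c:\program files", r"c:\progra~1", r"c:\progra~2",
    r"c:\programdata", r"c:\windows",
)

# A drive-letter path up to a loadable-file extension; DDS prints paths
# unquoted, so spaces must be allowed inside the path.
PATH_RE = re.compile(
    r"[a-z]:\\[^\r\n]*?\.(?:exe|dll|cmd|bat|scr|ocx|lnk|sys|cpl)\b", re.I)
UAC_OFF_RE = re.compile(r"mPolicies-system:\s*EnableLUA\s*=\s*0\b", re.I)
EMPTY_RUN_RE = re.compile(r"[um]Run:\s*\[[^\]]+\]\s*$", re.I)


def loaded_path(line):
    """Return the lower-cased path of the file the line loads, or None.

    StartupFolder lines list the .lnk first and its target after ' - ';
    the target is the file that actually runs.
    """
    target = line.split(" - ")[-1] if line.lower().startswith("startupfolder:") else line
    m = PATH_RE.search(target)
    return m.group(0).lower() if m else None


def findings(lines):
    """Return (severity, reason, line) tuples for the lines worth checking."""
    out = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if UAC_OFF_RE.match(line):
            out.append(("high", "UAC disabled by machine policy (EnableLUA = 0)", line))
        elif line.lower().startswith("trusted zone:"):
            out.append(("medium", "host in IE Trusted Sites zone (relaxed security settings)", line))
        elif line.lower().startswith(AUTOSTART_PREFIXES):
            path = loaded_path(line)
            if path is not None and not path.startswith(TRUSTED_ROOTS):
                out.append(("low", "autostart or plug-in loaded from outside the usual install roots; verify the file", line))
            elif path is None and EMPTY_RUN_RE.match(line):
                out.append(("info", "Run value with no command (orphaned autostart)", line))
    return out


def summarize(lines):
    """Count findings per severity."""
    counts = {}
    for severity, _, _ in findings(lines):
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, reason, line in findings(SAMPLE):
        print(f"[{severity:6}] {reason}\n         {line}")
    print(summarize(SAMPLE))
```

Run against the sample it reports the disabled UAC policy, the two Trusted Zone hosts, the `.cmd` autorun under `c:\acersw`, the Firefox plug-in under the user's roaming profile, and the empty `eRecoveryService` Run value, while the Picasa plug-in and the `ProxyOverride = *.local` line produce nothing. To use it on a real log, paste the Pseudo HJT Report lines into a file and feed them in place of `SAMPLE`.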

Re: HIJACKTHIS Log - New infection. Help appreciated

Unread postby Blade81 » August 19th, 2009, 10:34 am

Hi again,


Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
  • Run Spybot-S&D in Advanced Mode
  • If it is not already set to do this, go to the Mode menu and select Advanced Mode
  • On the left hand side, click on Tools
  • Then click on the Resident icon in the list
  • Uncheck Resident TeaTimer and OK any prompts.
  • Restart your computer


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:

  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
Blade81
Admin/Teacher
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland

Re: HIJACKTHIS Log - New infection. Help appreciated

Unread postby techno_turtle » August 19th, 2009, 11:26 am

Again, a big thank you. I have disabled the TeaTimer option in Spybot and printed off the instruction manual for running ComboFix. To my untrained eye it looks complicated and, due to the warning you gave about it possibly damaging my computer, I will take time to read it properly. I will do this tonight and start the process mid-morning Thursday.
techno_turtle
Regular Member
 
Posts: 19
Joined: August 14th, 2009, 6:44 am

Re: HIJACKTHIS Log - New infection. Help appreciated

Unread postby techno_turtle » August 20th, 2009, 8:09 am

Hopefully I followed all instructions to disable Ad-Aware etc. before scanning. I did try, and it was a nervous time for me worrying I would damage my computer. It all appeared to go well. The computer started again after the scan anyway! I started up McAfee & Ad-Aware immediately, so I hope that's OK. Can I re-start TeaTimer in Spybot now as well?

Logs as follows:

ComboFix 09-08-19.06 - Murray 20/08/2009 12:31.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1791.840 [GMT 1:00]
Running from: c:\users\Murray\Desktop\ComboFix.exe
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\alot
c:\program files\alot\bin\ALOTSettings.exe
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc1132.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc1170.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc147E.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc1595.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc1697.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc191E.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc1C69.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc1DCF.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc1E59.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc1F45.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc2234.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc237D.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc2399.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc252F.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc28C7.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc2ACA.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc2B75.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc2C5.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc2D0.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc2D6D.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc2DAC.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc2F4C.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc30F2.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc38FD.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc3C37.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc41F2.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc4240.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc46A8.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc4741.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc4777.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc4932.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc4A2C.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc4B78.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc4C14.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5073.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc50A2.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc531.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5360.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc544A.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5547.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5588.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc57D2.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5A04.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5C0B.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5C74.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5CA9.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5CEA.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5D53.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc5F9B.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc61B6.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc626D.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc6588.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc6598.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc6693.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc66A2.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc6A1A.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc6F99.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc7476.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc7487.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc751A.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc7543.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc776.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc7866.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc7966.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc7ABE.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc7BC6.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc86E2.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc877A.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc877B.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc893E.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc8D9.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc8F85.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc91AB.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc93C9.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc959D.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc98B4.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mcc991F.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA05C.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA1DC.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA3EF.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA667.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA66F.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA6A4.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA98A.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccA9B9.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB2D.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB492.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB972.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccB98C.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccBCA.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccBD78.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccBE33.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC112.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC2E4.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccC8AE.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCB0E.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCDCC.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCDFF.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCE1A.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccCE39.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD1D.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD3CF.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD6B7.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD82D.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD889.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccD8A.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccDC1F.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccDEDC.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccDF3E.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE11E.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE6BF.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE74C.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccE825.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccEAAF.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccEADD.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccEB4F.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccECE0.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccED8C.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccEF84.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccF3CE.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccFCC8.tmp
c:\users\Murray\AppData\Local\Microsoft\Windows\Temporary Internet Files\mccFDD1.tmp
c:\windows\Cursors\aero_link.cur

.
((((((((((((((((((((((((( Files Created from 2009-07-20 to 2009-08-20 )))))))))))))))))))))))))))))))
.

2009-08-20 11:38 . 2009-08-20 11:38 -------- d-----w- c:\users\Orla\AppData\Local\temp
2009-08-20 11:38 . 2009-08-20 11:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-20 10:22 . 2009-08-20 10:24 -------- d-----w- c:\windows\system32\ca-ES
2009-08-20 10:22 . 2009-08-20 10:23 -------- d-----w- c:\windows\system32\eu-ES
2009-08-20 10:22 . 2009-08-20 10:23 -------- d-----w- c:\windows\system32\vi-VN
2009-08-20 10:00 . 2009-08-20 10:00 -------- d-----w- c:\windows\system32\EventProviders
2009-08-19 09:24 . 2009-08-19 09:24 -------- d-----w- c:\users\Murray\AppData\Roaming\Malwarebytes
2009-08-19 09:24 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-19 09:24 . 2009-08-19 09:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-19 09:24 . 2009-08-19 09:24 -------- d-----w- c:\programdata\Malwarebytes
2009-08-19 09:24 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-18 19:06 . 2009-04-11 06:28 114176 ----a-w- c:\windows\system32\EhStorShell.dll
2009-08-18 19:05 . 2009-04-11 06:28 241664 ----a-w- c:\windows\system32\msltus40.dll
2009-08-18 19:03 . 2009-04-11 06:28 777216 ----a-w- c:\windows\system32\slcc.dll
2009-08-18 19:02 . 2009-04-11 06:28 19968 ----a-w- c:\windows\system32\winrnr.dll
2009-08-18 19:01 . 2009-04-11 06:28 218624 ----a-w- c:\windows\system32\wdscore.dll
2009-08-18 19:01 . 2009-04-11 06:27 130560 ----a-w- c:\windows\system32\PkgMgr.exe
2009-08-18 19:01 . 2009-04-11 06:28 247808 ----a-w- c:\windows\system32\drvstore.dll
2009-08-13 21:10 . 2009-08-13 21:10 -------- d-----w- c:\program files\Trend Micro
2009-08-13 19:00 . 2009-08-13 19:06 -------- d-----w- c:\users\Murray\AppData\Roaming\Uniblue
2009-08-13 19:00 . 2009-08-13 19:06 -------- d-----w- c:\programdata\DriverScanner
2009-08-13 19:00 . 2009-08-13 19:06 -------- d-----w- c:\program files\Uniblue
2009-08-12 11:19 . 2009-06-10 11:42 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-08-12 11:19 . 2009-07-17 13:54 71680 ----a-w- c:\windows\system32\atl.dll
2009-08-12 11:19 . 2009-06-04 12:07 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-08-12 11:19 . 2009-04-11 06:28 136192 ----a-w- c:\windows\system32\aaclient.dll
2009-08-12 11:19 . 2009-04-11 06:28 53248 ----a-w- c:\windows\system32\tsgqec.dll
2009-08-12 11:19 . 2009-06-10 11:38 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-08-12 11:19 . 2009-07-15 12:39 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-08-12 11:19 . 2009-07-15 12:39 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-08-12 11:19 . 2009-07-15 12:40 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-08-12 11:19 . 2009-07-15 12:39 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-08-11 10:08 . 2009-08-11 10:08 -------- d-----w- c:\program files\Bazooka Scanner
2009-08-06 18:13 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-07-22 19:09 . 2009-07-22 20:44 -------- d-----w- c:\users\Murray\AppData\Roaming\EPSON
2009-07-22 18:56 . 2009-07-22 18:56 -------- d-----w- c:\programdata\UDL
2009-07-22 18:52 . 2009-07-22 18:53 -------- d-----w- c:\program files\ABBYY FineReader 6.0 Sprint
2009-07-22 18:50 . 2007-12-17 04:00 143872 ----a-w- c:\programdata\EPSON\EPW!3 SSRP\E_S40ST7.EXE
2009-07-22 18:50 . 2007-01-11 04:02 113664 ----a-w- c:\programdata\EPSON\EPW!3 SSRP\E_S40RP7.EXE
2009-07-22 08:29 . 2009-07-22 08:29 -------- d-----w- c:\users\Orla\AppData\Local\Babylon
2009-07-22 08:28 . 2009-07-22 09:46 -------- d-----w- c:\users\Orla\AppData\Roaming\Babylon
2009-07-21 15:24 . 2009-07-21 15:24 -------- d-----w- c:\program files\Babylon
2009-07-21 15:22 . 2009-08-18 15:29 91 ----a-w- c:\users\Murray\AppData\Local\sadjp.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-20 11:39 . 2009-01-02 16:16 -------- d-----w- c:\users\Murray\AppData\Roaming\Skype
2009-08-20 11:38 . 2009-01-15 17:31 -------- d-----w- c:\programdata\Kontiki
2009-08-20 11:34 . 2009-02-21 22:41 -------- d-----w- c:\programdata\BOINC
2009-08-20 10:45 . 2009-04-10 17:18 -------- d-----w- c:\program files\Java
2009-08-20 10:33 . 2008-03-16 19:20 -------- d-----w- c:\programdata\NVIDIA
2009-08-20 10:24 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-08-20 10:24 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-20 10:24 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-08-20 10:24 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-08-20 10:24 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-08-20 10:24 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-08-20 10:24 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-08-20 10:22 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-08-20 10:03 . 2009-01-24 16:19 -------- d-----w- c:\program files\Spyware Doctor
2009-08-20 09:48 . 2009-01-02 16:19 -------- d-----w- c:\users\Murray\AppData\Roaming\skypePM
2009-08-18 17:15 . 2009-01-02 16:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-14 10:37 . 2009-01-17 08:41 -------- d-----w- c:\program files\Safari
2009-07-25 11:34 . 2009-01-03 11:34 -------- d-----w- c:\programdata\Yahoo! Companion
2009-07-25 09:56 . 2009-01-03 11:22 -------- d-----w- c:\programdata\Yahoo!
2009-07-25 09:56 . 2008-03-16 20:02 -------- d-----w- c:\program files\Yahoo!
2009-07-25 04:23 . 2009-04-10 17:18 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-22 19:01 . 2008-03-16 19:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-22 18:58 . 2008-03-16 19:24 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-22 18:54 . 2009-07-17 14:52 -------- d-----w- c:\program files\epson
2009-07-22 18:50 . 2009-07-17 14:53 -------- d-----w- c:\programdata\EPSON
2009-07-21 21:52 . 2009-07-29 08:44 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-29 08:44 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-29 08:44 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-29 08:44 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-19 12:51 . 2009-07-19 12:51 -------- d-----w- c:\program files\iTunes
2009-07-19 12:51 . 2009-07-19 12:51 -------- d-----w- c:\program files\iPod
2009-07-19 12:51 . 2009-01-07 10:54 -------- d-----w- c:\program files\Common Files\Apple
2009-07-19 12:25 . 2009-07-19 12:25 75040 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-17 15:28 . 2009-07-17 15:28 -------- d-----w- c:\users\Murray\AppData\Roaming\InstallShield
2009-06-29 09:56 . 2009-06-27 10:35 -------- d-----w- c:\program files\McAfee
2009-06-27 10:40 . 2008-03-16 20:04 -------- d-----w- c:\programdata\McAfee
2009-06-27 10:36 . 2009-06-27 10:35 -------- d-----w- c:\program files\Common Files\McAfee
2009-06-27 10:35 . 2009-06-27 10:35 -------- d-----w- c:\program files\McAfee.com
2009-06-25 14:34 . 2009-01-02 16:15 -------- d-----w- c:\program files\Google
2009-06-15 14:53 . 2009-07-16 09:06 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 14:52 . 2009-07-16 09:06 23552 ----a-w- c:\windows\system32\lpk.dll
2009-06-15 14:52 . 2009-07-16 09:06 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 14:51 . 2009-07-16 09:06 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 12:42 . 2009-07-16 09:06 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-06-08 08:14 . 2009-06-08 08:14 15688 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-08 08:14 . 2009-01-24 09:39 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-08 08:14 . 2009-06-08 08:15 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-08 08:14 . 2009-06-08 08:14 64160 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2007-11-09 16:10 . 2007-11-09 16:10 30288 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2007-11-09 16:10 . 2007-11-09 16:10 79440 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2007-11-09 16:10 . 2007-11-09 16:10 75344 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2007-11-09 16:10 . 2007-11-09 16:10 140880 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2007-11-09 16:10 . 2007-11-09 16:10 42576 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2007-11-09 16:10 . 2007-11-09 16:10 50768 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-11-09 16:10 . 2007-11-09 16:10 34384 ----a-w- c:\program files\mozilla firefox\plugins\logging.dll
2007-11-09 16:11 . 2007-11-09 16:11 685648 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2007-11-09 16:11 . 2007-11-09 16:11 30288 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-03-05 06:38 121392 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-13 39408]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-01-29 23975720]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"Acer Empowering Technology Monitor"="c:\acer\Empowering Technology\SysMonitor.exe" [2008-01-10 326176]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-03-05 526896]
"PCMMediaSharing"="c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe" [2008-01-26 204908]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-04-04 13535776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-04-04 92704]
"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-05 57344]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2007-12-07 196128]
"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2008-09-11 1517056]
"btbb_wcm_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe" [2008-08-28 1516032]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-03 185896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-13 177472]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-09 520024]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"boincmgr"="c:\program files\BOINC\boincmgr.exe" [2008-12-09 4289280]
"boinctray"="c:\program files\BOINC\boinctray.exe" [2008-12-09 58112]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-05-01 645328]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-10-11 4702208]

c:\users\Orla\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\users\Murray\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2008-3-16 535336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):bd,f0,4c,e4,80,21,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2974532428-1769531354-2744306558-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{89EC6C5A-4AB0-4332-8222-0B151E8A8E96}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C318B0A4-B2D0-4D2E-9441-555DC11A8A75}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{479ECCE8-031F-4BCF-B7EB-31702685CE3A}"= c:\program files\Acer Arcade Live\Acer Arcade Live Main Page\Acer Arcade Live.exe:Acer Arcade Live
"{8E5AC746-02CF-4513-9F72-04A74B446FFC}"= c:\program files\Acer Arcade Live\Acer DVDivine\Acer DVDivine.exe:Acer DVDivine
"{92E72A5C-B72B-4379-94AE-F07E353CAB52}"= c:\program files\Acer Arcade Live\Acer HomeMedia\Acer HomeMedia.exe:Acer HomeMedia
"{31EB5216-7D72-4C17-8DF2-FA5B69B7869E}"= c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Acer HomeMedia Connect.exe:Acer HomeMedia Connect
"{39863CA9-3184-4F99-9510-39E313EE846B}"= c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.EXE:Acer HomeMedia Connect Service
"{94063567-A94D-492C-A5FE-C8A914B9B6F4}"= c:\program files\Acer Arcade Live\Acer SlideShow DVD\Acer SlideShow DVD.exe:Acer SlideShow DVD
"{6A4CAF56-9623-4AFA-854B-D47483B10A3B}"= c:\program files\Acer Arcade Live\Acer VideoMagician\Acer VideoMagician.exe:Acer VideoMagician
"{A95B326A-DD98-4550-8653-CE41D482B8FA}"= c:\program files\Acer Arcade Live\Acer HomeMedia Trial Creator\Acer HomeMedia Trial Creator.exe:Acer HomeMedia Trial Creator
"{70441C18-3E53-4EFF-B676-D2C732DCB557}"= c:\program files\Acer Arcade Live\Acer DV Magician\Acer DV Magician.exe:Acer DV Magician
"{C89A1E2F-CB31-478E-9493-AEDC9B7DB68E}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{C1914AC7-2B33-434D-BAA5-115995DA5793}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{B82E01A5-EA7E-4F96-AD8D-C392A679BD81}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{F3FCF371-014C-4D50-87FF-344D1EEB923E}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{C5D568E2-5FA5-4E15-B8F1-0D6480538521}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{1BACC0D3-EDF3-4F68-9B22-0E249E108980}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{6C18F104-92EA-45E3-B6F6-54F79FE7142E}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{85F3B94C-2A27-42C0-B5AA-49FA66320FBC}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{34812F52-104F-4A88-97A0-41BB1AB66797}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{5770A6FB-B5F5-47B7-929A-35D9A484D9A0}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{FA4BCF55-2BAA-4334-9E05-785FAAAC511E}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{D6D2CD49-BD93-4C09-B990-DE815C186179}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{56249E87-5844-4B5A-B3E5-F62272A07B04}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{667D8EBB-BE54-4FCD-B325-71DD8B1DA93A}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{19E4C5B8-F6A1-4475-A250-F3469FF4817D}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{2D64D503-92A4-4D40-8BE1-71B569138B21}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{4758E79B-1207-4A51-A0BE-E1180A53C6DB}"= c:\program files\Skype\Phone\Skype.exe:Skype

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [08/06/2009 09:15 64160]
R2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [16/03/2008 20:47 269448]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [27/06/2009 11:38 203280]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [02/01/2009 17:02 1153368]
S2 gupdate1c9947169a3c264;Google Update Service (gupdate1c9947169a3c264);c:\program files\Google\Update\GoogleUpdate.exe [21/02/2009 23:11 133104]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [18/01/2009 22:34 1029456]
S3 NVHDA;Service for NVIDIA HDMI Audio Driver;c:\windows\System32\drivers\nvhda32v.sys [16/03/2008 20:01 30752]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [24/01/2009 17:19 356920]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 16:17]

2009-08-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-02 14:28]

2009-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-21 22:11]

2009-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-21 22:11]

2009-06-27 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-27 07:57]

2009-06-27 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-27 07:57]

2009-08-20 c:\windows\Tasks\User_Feed_Synchronization-{1E5D46C9-89B9-49DE-8853-03C221DEE727}.job
- c:\windows\system32\msfeedssync.exe [2009-07-29 20:13]

2009-08-20 c:\windows\Tasks\User_Feed_Synchronization-{68B172E1-07BC-4FE9-A6A8-D6784F181B92}.job
- c:\windows\system32\msfeedssync.exe [2009-07-29 20:13]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Apanel - c:\acersw\config\SetApanel.cmd
HKLM-Run-eRecoveryService - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bbc.co.uk/
mStart Page = hxxp://en.uk.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: gov.uk\cag1.devon
Trusted Zone: gov.uk\cag2.devon
FF - ProfilePath - c:\users\Murray\AppData\Roaming\Mozilla\Firefox\Profiles\t1pnb6sj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Google Earth Plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1508.6312\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\users\Murray\AppData\Roaming\Mozilla\plugins\np65BF5EDF-441F-445F-A0C2-6A686BF56710.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-20 12:39
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\Murray\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
Completion time: 2009-08-20 12:42
ComboFix-quarantined-files.txt 2009-08-20 11:42

Pre-Run: 81,674,928,128 bytes free
Post-Run: 81,820,942,336 bytes free

434 --- E O F --- 2009-08-20 10:13
Last edited by Orac on October 31st, 2009, 12:09 pm, edited 1 time in total.
Reason: disable live links
techno_turtle
Regular Member
 
Posts: 19
Joined: August 14th, 2009, 6:44 am

Re: HIJACKTHIS Log - New infection. Help appreciated

Unread postby techno_turtle » August 20th, 2009, 8:12 am

DDS (Ver_09-07-30.01) - NTFSx86
Run by Murray at 13:10:20.14 on 20/08/2009
Internet Explorer: 8.0.6001.18813 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1791.642 [GMT 1:00]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Lavasoft Ad-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Windows\system32\rundll32.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\SysMonitor.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\nvraidservice.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinctray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\ProgramData\BOINC\projects\climateprediction.net\hadcm3trans_6.04_windows_intelx86.exe
C:\ProgramData\BOINC\projects\climateprediction.net\hadam3_6.01_windows_intelx86.exe
C:\ProgramData\BOINC\projects\climateprediction.net\hadam3_um_6.01_windows_intelx86.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\ProgramData\BOINC\projects\climateprediction.net\hadcm3trans_um_6.04_windows_intelx86.exe
C:\PROGRA~1\mcafee\msc\mcshell.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Murray\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bbc.co.uk/
mStart Page = hxxp://en.uk.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Acer Empowering Technology Monitor] c:\acer\empowering technology\SysMonitor.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\x86\eDSloader.exe
mRun: [PCMMediaSharing] c:\program files\acer arcade live\acer homemedia connect\kernel\dms\PCMMediaSharing.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [WarReg_PopUp] c:\acer\wr_popup\WarReg_PopUp.exe
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [btbb_McciTrayApp] "c:\program files\bt broadband desktop help\btbb\BTHelpNotifier.exe"
mRun: [btbb_wcm_McciTrayApp] "c:\program files\bt broadband desktop help\btbb_wcm\McciTrayApp.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [boincmgr] "c:\program files\boinc\boincmgr.exe" /a /s
mRun: [boinctray] "c:\program files\boinc\boinctray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\users\murray\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: gov.uk\cag1.devon
Trusted Zone: gov.uk\cag2.devon
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\murray\appdata\roaming\mozilla\firefox\profiles\t1pnb6sj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\google earth plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1508.6312\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\users\murray\appdata\roaming\mozilla\plugins\np65BF5EDF-441F-445F-A0C2-6A686BF56710.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-8 64160]
R0 nvrd32;NVIDIA nForce RAID Driver;c:\windows\system32\drivers\nvrd32.sys [2008-3-16 131616]
S3 NVHDA;Service for NVIDIA HDMI Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-3-16 30752]

=============== Created Last 30 ================

2009-08-20 12:57 <DIR> --dsh--- C:\$RECYCLE.BIN
2009-08-20 12:30 229,376 a------- c:\windows\PEV.exe
2009-08-20 12:30 161,792 a------- c:\windows\SWREG.exe
2009-08-20 12:30 98,816 a------- c:\windows\sed.exe
2009-08-20 12:30 <DIR> --ds---- C:\ComboFix
2009-08-20 11:22 <DIR> --d----- c:\windows\system32\eu-ES
2009-08-20 11:22 <DIR> --d----- c:\windows\system32\ca-ES
2009-08-20 11:22 <DIR> --d----- c:\windows\system32\vi-VN
2009-08-20 11:00 <DIR> --d----- c:\windows\system32\EventProviders
2009-08-19 11:35 49 a------- c:\windows\cdplayer.ini
2009-08-19 10:24 <DIR> --d----- c:\users\murray\appdata\roaming\Malwarebytes
2009-08-19 10:24 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-19 10:24 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-19 10:24 <DIR> --d----- c:\programdata\Malwarebytes
2009-08-19 10:24 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-19 10:24 <DIR> --d----- c:\progra~2\Malwarebytes
2009-08-18 20:06 114,176 a------- c:\windows\system32\EhStorShell.dll
2009-08-18 20:05 241,664 a------- c:\windows\system32\msltus40.dll
2009-08-18 20:04 738,816 a------- c:\windows\system32\inetcomm.dll
2009-08-18 20:03 777,216 a------- c:\windows\system32\slcc.dll
2009-08-18 20:02 19,968 a------- c:\windows\system32\winrnr.dll
2009-08-18 20:01 218,624 a------- c:\windows\system32\wdscore.dll
2009-08-18 20:01 130,560 a------- c:\windows\system32\PkgMgr.exe
2009-08-18 20:01 247,808 a------- c:\windows\system32\drvstore.dll
2009-08-13 22:10 <DIR> --d----- c:\program files\Trend Micro
2009-08-13 20:00 <DIR> --d----- c:\users\murray\appdata\roaming\Uniblue
2009-08-13 20:00 <DIR> --d----- c:\programdata\DriverScanner
2009-08-13 20:00 <DIR> --d----- c:\program files\Uniblue
2009-08-13 20:00 <DIR> --d----- c:\progra~2\DriverScanner
2009-08-11 11:08 <DIR> --d----- c:\program files\Bazooka Scanner
2009-08-06 19:13 41,984 a------- c:\windows\system32\netfxperf.dll
2009-07-22 19:56 <DIR> --d----- c:\programdata\UDL
2009-07-22 19:56 <DIR> --d----- c:\progra~2\UDL
2009-07-22 19:52 <DIR> --d----- c:\program files\ABBYY FineReader 6.0 Sprint
2009-07-21 20:00 192 a------- c:\windows\wininit.ini
2009-07-21 16:24 <DIR> --d----- c:\program files\Babylon

==================== Find3M ====================

2009-08-20 11:28 143,360 a------- c:\windows\inf\infstrng.dat
2009-08-20 11:28 86,016 a------- c:\windows\inf\infstor.dat
2009-08-20 11:28 51,200 a------- c:\windows\inf\infpub.dat
2009-08-20 11:22 665,600 a------- c:\windows\inf\drvindex.dat
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-21 22:52 915,456 a------- c:\windows\system32\wininet.dll
2009-07-21 22:47 109,056 a------- c:\windows\system32\iesysprep.dll
2009-07-21 22:47 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-21 21:13 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-07-17 14:54 71,680 a------- c:\windows\system32\atl.dll
2009-07-15 13:40 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-07-15 13:39 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-07-15 13:39 4,096 a------- c:\windows\system32\dxmasf.dll
2009-07-15 13:39 7,680 a------- c:\windows\system32\spwmp.dll
2009-06-15 15:53 156,672 a------- c:\windows\system32\t2embed.dll
2009-06-15 15:52 23,552 a------- c:\windows\system32\lpk.dll
2009-06-15 15:52 72,704 a------- c:\windows\system32\fontsub.dll
2009-06-15 15:51 10,240 a------- c:\windows\system32\dciman32.dll
2009-06-15 13:42 289,792 a------- c:\windows\system32\atmfd.dll
2009-06-10 12:42 160,256 a------- c:\windows\system32\wkssvc.dll
2009-06-10 12:38 91,136 a------- c:\windows\system32\avifil32.dll
2009-06-08 09:14 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-04 13:07 2,066,432 a------- c:\windows\system32\mstscax.dll
2008-01-21 03:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 13:11:31.28 ===============
Last edited by Orac on October 31st, 2009, 12:10 pm, edited 1 time in total.
Reason: disable live links
techno_turtle
Regular Member
 
Posts: 19
Joined: August 14th, 2009, 6:44 am