Solved Surprize new Anti-Virus program and constant virus warnings

Status
Not open for further replies.
G

gdt55

Posts: 67   +0
Somehow a new Anti-virus program was downloaded and installed. Now every program that tries to run is stopped and we get a message stating that the program is infected and asking if we want to start our anti-virus program. The program is not McAfee, which is what we are using. It wants us to purchase the program. I had to restart in safe mode to get TFC to run and after Malwarebytes was run have been able to run in normal mode. I finished the 8 steps. Here are the logs.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

11/6/2010 5:54:46 PM
mbam-log-2010-11-06 (17-54-46).txt

Scan type: Quick scan
Objects scanned: 120453
Time elapsed: 7 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
GMER Log Part 1

GMER 1.0.15.15477 - http://www.gmer.net
Rootkit scan 2010-11-06 18:37:14
Windows 5.1.2600 Service Pack 3
Running: 1g2cnhir.exe; Driver: C:\DOCUME~1\Dana\LOCALS~1\Temp\pftdqpog.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA210D78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA210D738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA210D74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA210D7CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA210D710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA210D724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA210D79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA210D776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA210D762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA210D7F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA210D7E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA210D7B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504B08 7 Bytes JMP A210D7B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP A210D78E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B1FE6 7 Bytes JMP A210D7CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2DF4 5 Bytes JMP A210D7E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83CA 7 Bytes JMP A210D7A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB3FA 5 Bytes JMP A210D714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB686 5 Bytes JMP A210D728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE44 5 Bytes JMP A210D766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1134 7 Bytes JMP A210D750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11EA 5 Bytes JMP A210D73C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D16F4 5 Bytes JMP A210D77A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D2982 5 Bytes JMP A210D7FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? ncuss.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\wuauclt.exe[404] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 027E000A
.text C:\WINDOWS\system32\wuauclt.exe[404] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 027E0F77
.text C:\WINDOWS\system32\wuauclt.exe[404] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 027E006C
.text C:\WINDOWS\system32\wuauclt.exe[404] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 027E005B
.text C:\WINDOWS\system32\wuauclt.exe[404] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 027E0040
.text C:\WINDOWS\system32\wuauclt.exe[404] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 027E0FB9
.text C:\WINDOWS\system32\wuauclt.exe[404] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 027E0F55
.text C:\WINDOWS\system32\wuauclt.exe[404] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 027E009D
.text C:\WINDOWS\system32\wuauclt.exe[404] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 027E00D3
.text C:\WINDOWS\system32\wuauclt.exe[404] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 027E0F3A
.text C:\WINDOWS\system32\wuauclt.exe[404] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 027E0F29
.text C:\WINDOWS\system32\wuauclt.exe[404] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 027E0FA8
.text C:\WINDOWS\system32\wuauclt.exe[404] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 027E0FE5
.text C:\WINDOWS\system32\wuauclt.exe[404] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 027E0F66
.text C:\WINDOWS\system32\wuauclt.exe[404] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 027E0025
.text C:\WINDOWS\system32\wuauclt.exe[404] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 027E0FD4
.text C:\WINDOWS\system32\wuauclt.exe[404] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 027E00AE
.text C:\WINDOWS\system32\wuauclt.exe[404] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 027C0062
.text C:\WINDOWS\system32\wuauclt.exe[404] msvcrt.dll!system 77C293C7 5 Bytes JMP 027C0047
.text C:\WINDOWS\system32\wuauclt.exe[404] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 027C0FDE
.text C:\WINDOWS\system32\wuauclt.exe[404] msvcrt.dll!_open 77C2F566 5 Bytes JMP 027C0FEF
.text C:\WINDOWS\system32\wuauclt.exe[404] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 027C0FCD
.text C:\WINDOWS\system32\wuauclt.exe[404] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 027C000C
.text C:\WINDOWS\system32\wuauclt.exe[404] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 027D002C
.text C:\WINDOWS\system32\wuauclt.exe[404] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 027D0069
.text C:\WINDOWS\system32\wuauclt.exe[404] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 027D0011
.text C:\WINDOWS\system32\wuauclt.exe[404] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 027D0FE5
.text C:\WINDOWS\system32\wuauclt.exe[404] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 027D0FB6
.text C:\WINDOWS\system32\wuauclt.exe[404] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 027D0000
.text C:\WINDOWS\system32\wuauclt.exe[404] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 027D004E
.text C:\WINDOWS\system32\wuauclt.exe[404] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 027D003D
.text C:\WINDOWS\system32\wuauclt.exe[404] WS2_32.dll!socket 71AB4211 5 Bytes JMP 027B0FEF
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0007000A
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070FA8
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0007009D
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070FC3
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070080
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F55
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070F70
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000700CC
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F29
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 000700DD
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0007005B
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00070025
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00070F8D
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00070036
.text C:\WINDOWS\system32\services.exe[720] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00070F44
.text C:\WINDOWS\system32\services.exe[720] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060FAF
.text C:\WINDOWS\system32\services.exe[720] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060025
.text C:\WINDOWS\system32\services.exe[720] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060FD4
.text C:\WINDOWS\system32\services.exe[720] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[720] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00060F68
.text C:\WINDOWS\system32\services.exe[720] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[720] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00060F83
.text C:\WINDOWS\system32\services.exe[720] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [26, 88]
.text C:\WINDOWS\system32\services.exe[720] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060F94
.text C:\WINDOWS\system32\services.exe[720] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050FA8
.text C:\WINDOWS\system32\services.exe[720] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050FB9
.text C:\WINDOWS\system32\services.exe[720] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050FE5
.text C:\WINDOWS\system32\services.exe[720] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0005000C
.text C:\WINDOWS\system32\services.exe[720] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050FCA
.text C:\WINDOWS\system32\services.exe[720] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0005001D
.text C:\WINDOWS\system32\services.exe[720] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF0075
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF0064
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF0F80
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF003D
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF002C
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF0F48
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BF0F65
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF0F15
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BF0F26
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BF0F04
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BF0F9B
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BF0090
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BF0FC0
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BF0011
.text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BF0F37
.text C:\WINDOWS\system32\lsass.exe[732] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BE002F
.text C:\WINDOWS\system32\lsass.exe[732] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BE0076
.text C:\WINDOWS\system32\lsass.exe[732] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BE0FDE
.text C:\WINDOWS\system32\lsass.exe[732] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\lsass.exe[732] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BE005B
.text C:\WINDOWS\system32\lsass.exe[732] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BE000A
.text C:\WINDOWS\system32\lsass.exe[732] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BE0FC3
.text C:\WINDOWS\system32\lsass.exe[732] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DE, 88]
.text C:\WINDOWS\system32\lsass.exe[732] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BE004A
.text C:\WINDOWS\system32\lsass.exe[732] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BD003A
.text C:\WINDOWS\system32\lsass.exe[732] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BD0FAF
.text C:\WINDOWS\system32\lsass.exe[732] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BD0029
.text C:\WINDOWS\system32\lsass.exe[732] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\lsass.exe[732] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BD0FCA
.text C:\WINDOWS\system32\lsass.exe[732] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BD0018
.text C:\WINDOWS\system32\lsass.exe[732] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BC000A
.text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F60FEF
.text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F600B3
.text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F600A2
.text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F60087
.text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F60076
.text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F60FCA
.text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F600E9
.text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F600CE
.text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F60115
.text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F60104
.text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F60126
.text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F60051
.text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F6000A
.text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F60FAD
.text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F6002C
.text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F6001B
.text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F60F86
.text C:\WINDOWS\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F50047
.text C:\WINDOWS\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F500A2
.text C:\WINDOWS\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F5002C
.text C:\WINDOWS\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F5001B
.text C:\WINDOWS\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F5007D
.text C:\WINDOWS\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F5000A
.text C:\WINDOWS\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F50062
.text C:\WINDOWS\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F50FDB
.text C:\WINDOWS\system32\svchost.exe[880] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F40FC1
.text C:\WINDOWS\system32\svchost.exe[880] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F40FD2
.text C:\WINDOWS\system32\svchost.exe[880] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F40027
.text C:\WINDOWS\system32\svchost.exe[880] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F40FEF
.text C:\WINDOWS\system32\svchost.exe[880] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F40042
.text C:\WINDOWS\system32\svchost.exe[880] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F4000C
.text C:\WINDOWS\system32\svchost.exe[880] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C30FEF
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D40000
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D40F37
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D40F52
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D40036
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D40F79
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D40FAF
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D40F0B
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D40F1C
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D40090
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D40075
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D40EE6
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D40F94
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D40FEF
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D40047
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D40FD4
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D40025
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D40064
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D30FCD
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D30F97
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D30014
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D30FDE
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D3005E
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D30FEF
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D3004D
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D30FBC
.text C:\WINDOWS\system32\svchost.exe[980] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D20047
.text C:\WINDOWS\system32\svchost.exe[980] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D2002C
.text C:\WINDOWS\system32\svchost.exe[980] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D20FD7
.text C:\WINDOWS\system32\svchost.exe[980] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D20000
.text C:\WINDOWS\system32\svchost.exe[980] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D20FC6
.text C:\WINDOWS\system32\svchost.exe[980] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D20011
.text C:\WINDOWS\system32\svchost.exe[980] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D10000
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 038B0FEF
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 038B0F8D
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 038B0F9E
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 038B006C
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 038B0051
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 038B0FCA
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 038B00AE
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 038B0F66
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 038B0F30
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 038B00C9
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 038B00EE
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 038B0FAF
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 038B000A
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 038B009D
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 038B0036
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 038B001B
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 038B0F4B
.text C:\WINDOWS\System32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02950FDB
.text C:\WINDOWS\System32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02950F9E
.text C:\WINDOWS\System32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02950036
.text C:\WINDOWS\System32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0295001B
.text C:\WINDOWS\System32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02950FAF
.text C:\WINDOWS\System32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02950000
.text C:\WINDOWS\System32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02950051
.text C:\WINDOWS\System32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02950FCA
.text C:\WINDOWS\System32\svchost.exe[1020] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0294002E
.text C:\WINDOWS\System32\svchost.exe[1020] msvcrt.dll!system 77C293C7 5 Bytes JMP 02940FA3
.text C:\WINDOWS\System32\svchost.exe[1020] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0294001D
.text C:\WINDOWS\System32\svchost.exe[1020] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0294000C
.text C:\WINDOWS\System32\svchost.exe[1020] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02940FBE
.text C:\WINDOWS\System32\svchost.exe[1020] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02940FE3
.text C:\WINDOWS\System32\svchost.exe[1020] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02930FEF
.text C:\WINDOWS\System32\svchost.exe[1020] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 0292000A
.text C:\WINDOWS\System32\svchost.exe[1020] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 02920FEF
.text C:\WINDOWS\System32\svchost.exe[1020] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02920FD4
.text C:\WINDOWS\System32\svchost.exe[1020] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 02920025
 
GMER Log Part 2

.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007C0FEF
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007C0F5E
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007C0F79
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007C0047
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007C0F8A
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007C0FAF
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007C0F2D
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007C0075
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007C00C6
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007C00AB
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007C0F12
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007C002C
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007C000A
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007C0064
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007C001B
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007C0FCA
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007C009A
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007B0FDE
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007B0FA1
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007B0FEF
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007B0025
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007B0FBC
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007B0000
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 007B0FCD
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [9B, 88]
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007B0054
.text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007A0FB7
.text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!system 77C293C7 5 Bytes JMP 007A0FD2
.text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007A0FE3
.text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007A0000
.text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007A0042
.text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007A0011
.text C:\WINDOWS\system32\svchost.exe[1108] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006C0000
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BE00C6
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BE00AB
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE009A
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BE0073
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BE0047
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BE00F2
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BE00D7
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE0F74
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BE0F85
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BE0F59
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BE0062
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BE0FE5
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BE0FB6
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BE002C
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BE001B
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BE0103
.text C:\WINDOWS\system32\svchost.exe[1136] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BD0011
.text C:\WINDOWS\system32\svchost.exe[1136] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BD0051
.text C:\WINDOWS\system32\svchost.exe[1136] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\svchost.exe[1136] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BD0FD4
.text C:\WINDOWS\system32\svchost.exe[1136] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BD0F94
.text C:\WINDOWS\system32\svchost.exe[1136] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\svchost.exe[1136] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BD002C
.text C:\WINDOWS\system32\svchost.exe[1136] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BD0FA5
.text C:\WINDOWS\system32\svchost.exe[1136] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BC0038
.text C:\WINDOWS\system32\svchost.exe[1136] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BC0027
.text C:\WINDOWS\system32\svchost.exe[1136] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BC0FD2
.text C:\WINDOWS\system32\svchost.exe[1136] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[1136] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BC0FB7
.text C:\WINDOWS\system32\svchost.exe[1136] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BC0FE3
.text C:\WINDOWS\system32\svchost.exe[1136] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF00AB
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF009A
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF007F
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF0062
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF0036
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF00ED
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BF0F9B
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF0F6F
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BF0F80
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BF0F5E
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BF0051
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BF0FDB
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BF00C6
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BF0025
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BF0FCA
.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BF00FE
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00660025
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00660F72
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00660FD4
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00660014
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00660F8D
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00660FEF
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00660F9E
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [86, 88]
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00660FB9
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00650FCA
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!system 77C293C7 5 Bytes JMP 0065005F
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00650FEF
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00650000
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0065004E
.text C:\WINDOWS\system32\svchost.exe[1388] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00650029
.text C:\WINDOWS\system32\svchost.exe[1388] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00630000
.text C:\WINDOWS\system32\svchost.exe[1388] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0063001B
.text C:\WINDOWS\system32\svchost.exe[1388] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00630FE5
.text C:\WINDOWS\system32\svchost.exe[1388] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00630036
.text C:\WINDOWS\system32\svchost.exe[1388] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0064000A
.text C:\WINDOWS\Explorer.EXE[1668] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01D80000
.text C:\WINDOWS\Explorer.EXE[1668] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01D80084
.text C:\WINDOWS\Explorer.EXE[1668] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01D80073
.text C:\WINDOWS\Explorer.EXE[1668] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01D80FA5
.text C:\WINDOWS\Explorer.EXE[1668] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01D80062
.text C:\WINDOWS\Explorer.EXE[1668] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01D80036
.text C:\WINDOWS\Explorer.EXE[1668] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01D80F63
.text C:\WINDOWS\Explorer.EXE[1668] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01D80F74
.text C:\WINDOWS\Explorer.EXE[1668] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01D80F2D
.text C:\WINDOWS\Explorer.EXE[1668] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01D800C6
.text C:\WINDOWS\Explorer.EXE[1668] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01D80F12
.text C:\WINDOWS\Explorer.EXE[1668] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01D80047
.text C:\WINDOWS\Explorer.EXE[1668] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01D80FE5
.text C:\WINDOWS\Explorer.EXE[1668] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01D8009F
.text C:\WINDOWS\Explorer.EXE[1668] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01D80FCA
.text C:\WINDOWS\Explorer.EXE[1668] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01D80011
.text C:\WINDOWS\Explorer.EXE[1668] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01D80F52
.text C:\WINDOWS\Explorer.EXE[1668] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01D60FCA
.text C:\WINDOWS\Explorer.EXE[1668] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01D60F9E
.text C:\WINDOWS\Explorer.EXE[1668] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01D60FE5
.text C:\WINDOWS\Explorer.EXE[1668] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01D6001B
.text C:\WINDOWS\Explorer.EXE[1668] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01D6005B
.text C:\WINDOWS\Explorer.EXE[1668] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01D60000
.text C:\WINDOWS\Explorer.EXE[1668] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01D60FAF
.text C:\WINDOWS\Explorer.EXE[1668] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F6, 89]
.text C:\WINDOWS\Explorer.EXE[1668] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01D6002C
.text C:\WINDOWS\Explorer.EXE[1668] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01700058
.text C:\WINDOWS\Explorer.EXE[1668] msvcrt.dll!system 77C293C7 5 Bytes JMP 01700FCD
.text C:\WINDOWS\Explorer.EXE[1668] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01700022
.text C:\WINDOWS\Explorer.EXE[1668] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01700000
.text C:\WINDOWS\Explorer.EXE[1668] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01700033
.text C:\WINDOWS\Explorer.EXE[1668] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01700011
.text C:\WINDOWS\Explorer.EXE[1668] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00CF0000
.text C:\WINDOWS\Explorer.EXE[1668] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00CF0FE5
.text C:\WINDOWS\Explorer.EXE[1668] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00CF0FCA
.text C:\WINDOWS\Explorer.EXE[1668] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00CF0011
.text C:\WINDOWS\Explorer.EXE[1668] WS2_32.dll!socket 71AB4211 5 Bytes JMP 016F0000
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1696] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1696] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BE005D
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BE0042
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE0F68
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BE0F79
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BE0F9B
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BE008B
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BE0F43
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE00C4
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BE0F21
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BE0F10
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BE0F8A
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BE006E
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BE0FC0
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BE0011
.text C:\WINDOWS\system32\svchost.exe[2008] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BE0F32
.text C:\WINDOWS\system32\svchost.exe[2008] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BD0FD4
.text C:\WINDOWS\system32\svchost.exe[2008] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BD0F9E
.text C:\WINDOWS\system32\svchost.exe[2008] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BD0025
.text C:\WINDOWS\system32\svchost.exe[2008] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BD000A
.text C:\WINDOWS\system32\svchost.exe[2008] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BD0FB9
.text C:\WINDOWS\system32\svchost.exe[2008] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BD0FE5
.text C:\WINDOWS\system32\svchost.exe[2008] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BD0051
.text C:\WINDOWS\system32\svchost.exe[2008] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BD0040
.text C:\WINDOWS\system32\svchost.exe[2008] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BC002F
.text C:\WINDOWS\system32\svchost.exe[2008] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BC0014
.text C:\WINDOWS\system32\svchost.exe[2008] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BC0FB5
.text C:\WINDOWS\system32\svchost.exe[2008] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\svchost.exe[2008] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BC0FA4
.text C:\WINDOWS\system32\svchost.exe[2008] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BC0FD2

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat A144CD20

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----
 
DDS Log

DDS (Ver_10-10-21.02) - NTFSx86
Run by Dana at 18:38:15.34 on Sat 11/06/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.655 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Asus\LiveUpdate\LiveUpdate.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ASUS\Eee Docking\Eee Docking.exe
C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Dana\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://asus.msn.com
uInternet Settings,ProxyServer = http=127.0.0.1:23012
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Eee Docking] c:\program files\asus\eee docking\Eee Docking.exe
uRun: [slfgurxw] c:\docume~1\dana\locals~1\temp\ttrexmhki\yaxtelbtsbl.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SynAsusAcpi] c:\program files\synaptics\syntp\SynAsusAcpi.exe
mRun: [snp2uvc] c:\windows\vsnp2uvc.exe
mRun: [LiveUpdate] c:\program files\asus\liveupdate\LiveUpdate.exe auto
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 214664]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-8-11 55152]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-3-13 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-3-13 144704]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-4-27 38912]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-3-13 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-3-13 35272]
R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [2009-4-28 39040]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-11 1684736]
S3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\amustor.sys --> c:\windows\system32\drivers\AmUStor.SYS [?]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-3-13 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-3-13 40552]
S3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2009-8-20 1015424]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-3-13 606736]

=============== Created Last 30 ================

2010-11-06 21:36:42 -------- d-----w- c:\docume~1\dana\applic~1\Malwarebytes
2010-11-06 21:36:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-06 21:36:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-06 21:36:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-06 21:36:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-04 21:04:15 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-11-04 21:04:15 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

==================== Find3M ====================

2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 18:38:52.40 ===============
 
Attach Log

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-10-21.02)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 12/26/2009 4:35:33 AM
System Uptime: 11/6/2010 5:55:54 PM (1 hours ago)

Motherboard: ASUSTeK Computer INC. | | 1005HA
Processor: Intel(R) Atom(TM) CPU N270 @ 1.60GHz | PBGA 437 | 1599/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 144 GiB total, 131.61 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Atheros AR9285 Wireless Network Adapter
Device ID: PCI\VEN_168C&DEV_002B&SUBSYS_10891A3B&REV_01\4&23C6FC68&0&00E1
Manufacturer: Atheros
Name: Atheros AR9285 Wireless Network Adapter
PNP Device ID: PCI\VEN_168C&DEV_002B&SUBSYS_10891A3B&REV_01\4&23C6FC68&0&00E1
Service: AR5416

==== System Restore Points ===================

RP24: 8/8/2010 6:51:39 PM - System Checkpoint
RP25: 8/9/2010 3:31:46 PM - Software Distribution Service 3.0
RP26: 8/16/2010 3:13:42 PM - System Checkpoint
RP27: 8/16/2010 5:09:23 PM - Software Distribution Service 3.0
RP28: 8/23/2010 4:29:36 PM - System Checkpoint
RP29: 9/21/2010 1:38:39 PM - Software Distribution Service 3.0
RP30: 9/22/2010 3:25:20 PM - System Checkpoint
RP31: 9/26/2010 9:22:22 PM - System Checkpoint
RP32: 9/30/2010 9:38:14 PM - Software Distribution Service 3.0
RP33: 10/4/2010 5:16:58 PM - System Checkpoint
RP34: 10/5/2010 5:23:49 PM - System Checkpoint
RP35: 10/6/2010 6:00:03 PM - System Checkpoint
RP36: 10/14/2010 7:14:09 AM - Software Distribution Service 3.0
RP37: 10/18/2010 10:52:42 PM - System Checkpoint
RP38: 10/18/2010 11:41:49 PM - Software Distribution Service 3.0
RP39: 10/23/2010 3:31:51 AM - System Checkpoint
RP40: 11/1/2010 8:57:35 PM - System Checkpoint
RP41: 11/3/2010 6:26:34 PM - System Checkpoint

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.1
Asus ACPI Driver
ASUS USB2.0 UVC VGA WebCam
ASUSUpdate for Eee PC
Atheros Client Installation Program
Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
Choice Guard
Compatibility Pack for the 2007 Office system
Data Sync
Eee Docking 1.3.6.0
EeeSplendid
EzMessenger
FontResizer
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel(R) Graphics Media Accelerator Driver
Junk Mail filter update
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MSVCRT
Ralink RT2860 Wireless LAN Card
Realtek High Definition Audio Driver
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB2288953)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Segoe UI
Skype web features
Skype™ 4.1
Super Hybrid Engine
Synaptics Pointing Device Driver
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Outlook 2007 Junk Email Filter (kb2410711)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB898461)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
USB2.0 UVC Camera Device
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Player 11

==== Event Viewer Messages From Past Week ========

11/6/2010 5:56:26 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: atapi PCIIde
11/6/2010 5:26:07 PM, error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/6/2010 5:24:51 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
11/6/2010 5:22:32 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
11/6/2010 5:22:11 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec mfehidk MPFP MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
11/6/2010 5:22:11 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
11/6/2010 5:22:11 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/6/2010 5:22:11 PM, error: Service Control Manager [7001] - The fssfltr service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/6/2010 5:22:11 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/6/2010 5:22:11 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
11/6/2010 5:21:17 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/6/2010 4:42:18 PM, error: Dhcp [1002] - The IP address lease 192.168.1.107 for the Network Card with network address 0025D3C57589 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
11/4/2010 9:44:23 AM, error: Dhcp [1002] - The IP address lease 192.168.1.107 for the Network Card with network address 0025D3C57589 has been denied by the DHCP server 132.177.20.5 (The DHCP Server sent a DHCPNACK message).
11/4/2010 7:48:04 PM, error: Dhcp [1002] - The IP address lease 132.177.235.27 for the Network Card with network address 0025D3C57589 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
11/4/2010 1:39:26 PM, error: Dhcp [1002] - The IP address lease 132.177.235.26 for the Network Card with network address 0025D3C57589 has been denied by the DHCP server 132.177.24.5 (The DHCP Server sent a DHCPNACK message).
11/2/2010 11:35:15 AM, error: Dhcp [1002] - The IP address lease 192.168.1.107 for the Network Card with network address 0025D3C57589 has been denied by the DHCP server 132.177.232.5 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================
 
Welcome to TechSpot` I'll help you sort through the malware

As you most probably know, legitimate AV programs don't install on systems when they weren't intentionally downloaded. You do have malware- it's disabled the Security Center and something is running as svchost. This can be hard to pin down because many legitimate processes run as svchost.exe.

So we look a bit further:

Run Eset NOD32 Online AntiVirus scan HEREhttp://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
=========================================
Then please download ComboFix from Here and save to your Desktop.

  • [1]. Do NOT rename Combofix unless instructed.
    [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3].Close any open browsers.
    [4]. Double click combofix.exe & follow the prompts to run.
  • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If Combofix asks you to install Recovery Console, please allow it.
    [6]. If Combofix asks you to update the program, always allow.
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix..

I would prefer you to run the scans in Normal Mode if you can. McAfee is known to growl at some scanning programs when they are started, so do the online scan disabling McAfee just before. Then enable McAfee. While you are still online, download Combofix but don't run it yet. Click on File in the browser> check 'work offline.' Then disable McAfee and do the Combofix scan.

Note: If you don't have a Recovery Console installed, when you start the Combofix scan, you will be offered the Recovery Console. But it requires an online connection which you don't have. I'll have you get it after the scan if needed. Usually we don't have to go through such picky 'stuff' but McAfee does stall some scans mistakenly. I think this will be easier on you.

Ask if you don't follow what I said in the last 2 paragraphs.

In the meantime, do not act on anything this stray AV tells you or asks you to do. Also, Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
no internet connection

I have tried to open any web site but can't.

XP says that "windows cannot connect to the internet using HTTP, HTTPS, or FTP. This is probably caused by firewall settings on this computer."

I have checked the windows firewall, it is off and have turned off the McAfee firewall, but still cannot access the internet. I have a good connection to my wireless router and recieved a know good IP address from the DHCP server.

I will download combofix on this computer and transfer it to the laptop and send the log shortly.
 
I do have internet in safe mode

I am running the ESET scan in safe mode vice normal as explained in the prior post. I will post the logs when it finishes.
 
ESET Log

I ran ESET in safe mode.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=b46ad3a0afa16e41a97760696466a71a
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-11-07 04:30:20
# local_time=2010-11-07 12:30:20 (-0500, Eastern Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5121 16776550 83 96 7710028 41107879 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=35377
# found=0
# cleaned=0
# scan_time=1465
 
ComboFix Log

ComboFix 10-11-07.01 - Dana 11/07/2010 1:43.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.659 [GMT -5:00]
Running from: c:\documents and settings\Dana\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2010-10-07 to 2010-11-07 )))))))))))))))))))))))))))))))
.

2010-11-07 03:59 . 2010-11-07 03:59 -------- d-----w- c:\program files\ESET
2010-11-06 21:36 . 2010-11-06 21:36 -------- d-----w- c:\documents and settings\Dana\Application Data\Malwarebytes
2010-11-06 21:36 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-06 21:36 . 2010-11-06 21:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-06 21:36 . 2010-11-06 21:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-06 21:36 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-06 21:20 . 2010-11-07 03:55 -------- d-----w- c:\documents and settings\Administrator
2010-11-04 21:04 . 2008-04-14 04:09 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-11-04 21:04 . 2008-04-14 04:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 16:23 . 2009-08-11 13:03 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2009-08-11 13:03 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2009-08-11 13:03 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2009-08-11 13:03 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2009-08-11 13:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2009-08-11 13:03 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2009-08-11 13:03 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 2009-08-11 13:03 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2009-08-11 13:03 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2009-08-11 13:03 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2009-08-11 13:03 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2009-08-11 13:03 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-08-11 19:30 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2009-08-11 13:03 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2009-08-11 13:03 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2009-08-11 13:03 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Eee Docking"="c:\program files\ASUS\Eee Docking\Eee Docking.exe" [2009-07-27 397312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"RTHDCPL"="RTHDCPL.EXE" [2009-04-27 17881088]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2009-04-17 630784]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2009-03-13 98304]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2009-04-17 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-04-09 1512744]
"SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-04-09 79144]
"LiveUpdate"="c:\program files\Asus\LiveUpdate\LiveUpdate.exe" [2009-06-25 712704]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-8-11 376832]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-11 02:51 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-02-07 01:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [4/27/2009 8:59 PM 38912]
R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [4/28/2009 12:47 AM 39040]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/11/2009 2:00 PM 1684736]
S3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS --> c:\windows\system32\drivers\AmUStor.SYS [?]
S3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [8/20/2009 7:24 AM 1015424]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://asus.msn.com
uInternet Settings,ProxyServer = http=127.0.0.1:23012
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-snp2uvc - c:\windows\vsnp2uvc.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-07 01:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-11-07 01:50:24
ComboFix-quarantined-files.txt 2010-11-07 06:50

Pre-Run: 141,113,303,040 bytes free
Post-Run: 141,075,251,200 bytes free

- - End Of File - - F3DC15E3BE030F741D25038203C46DA9
 
Additional information about the ComboFix scan

Sorry it was late last night when I finished and posted the results but I forgot to provide you with this information.

Combofix finished the scan and blue screened while writting the log. I had to delete the ComboFix file and re-install to get it to finish. So it may not have all of the information you would expect.

Here is a copy of the busted log.

ComboFix 10-11-07.01 - Dana 11/07/2010 1:55:09.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.662 [GMT -4:00]
Running from: C:\Documents and Settings\Dana\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
 
The Combofix log in Reply #10 is okay. Give me a chance to go over it.

I notice multiple errors for failed connection with this description: A device attached to the system is not functioning. If you have a router, this would be a good time to check it out. Set up the computer to bypass the router with the cable into the CPU. If you connect this way, then the router has gone bad.
 
internet connection

I couldn't get an internet connection in normal mode only in safe mode with internet.

Since I ran ESET and Combofix I now have an internet connection in normal mode.
 
I've gone through the Combofix logs and there are only a few entries to remove. I want to ask if this mystery AV program was giving alerts and attempting you to click to pay for repair was ever identified. Did it show up in a McAfee scan?

So far I'm not seeing it. I don't think the connection problems are relate to malware for 2 reasons: 1. The malware wants/needs to be able to connect to the internet. No matter what it is, it would be a fatal flaw for it to damage the system so badly that it would lose some of it's malware purposes and 2. the Even Errors and you description of the failed connections point more to a bad router-or-a setting that may have gotten changed.

You should open Internet Options- through the Control Panel or Tools in IE and go through all of the tabs for Programs, Connections, Security and any other that has a setting that could affect the connection.

For now, please run this Custom CFScript

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code: 
File::
c:\windows\system32\drivers\AmUStor.SYS
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=-

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:23012
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

Driver::
AmUStor
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
 
ComboFix log

You were right someone changed the network connection settings. I have to confess this is my daughters laptop she uses at college. Either her or her boyfriend must have changed the settings. Either way it is working fine now.

The New AV poped up constant alerts and wanted me to pay to fix them.

The McAfee log showed it cleaned up two items multiple times on 11/6 they are;
BackDoor
Generic.dx!una(trojan)

Here is the comboFix log.

ComboFix 10-11-07.09 - Dana 11/08/2010 6:50.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.525 [GMT -5:00]
Running from: c:\documents and settings\Dana\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dana\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point

FILE ::
"c:\windows\system32\drivers\AmUStor.SYS"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_AmUStor


((((((((((((((((((((((((( Files Created from 2010-10-08 to 2010-11-08 )))))))))))))))))))))))))))))))
.

2010-11-07 03:59 . 2010-11-07 03:59 -------- d-----w- c:\program files\ESET
2010-11-06 21:36 . 2010-11-06 21:36 -------- d-----w- c:\documents and settings\Dana\Application Data\Malwarebytes
2010-11-06 21:36 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-06 21:36 . 2010-11-06 21:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-06 21:36 . 2010-11-06 21:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-06 21:36 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-06 21:20 . 2010-11-07 03:55 -------- d-----w- c:\documents and settings\Administrator
2010-11-04 21:04 . 2008-04-14 04:09 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-11-04 21:04 . 2008-04-14 04:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 16:23 . 2009-08-11 13:03 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2009-08-11 13:03 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2009-08-11 13:03 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2009-08-11 13:03 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2009-08-11 13:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2009-08-11 13:03 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2009-08-11 13:03 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 2009-08-11 13:03 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2009-08-11 13:03 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2009-08-11 13:03 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2009-08-11 13:03 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2009-08-11 13:03 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-08-11 19:30 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2009-08-11 13:03 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2009-08-11 13:03 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2009-08-11 13:03 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-11-07_06.48.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-20 12:10 . 2010-11-08 10:18 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-08-20 12:10 . 2010-11-07 02:51 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-11-07 07:29 . 2010-11-08 10:18 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-08-20 12:10 . 2010-11-07 02:51 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Eee Docking"="c:\program files\ASUS\Eee Docking\Eee Docking.exe" [2009-07-27 397312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"RTHDCPL"="RTHDCPL.EXE" [2009-04-27 17881088]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2009-04-17 630784]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2009-03-13 98304]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2009-04-17 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-04-09 1512744]
"SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-04-09 79144]
"LiveUpdate"="c:\program files\Asus\LiveUpdate\LiveUpdate.exe" [2009-06-25 712704]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-8-11 376832]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-11 02:51 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-02-07 01:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [4/27/2009 8:59 PM 38912]
R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [4/28/2009 12:47 AM 39040]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/11/2009 2:00 PM 1684736]
S3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [8/20/2009 7:24 AM 1015424]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://asus.msn.com
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-08 07:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3384)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\igfxext.exe
.
**************************************************************************
.
Completion time: 2010-11-08 07:04:00 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-08 12:03
ComboFix2.txt 2010-11-07 06:50

Pre-Run: 141,050,699,776 bytes free
Post-Run: 140,971,360,256 bytes free

- - End Of File - - 8A1E4DC1E462C63BA663C45FB078B2EB
 
I do not have enough information about the entries in McAfee. They could be in the System Restore points, not active in your system and McAfee would tag them!

So have the popups stopped? Can you access the internet without problem? Can you open programs and access websites? IF those are all a Yes:

Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
    [*]Choose Disc Cleanup
    [*]Click "OK" to select the partition or drive you want.
    [*]Click the "More Options" Tab.
    [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin

Let me know if you have more questions.
 
You're welcome. Glad to help. Some tips to keep it safe:

Tips for added security and safer browsing:
Note: Some of these programs may not work on Windows 7 or a 64 bit system.
  1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
    This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features: Make Internet Explorer safer.
  2. Have layered Security:
    • Antivirus Software(only one):Both of the following programs are free and known to be good:
      [o]Avira Free
      [o]Avast Home
    • Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
      [o]Comodo
      [o]Zone Alarm
    • Antispyware: I recommend all of the following:
      [o]Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
    [o]Download ZonedOut and save to your desktop. this replaces IE/Spyad and manages the Zones in Internet explorer. This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    For IE7 and IE8, Windows 2000 thru Vista. No Windows 7 yet.
    IE/Spyad is not longer being supported. If you have this on your system, you should replace it with the following program. Make sure your IE8 is Up-to-date before adding sites to your restricted zone.
    Known issue: If you have "immunized" your computer with Spybot Search and Destroy, and use ZonedOut to "Remove All" restricted sites - ZonedOut will remove your trusted sites as well. Note that if you remove Spybot Search and Destroys Immunization the problem goes away...
    [o]MVPS Hosts files This replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
    [o]Google Toolbar Get the free google toolbar to help stop pop up windows.
  3. Stay current on updates:
    [o] Visit the Microsoft Download Sitefrequently. You should get All updates marked Critical and the current SP updates.
    [o]Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    [o]Check this site .Java Updates Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
  4. Reset Cookies to prevent Tracking Cookies:
    [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
    [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
    I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List
  5. Do regular Maintenance
    Remove Temporary Internet Files regularly:
    [o]ATF Cleaner by Atribune
    OR
    [o]TFC
    Disable and Enable System Restore:
    [o]See System Restore Guide This will help you understand what this is, why you need to clean and set restore points and what information is in them.
  6. Practice Safe Email Handling
    [o] Don't open email from anyone you don't know.
    [o] Don't open Attachments in the email. Safe to your desktop and scan for viruses using a right click
    [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
 
Status
Not open for further replies.

Similar threads

wshknwntlprtmn
  • Locked
Inactive Not sure what's going on here....
Replies
12
Views
2K
Broni
Broni
L
Solved Unknown spyware/ Monitoring/ Hijacking of my devices
Replies
15
Views
3K
Broni
Broni
E
Solved Svchost.exe launching multiple iexplore.exe - unknown cause
Replies
23
Views
3K
Broni
Broni

Latest posts

Back