Inactive IE not responding, cpu usage 100%

kmck

Hi All,

I presume I have contracted something whilst using Vuze, but I don't know what or how to deal with it.
My computer takes ages to do anything, there are 60-70 processes running at any one time, Internet Explorer is Not Responding, then it IS responding, then Not etc. CPU usage usually very high, often 100%.
I am operating McAfee which finds nothing. Downloaded Ad-Aware and Spybot but both found nothing either.

I was directed here by pjamme and I have now followed your malware removal steps. I will post my log files separately. Hope someone can help.

Yours hopefully
K
 
Malwarebytes Anti Malware log.

When this loaded, it gave the following error message when looking for updates:

MBAM_ERROR_UPDATING (12029,0,WinHttp SendRequest)

I ran the program regardless, and the log is as follows:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

16/09/2010 17:30:50
mbam-log-2010-09-16 (17-30-50).txt

Scan type: Quick scan
Objects scanned: 137984
Time elapsed: 22 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3cab59b4-55a3-4737-9fd5-b93c6430bf75} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d318119e-cb62-4039-ae9b-cf9575bcaa7f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{d318119e-cb62-4039-ae9b-cf9575bcaa7f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AppDataLow\HavingFunOnline (Adware.BHO.FL) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\BM5b9f579a.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
 
DDS Attach.txt Log

Attach.txt:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 17/06/2002 13:26:19
System Uptime: 16/09/2010 21:29:40 (12 hours ago)

Motherboard: Intel Corporation | | D845PT
Processor: Intel(R) Pentium(R) 4 CPU 2.00GHz | J1E1 | 1993/100mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 74 GiB total, 15.745 GiB free.
D: is CDROM ()
E: is CDROM ()
J: is FIXED (FAT32) - 298 GiB total, 51.662 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP626: 22/08/2010 13:03:37 - System Checkpoint
RP627: 23/08/2010 14:03:31 - System Checkpoint
RP628: 24/08/2010 14:41:35 - System Checkpoint
RP629: 25/08/2010 15:41:22 - System Checkpoint
RP630: 26/08/2010 16:13:54 - System Checkpoint
RP631: 27/08/2010 17:14:03 - System Checkpoint
RP632: 28/08/2010 17:57:49 - System Checkpoint
RP633: 30/08/2010 10:34:30 - System Checkpoint
RP634: 31/08/2010 11:58:47 - System Checkpoint
RP635: 01/09/2010 14:05:09 - System Checkpoint
RP636: 22/05/2010 10:33:06 - System Checkpoint
RP637: 23/05/2010 10:34:40 - System Checkpoint
RP638: 03/09/2010 13:38:33 - System Checkpoint
RP639: 04/09/2010 13:57:37 - System Checkpoint
RP640: 05/09/2010 16:15:22 - System Checkpoint
RP641: 06/09/2010 20:31:38 - System Checkpoint
RP642: 08/09/2010 12:01:26 - System Checkpoint
RP643: 09/09/2010 15:12:43 - System Checkpoint
RP644: 10/09/2010 15:30:30 - System Checkpoint
RP645: 11/09/2010 20:12:22 - System Checkpoint
RP646: 12/09/2010 20:28:54 - System Checkpoint
RP647: 13/09/2010 21:04:34 - System Checkpoint
RP648: 14/09/2010 21:18:11 - System Checkpoint
RP649: 15/09/2010 21:56:57 - System Checkpoint
RP650: 16/09/2010 03:01:03 - Software Distribution Service 3.0
RP651: 16/09/2010 10:32:19 - Installed %1 %2.
RP652: 16/09/2010 21:57:48 - System Checkpoint

==== Installed Programs ======================

2009-10 S50Pay - RTR
3Com NIC Diagnostics
Accounts
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Photoshop 7.0
Adobe Reader 8.2.3
Adobe Shockwave Player 11
AnyDVD
AoA MP4 Converter
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI Display Driver
Avanquest update
AVG Anti-Spyware 7.5
Azureus
B's CLiP
BayGenie eBay Auction Sniper Pro Edition 3.3.5.0
BHA B's Recorder GOLD 5.20
BlackBerry Desktop Software 4.7
BlackBerry Device Software v4.7.0 for the BlackBerry 9500 smartphone
Bonjour
Brother 1440
Brother HL-7050
Brownie
CCleaner
CD Stomper 32 bit
CloneCD
CloneDVD2
CloneDVDmobile
Compatibility Pack for the 2007 Office system
ConvertXtoDVD 2.1.14.223
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
Creative MediaSource
Cucusoft MPEG/MOV/RM/DivX/AVI to DVD/VCD/SVCD Creator Pro 7.07
dBpowerAMP Music Converter
dBpoweramp Windows Media Audio 10 Codec
Dell Solution Center
DellTouch
Disc2Phone
dMC Power Pack
DotNet20withMsi30
DVD-CLONER V2.40
DVD-CLONER V5.60 Build 973
DVD Decrypter (Remove Only)
DVD Shrink 3.2
EasyStudio PIM & File Manager
EasyStudio Sample
Free Video to iPod Converter version 2.2
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
GoToMeeting 4.1.0.366
Help and Support Customization
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB976002-v5)
Image Transfer
ImageMixer for Sony
InFlac 1.1.1
Intel Application Accelerator
Intel(R) AnyPoint(R) Modem
IS Update for Sage Payroll
iSofter DVD Ripper Platinum 3.0.2007.228
iTunes
J2SE Runtime Environment 5.0 Update 10
Java 2 Runtime Environment, SE v1.4.2_01
Java Auto Updater
Java(TM) 6 Update 21
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) SE Runtime Environment 6 Update 1
LightScribe Applications
LightScribe Diagnostic Utility
LightScribe System Software 1.10.27.1
LightScribe Template Designs - Fantasy Pack 1
LightScribe Template Designs - Tattoo Pack 1
LightScribeTemplateLabeler
Line 50 V8 Service Pack 1
LiveReg (Symantec Corporation)
LiveUpdate 1.6 (Symantec Corporation)
Logitech QuickCam
Logitech® Camera Driver
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Media Go
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft AutoRoute 2005
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft IntelliPoint 5.2
Microsoft IntelliType Pro 5.2
Microsoft Interactive Training
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Money
Microsoft National Language Support Downlevel APIs
Microsoft NetShow Tools 2.0
Microsoft Office XP Media Content
Microsoft Office XP Professional
Microsoft Publisher 2002
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Works
Microsoft Works 2005 Setup Launcher
Microsoft WSE 2.0 SP3 Runtime
MicroStaff WINASPI
MobileMe Control Panel
Monkey's Audio
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MVision
Nero 7 Ultra Edition
NOMAD MuVo
NVIDIA Windows 2000/XP Display Drivers
OGA Notifier 2.0.0048.0
Payroll for Windows
PlayStation(R)Network Downloader
PlayStation(R)Store
PowerDVD
PowerISO
ProCite 5
QuickTime
RealPlayer
Review Manager 4.2.10
Review Manager 5.0.21
Roxio Media Manager
S50PayPro 2009-10 LAI
Safari
SafeGuard
Sage 50 Accounts 2008
Sage 50 Payroll
Sage 50 Payroll 08-09 LAI
Sage 50 Payroll 08-09 RTR
Sage 50 Payroll 08-09 STE
Sage 50 Payroll 09-10 STE
Sage 50 Payroll 2008-09
Sage 50 Payroll v11 08-09 RTR
Sage 50 Payroll v11 2007-08
Sage Accounts
Sage Accounts V10.00
Sage Accounts V11.00
Sage Accounts V12.00
Sage Instant Payroll 07-08
Sage Instant Payroll v10.00
Sage Instant Payroll v11.00
Sage Line 50 7.01
Sage Line 50 8.00
Sage MIS 3.01
Sage Payroll
Sage Payroll 07-08
Sage Payroll 2006-07
Sage Payroll for Windows
Sage Payroll v11 2005-06
Sage Payroll v12 05-06
Sage Payroll v12 2007-08a
Sage PayrollPro 2006-07
Sage PayrollPro2007-08
SageAcc
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB975558)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB982802)
Sky Broadband
Sky Broadband Browser Branding
Skype™ 3.6
Sony Ericsson PC Companion 1.50.52
Sony Ericsson PC Suite
Sony Ericsson PC Suite 6.009.00
SPSS 11.5.1 for Windows
SPSS Data Access Pack 2.5
SPSS Viewer 11.5.1
Spybot - Search & Destroy
Time Force
TuneSleeve
UltraISO 8.0 Premium Edition
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update Service
uTorrent
VideoLAN VLC media player 0.8.6f
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Vuze
Vuze Toolbar
WAC DMM
WebFldrs XP
Winamp
Winamp Detector Plug-in
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows PowerShell(TM) 1.0
Windows XP Service Pack 3
WinRAR archiver
WinZip
Wireless Audio Device Manager
Works Upgrade
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

17/09/2010 09:01:55, error: Service Control Manager [7016] - The BrSplService service has reported an invalid current state 0.
16/09/2010 21:33:29, error: System Error [1003] - Error code c000021a, parameter1 e1f4c828, parameter2 c0000005, parameter3 001b000a, parameter4 0112e064.
16/09/2010 21:12:33, error: DCOM [10000] - Unable to start a DCOM Server: {FFF2D28F-E4EE-44D9-8104-8E71556757F6}. The error: "%1450" Happened while starting this command: C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe -Embedding
16/09/2010 21:09:52, error: Dhcp [1008] - Your computer was unable to initialize a Network Interface attached to the system. The error code is: Insufficient system resources exist to complete the requested service. .
16/09/2010 21:05:53, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: Insufficient system resources exist to complete the requested service. .
16/09/2010 21:05:53, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Lavasoft\Ad-Aware\Resources.dll. Reference error message: The operation completed successfully. .
16/09/2010 21:05:53, error: SideBySide [58] - Syntax error in manifest or policy file "C:\WINDOWS\WinSxS\Policies\x86_Policy.9.0.Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_x-ww_b7353f75\9.0.30729.1.policy" on line 0.
16/09/2010 21:04:30, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000009A' while processing the file 'mcnasvc000.log' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
16/09/2010 21:04:08, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.Windows.Common-Controls. Reference error message: Insufficient system resources exist to complete the requested service. .
16/09/2010 21:04:08, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.CRT. Reference error message: Insufficient system resources exist to complete the requested service. .
16/09/2010 21:04:08, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll. Reference error message: The operation completed successfully. .
16/09/2010 21:04:08, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll. Reference error message: The operation completed successfully. .
16/09/2010 18:27:29, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: atapi IntelIde
16/09/2010 16:45:57, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
16/09/2010 16:45:56, error: Service Control Manager [7034] - The Sony Ericsson OMSI download service service terminated unexpectedly. It has done this 1 time(s).
16/09/2010 16:45:56, error: Service Control Manager [7034] - The McAfee SpamKiller Service service terminated unexpectedly. It has done this 1 time(s).
16/09/2010 16:45:56, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
16/09/2010 16:45:56, error: Service Control Manager [7031] - The McAfee SystemGuards service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
16/09/2010 16:45:56, error: Service Control Manager [7031] - The McAfee Personal Firewall Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Run the configured recovery program.
16/09/2010 16:45:55, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s).
16/09/2010 16:45:55, error: Service Control Manager [7034] - The NVIDIA Driver Helper Service service terminated unexpectedly. It has done this 1 time(s).
16/09/2010 16:45:55, error: Service Control Manager [7031] - The McAfee Proxy Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
16/09/2010 16:45:55, error: Service Control Manager [7031] - The McAfee Network Agent service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
16/09/2010 16:45:54, error: Service Control Manager [7034] - The Process Monitor service terminated unexpectedly. It has done this 1 time(s).
16/09/2010 16:45:54, error: Service Control Manager [7034] - The Netropa NHK Server service terminated unexpectedly. It has done this 1 time(s).
16/09/2010 16:45:54, error: Service Control Manager [7034] - The McAfee SiteAdvisor Service service terminated unexpectedly. It has done this 1 time(s).
16/09/2010 16:45:54, error: Service Control Manager [7034] - The LVCOMSer service terminated unexpectedly. It has done this 1 time(s).
16/09/2010 16:45:54, error: Service Control Manager [7034] - The LightScribeService Direct Disc Labeling Service service terminated unexpectedly. It has done this 1 time(s).
16/09/2010 16:45:54, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
16/09/2010 16:45:54, error: Service Control Manager [7034] - The Creative Service for CDROM Access service terminated unexpectedly. It has done this 1 time(s).
16/09/2010 16:45:54, error: Service Control Manager [7034] - The BrSplService service terminated unexpectedly. It has done this 1 time(s).
16/09/2010 16:45:54, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
16/09/2010 16:45:54, error: Service Control Manager [7034] - The AVG Anti-Spyware Guard service terminated unexpectedly. It has done this 1 time(s).
16/09/2010 16:45:54, error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
16/09/2010 16:45:54, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
13/09/2010 07:05:13, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
13/09/2010 07:05:13, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/09/2010 13:05:15, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/09/2010 19:53:29, error: Dhcp [1002] - The IP address lease 192.168.0.2 for the Network Card with network address 000476DB8498 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
10/09/2010 19:26:54, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.
10/09/2010 15:03:02, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
10/09/2010 14:26:20, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Roxio Hard Drive Watcher 9 service to connect.
10/09/2010 14:26:20, error: Service Control Manager [7000] - The Intel(R) PRO/DSL 3220 USB Modem Firmware Loader service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
10/09/2010 08:48:31, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

==== End Of File ===========================
 
DDS.txt part 1

DDS (Ver_10-03-17.01) - NTFSx86
Run by Kevin at 9:01:36.35 on 17/09/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.511.124 [GMT 1:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
svchost.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DrvMon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Kevin\My Documents\Downloads\Techspot 09-10\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://skysports.com/football
uWindow Title = Internet Explorer Provided By Sky Broadband
uDefault_Page_URL = hxxp://www.sky.com
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DrvMon.exe] c:\windows\system32\DrvMon.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRunOnce: [DelayShred] "c:\program files\mcafee\mshr\shrcl.exe" /p7 /q c:\docume~1\kevin\locals~1\tempor~1\content.ie5\4hj7fuys\index_~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\4hj7fuys\160-60~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\pfrd3z1q\bittor~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\pfrd3z1q\728-90~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\6o2f0vkt\xml_2_~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\a450xxtj\index_~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\a450xxtj\cashow~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\83wb9xcj\compos~2.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\83wb9xcj\mail_1~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\ooqoa1ae\footer~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\ooqoa1ae\signup~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\v38897v7\header~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\ooqoa1ae\ads_2_~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\v38897v7\_ord_1~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\c09nkn0i\mainte~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\0ci531u5\iframe~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\ooqoa1ae\in552d~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\ooqoa1ae\search~2.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\c09nkn0i\f3_1_~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\0ci531u5\index_~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\0ci531u5\in551d~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\0ci531u5\rw_1_~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\v38897v7\usenex~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\v38897v7\cashow~3.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\v38897v7\forumu~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\c09nkn0i\all_pr~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\c09nkn0i\blank_~1.sh! 
c:\docume~1\kevin\locals~1\tempor~1\content.ie5\zmkjfoc9\tr1699~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\qiowpate\loggin~2.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\zmkjfoc9\tre910~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\zmkjfoc9\tr057f~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\326pu3fg\secfa8~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\me62rc59\mail_1~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\y7g1qxoi\ads_2_~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\srbxhurk\trb6af~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\44e5lm1e\loggin~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\ydsgn26b\trb61c~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\ex2lfkm4\tr0fb4~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\44e5lm1e\tr165e~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\44e5lm1e\traa3f~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\mmfy12eo\loggin~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\8fzi9hdw\trb130~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\16z5xazp\tr932c~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\8fzi9hdw\tr0410~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\mmfy12eo\tr13a8~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\qwkr61uf\tr8320~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\0b2iyme7\search~3.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\585o1e0f\elliet~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\ikqddtsu\header~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\ikqddtsu\signup~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\k1js6ucw\footer~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\vsk79cpc\mail_2~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\deuibcvq\header~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\vsk79cpc\signup~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\vsk79cpc\footer~1.sh! 
c:\docume~1\kevin\locals~1\tempor~1\content.ie5\2ngyoktq\mail_1~1.sh! c:\docume~1\kevin\locals~1\tempor~1\content.ie5\g3jol5rm\GETMSG~1.SH!
 
DDS.txt part 2

mRun: [MISAggregator]
mRun: [MWLExe] c:\program files\mcafee\mwl\MWLGuiSt.exe
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [DSL Connection Manager] c:\program files\intel\dslsetup\ProDsl.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [<NO NAME>]
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [!AVG Anti-Spyware] "c:\program files\grisoft\avg anti-spyware 7.5\avgas.exe" /minimized
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
uPolicies-system: RunStartupScriptSync = 1 (0x1)
mPolicies-system: RunStartupScriptSync = 1 (0x1)
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206624755015
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [2003-11-16 9344]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-9-7 64288]
R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [2007-5-30 11000]
R1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2008-4-4 10872]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-11-3 214664]
R2 BsUDF;B.H.A UDF Filesystem;c:\windows\system32\drivers\BsUDF.sys [2003-11-16 457088]
R2 tcaicchg;tcaicchg;c:\windows\system32\TCAICCHG.SYS [2002-3-7 21233]
R2 TCAITDI;TCAITDI Protocol;c:\windows\system32\drivers\TCAITDI.SYS [2002-3-7 19534]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-11-3 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-11-3 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-11-3 34248]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-11-3 40552]
R3 Msikbd2k;DellTouch;c:\windows\system32\drivers\Msikbd2k.sys [2002-3-7 6942]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-2-16 27632]
S2 P31LOAD;Intel(R) PRO/DSL 3220 USB Modem Firmware Loader;c:\windows\system32\drivers\p31usbld.sys [2004-6-3 18906]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2010-6-16 13224]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15008]
S3 PRO3200P;Intel(R) USB ADSL Modem;c:\windows\system32\drivers\p32d2kp.sys [2002-4-27 530785]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2010-2-16 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2010-2-16 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2010-2-16 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [2010-2-16 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [2010-2-16 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [2010-2-16 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [2010-2-16 115752]

=============== Created Last 30 ================

2010-09-16 16:03:21 0 d-----w- c:\docume~1\kevin\applic~1\Malwarebytes
2010-09-16 16:01:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-16 16:01:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-16 16:00:48 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-16 16:00:46 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-16 09:41:54 0 d-----w- c:\docume~1\kevin\applic~1\ElevatedDiagnostics
2010-09-15 12:40:31 0 d-----w- c:\program files\iPod
2010-09-15 12:40:11 0 d-----w- c:\program files\iTunes
2010-09-08 20:44:15 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-09-07 14:58:24 71 ----a-w- c:\documents and settings\kevin\Application DatadMb.dat
2010-09-07 14:23:38 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-09-07 14:23:11 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-09-07 12:25:20 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-09-07 12:23:33 0 d-----w- c:\program files\Lavasoft
2010-09-03 11:37:55 0 d-----w- c:\program files\Winamp Detect
2010-08-20 10:11:17 423656 ----a-w- c:\windows\system32\deployJava1.dll

==================== Find3M ====================

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-17 13:17:06 58880 ------w- c:\windows\system32\dllcache\spoolsv.exe
2010-07-28 17:02:03 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ggflt_01007.Wdf
2010-07-28 17:02:00 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ggsemc_01007.Wdf
2010-07-28 17:01:40 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 15:49:15 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll
2010-06-24 16:51:58 11077120 ----a-w- c:\windows\system32\dllcache\ieframe.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\dllcache\wininet.dll
2010-06-24 12:22:03 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-06-24 12:22:02 1210368 ----a-w- c:\windows\system32\dllcache\urlmon.dll
2010-06-24 12:22:01 611840 ----a-w- c:\windows\system32\dllcache\mstime.dll
2010-06-24 12:22:01 5951488 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2010-06-24 12:22:01 206848 ----a-w- c:\windows\system32\dllcache\occache.dll
2010-06-24 12:21:59 599040 ----a-w- c:\windows\system32\dllcache\msfeeds.dll
2010-06-24 12:21:59 55296 ----a-w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-06-24 12:21:59 25600 ----a-w- c:\windows\system32\dllcache\jsproxy.dll
2010-06-24 12:21:58 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-24 12:21:58 1986560 ----a-w- c:\windows\system32\dllcache\iertutil.dll
2010-06-24 12:21:58 184320 ----a-w- c:\windows\system32\dllcache\iepeers.dll
2010-06-24 12:21:56 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-24 12:21:55 387584 ----a-w- c:\windows\system32\dllcache\iedkcs32.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys
2010-06-23 12:08:09 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-06-21 15:27:11 354304 ------w- c:\windows\system32\dllcache\srv.sys
2005-02-27 14:25:22 1031 --sh--w- c:\windows\system\ws32ntfa.dat
2006-01-05 09:01:05 1031 --sh--w- c:\windows\system\ws32ntfl.dat
2002-04-16 11:27:54 5 --sha-w- c:\windows\system32\CdI5T.drv
1998-03-20 01:00:00 1048 --sha-w- c:\windows\system32\flfnlf.sys
1998-03-20 01:00:00 1048 --sha-w- c:\windows\system32\rlfnlf.sys
1998-03-20 01:00:00 1048 --sha-w- c:\windows\system32\TMail3FL.SYS
1998-03-20 01:00:00 1048 --sha-w- c:\windows\system32\TMailRL.sys
2008-08-21 09:29:44 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082120080822\index.dat

============= FINISH: 9:04:56.98 ===============
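As an added example (not part of this thread, nor of DDS itself): a small Python triage pass over DDS-style lines such as the ones in the log above. It flags three things a helper usually checks first in a DDS log: a Hosts: entry that points a security or support site at loopback (the log above carries one for www.spywareinfo.com), Run entries that have no name or no command, and files in the Find3M list that carry both the hidden and system attributes. The sample lines are copied from the log above; the list of security domains, the regular expressions for the line formats, and the reading of the attribute field (only the presence of the letters 'h' and 's' is used) are assumptions made for this example.

```python
import re

# Constructed sample: lines copied from the DDS log posted in this thread.
SAMPLE_DDS_LINES = [
    r"mRun: [MWLExe] c:\program files\mcafee\mwl\MWLGuiSt.exe",
    r"mRun: [<NO NAME>]",
    r"mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u",
    r"Hosts: 127.0.0.1 www.spywareinfo.com",
    r"2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe",
    r"2002-04-16 11:27:54 5 --sha-w- c:\windows\system32\CdI5T.drv",
    r"1998-03-20 01:00:00 1048 --sha-w- c:\windows\system32\flfnlf.sys",
]

# Assumed list of security / support domains for this example. A Hosts entry that
# sends one of these to loopback is a classic sign that updates or help are being blocked.
SECURITY_DOMAINS = {"spywareinfo.com", "malwarebytes.org", "mcafee.com", "microsoft.com"}

# Assumed line formats, derived from the DDS lines quoted above.
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
RUN_RE = re.compile(r"^(?P<hive>[umd])Run:\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+(?P<size>\d+)"
    r"\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def blocked_security_host(line):
    """Return the host name if this Hosts: line points a security domain at loopback."""
    m = HOSTS_RE.match(line)
    if not m or m["ip"] not in LOOPBACK:
        return None
    host = m["host"].lower()
    for domain in SECURITY_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return host
    return None


def suspicious_autorun(line):
    """Return the value name of a Run entry that has no name or no command to run."""
    m = RUN_RE.match(line)
    if not m:
        return None
    if m["name"] == "<NO NAME>" or not m["cmd"].strip():
        return m["name"]
    return None


def hidden_system_file(line):
    """Return the path of a Find3M file entry carrying both hidden and system attributes."""
    m = FILE_RE.match(line)
    if not m:
        return None
    attrs = m["attrs"]
    if "s" in attrs and "h" in attrs and "d" not in attrs:
        return m["path"]
    return None


def triage(lines):
    """Run all three checks over a list of DDS log lines and collect the hits."""
    result = {"blocked_security_hosts": [], "unnamed_autoruns": [], "hidden_system_files": []}
    for line in lines:
        line = line.strip()
        host = blocked_security_host(line)
        if host:
            result["blocked_security_hosts"].append(host)
        name = suspicious_autorun(line)
        if name is not None:
            result["unnamed_autoruns"].append(name)
        path = hidden_system_file(line)
        if path:
            result["hidden_system_files"].append(path)
    return result


if __name__ == "__main__":
    for key, items in triage(SAMPLE_DDS_LINES).items():
        print(f"{key}:")
        for item in items:
            print(f"  {item}")
```

None of these hits is a verdict on its own: a hidden system file with a 1998 timestamp may be a legitimate leftover, and an empty Run value may be a broken uninstall. The point of the pass is to pull the handful of lines worth checking out of a few hundred.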
 
GMER log part1

First time I ran GMER, it seemed to work successfully and I saved the log file, then got a blue screen. On rebooting I was unable to retrieve the log file, so I ran GMER again and saved the log file again. Once again I got a blue screen, but on reboot I was able to retrieve the log file and it is attached in several parts:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-17 21:19:43
Windows 5.1.2600 Service Pack 3
Running: mlfjnik6.exe; Driver: C:\DOCUME~1\Kevin\LOCALS~1\Temp\awldapow.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF85C687E]
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess [0xF8C258AC]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF85C6BFE]
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess [0xF8C25812]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB651478E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB651473C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB6514750]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB651483B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB6514867]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB65148D5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB65148BF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB65147CE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB6514901]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB6514811]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB6514728]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB65147A2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB651493D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB65148A9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB6514893]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB6514851]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB6514929]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB6514915]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB651477A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB6514766]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB65148EB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB65147E4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB65147B8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 235 804E28A1 3 Bytes [58, C2, F8]
.text ntoskrnl.exe!ZwYieldExecution 804F0EB6 7 Bytes JMP B65147BC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80568D48 5 Bytes JMP B6514815 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 8056A1F9 7 Bytes JMP B6514897 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056CF98 5 Bytes JMP B6514792 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8056DDD9 5 Bytes JMP B651476A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 80570C4A 7 Bytes JMP B6514941 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 80570F41 7 Bytes JMP B65148D9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80571E96 7 Bytes JMP B65147A6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805738C6 5 Bytes JMP B65147E8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80573D41 7 Bytes JMP B65147D2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FE4C 7 Bytes JMP B6514754 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 80589A67 7 Bytes JMP B65148C3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058E5C4 5 Bytes JMP B651472C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 8058EA94 5 Bytes JMP B6514905 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80592D64 7 Bytes JMP B651486B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 80595316 7 Bytes JMP B651483F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B14AC 5 Bytes JMP B6514740 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062E057 5 Bytes JMP B651477E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 8064DD32 7 Bytes JMP B65148EF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064E66B 7 Bytes JMP B65148AD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064EAEA 7 Bytes JMP B6514855 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8064EFDD 5 Bytes JMP B6514919 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 8064F446 5 Bytes JMP B651492D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF7693340, 0xFFF3F, 0xF8000020]
.text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF012300, 0x234A20, 0xF8000020]
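How to read the GMER section above: every SSDT and inline hook names the driver that installed it, and in this log they all trace back to the installed security products (Lavasoft's Lbd.sys, AVG Anti-Spyware's guard.sys and McAfee's mfehidk.sys). The following Python script is an added example, not part of this thread or of GMER itself. It parses lines of this shape, groups the hooks by the hooking driver, and sets aside anything GMER did not attribute to a vendor, or that is not a hook at all (a byte patch, a writeable code section), for manual follow-up. The sample lines are copied from the log above; the regular expressions are assumptions about the log format based on those lines.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the GMER log posted in this thread.
SAMPLE_GMER_LINES = [
    r"SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF85C687E]",
    r"SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess [0xF8C258AC]",
    r"Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB651478E]",
    r"Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile",
    r".text ntoskrnl.exe!_abnormal_termination + 235 804E28A1 3 Bytes [58, C2, F8]",
    r"PAGE ntoskrnl.exe!ZwOpenKey 80568D48 5 Bytes JMP B6514815 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)",
    r".text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF7693340, 0xFFF3F, 0xF8000020]",
    r"---- Kernel code sections - GMER 1.0.15 ----",
]

# Assumed line formats, derived from the lines above.
# "SSDT <module> (<vendor>) <Function> [<addr>]"; "Code" entries have the same shape.
TABLE_HOOK = re.compile(
    r"^(?P<kind>SSDT|Code)\s+(?P<module>.+?\.(?:sys|dll))"
    r"(?:\s+\((?P<vendor>[^)]*)\))?\s+(?P<func>[NZ]\w+)(?:\s+\[(?P<addr>0x[0-9A-Fa-f]+)\])?\s*$")
# ".text|PAGE <image>!<func> <addr> <n> Bytes JMP <target> <module> (<vendor>)"
INLINE_JMP = re.compile(
    r"^(?:\.text|PAGE)\s+(?P<image>\S+?)!(?P<func>\w+)\s+[0-9A-Fa-f]+\s+(?P<nbytes>\d+)\s+Bytes\s+JMP\s+[0-9A-Fa-f]+"
    r"\s+(?P<module>.+?\.(?:sys|dll))(?:\s+\((?P<vendor>[^)]*)\))?\s*$")
# ".text|PAGE <image>!<func> [+ off] <addr> <n> Bytes [<bytes>]": patched bytes, no JMP target
INLINE_PATCH = re.compile(
    r"^(?:\.text|PAGE)\s+(?P<image>\S+?)!(?P<func>\w+)(?:\s+\+\s+\d+)?\s+[0-9A-Fa-f]+"
    r"\s+(?P<nbytes>\d+)\s+Bytes\s+\[(?P<bytes>[^\]]*)\]\s*$")
WRITEABLE = re.compile(r"^(?:\.text|PAGE)\s+(?P<module>.+?)\s+section is writeable\s+\[")


def parse_gmer_line(line):
    """Describe one GMER entry as a dict, or return None for headers and blank lines."""
    line = line.strip()
    m = TABLE_HOOK.match(line)
    if m:
        return {"kind": m["kind"].lower(), "module": m["module"], "vendor": m["vendor"], "func": m["func"]}
    m = INLINE_JMP.match(line)
    if m:
        return {"kind": "inline", "module": m["module"], "vendor": m["vendor"], "func": m["func"]}
    m = INLINE_PATCH.match(line)
    if m:
        return {"kind": "patch", "module": None, "vendor": None, "func": m["func"]}
    m = WRITEABLE.match(line)
    if m:
        return {"kind": "writeable", "module": m["module"], "vendor": None, "func": None}
    return None


def summarize_hooks(lines):
    """Group hooks by the driver that installed them; collect entries to check by hand."""
    by_module = defaultdict(lambda: {"vendor": None, "hooks": []})
    review = []
    for line in lines:
        entry = parse_gmer_line(line)
        if entry is None:
            continue
        if entry["kind"] in ("patch", "writeable"):
            review.append(entry)  # no hooking driver to credit; look at the image itself
            continue
        bucket = by_module[entry["module"]]
        bucket["vendor"] = bucket["vendor"] or entry["vendor"]
        bucket["hooks"].append((entry["kind"], entry["func"]))
        if not entry["vendor"]:
            review.append(entry)  # GMER gave no vendor string: verify the file's signer/hash
    return {"by_module": dict(by_module), "review": review}


if __name__ == "__main__":
    result = summarize_hooks(SAMPLE_GMER_LINES)
    for module, info in result["by_module"].items():
        print(f"{module} [{info['vendor'] or 'vendor unknown'}]: {len(info['hooks'])} hook(s)")
    print(f"{len(result['review'])} entries to check by hand")
```

A hook with a vendor string from a product you know you installed is expected behaviour for anti-malware drivers; a hook GMER cannot attribute, or a hooking module you do not recognise, is what actually needs checking, and that check is done on the file (signer, hash, where it was installed from), not by staring at the addresses.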
 
GMER log part2

File too large so I have zipped and attached.
 

Attachments

  • gmer.zip (78.6 KB)
Please download ComboFix by sUBs from HERE or HERE
  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply.
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

===============

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:


netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\System32\config\*.sav
CREATERESTOREPOINT


* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
ComboFix Log, OTL Log, Extras.txt

Logs attached, as requested. When running ComboFix I had to reconnect to the internet as it wanted to download RestorePoint from Microsoft.com?
Other than that, all seemed to go smoothly.

Thanks for your help.

K
 

Attachments

  • log.txt (20.6 KB)
  • OTL.Txt (132.5 KB)
  • Extras.Txt (51.1 KB)
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O9 - Extra Button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} -  File not found
    :Commands
    [emptyflash]
    [Purity]
    [emptytemp]
    [resethosts]
    [Reboot]
  • Then click the Run Fix button at the top.
  • Let the program run unhindered, reboot the PC when it is done.
  • Post log from this run.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

====

Let me know how things are now.
 
OTL Logs

Hi

Attached are the log files you requested.
Hope they can shed some light on things!

K
 

Attachments

  • 09212010_215038.log (4.7 KB)
  • OTL.Txt (119 KB)
Still really slow, 60 processes running, commit charge 740M+/1249M?
Hard disk chattering away while the PC doesn't appear to be doing anything.
McAfee no longer updating. Before, it used to run automatically whenever I connected to the internet, and would take a really long time to download (10 mins plus). Now, nothing happens and no "M" icon is displayed in the systray anymore. How bad is it?

Yours hopefully
K
 
Let's have a go at an online scan whilst we are at it and see what it turns up.

Please Run the ESET Online Scanner and post the ScanLog with your post for assistance.
  • You will need to use Internet Explorer to complete this scan.
  • You will need to temporarily Disable your current Anti-virus program.
  • Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
  • When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

NOTE: If you are unable to complete the ESET scan, please try another from the list below:

 
Hi

Tried to run ESET but it kept asking for proxy info and wouldn't run. Then tried the Kaspersky online scan and it wouldn't run. So ran pandasoftware activescan. This took 30+ hrs to run! It found 5 items (log attached). At about 70% complete I got the following warning:

WINDOWS VIRTUAL MEMORY MINIMUM TOO LOW.

Your system is low on virtual memory. Windows is increasing the size of your virtual memory paging file. During this process memory requests for some applications may be denied. For more information, see Help.

At this point processes running were 60, CPU usage was 100%.

Hope this makes sense.

Thanks
K
 

Attachments

  • ActiveScan.txt (3.2 KB)
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :Files
    c:\windows\system32\cmd.ftp
    c:\system volume information\_restore{e87a81fb-fdcf-4b92-a20c-951710f82d7c}\rp642\a0137383.exe
    c:\system volume information\_restore{e87a81fb-fdcf-4b92-a20c-951710f82d7c}\rp642\a0137382.dll
    
    :Commands
    [emptytemp]
    [clearallrestorepoints]
    [Reboot]
  • Then click the Run Fix button at the top.
  • Let the program run unhindered, reboot the PC when it is done.
  • Post log from this run.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
 
Hi,

Sorry for delay but have been away for few days.

Ran virusscan.jotti and findings as follows:

Scanners (scan date, result):

2010-09-28  Found nothing
2010-09-28  Trojan.FTPGet.B
2010-09-27  Found nothing
2010-09-28  Trojan.FTPGet.B
2010-09-27  Found nothing
2010-09-28  Found nothing
2010-09-28  Found nothing
2010-09-27  Found nothing
2010-09-28  Trojan.FTPGet.B
2010-09-27  W32/Sasser.ftp
2010-09-28  Trojan.Downloader.Bat.Ftp.gen-3
2010-09-28  Found nothing
2010-09-28  Troj.Downloader.BAT.Ftp.R
2010-09-28  Troj/BatFtp-B
2010-09-28  Found nothing
2010-09-26  Found nothing
2010-09-27  Found nothing
2010-09-27  Found nothing


Hope this helps.

K


 
Hi,

Sorry, per email from techspot openboards on 25/09/10 I was advised that you wanted me to run virusscan.jotti and to upload file c:\windows32\cmd.ftp. The log in my previous reply relates to this file.

I have now run otl and attach both requested logs for you.

Again, I hope this makes sense to you.

Thanks
K
 

Attachments

  • 09282010_104610.log (5.7 KB)
  • OTL.Txt (120.3 KB)
Hi

I'm not sure! I had to browse to the file and the filepath was C:\WINDOWS\SYSTEM32\cmd.ftp

This file is no longer there when I navigate to it in Windows Explorer.

K
 
What happened between you scanning that file at Jotti's and your last post?
The file existed when you went to Jotti's. I don't understand why it is now no longer there.
 
Hi

I went to virusscan.jotti.org and browsed to find C:\WINDOWS\SYSTEM32\cmd.ftp. Then I clicked on the 'Upload File' button. It seemed to go through a routine. Then I ran OTL with the notations you suggested and posted both logs here.

I have since tried a "search" of my PC for 'cmd.ftp' and it came back with 0 results. It's like the file has just vanished. Should I be worried?

Thanks
K
 
I have just gone back through the posts to 4 days ago and that is a file that I had you remove with OTL.

Let me know how your PC is now please.
 