Unsolved
27 Posts
Google searches being redirected to other sites. Malwarebytes not effective.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:56:48 PM, on 20/06/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\McAfee Online Backup\MOBKbackup.exe
C:\WINDOWS\system32\DRIVERS\o2flash.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\OEM13Mon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Ask.com\Updater\Updater.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.ca/hws/sb/dell-row/en/side.html?channel=ca-smb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ca/hws/sb/dell-row/en/side.html?channel=ca-smb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.ca/hws/sb/dell-row/en/side.html?channel=ca-smb
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://partnerpage.google.com/smallbiz.dell.com/en_ca?hl=en&client=dell-row&channel=ca-smb&ibd=4081113
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110512072847.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~2\mcieplg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~2\mcieplg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Support.com Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [OEM13Mon.exe] C:\WINDOWS\OEM13Mon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O4 - Global Startup: SetPoint.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O15 - ESC Trusted Zone: http://*.mcafee.com (HKLM)
O15 - ESC Trusted Zone: http://betavscan.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone: http://vs.mcafeeasap.com (HKLM)
O15 - ESC Trusted Zone: http://www.mcafeeasap.com (HKLM)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://www.arkansashighways.com/Road/acgm.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~2\mcieplg.dll
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
O18 - Protocol: intu-qt2009 - {03947252-2355-4E9B-B446-8CCC75C43370} - C:\Program Files\QuickTax 2009\ic2009pp.dll
O18 - Protocol: intu-tt2010 - {97A0575E-2309-4E75-8509-B1F9390C4DE7} - C:\Program Files\TurboTax 2010\ic2010pp.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~2\mcieplg.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c98bec61cc55b6) (gupdate1c98bec61cc55b6) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee SiteAdvisor Enterprise Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor Enterprise\McSACore.exe (file missing)
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
O23 - Service: McAfee Online Backup (MOBKbackup) - McAfee, Inc. - C:\Program Files\McAfee Online Backup\MOBKbackup.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: O2FLASH - O2Micro International - C:\WINDOWS\system32\DRIVERS\o2flash.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 14916 bytes
gahixon1
62 Posts
June 21st, 2011 16:00
Hi Tootall99,
I'd like you to follow these steps carefully. After running these tools could you please tell me if your browser redirections have stopped.
Step 1
TDSSKiller
Please read carefully and follow these steps.
Step 2
OTL
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
In your next reply:
OTL.txt
Extras.txt
TDSSKiller.txt
Have the redirects stopped?
gahixon1
62 Posts
June 21st, 2011 16:00
Hello tootall99 and welcome to the Forums,
My name is George and I will be assisting you with your problem. Please be patient while I determine my first set of instructions.
Please follow all my instructions carefully in the order that I give them.
Please give a VERY clear description of the problem you are having. The more detailed, the quicker we will be able to work through the problem together.
Do not install any updates until I tell you to do so. Updating an infected computer can have disastrous effects.
Do not attempt any other fixes than what I give you here. Using other tools might interfere with the cleaning process. It may also damage your computer.
Either print or save to Notepad all the instructions that I give you. If there is anything you are unsure of or any instructions you feel lack clarity, please do not hesitate to ask.
Some of the logs I may ask for are very long and complex, as is analysing them. My responses to you may take longer than you would expect. I assure you that I will work through your problem and a solution as quickly as I can.
I am currently an advanced trainee in Malware removal at SpywareHammer Academy. My posts have to be approved by a Mentor before posting, so my responses may take longer than expected; all I ask is that you please be patient.
Please wait while I analyse your log and devise my first set of instructions.
Thanks
G
tootall99
27 Posts
June 21st, 2011 21:00
Here is the OTL logfile
OTL logfile created on: 21/06/2011 7:03:59 PM - Run 1
OTL by OldTimer - Version 3.2.24.1 Folder = C:\Documents and Settings\Tom Cuthbertson\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy
2.99 Gb Total Physical Memory | 1.49 Gb Available Physical Memory | 49.67% Memory free
4.83 Gb Paging File | 3.37 Gb Available in Paging File | 69.75% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 288.25 Gb Total Space | 252.06 Gb Free Space | 87.44% Space Free | Partition Type: NTFS
Computer Name: TOM | User Name: Tom Cuthbertson | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - C:\Documents and Settings\Tom Cuthbertson\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Documents and Settings\Tom Cuthbertson\Desktop\tdsskiller\TDSSKiller.exe (Kaspersky Lab ZAO)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Ask.com\Updater\Updater.exe (Ask)
PRC - C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee Online Backup\MOBKbackup.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\Java\Java Update\jucheck.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)
PRC - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe (Adobe Systems Incorporated)
PRC - C:\WINDOWS\system32\drivers\o2flash.exe (O2Micro International)
PRC - C:\WINDOWS\OEM13Mon.exe (Creative Technology Ltd.)
PRC - C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe (TOSHIBA CORPORATION.)
PRC - C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
PRC - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (TOSHIBA CORPORATION.)
PRC - C:\Program Files\DellTPad\hidfind.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\DellTPad\ApMsgFwd.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\DellTPad\ApntEx.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe (TOSHIBA CORPORATION.)
PRC - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe (TOSHIBA CORPORATION.)
PRC - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe (TOSHIBA CORPORATION.)
PRC - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe (TOSHIBA CORPORATION.)
PRC - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe (TOSHIBA CORPORATION)
PRC - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe (TOSHIBA CORPORATION.)
PRC - C:\Program Files\SetPoint\SetPoint.exe (Logitech Inc.)
PRC - C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.exe (Logitech Inc.)
========== Modules (SafeList) ==========
MOD - C:\Documents and Settings\Tom Cuthbertson\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\msvcr80.dll (Microsoft Corporation)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\msvcp80.dll (Microsoft Corporation)
MOD - c:\Program Files\McAfee\SiteAdvisor\sahook.dll (McAfee, Inc.)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)
MOD - C:\Program Files\SetPoint\lgscroll.dll (Logitech Inc.)
========== Win32 Services (SafeList) ==========
SRV - (McAfee SiteAdvisor Enterprise Service) -- File not found
SRV - (MBAMService) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (mfefire) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe (McAfee, Inc.)
SRV - (McShield) -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe ()
SRV - (mfevtp) -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee, Inc.)
SRV - (nosGetPlusHelper) getPlus(R) -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll (NOS Microsystems Ltd.)
SRV - (McODS) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SRV - (MOBKbackup) -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe (McAfee, Inc.)
SRV - (MSK80Service) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McProxy) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McOobeSv) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McNASvc) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McNaiAnn) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (mcmscsvc) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McMPFSvc) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McAfee SiteAdvisor Service) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McComponentHostService) -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe (McAfee, Inc.)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (AdobeActiveFileMonitor7.0) -- C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe (Adobe Systems Incorporated)
SRV - (O2FLASH) -- C:\WINDOWS\system32\drivers\o2flash.exe (O2Micro International)
SRV - (TOSHIBA Bluetooth Service) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe (TOSHIBA CORPORATION)
========== Driver Services (SafeList) ==========
DRV - (MBAMProtector) -- C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes Corporation)
DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mfefirek) -- C:\WINDOWS\system32\drivers\mfefirek.sys (McAfee, Inc.)
DRV - (MfeAVFK) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfeapfk) -- C:\WINDOWS\system32\drivers\mfeapfk.sys (McAfee, Inc.)
DRV - (mfendiskmp) -- C:\WINDOWS\system32\drivers\mfendisk.sys (McAfee, Inc.)
DRV - (mfendisk) -- C:\WINDOWS\system32\drivers\mfendisk.sys (McAfee, Inc.)
DRV - (mferkdet) -- C:\WINDOWS\system32\drivers\mferkdet.sys (McAfee, Inc.)
DRV - (mfetdi2k) -- C:\WINDOWS\system32\drivers\mfetdi2k.sys (McAfee, Inc.)
DRV - (cfwids) -- C:\WINDOWS\system32\drivers\cfwids.sys (McAfee, Inc.)
DRV - (MfeBOPK) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (MOBKFilter) -- C:\WINDOWS\system32\drivers\MOBK.sys (Mozy, Inc.)
DRV - (mfetdik) -- C:\WINDOWS\system32\drivers\mfetdik.sys (McAfee, Inc.)
DRV - (MfeRKDK) -- C:\WINDOWS\system32\drivers\mferkdk.sys (McAfee, Inc.)
DRV - (O2SDRDR) -- C:\WINDOWS\system32\drivers\o2sd.sys (O2Micro )
DRV - (O2MDRDR) -- C:\WINDOWS\system32\drivers\o2media.sys (O2Micro )
DRV - (OEM13Vid) -- C:\WINDOWS\system32\drivers\OEM13Vid.sys (Creative Technology Ltd.)
DRV - (OEM13Vfx) -- C:\WINDOWS\system32\drivers\OEM13Vfx.sys (EyePower Games Pte. Ltd.)
DRV - (OEM13Afx) -- C:\WINDOWS\system32\drivers\OEM13Afx.sys (Creative Technology Ltd.)
DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)
DRV - (Tosrfusb) -- C:\WINDOWS\system32\drivers\tosrfusb.sys (TOSHIBA CORPORATION)
DRV - (tosrfnds) -- C:\WINDOWS\system32\drivers\tosrfnds.sys (TOSHIBA Corporation.)
DRV - (Tosrfhid) -- C:\WINDOWS\system32\drivers\Tosrfhid.sys (TOSHIBA Corporation.)
DRV - (Tosrfcom) -- C:\WINDOWS\system32\drivers\tosrfcom.sys (TOSHIBA Corporation)
DRV - (tosrfbnp) -- C:\WINDOWS\system32\drivers\tosrfbnp.sys (TOSHIBA Corporation)
DRV - (tosrfbd) -- C:\WINDOWS\system32\drivers\tosrfbd.sys (TOSHIBA CORPORATION)
DRV - (tosporte) -- C:\WINDOWS\system32\drivers\tosporte.sys (TOSHIBA Corporation)
DRV - (RTLE8023xp) -- C:\WINDOWS\system32\drivers\Rtenicxp.sys (Realtek Semiconductor Corporation )
DRV - (ApfiltrService) -- C:\WINDOWS\system32\drivers\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (LMouFilt) -- C:\WINDOWS\system32\drivers\LMouFilt.Sys (Logitech, Inc.)
DRV - (LHidFilt) -- C:\WINDOWS\system32\drivers\LHidFilt.Sys (Logitech, Inc.)
DRV - (APPDRV) -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS (Dell Inc)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/.../en_ca
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.ca/.../side.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = partnerpage.google.com/.../en_ca
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = www.google.ca/.../side.html
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011/05/25 07:33:05 | 000,000,000 | ---D | M]
O1 HOSTS File: ([2008/04/14 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110512072847.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll (Google Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (Support.com Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Support.com Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Support.com Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files\Ask.com\Updater\Updater.exe (Ask)
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
O4 - HKLM..\Run: [DELL Webcam Manager] C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [ECenter] C:\DELL\E-Center\EULALauncher.exe ( )
O4 - HKLM..\Run: [ITSecMng] C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe ( TOSHIBA CORPORATION)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech Inc.)
O4 - HKLM..\Run: [Logitech Hardware Abstraction Layer] C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE (Logitech Inc.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [OEM13Mon.exe] C:\WINDOWS\OEM13Mon.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk = C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (TOSHIBA CORPORATION.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SetPoint.lnk = C:\Program Files\SetPoint\SetPoint.exe (Logitech Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKCU\..Trusted Domains: localhost ([]http in Local intranet)
O15 - HKCU\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} dlm.tools.akamai.com/.../dlm-activex-2.2.4.1.cab (DLM Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} java.sun.com/.../jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} fpdownload.macromedia.com/.../ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} tools.ebayimg.com/.../eBay_Enhanced_Picture_Control_v1-0-29-0.cab (EPUImageControl Class)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} java.sun.com/.../jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} java.sun.com/.../jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} java.sun.com/.../jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} platformdl.adobe.com/.../gp.cab (get_atlcom Class)
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} www.arkansashighways.com/.../acgm.cab (ActiveCGM Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.1.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\intu-qt2008 {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
O18 - Protocol\Handler\intu-qt2009 {03947252-2355-4e9b-B446-8CCC75C43370} - C:\Program Files\QuickTax 2009\ic2009pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
O18 - Protocol\Handler\intu-tt2010 {97A0575E-2309-4e75-8509-B1F9390C4DE7} - C:\Program Files\TurboTax 2010\ic2010pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Tom Cuthbertson\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Tom Cuthbertson\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/25 15:29:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2011/06/21 19:02:34 | 000,579,072 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Tom Cuthbertson\Desktop\OTL.exe
[2011/06/21 18:59:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tom Cuthbertson\Desktop\tdsskiller
[2011/06/20 23:30:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tom Cuthbertson\Start Menu\Programs\HiJackThis
[2011/06/20 23:30:23 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/06/20 07:07:19 | 000,404,640 | ---- | C] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/06/20 00:25:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
[2011/06/16 03:03:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[2011/06/15 13:58:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Earth
[2011/06/13 21:31:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tom Cuthbertson\Local Settings\Application Data\AskToolbar
[2011/06/12 19:12:07 | 000,000,000 | ---D | C] -- C:\Program Files\Ask.com
[2011/06/12 19:12:06 | 000,000,000 | ---D | C] -- C:\Firefox
[2011/06/12 19:12:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tom Cuthbertson\Application Data\Sammsoft
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2011/06/21 19:03:30 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Tom Cuthbertson\Desktop\OTL.exe
[2011/06/21 19:01:00 | 000,000,254 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2011/06/21 18:59:23 | 001,309,375 | ---- | M] () -- C:\Documents and Settings\Tom Cuthbertson\Desktop\tdsskiller.zip
[2011/06/21 18:56:10 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/06/21 18:50:21 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2011/06/20 23:30:57 | 000,002,467 | ---- | M] () -- C:\Documents and Settings\Tom Cuthbertson\Desktop\HiJackThis.lnk
[2011/06/20 23:30:01 | 001,402,880 | ---- | M] () -- C:\Documents and Settings\Tom Cuthbertson\Desktop\HijackThis.msi
[2011/06/20 07:07:19 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/06/20 00:29:12 | 000,468,098 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/06/20 00:29:12 | 000,080,956 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/06/20 00:25:51 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/06/20 00:25:17 | 000,001,597 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee Total Protection.lnk
[2011/06/20 00:25:04 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/06/20 00:25:03 | 000,000,324 | -HS- | M] () -- C:\WINDOWS\tasks\hqgt.job
[2011/06/20 00:25:02 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/06/20 00:24:59 | 3211,186,176 | -HS- | M] () -- C:\hiberfil.sys
[2011/06/17 14:52:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/06/16 03:05:02 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/06/15 13:58:25 | 000,001,917 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2011/06/14 22:56:44 | 000,001,815 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2011/06/04 23:24:24 | 000,000,786 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/05/30 16:19:48 | 005,964,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/05/29 09:11:20 | 000,022,712 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
========== Files Created - No Company Name ==========
[2011/06/21 18:58:53 | 001,309,375 | ---- | C] () -- C:\Documents and Settings\Tom Cuthbertson\Desktop\tdsskiller.zip
[2011/06/20 23:30:24 | 000,002,467 | ---- | C] () -- C:\Documents and Settings\Tom Cuthbertson\Desktop\HiJackThis.lnk
[2011/06/20 23:29:56 | 001,402,880 | ---- | C] () -- C:\Documents and Settings\Tom Cuthbertson\Desktop\HijackThis.msi
[2011/06/15 13:58:25 | 000,001,917 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2011/06/12 19:12:22 | 000,000,254 | ---- | C] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2011/04/24 14:17:11 | 000,134,656 | RHS- | C] () -- C:\WINDOWS\System32\apphelpy.dll
[2010/08/05 19:13:40 | 000,027,768 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/07/24 15:29:16 | 000,162,304 | ---- | C] () -- C:\WINDOWS\System32\ztvunrar36.dll
[2009/02/20 00:21:37 | 000,009,216 | ---- | C] () -- C:\Documents and Settings\Tom Cuthbertson\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/11/13 05:06:57 | 001,174,000 | ---- | C] () -- C:\WINDOWS\System32\igmedkrn.dll
[2008/11/13 05:06:57 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4864.dll
[2008/11/13 05:06:57 | 000,104,636 | ---- | C] () -- C:\WINDOWS\System32\igmedcompkrn.dll
[2008/11/13 05:06:54 | 000,077,824 | ---- | C] () -- C:\WINDOWS\setpwr32.exe
[2008/11/13 05:06:49 | 000,030,722 | ---- | C] () -- C:\WINDOWS\System32\asindis.dll
[2008/11/13 05:06:49 | 000,028,674 | ---- | C] () -- C:\WINDOWS\System32\elcp32i.dll
[2008/11/13 05:06:49 | 000,026,626 | ---- | C] () -- C:\WINDOWS\System32\iclldit.dll
[2008/11/13 05:05:53 | 000,001,195 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2008/11/13 03:30:49 | 000,000,000 | ---- | C] () -- C:\WINDOWS\tosOBEX.INI
[2008/11/13 03:30:34 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/11/13 03:20:46 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2008/11/13 03:20:45 | 000,753,664 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2008/11/13 03:20:45 | 000,024,064 | ---- | C] () -- C:\WINDOWS\System32\WLTRYSVC.EXE
[2008/11/13 03:20:03 | 000,000,074 | RHS- | C] () -- C:\WINDOWS\CT4CET.bin
[2008/05/26 22:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
[2008/05/26 22:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
[2008/04/25 15:31:41 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008/04/25 15:27:18 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/04/25 15:26:32 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2008/04/25 10:16:35 | 000,755,200 | ---- | C] () -- C:\WINDOWS\System32\ir50_32.dll
[2008/04/25 10:16:35 | 000,338,432 | ---- | C] () -- C:\WINDOWS\System32\ir41_qcx.dll
[2008/04/25 10:16:35 | 000,200,192 | ---- | C] () -- C:\WINDOWS\System32\ir50_qc.dll
[2008/04/25 10:16:35 | 000,183,808 | ---- | C] () -- C:\WINDOWS\System32\ir50_qcx.dll
[2008/04/25 10:16:35 | 000,120,320 | ---- | C] () -- C:\WINDOWS\System32\ir41_qc.dll
[2008/04/25 10:16:24 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/25 10:16:22 | 000,468,098 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/04/25 10:16:22 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/25 10:16:22 | 000,080,956 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/04/25 10:16:22 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/25 10:16:22 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2008/04/25 10:16:21 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2008/04/25 10:16:20 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2008/04/25 10:16:18 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/25 10:16:18 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/25 10:16:13 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/25 10:16:11 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/25 03:22:39 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/04/25 03:21:52 | 000,152,384 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2007/12/21 16:46:32 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\TosBtAcc.dll
[2007/09/27 11:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 11:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 11:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2005/07/22 21:30:18 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\TosCommAPI.dll
========== Alternate Data Streams ==========
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9
< End of report >
tootall99
27 Posts
0
June 21st, 2011 21:00
Here is the OTL extras logfile
The TDSSkiller scan was completed and no infections were found
OTL Extras logfile created on: 21/06/2011 7:03:59 PM - Run 1
OTL by OldTimer - Version 3.2.24.1 Folder = C:\Documents and Settings\Tom Cuthbertson\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy
2.99 Gb Total Physical Memory | 1.49 Gb Available Physical Memory | 49.67% Memory free
4.83 Gb Paging File | 3.37 Gb Available in Paging File | 69.75% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 288.25 Gb Total Space | 252.06 Gb Free Space | 87.44% Space Free | Partition Type: NTFS
Computer Name: TOM | User Name: Tom Cuthbertson | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ ]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ \shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
========== System Restore Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:TCP" = 1900:TCP:LocalSubNet:Enabled:UDP 1900
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe" = C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe:*:Enabled:Managed Services Agent
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" = C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe:*:Enabled:McAfee Shared Service Host -- (McAfee, Inc.)
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP620_series" = Canon MP620 series MP Drivers
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1D5E29AD-39A9-4D0A-A8B6-46A6FCD8C995}" = Live! Cam Avatar v1.0
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{24AE6B5B-3D5A-488C-9224-1BEE11F75DD9}" = TurboTax 2010
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 20
"{27C467F8-F8EF-4f68-BD72-D63632B2096C}" = McAfee Online Backup
"{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}" = SetPoint
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3D9892BB-A751-4E48-ADC8-E4289956CE1D}" = QuickTime
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{62230596-37E5-4618-A329-0D21F529A86F}" = Browser Address Error Redirector
"{65D0C510-D7B6-4438-9FC8-E6B91115AB0D}" = Live! Cam Avatar Creator
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{8215AC14-BFC2-4ECC-96D6-1030202F8BDF}" = Visual C++ 8.0 x86 Runtime Setup Package
"{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8CC990CD-87C8-475C-AC32-8A7984E2FCFA}" = CDDRV_Installer
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_BASICR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_BASICR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_BASICR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_BASICR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_BASICR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_BASICR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_BASICR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_BASICR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{9060B698-2B29-4A1F-B876-BEAC4C0A25D5}" = KhalSetup
"{91120000-0013-0000-0000-0000000FF1CE}" = Microsoft Office Basic 2007
"{91120000-0013-0000-0000-0000000FF1CE}_BASICR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0013-0000-0000-0000000FF1CE}_BASICR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91F7F3F3-CE80-48C3-8327-7D24A0A5716A}" = iTunes
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{a9264802-8a7a-40fe-a135-5c6d204aed7a}.sdb" = Internet Explorer (Enable DEP)
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AA0D2D5F-612B-45D3-8759-DA87206E5CC9}" = QuickTax 2008
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC76BA86-7AD7-1033-7B44-AA0000000001}" = Adobe Reader X (10.0.1)
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support
"{B3FED300-806C-11E0-A0D0-B8AC6F97B88E}" = Google Earth
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CB6075D9-F912-40AE-BEA6-E590DA24F16B}" = Adobe Photoshop Elements 7.0
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}" = Bluetooth Stack for Windows by Toshiba
"{CFF4500E-C5D6-695D-A027-B3D4DDED2CC3}" = McAfee Online Backup
"{D6BCB0B1-9AC8-407B-B679-F925A01F2B2C}" = Bonjour Print Services
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center
"{ECB9C58E-C565-4683-9599-B72290BD3B25}" = QuickTax 2009
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F44F0A3A-2110-4705-B5EC-D5B6371F53C1}" = Visual C++ 8.0 x86 Runtime Setup Package
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Photoshop Elements 7" = Adobe Photoshop Elements 7.0
"Advanced Audio FX Engine" = Advanced Audio FX Engine
"Advanced Video FX Engine" = Advanced Video FX Engine
"BASICR" = Microsoft Office Basic 2007
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card Utility
"Canon_IJ_Network_UTILITY" = Canon IJ Network Tool
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Creative OEM013" = Laptop Integrated Webcam Driver (1.01.01.0529)
"Dell Webcam Center" = Dell Webcam Center
"Dell Webcam Manager" = Dell Webcam Manager
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"Google Chrome" = Google Chrome
"Google Desktop" = Google Desktop
"Google Updater" = Google Updater
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.0.1200
"McAfee Security Scan" = McAfee Security Scan Plus
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSC" = McAfee Total Protection
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"SearchAssist" = SearchAssist
"Spell Checker For OE 2.1" = Spell Checker For OE 2.1
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
========== Last 10 Event Log Errors ==========
[ Application Events ]
Error - 19/06/2011 11:08:50 AM | Computer Name = TOM | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 11935938
Error - 19/06/2011 11:08:50 AM | Computer Name = TOM | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 11935938
Error - 19/06/2011 11:09:05 AM | Computer Name = TOM | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second
Error - 19/06/2011 11:09:05 AM | Computer Name = TOM | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 11951563
Error - 19/06/2011 11:09:05 AM | Computer Name = TOM | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 11951563
Error - 19/06/2011 11:09:21 AM | Computer Name = TOM | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second
Error - 19/06/2011 11:09:21 AM | Computer Name = TOM | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 11967188
Error - 19/06/2011 11:09:21 AM | Computer Name = TOM | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 11967188
Error - 19/06/2011 11:09:36 AM | Computer Name = TOM | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second
Error - 19/06/2011 11:09:36 AM | Computer Name = TOM | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 11982813
[ System Events ]
Error - 22/05/2011 10:04:31 PM | Computer Name = TOM | Source = NetBT | ID = 4321
Description = The name "WORKGROUP :1d" could not be registered on the Interface
with IP address 10.0.1.4. The machine with the IP address 10.0.1.3 did not allow
the name to be claimed by this machine.
Error - 24/05/2011 1:49:49 AM | Computer Name = TOM | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
MAC0023329643A4 that believes that it is the master browser for the domain on transport
NetBT_Tcpip_{5F5575A4-537. The master browser is stopping or an election is being
forced.
Error - 08/06/2011 5:12:11 PM | Computer Name = TOM | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
MAC0023329643A4 that believes that it is the master browser for the domain on transport
NetBT_Tcpip_{5F5575A4-537. The master browser is stopping or an election is being
forced.
Error - 10/06/2011 4:03:28 PM | Computer Name = TOM | Source = Service Control Manager | ID = 7000
Description = The McAfee SiteAdvisor Enterprise Service service failed to start
due to the following error: %%2
Error - 10/06/2011 4:05:36 PM | Computer Name = TOM | Source = DCOM | ID = 10010
Description = The server {209500FC-6B45-4693-8871-6296C4843751} did not register
with DCOM within the required timeout.
Error - 16/06/2011 5:24:30 AM | Computer Name = TOM | Source = Service Control Manager | ID = 7000
Description = The McAfee SiteAdvisor Enterprise Service service failed to start
due to the following error: %%2
Error - 19/06/2011 1:07:15 PM | Computer Name = TOM | Source = Service Control Manager | ID = 7000
Description = The McAfee SiteAdvisor Enterprise Service service failed to start
due to the following error: %%2
Error - 19/06/2011 1:09:33 PM | Computer Name = TOM | Source = DCOM | ID = 10010
Description = The server {209500FC-6B45-4693-8871-6296C4843751} did not register
with DCOM within the required timeout.
Error - 20/06/2011 2:25:30 AM | Computer Name = TOM | Source = Service Control Manager | ID = 7000
Description = The McAfee SiteAdvisor Enterprise Service service failed to start
due to the following error: %%2
Error - 20/06/2011 11:58:44 AM | Computer Name = TOM | Source = ACPIEC | ID = 327681
Description = \Device\ACPIEC: The embedded controller (EC) hardware didn't respond
within the timeout period. This may indicate an error in the EC hardware or firmware,
or possibly a poorly designed BIOS which accesses the EC in an unsafe manner.
The EC driver will retry the failed transaction if possible.
< End of report >
gahixon1
62 Posts
0
June 22nd, 2011 12:00
Hi Tootall99,
Can you tell me whether or not you are still experiencing the browser redirects? It's very important that you answer the questions that I ask. It will help the process greatly.
Could you please follow the instructions below.
Step 1
MBAM Logs
I know that you said MBAM was ineffective, however, looking through the previous logs may give me an idea of what's going on with your machine. Within the MBAM interface can you please click the Logs tab and copy and paste your three most recent MBAM logs.
Step 2
ComboFix
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
* Double-click on combofix.exe & follow the prompts.
When finished, it will produce a logfile located at C:\ComboFix.txt.
* Post the contents of that log in your next reply with a new DDS log.
Note: ComboFix will open a window which will detail its progress. It may take several minutes to complete. Do not mouse-click ComboFix's window while it is running. That may cause your system to stall/hang.
*Note: ComboFix is an extremely powerful tool and should not be used unsupervised. If used inappropriately it can cause irreparable damage to your computer.*
In your next reply:
* Have the redirects stopped?
* The previous MBAM logs
* ComboFix.txt
gahixon1
62 Posts
0
June 23rd, 2011 20:00
Are you still with us? Let me know if you are having any difficulty with my last set of instructions.
George
tootall99
27 Posts
0
June 23rd, 2011 23:00
Here is the second most recent MBAM log
04:17:05 Tom Cuthbertson MESSAGE IP Protection stopped
04:17:05 Tom Cuthbertson MESSAGE Scheduled update executed successfully
04:17:09 Tom Cuthbertson MESSAGE Database updated successfully
04:17:11 Tom Cuthbertson MESSAGE IP Protection started successfully
tootall99
27 Posts
0
June 23rd, 2011 23:00
Here is the third most recent MBAM log:
00:26:21 Tom Cuthbertson MESSAGE Protection started successfully
00:26:26 Tom Cuthbertson MESSAGE IP Protection started successfully
04:17:10 Tom Cuthbertson MESSAGE IP Protection stopped
04:17:10 Tom Cuthbertson MESSAGE Scheduled update executed successfully
04:17:13 Tom Cuthbertson MESSAGE Database updated successfully
04:17:14 Tom Cuthbertson MESSAGE IP Protection started successfully
22:56:28 Tom Cuthbertson MESSAGE Added 94.102.60.6 to ignore list
22:56:28 Tom Cuthbertson MESSAGE IP Protection stopped
22:56:29 Tom Cuthbertson MESSAGE IP Protection started successfully
tootall99
27 Posts
0
June 23rd, 2011 23:00
Yes, redirects are still occurring.
When I said that Malwarebytes was ineffective, in fact it is blocking the redirects, but that doesn't help me get to my intended search target. When I click on a Google search item, Malwarebytes pops up and says it has successfully blocked access to a malicious website. If I want to get to the actual website I wanted to see, I have to copy and paste the URL.
Here is the most recent MBAM log:
04:17:05 Tom Cuthbertson MESSAGE Scheduled update executed successfully
04:17:05 Tom Cuthbertson MESSAGE IP Protection stopped
04:17:10 Tom Cuthbertson MESSAGE Database updated successfully
04:17:12 Tom Cuthbertson MESSAGE IP Protection started successfully
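A small triage script for MBAM protection-log lines of the kind pasted in this thread, added here as an example (it is not code from the thread or from Malwarebytes). It assumes the two line shapes seen in the logs above, runs on constructed sample lines that use RFC 5737 documentation addresses in place of the real blocked destinations, and treats the 60-second burst gap as an assumed threshold.

```python
"""Triage helper for Malwarebytes' Anti-Malware (MBAM) protection-log lines.

Added example, not code from this thread or from Malwarebytes. It assumes the
two line shapes seen in the thread:
    HH:MM:SS <user name> IP-BLOCK <ip> (Type: outgoing)
    HH:MM:SS <user name> MESSAGE <free text>
and tallies blocked destinations, so a helper can see which addresses the
machine keeps trying to reach and whether a block was silenced via the ignore list.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# The user name may contain spaces, so match it lazily up to the record kind.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) (?P<user>.+?) (?P<kind>IP-BLOCK|MESSAGE) (?P<rest>.*)$"
)
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
BLOCK_RE = re.compile(rf"^(?P<ip>{IPV4}) \(Type: (?P<direction>\w+)\)$")
IGNORE_RE = re.compile(rf"^Added (?P<ip>{IPV4}) to ignore list$")

# Constructed sample log (not the thread's data); documentation addresses only.
SAMPLE_LOG = """\
04:17:05 Example User MESSAGE IP Protection stopped
04:17:05 Example User MESSAGE Scheduled update executed successfully
04:17:09 Example User MESSAGE Database updated successfully
04:17:11 Example User MESSAGE IP Protection started successfully
08:41:36 Example User IP-BLOCK 192.0.2.10 (Type: outgoing)
08:41:39 Example User IP-BLOCK 192.0.2.10 (Type: outgoing)
08:41:45 Example User IP-BLOCK 192.0.2.10 (Type: outgoing)
08:48:16 Example User IP-BLOCK 192.0.2.10 (Type: outgoing)
08:48:19 Example User IP-BLOCK 192.0.2.10 (Type: outgoing)
08:48:25 Example User IP-BLOCK 192.0.2.10 (Type: outgoing)
14:02:00 Example User IP-BLOCK 198.51.100.7 (Type: outgoing)
14:02:03 Example User IP-BLOCK 198.51.100.7 (Type: outgoing)
14:02:09 Example User IP-BLOCK 198.51.100.7 (Type: outgoing)
14:02:13 Example User MESSAGE Added 198.51.100.7 to ignore list
14:02:13 Example User MESSAGE IP Protection stopped
14:02:14 Example User MESSAGE IP Protection started successfully
"""


@dataclass(frozen=True)
class Event:
    time: datetime  # time of day only; the MBAM log carries no date
    user: str
    kind: str       # "IP-BLOCK" or "MESSAGE"
    text: str       # remainder of the line


def parse_line(line: str):
    """Return an Event for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(datetime.strptime(m["time"], "%H:%M:%S"), m["user"], m["kind"], m["rest"])


def parse_log(text: str):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def count_bursts(times, gap: timedelta):
    """Clusters of attempts separated by more than `gap` of quiet.

    A few attempts seconds apart are one burst (one retried request); a fresh
    burst minutes later means something on the host keeps coming back.
    """
    bursts, prev = 0, None
    for t in sorted(times):
        if prev is None or t - prev > gap:
            bursts += 1
        prev = t
    return bursts


def summarize(text: str, gap_seconds: int = 60):
    """Per-destination summary; gap_seconds is an assumed burst threshold."""
    hits = defaultdict(list)  # ip -> [(time, direction), ...]
    ignored = set()
    for e in parse_log(text):
        if e.kind == "IP-BLOCK":
            m = BLOCK_RE.match(e.text)
            if m:
                hits[m["ip"]].append((e.time, m["direction"]))
        else:
            m = IGNORE_RE.match(e.text)
            if m:
                ignored.add(m["ip"])
    gap = timedelta(seconds=gap_seconds)
    report = {}
    for ip, entries in hits.items():
        times = [t for t, _ in entries]
        report[ip] = {
            "blocks": len(entries),
            "first": min(times).strftime("%H:%M:%S"),
            "last": max(times).strftime("%H:%M:%S"),
            "bursts": count_bursts(times, gap),
            "directions": sorted({d for _, d in entries}),
            "whitelisted": ip in ignored,  # silencing the block does not stop the requests
        }
    return report


def flagged(report):
    """Destinations to escalate: repeated bursts, or a block the user silenced."""
    return sorted(ip for ip, r in report.items() if r["bursts"] >= 2 or r["whitelisted"])


if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG)
    for ip in flagged(rep):
        print(ip, rep[ip])
```

Pasting a real protection log into `summarize` in place of `SAMPLE_LOG` gives the same per-address table; an address that shows up as repeated bursts across a day is a retrying component, not the user clicking a result once.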
tootall99
27 Posts
0
June 24th, 2011 00:00
Here is the Combofix log.
ComboFix 11-06-23.03 - Tom Cuthbertson 24/06/2011 0:03.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.3062.2055 [GMT -6:00]
Running from: c:\documents and settings\Tom Cuthbertson\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((( Files Created from 2011-05-24 to 2011-06-24 )))))))))))))))))))))))))))))))
.
.
2011-06-21 05:30 . 2011-06-21 05:30 388096 ----a-r- c:\documents and settings\Tom Cuthbertson\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-06-21 05:30 . 2011-06-21 05:30 -------- d-----w- c:\program files\Trend Micro
2011-06-20 13:07 . 2011-06-20 13:07 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-16 09:03 . 2011-06-16 09:23 -------- d-----w- c:\windows\SxsCaPendDel
2011-06-14 03:31 . 2011-06-24 06:03 -------- d-----w- c:\documents and settings\Tom Cuthbertson\Local Settings\Application Data\AskToolbar
2011-06-13 01:12 . 2011-06-16 10:01 -------- d-----w- c:\program files\Ask.com
2011-06-13 01:12 . 2011-06-13 01:12 -------- d-----w- C:\Firefox
2011-06-13 01:12 . 2011-06-19 17:13 -------- d-----w- c:\documents and settings\Tom Cuthbertson\Application Data\Sammsoft
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-29 15:11 . 2011-05-20 03:14 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 15:11 . 2011-05-20 03:14 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-02 15:31 . 2008-04-25 21:27 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 16:19 . 2008-04-25 16:16 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2008-04-25 16:16 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2008-04-25 16:16 43520 ------w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2008-04-25 16:16 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2008-04-25 16:16 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2008-04-25 16:16 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-04-14 20:01 . 2010-07-25 04:24 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-04-14 20:01 . 2010-07-25 04:24 88736 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-04-14 20:01 . 2010-07-25 04:24 84488 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-04-14 20:01 . 2010-07-25 04:24 84200 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-04-14 20:01 . 2010-07-25 04:24 56064 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-04-14 20:01 . 2010-07-25 04:24 314088 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-04-14 20:01 . 2010-06-01 02:32 95824 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-04-14 20:01 . 2010-02-16 06:29 52320 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-04-14 20:01 . 2010-02-16 06:29 387480 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-04-14 20:01 . 2010-02-16 06:29 153280 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-05-17 19:29 1490312 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-14 02:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-14 02:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-14 02:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-13 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-02-21 159744]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-21 16855552]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"OEM13Mon.exe"="c:\windows\OEM13Mon.exe" [2008-07-16 36864]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-06-30 2220032]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-02-22 1245184]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-06 30192]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-28 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2007-01-12 101136]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-12 101136]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-04-05 1195408]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-05-17 395144]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-2-22 2938184]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
SetPoint.lnk - c:\program files\SetPoint\SetPoint.exe [2008-12-7 679936]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [24/07/2010 10:24 PM 84200]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [24/07/2010 10:25 PM 54776]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [16/09/2008 3:02 PM 163840]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [19/05/2011 9:14 PM 366640]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [24/07/2010 10:24 PM 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [24/07/2010 10:24 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [24/07/2010 10:24 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [24/07/2010 10:24 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [24/07/2010 10:24 PM 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [13/04/2010 8:11 PM 229688]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [24/07/2010 10:24 PM 56064]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [19/05/2011 9:14 PM 22712]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [24/07/2010 10:24 PM 314088]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [24/07/2010 10:24 PM 88736]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [13/11/2008 5:06 AM 51288]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [13/11/2008 5:06 AM 43608]
R3 OEM13Afx;Provides a software interface to control audio effects of OEM013 camera.;c:\windows\system32\drivers\OEM13Afx.sys [13/11/2008 5:06 AM 141376]
R3 OEM13Vfx;Creative Camera OEM013 Video VFX Driver;c:\windows\system32\drivers\OEM13Vfx.sys [13/11/2008 5:06 AM 7424]
R3 OEM13Vid;Creative Camera OEM013 Driver;c:\windows\system32\drivers\OEM13Vid.sys [13/11/2008 5:06 AM 235840]
S2 gupdate1c98bec61cc55b6;Google Update Service (gupdate1c98bec61cc55b6);c:\program files\Google\Update\GoogleUpdate.exe [10/02/2009 7:59 PM 133104]
S2 McAfee SiteAdvisor Enterprise Service;McAfee SiteAdvisor Enterprise Service;"c:\program files\McAfee\SiteAdvisor Enterprise\McSACore.exe" --> c:\program files\McAfee\SiteAdvisor Enterprise\McSACore.exe [?]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [13/11/2008 3:25 AM 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/02/2009 7:59 PM 133104]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 6:49 AM 227232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [24/07/2010 10:24 PM 88736]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [24/07/2010 10:24 PM 84488]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [25/04/2008 10:16 AM 14336]
S4 McOobeSv;McAfee OOBE Service;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [24/07/2010 10:24 PM 271480]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]
.
2011-06-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-13 01:58]
.
2011-06-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 01:59]
.
2011-06-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 01:59]
.
2011-06-24 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-05-17 19:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 10.0.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
AddRemove-Canon_IJ_Network_UTILITY - c:\program files\Canon\Canon IJ Network Tool\CNMNUU.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-24 00:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1904)
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(5040)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~2\saHook.dll
c:\program files\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\McAfee Online Backup\MOBKshell.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\DRIVERS\o2flash.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\System32\vssvc.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\DellTPad\HidFind.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\progra~1\mcafee\VIRUSS~1\mcvsshld.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
c:\progra~1\mcafee.com\agent\mcupdate.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2011-06-24 00:17:41 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-24 06:17
.
Pre-Run: 274,572,673,024 bytes free
Post-Run: 275,185,229,824 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 35FCE5E80CEC294BA9AD41F7C3CE4222
gahixon1
62 Posts
0
June 24th, 2011 09:00
Hi Tootall99,
I'd like you to run another tool that will search for deeply hidden rootkits. So far I can't see any evidence of what is causing your browser redirects.
Are you connected through a router? Do you have other devices in your house connected through the same router? If so, are those also having browser redirects? <<-----Very important
Step 1
GMER
Download the GMER Rootkit Scanner. Unzip it to your Desktop.
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
Double-click gmer.exe. The program will begin to run.
**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!
If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
Once the scan is complete, you may receive another notice about rootkit activity.
Post the contents of GMER.txt in your next reply.
In your next reply:
The answer to my initial questions
GMER.txt
tootall99
27 Posts
0
June 24th, 2011 12:00
Hi there
The computer is connected through a router, but the other devices on the router are not experiencing the problem. However, they are Apple based instead of IBM based, if that means anything.
Interestingly enough, after I ran the Combofix last night, the redirect doesn't seem to be there any more. Combofix seemed to make a few changes to the internet configuration, as I had to tell the computer afterwards to set Explorer as my default browser again. Is it possible that Combofix would have made changes that fixed the problem?
I have to go out of town tonight, so I won't be able to run the Rootkit tool for about 36 hours from now (1 PM MST).
tootall99
27 Posts
0
June 25th, 2011 22:00
Here is the GMER scan
GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-25 22:49:24
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD32 rev.11.0
Running: gmer.exe; Driver: C:\DOCUME~1\TOMCUT~1\LOCALS~1\Temp\fxtdipow.sys
---- System - GMER 1.0.15 ----
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9DE8210]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9DE8224]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9DE8250]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9DE82A6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9DE81FC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9DE81D4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9DE81E8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9DE823A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9DE827C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9DE8266]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9DE82D0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9DE82BC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9DE8290]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwYieldExecution 80504B08 7 Bytes JMP B9DE8294 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B203A 7 Bytes JMP B9DE82AA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E48 5 Bytes JMP B9DE82C0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetSecurityObject 805C062E 5 Bytes JMP B9DE8280 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB440 5 Bytes JMP B9DE81D8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB6CC 5 Bytes JMP B9DE81EC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29E2 5 Bytes JMP B9DE82D4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80622662 7 Bytes JMP B9DE826A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80623B12 7 Bytes JMP B9DE823E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806240F0 5 Bytes JMP B9DE8214 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8062458C 7 Bytes JMP B9DE8228 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8062475C 7 Bytes JMP B9DE8254 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 806254CE 5 Bytes JMP B9DE8200 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
? Combo-Fix.sys The system cannot find the file specified. !
init C:\WINDOWS\system32\Drivers\OEM13Afx.sys entry point in "init" section [0xA3DE4310]
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\svchost.exe[272] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00FD0FE5
.text C:\WINDOWS\system32\svchost.exe[272] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00FD0000
.text C:\WINDOWS\system32\svchost.exe[272] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FD0FD4
.text C:\WINDOWS\system32\svchost.exe[272] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FC0FEF
.text C:\WINDOWS\system32\svchost.exe[272] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FC007D
.text C:\WINDOWS\system32\svchost.exe[272] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FC0F88
.text C:\WINDOWS\system32\svchost.exe[272] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FC006C
.text C:\WINDOWS\system32\svchost.exe[272] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FC005B
.text C:\WINDOWS\system32\svchost.exe[272] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FC002F
.text C:\WINDOWS\system32\svchost.exe[272] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FC00AB
.text C:\WINDOWS\system32\svchost.exe[272] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FC008E
.text C:\WINDOWS\system32\svchost.exe[272] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FC0F3E
.text C:\WINDOWS\system32\svchost.exe[272] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FC00D7
.text C:\WINDOWS\system32\svchost.exe[272] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FC0F23
.text C:\WINDOWS\system32\svchost.exe[272] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FC0040
.text C:\WINDOWS\system32\svchost.exe[272] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FC000A
.text C:\WINDOWS\system32\svchost.exe[272] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FC0F63
.text C:\WINDOWS\system32\svchost.exe[272] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FC0FB9
.text C:\WINDOWS\system32\svchost.exe[272] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FC0FD4
.text C:\WINDOWS\system32\svchost.exe[272] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FC00C6
.text C:\WINDOWS\system32\svchost.exe[272] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02410FAF
.text C:\WINDOWS\system32\svchost.exe[272] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02410F68
.text C:\WINDOWS\system32\svchost.exe[272] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02410FC0
.text C:\WINDOWS\system32\svchost.exe[272] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02410FDB
.text C:\WINDOWS\system32\svchost.exe[272] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02410F83
.text C:\WINDOWS\system32\svchost.exe[272] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02410000
.text C:\WINDOWS\system32\svchost.exe[272] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02410F94
.text C:\WINDOWS\system32\svchost.exe[272] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [61, 8A]
.text C:\WINDOWS\system32\svchost.exe[272] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02410025
.text C:\WINDOWS\system32\svchost.exe[272] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FF0FC8
.text C:\WINDOWS\system32\svchost.exe[272] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FF0FE3
.text C:\WINDOWS\system32\svchost.exe[272] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FF002E
.text C:\WINDOWS\system32\svchost.exe[272] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\svchost.exe[272] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FF0053
.text C:\WINDOWS\system32\svchost.exe[272] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FF001D
.text C:\WINDOWS\system32\svchost.exe[272] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\svchost.exe[376] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00D60FE5
.text C:\WINDOWS\system32\svchost.exe[376] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00D60FCA
.text C:\WINDOWS\system32\svchost.exe[376] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D60000
.text C:\WINDOWS\system32\svchost.exe[376] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D50000
.text C:\WINDOWS\system32\svchost.exe[376] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D500BA
.text C:\WINDOWS\system32\svchost.exe[376] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D500A9
.text C:\WINDOWS\system32\svchost.exe[376] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D5008E
.text C:\WINDOWS\system32\svchost.exe[376] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D50FD1
.text C:\WINDOWS\system32\svchost.exe[376] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D50062
.text C:\WINDOWS\system32\svchost.exe[376] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D500FC
.text C:\WINDOWS\system32\svchost.exe[376] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D50FAA
.text C:\WINDOWS\system32\svchost.exe[376] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D50F74
.text C:\WINDOWS\system32\svchost.exe[376] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D50117
.text C:\WINDOWS\system32\svchost.exe[376] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D50128
.text C:\WINDOWS\system32\svchost.exe[376] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D50073
.text C:\WINDOWS\system32\svchost.exe[376] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D50025
.text C:\WINDOWS\system32\svchost.exe[376] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D500D5
.text C:\WINDOWS\system32\svchost.exe[376] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D50051
.text C:\WINDOWS\system32\svchost.exe[376] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D50040
.text C:\WINDOWS\system32\svchost.exe[376] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D50F99
.text C:\WINDOWS\system32\svchost.exe[376] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D90F9E
.text C:\WINDOWS\system32\svchost.exe[376] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D90F79
.text C:\WINDOWS\system32\svchost.exe[376] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D90FB9
.text C:\WINDOWS\system32\svchost.exe[376] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D90FDE
.text C:\WINDOWS\system32\svchost.exe[376] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D90036
.text C:\WINDOWS\system32\svchost.exe[376] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D90FEF
.text C:\WINDOWS\system32\svchost.exe[376] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D90025
.text C:\WINDOWS\system32\svchost.exe[376] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D9000A
.text C:\WINDOWS\system32\svchost.exe[376] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D80FBC
.text C:\WINDOWS\system32\svchost.exe[376] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D80047
.text C:\WINDOWS\system32\svchost.exe[376] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D8001B
.text C:\WINDOWS\system32\svchost.exe[376] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D80000
.text C:\WINDOWS\system32\svchost.exe[376] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D80036
.text C:\WINDOWS\system32\svchost.exe[376] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D80FD7
.text C:\WINDOWS\system32\svchost.exe[376] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D70FEF
.text C:\WINDOWS\System32\svchost.exe[412] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02780FEF
.text C:\WINDOWS\System32\svchost.exe[412] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0278000A
.text C:\WINDOWS\System32\svchost.exe[412] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02780FD4
.text C:\WINDOWS\System32\svchost.exe[412] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02770FEF
.text C:\WINDOWS\System32\svchost.exe[412] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02770F39
.text C:\WINDOWS\System32\svchost.exe[412] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02770038
.text C:\WINDOWS\System32\svchost.exe[412] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02770F5E
.text C:\WINDOWS\System32\svchost.exe[412] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02770F6F
.text C:\WINDOWS\System32\svchost.exe[412] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02770FAF
.text C:\WINDOWS\System32\svchost.exe[412] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02770064
.text C:\WINDOWS\System32\svchost.exe[412] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02770F28
.text C:\WINDOWS\System32\svchost.exe[412] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0277007F
.text C:\WINDOWS\System32\svchost.exe[412] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02770EF0
.text C:\WINDOWS\System32\svchost.exe[412] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02770ECB
.text C:\WINDOWS\System32\svchost.exe[412] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02770F94
.text C:\WINDOWS\System32\svchost.exe[412] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02770FD4
.text C:\WINDOWS\System32\svchost.exe[412] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02770053
.text C:\WINDOWS\System32\svchost.exe[412] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0277001B
.text C:\WINDOWS\System32\svchost.exe[412] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0277000A
.text C:\WINDOWS\System32\svchost.exe[412] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02770F01
.text C:\WINDOWS\System32\svchost.exe[412] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0448002C
.text C:\WINDOWS\System32\svchost.exe[412] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 04480051
.text C:\WINDOWS\System32\svchost.exe[412] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 04480FE5
.text C:\WINDOWS\System32\svchost.exe[412] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0448001B
.text C:\WINDOWS\System32\svchost.exe[412] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 04480F94
.text C:\WINDOWS\System32\svchost.exe[412] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0448000A
.text C:\WINDOWS\System32\svchost.exe[412] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 04480FA5
.text C:\WINDOWS\System32\svchost.exe[412] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [68, 8C]
.text C:\WINDOWS\System32\svchost.exe[412] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 04480FC0
.text C:\WINDOWS\System32\svchost.exe[412] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0447005A
.text C:\WINDOWS\System32\svchost.exe[412] msvcrt.dll!system 77C293C7 5 Bytes JMP 04470049
.text C:\WINDOWS\System32\svchost.exe[412] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 04470027
.text C:\WINDOWS\System32\svchost.exe[412] msvcrt.dll!_open 77C2F566 5 Bytes JMP 04470000
.text C:\WINDOWS\System32\svchost.exe[412] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 04470038
.text C:\WINDOWS\System32\svchost.exe[412] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 04470FE3
.text C:\WINDOWS\System32\svchost.exe[412] WS2_32.dll!socket 71AB4211 5 Bytes JMP 04460000
.text C:\WINDOWS\System32\svchost.exe[412] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 04430000
.text C:\WINDOWS\System32\svchost.exe[412] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 04430FDB
.text C:\WINDOWS\System32\svchost.exe[412] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0443001B
.text C:\WINDOWS\System32\svchost.exe[412] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 04430036
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[596] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[596] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[680] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 007E000A
.text C:\WINDOWS\system32\svchost.exe[680] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 007E002F
.text C:\WINDOWS\system32\svchost.exe[680] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007E0FEF
.text C:\WINDOWS\system32\svchost.exe[680] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007D0FE5
.text C:\WINDOWS\system32\svchost.exe[680] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007D0F7E
.text C:\WINDOWS\system32\svchost.exe[680] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007D0073
.text C:\WINDOWS\system32\svchost.exe[680] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007D0062
.text C:\WINDOWS\system32\svchost.exe[680] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007D0051
.text C:\WINDOWS\system32\svchost.exe[680] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007D001B
.text C:\WINDOWS\system32\svchost.exe[680] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007D0F2B
.text C:\WINDOWS\system32\svchost.exe[680] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007D0F48
.text C:\WINDOWS\system32\svchost.exe[680] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007D0EFF
.text C:\WINDOWS\system32\svchost.exe[680] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007D0F1A
.text C:\WINDOWS\system32\svchost.exe[680] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007D00BD
.text C:\WINDOWS\system32\svchost.exe[680] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007D0036
.text C:\WINDOWS\system32\svchost.exe[680] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007D0FD4
.text C:\WINDOWS\system32\svchost.exe[680] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007D0F63
.text C:\WINDOWS\system32\svchost.exe[680] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007D0FB9
.text C:\WINDOWS\system32\svchost.exe[680] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007D000A
.text C:\WINDOWS\system32\svchost.exe[680] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007D0098
.text C:\WINDOWS\system32\svchost.exe[680] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00810025
.text C:\WINDOWS\system32\svchost.exe[680] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0081006C
.text C:\WINDOWS\system32\svchost.exe[680] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00810FD4
.text C:\WINDOWS\system32\svchost.exe[680] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0081000A
.text C:\WINDOWS\system32\svchost.exe[680] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00810051
.text C:\WINDOWS\system32\svchost.exe[680] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00810FE5
.text C:\WINDOWS\system32\svchost.exe[680] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00810040
.text C:\WINDOWS\system32\svchost.exe[680] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00810FB9
.text C:\WINDOWS\system32\svchost.exe[680] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00800055
.text C:\WINDOWS\system32\svchost.exe[680] msvcrt.dll!system 77C293C7 5 Bytes JMP 00800044
.text C:\WINDOWS\system32\svchost.exe[680] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00800022
.text C:\WINDOWS\system32\svchost.exe[680] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00800000
.text C:\WINDOWS\system32\svchost.exe[680] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00800033
.text C:\WINDOWS\system32\svchost.exe[680] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00800011
.text C:\WINDOWS\system32\svchost.exe[680] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007F0000
.text C:\WINDOWS\system32\svchost.exe[724] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 009E0000
.text C:\WINDOWS\system32\svchost.exe[724] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 009E0FE5
.text C:\WINDOWS\system32\svchost.exe[724] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009E001B
.text C:\WINDOWS\system32\svchost.exe[724] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009D0000
.text C:\WINDOWS\system32\svchost.exe[724] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009D008B
.text C:\WINDOWS\system32\svchost.exe[724] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009D007A
.text C:\WINDOWS\system32\svchost.exe[724] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009D0069
.text C:\WINDOWS\system32\svchost.exe[724] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009D0FB6
.text C:\WINDOWS\system32\svchost.exe[724] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009D003D
.text C:\WINDOWS\system32\svchost.exe[724] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009D00B7
.text C:\WINDOWS\system32\svchost.exe[724] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009D009C
.text C:\WINDOWS\system32\svchost.exe[724] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009D00D2
.text C:\WINDOWS\system32\svchost.exe[724] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009D0F39
.text C:\WINDOWS\system32\svchost.exe[724] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009D00E3
.text C:\WINDOWS\system32\svchost.exe[724] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009D0058
.text C:\WINDOWS\system32\svchost.exe[724] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009D001B
.text C:\WINDOWS\system32\svchost.exe[724] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009D0F71
.text C:\WINDOWS\system32\svchost.exe[724] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009D002C
.text C:\WINDOWS\system32\svchost.exe[724] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009D0FDB
.text C:\WINDOWS\system32\svchost.exe[724] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009D0F4A
.text C:\WINDOWS\system32\svchost.exe[724] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A5002F
.text C:\WINDOWS\system32\svchost.exe[724] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A5005B
.text C:\WINDOWS\system32\svchost.exe[724] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A50FD4
.text C:\WINDOWS\system32\svchost.exe[724] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A5000A
.text C:\WINDOWS\system32\svchost.exe[724] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A50F9E
.text C:\WINDOWS\system32\svchost.exe[724] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A50FEF
.text C:\WINDOWS\system32\svchost.exe[724] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A5004A
.text C:\WINDOWS\system32\svchost.exe[724] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A50FC3
.text C:\WINDOWS\system32\svchost.exe[724] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A00FB9
.text C:\WINDOWS\system32\svchost.exe[724] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A00FCA
.text C:\WINDOWS\system32\svchost.exe[724] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A0003A
.text C:\WINDOWS\system32\svchost.exe[724] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A0000C
.text C:\WINDOWS\system32\svchost.exe[724] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A00FE5
.text C:\WINDOWS\system32\svchost.exe[724] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A0001D
.text C:\WINDOWS\system32\svchost.exe[724] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009F0FE5
.text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00D00FE5
.text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00D00011
.text C:\WINDOWS\system32\svchost.exe[848] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D00000
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CB0FEF
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CB00A4
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CB0089
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CB006C
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CB005B
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CB0040
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CB0F77
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CB0F94
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!CreateProcessW 7C802336 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CB0F3A
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CB0F4B
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CB00EE
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CB0FB9
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CB0FD4
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CB00B5
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CB0025
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CB0014
.text C:\WINDOWS\system32\svchost.exe[848] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CB0F66
.text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FE0036
.text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FE005B
.text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FE001B
.text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FE0F9E
.text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FE0FE5
.text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00FE0FB9
.text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1E, 89]
.text C:\WINDOWS\system32\svchost.exe[848] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FE0FCA
.text C:\WINDOWS\system32\svchost.exe[848] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FD004B
.text C:\WINDOWS\system32\svchost.exe[848] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FD0FC0
.text C:\WINDOWS\system32\svchost.exe[848] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FD0029
.text C:\WINDOWS\system32\svchost.exe[848] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FD000C
.text C:\WINDOWS\system32\svchost.exe[848] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FD003A
.text C:\WINDOWS\system32\svchost.exe[848] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FD0FEF
.text C:\WINDOWS\system32\svchost.exe[848] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FC0FE5
.text C:\WINDOWS\system32\svchost.exe[1172] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes JMP 0091000A
.text C:\WINDOWS\system32\svchost.exe[1172] ntdll.dll!NtCreateFile + 4 7C90D0B2 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[1172] ntdll.dll!NtCreateProcess 7C90D14E 3 Bytes JMP 00910025
.text C:\WINDOWS\system32\svchost.exe[1172] ntdll.dll!NtCreateProcess + 4 7C90D152 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[1172] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 00910FEF
.text C:\WINDOWS\system32\svchost.exe[1172] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00900FEF
.text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00900082
.text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00900F8D
.text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00900F9E
.text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0090005B
.text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00900FB9
.text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009000A4
.text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00900F68
.text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009000F5
.text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009000E4
.text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00900F41
.text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00900040
.text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00900000
.text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00900093
.text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00900025
.text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00900FD4
.text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009000C9
.text C:\WINDOWS\system32\svchost.exe[1172] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BF002F
.text C:\WINDOWS\system32\svchost.exe[1172] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BF0F83
.text C:\WINDOWS\system32\svchost.exe[1172] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BF001E
.text C:\WINDOWS\system32\svchost.exe[1172] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BF0FDE
.text C:\WINDOWS\system32\svchost.exe[1172] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BF0F9E
.text C:\WINDOWS\system32\svchost.exe[1172] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\svchost.exe[1172] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BF0040
.text C:\WINDOWS\system32\svchost.exe[1172] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BF0FC3
.text C:\WINDOWS\system32\svchost.exe[1172] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BE0FB7
.text C:\WINDOWS\system32\svchost.exe[1172] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BE0038
.text C:\WINDOWS\system32\svchost.exe[1172] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BE0027
.text C:\WINDOWS\system32\svchost.exe[1172] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\svchost.exe[1172] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BE0FC8
.text C:\WINDOWS\system32\svchost.exe[1172] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BE0FE3
.text C:\WINDOWS\system32\svchost.exe[1172] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 0092000A
.text C:\WINDOWS\system32\svchost.exe[1172] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00920FEF
.text C:\WINDOWS\system32\svchost.exe[1172] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00920FCA
.text C:\WINDOWS\system32\svchost.exe[1172] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 0092001B
.text C:\WINDOWS\system32\svchost.exe[1172] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00930000
.text C:\WINDOWS\system32\SearchIndexer.exe[1268] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\system32\services.exe[1948] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[1948] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0005002C
.text C:\WINDOWS\system32\services.exe[1948] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0005001B
.text C:\WINDOWS\system32\services.exe[1948] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\services.exe[1948] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00040F6D
.text C:\WINDOWS\system32\services.exe[1948] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00040F7E
.text C:\WINDOWS\system32\services.exe[1948] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00040058
.text C:\WINDOWS\system32\services.exe[1948] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00040F9B
.text C:\WINDOWS\system32\services.exe[1948] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0004003D
.text C:\WINDOWS\system32\services.exe[1948] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 000400AB
.text C:\WINDOWS\system32\services.exe[1948] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0004009A
.text C:\WINDOWS\system32\services.exe[1948] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00040F1C
.text C:\WINDOWS\system32\services.exe[1948] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00040F2D
.text C:\WINDOWS\system32\services.exe[1948] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00040F0B
.text C:\WINDOWS\system32\services.exe[1948] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00040FAC
.text C:\WINDOWS\system32\services.exe[1948] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00040FE5
.text C:\WINDOWS\system32\services.exe[1948] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0004007D
.text C:\WINDOWS\system32\services.exe[1948] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0004002C
.text C:\WINDOWS\system32\services.exe[1948] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0004001B
.text C:\WINDOWS\system32\services.exe[1948] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00040F48
.text C:\WINDOWS\system32\services.exe[1948] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E20036
.text C:\WINDOWS\system32\services.exe[1948] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E20FA5
.text C:\WINDOWS\system32\services.exe[1948] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E20FDB
.text C:\WINDOWS\system32\services.exe[1948] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E20011
.text C:\WINDOWS\system32\services.exe[1948] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E20FB6
.text C:\WINDOWS\system32\services.exe[1948] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E20000
.text C:\WINDOWS\system32\services.exe[1948] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E20062
.text C:\WINDOWS\system32\services.exe[1948] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E20051
.text C:\WINDOWS\system32\services.exe[1948] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00070F92
.text C:\WINDOWS\system32\services.exe[1948] msvcrt.dll!system 77C293C7 5 Bytes JMP 00070FB7
.text C:\WINDOWS\system32\services.exe[1948] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00070FD2
.text C:\WINDOWS\system32\services.exe[1948] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[1948] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00070027
.text C:\WINDOWS\system32\services.exe[1948] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0007000C
.text C:\WINDOWS\system32\services.exe[1948] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\lsass.exe[1960] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00DC0000
.text C:\WINDOWS\system32\lsass.exe[1960] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00DC0FCA
.text C:\WINDOWS\system32\lsass.exe[1960] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DC0FE5
.text C:\WINDOWS\system32\lsass.exe[1960] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DB0FEF
.text C:\WINDOWS\system32\lsass.exe[1960] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DB0F83
.text C:\WINDOWS\system32\lsass.exe[1960] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DB0078
.text C:\WINDOWS\system32\lsass.exe[1960] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DB005B
.text C:\WINDOWS\system32\lsass.exe[1960] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DB0F9E
.text C:\WINDOWS\system32\lsass.exe[1960] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DB0025
.text C:\WINDOWS\system32\lsass.exe[1960] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DB0F41
.text C:\WINDOWS\system32\lsass.exe[1960] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DB0F68
.text C:\WINDOWS\system32\lsass.exe[1960] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DB0F15
.text C:\WINDOWS\system32\lsass.exe[1960] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DB00A4
.text C:\WINDOWS\system32\lsass.exe[1960] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DB0F04
.text C:\WINDOWS\system32\lsass.exe[1960] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DB0036
.text C:\WINDOWS\system32\lsass.exe[1960] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DB0FCA
.text C:\WINDOWS\system32\lsass.exe[1960] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DB0093
.text C:\WINDOWS\system32\lsass.exe[1960] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DB0014
.text C:\WINDOWS\system32\lsass.exe[1960] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DB0FB9
.text C:\WINDOWS\system32\lsass.exe[1960] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DB0F26
.text C:\WINDOWS\system32\lsass.exe[1960] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F90FCD
.text C:\WINDOWS\system32\lsass.exe[1960] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F90065
.text C:\WINDOWS\system32\lsass.exe[1960] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F90FDE
.text C:\WINDOWS\system32\lsass.exe[1960] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F9000A
.text C:\WINDOWS\system32\lsass.exe[1960] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F90FA8
.text C:\WINDOWS\system32\lsass.exe[1960] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F90FEF
.text C:\WINDOWS\system32\lsass.exe[1960] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F90054
.text C:\WINDOWS\system32\lsass.exe[1960] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F90043
.text C:\WINDOWS\system32\lsass.exe[1960] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DE0F8B
.text C:\WINDOWS\system32\lsass.exe[1960] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DE0020
.text C:\WINDOWS\system32\lsass.exe[1960] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DE0FB7
.text C:\WINDOWS\system32\lsass.exe[1960] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DE0FE3
.text C:\WINDOWS\system32\lsass.exe[1960] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DE0FA6
.text C:\WINDOWS\system32\lsass.exe[1960] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DE0FD2
.text C:\WINDOWS\system32\lsass.exe[1960] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DD0FEF
.text C:\WINDOWS\explorer.exe[5040] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00090000
.text C:\WINDOWS\explorer.exe[5040] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0009001B
.text C:\WINDOWS\explorer.exe[5040] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00090FE5
.text C:\WINDOWS\explorer.exe[5040] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0FE5
.text C:\WINDOWS\explorer.exe[5040] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0F7E
.text C:\WINDOWS\explorer.exe[5040] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0F8F
.text C:\WINDOWS\explorer.exe[5040] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0073
.text C:\WINDOWS\explorer.exe[5040] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0062
.text C:\WINDOWS\explorer.exe[5040] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B002C
.text C:\WINDOWS\explorer.exe[5040] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B00A4
.text C:\WINDOWS\explorer.exe[5040] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0F52
.text C:\WINDOWS\explorer.exe[5040] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0F26
.text C:\WINDOWS\explorer.exe[5040] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B0F37
.text C:\WINDOWS\explorer.exe[5040] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B00D0
.text C:\WINDOWS\explorer.exe[5040] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B0047
.text C:\WINDOWS\explorer.exe[5040] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B0FCA
.text C:\WINDOWS\explorer.exe[5040] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B0F63
.text C:\WINDOWS\explorer.exe[5040] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B001B
.text C:\WINDOWS\explorer.exe[5040] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B0000
.text C:\WINDOWS\explorer.exe[5040] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B00B5
.text C:\WINDOWS\explorer.exe[5040] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A0022
.text C:\WINDOWS\explorer.exe[5040] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A0F80
.text C:\WINDOWS\explorer.exe[5040] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A0011
.text C:\WINDOWS\explorer.exe[5040] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A0FE5
.text C:\WINDOWS\explorer.exe[5040] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002A003D
.text C:\WINDOWS\explorer.exe[5040] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002A0000
.text C:\WINDOWS\explorer.exe[5040] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002A0FA5
.text C:\WINDOWS\explorer.exe[5040] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4A, 88]
.text C:\WINDOWS\explorer.exe[5040] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002A0FC0
.text C:\WINDOWS\explorer.exe[5040] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002B005D
.text C:\WINDOWS\explorer.exe[5040] msvcrt.dll!system 77C293C7 5 Bytes JMP 002B0042
.text C:\WINDOWS\explorer.exe[5040] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002B0FD2
.text C:\WINDOWS\explorer.exe[5040] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002B0FE3
.text C:\WINDOWS\explorer.exe[5040] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002B0027
.text C:\WINDOWS\explorer.exe[5040] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002B0000
.text C:\WINDOWS\explorer.exe[5040] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 002D0FEF
.text C:\WINDOWS\explorer.exe[5040] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 002D0000
.text C:\WINDOWS\explorer.exe[5040] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 002D0FCA
.text C:\WINDOWS\explorer.exe[5040] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 002D0FAF
.text C:\WINDOWS\explorer.exe[5040] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EB0FEF
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[660] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [00407740] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[660] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [004077A0] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesProcessed 403
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesSuccessful 352
---- EOF - GMER 1.0.15 ----
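The hook list above is raw GMER output, and reading two hundred near-identical `.text` lines by eye is where triage usually goes wrong. Below is an added Python script (not GMER's code and not the helper's) that parses those lines, keeps the `+ N` continuation rows attached to the hook they belong to, and splits each process's hooks into ones GMER attributed to a named module (the `MSSRCH.DLL` entry) and ones whose JMP target GMER could not map; the sample lines are copied from the log above, and the 64 KiB region grouping is my own choice for showing how many trampoline allocations sit behind the targets.

```python
"""Triage user-mode inline hooks from a GMER log (added example, not GMER's code).

GMER prints each user-mode hook as
    .text <process>[pid] <module>!<export>[ + off] <addr> <n> Byte(s) JMP <target> [<owner> (<desc>)]
A trailing "<owner> (<desc>)" means GMER mapped the JMP target to a loaded module;
when it is missing, the hook lands in memory GMER could not attribute.
"""
import re
from collections import defaultdict

# Sample lines copied from the log above (constructed subset for the demo).
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00900FEF
.text C:\WINDOWS\system32\svchost.exe[1172] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BF002F
.text C:\WINDOWS\system32\svchost.exe[1172] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00930000
.text C:\WINDOWS\system32\SearchIndexer.exe[1268] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\explorer.exe[5040] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002A0FA5
.text C:\WINDOWS\explorer.exe[5040] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4A, 88]
.text C:\WINDOWS\explorer.exe[5040] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 002D0FAF
---- User IAT/EAT - GMER 1.0.15 ----
"""

HOOK_RE = re.compile(
    r"^\.text (?P<process>.+?)\[(?P<pid>\d+)\] "
    r"(?P<module>[^!\s]+)!(?P<export>\S+)(?: \+ (?P<offset>\d+))? "
    r"(?P<addr>[0-9A-F]{8}) (?P<size>\d+) Bytes? "
    r"(?:JMP (?P<target>[0-9A-F]{8})|\[(?P<raw>[^\]]+)\])"
    r"(?: (?P<owner>.+?) \((?P<desc>[^)]*)\))?\s*$"
)


def parse_gmer_hooks(log_text):
    """Return one dict per '.text' hook line; other GMER sections are skipped."""
    hooks = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["pid"] = int(d["pid"])
        d["size"] = int(d["size"])
        # A "+ N" row is the tail of a split patch, not a separate hook.
        d["continuation"] = d["offset"] is not None
        hooks.append(d)
    return hooks


def triage(hooks):
    """Per process: hook count, attributed owners, unattributed APIs and the
    64 KiB regions the unattributed JMP targets fall into."""
    summary = defaultdict(
        lambda: {"hooks": 0, "unattributed": [], "attributed": {}, "regions": set()}
    )
    for h in hooks:
        if h["continuation"]:
            continue
        entry = summary[f'{h["process"]}[{h["pid"]}]']
        entry["hooks"] += 1
        api = f'{h["module"]}!{h["export"]}'
        if h["target"] is None:
            continue
        if h["owner"]:
            entry["attributed"][api] = h["owner"]
        else:
            entry["unattributed"].append(api)
            entry["regions"].add(int(h["target"], 16) & 0xFFFF0000)
    return dict(summary)


def report(summary):
    """Render the triage as text, one block per process."""
    lines = []
    for proc, e in sorted(summary.items()):
        regions = ", ".join(f"{r:08X}" for r in sorted(e["regions"]))
        lines.append(
            f"{proc}: {e['hooks']} hooks, {len(e['unattributed'])} unattributed "
            f"(trampoline regions: {regions or 'none'})"
        )
        for api, owner in e["attributed"].items():
            lines.append(f"  attributed   {api} -> {owner}")
        for api in e["unattributed"]:
            lines.append(f"  UNATTRIBUTED {api}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(parse_gmer_hooks(SAMPLE_LOG))))
```

Run on the full log, the script shows what the eye misses: every listed process (both svchost instances, services.exe, lsass.exe, explorer.exe) carries the same set of file, process, registry, socket and WinINet hooks, each DLL's hooks landing in its own 64 KiB region. A uniform, product-shaped set like that is the kind of thing a host security suite installs (this machine runs McAfee components, visible under Devices), so an unattributed entry is a lead for attribution, not a verdict; the entries worth chasing are the ones that break the pattern, which is exactly what the per-process counts and region lists make visible.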
tootall99
27 Posts
0
June 25th, 2011 22:00
By the way, it seemed like the redirects had stopped after the Combofix, but the most recent one I tried was redirected. So the problem still exists.
gahixon1
62 Posts
0
June 26th, 2011 10:00
Hi Tootall99,
It seems that your problem is very well hidden indeed. I'd next like you to run a CF script from a tool we have just used, then another rootkit scanning tool. It is imperative that you tell me if the redirects have stopped at any point, as this will be a strong indication that the bulk of the infection has been removed.
Let's see if MBAM will find anything. Combofix sometimes allows MBAM to run more effectively by unhiding certain nasties.
As follows, please.
Step 1
MBAM Quick Scan
1. Open MBAM and click on the Settings tab. Be sure there is a check at "Automatically save log file after scan completes."
2. Click on the Update tab and then on the "Check for Updates" button.
3. Click the Scanner tab and select "Perform quick scan," then click Scan.
4. Copy and paste the log here.
Step 2
CFScript
Please open Notepad and copy/paste this code into the notepad: Quote:
Save this as CFScript.txt and change the 'Save as type' to 'All Files' and place it on your desktop. Make sure your AV is disabled while we do this.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
Step 3
AswMBR
You could be infected with a new variant of the TDL Rootkit. Please follow these instructions exactly as written.
Please DO NOT click any fix button until instructed to do so by your analyst. Failure to comply with this may result in an unbootable system.
Please download the Avast ASWMBR.exe Anti-Rootkit Tool and save it to your Desktop.
Please DO NOT copy/paste the contents of the .dat file as it will become unreadable.
In your next reply:
MBAM.txt
Combofix.txt
AswMBR.txt
Have the redirects stopped?