
ComboFix log 2


electricpete (Technical User) | Oct 1, 2002 | 289 | US
My computer is a Windows Vista machine. It was taken over by a fake anti-virus called Vista Security or something like that. All attempts at removal were unsuccessful, so I ran ComboFix.

I actually ran ComboFix twice, and both logs are posted below.

The first time I ran ComboFix, at certain steps I got errors that I could not complete certain activities due to lack of administrator privileges.

The second time, I ran it by right-clicking and selecting "run as administrator". The results seemed roughly the same (still got errors about administrator privileges, and it still ran to completion).

My question: Do you recommend any actions based on results of these ComboFix logs below?

First ComboFix Log said:
ComboFix 11-04-15.06 - admin 04/16/2011 22:21:42.1.1 - x86 MINIMAL
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.1918.1431 [GMT -5:00]
Running from: E:\ComboFix.exe
AV: RULE_COMPONENT_MNM *Disabled/Outdated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: RULE_COMPONENT_MNM *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: RULE_COMPONENT_MNM *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\26205960.exe
c:\programdata\43179784.exe
c:\programdata\AIAkiwgpWK.exe
c:\users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Repair
c:\users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Repair\Uninstall Windows Repair.lnk
c:\users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Repair\Windows Repair.lnk
c:\users\admin\Desktop\Windows Repair.lnk
c:\windows\system32\config\systemprofile\wuaucldt.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\null0.8717782285845986.exe
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\wuaucldt.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-03-17 to 2011-04-17 )))))))))))))))))))))))))))))))
.
.
2011-04-17 03:25 . 2011-04-17 03:25 -------- d-----w- c:\users\admin\AppData\Local\temp
2011-04-17 03:25 . 2011-04-17 03:25 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-01 14:32 . 2011-04-01 14:32 -------- d-----w- C:\Windows Repair
2011-03-28 19:00 . 2011-03-28 19:00 119296 --sha-r- c:\windows\system32\itirclh.dll
2011-03-27 00:42 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-27 00:42 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-26 01:35 . 2011-03-26 01:35 -------- d--h--w- c:\program files\MalwarebytesAntiMalware2
2011-03-26 00:08 . 2011-03-26 00:08 -------- d--h--w- c:\users\admin\AppData\Roaming\Malwarebytes
2011-03-26 00:08 . 2011-03-26 00:08 -------- d--h--w- c:\programdata\Malwarebytes
2011-03-26 00:08 . 2011-03-26 00:08 -------- d--h--w- c:\program files\Malwarebytes' Anti-Malware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-23 22:25 . 2009-11-24 22:06 119808 ---ha-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-21 2153472]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-14 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13535776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 92704]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-23 6183456]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware6\mbam.exe" [2010-12-20 963976]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Play Wireless USB Adapter Utility.lnk - c:\program files\Belkin\F7D4101\V1\PBN.exe [2009-11-25 110592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 ETService;Empowering Technology Service;c:\program files\EMACHINES\eMachines Recovery Management\Service\ETService.exe [2008-06-11 24576]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 135664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-23 203280]
R2 WLANBelkinService;Belkin WLAN service;c:\program files\Belkin\F7D4101\V1\wlansrv.exe [2009-12-28 36864]
R3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\DRIVERS\athrusb.sys [2008-07-29 904192]
R3 BCMH43XX;N+ Wireless USB Adapter Driver;c:\windows\system32\DRIVERS\bcmwlhigh6.sys [2009-11-06 699896]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-06-23 30192]
R3 STSService;STSService;c:\program files\SoundTaxi Media Suite\STSService.exe [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ECACHE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 03:33]
.
2011-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 03:33]
.
2011-02-12 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2011-02-11 18:22]
.
2011-02-12 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2011-02-11 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: ataretail.com
Trusted Zone: bdsmktg.com\ic
Trusted Zone: claops.com\www
Trusted Zone: clareps.com\intranet
Trusted Zone: fgxi.com\ross
Trusted Zone: intersourcing.com\
Trusted Zone: jcprewards.com\www
Trusted Zone: paychex.com\eservices
FF - ProfilePath - c:\users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\0a5p0b5b.default\
.
.
------- File Associations -------
.
exefile="c:\windows\system32\config\systemprofile\AppData\Local\qca.exe" -a "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-AIAkiwgpWK - c:\programdata\AIAkiwgpWK.exe
HKCU-Run-Regedit32 - c:\windows\system32\regedit.exe
HKLM-RunOnce-<NO NAME> - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, Rootkit scan 2011-04-16 22:25
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-04-16 22:27:01
ComboFix-quarantined-files.txt 2011-04-17 03:26
.
Pre-Run: 92,754,616,320 bytes free
Post-Run: 93,978,804,224 bytes free
.
- - End Of File - - 19B61BA8653D76E4723D4109A3FE8409
Second ComboFix Log said:
ComboFix 11-04-15.06 - admin 04/16/2011 22:30:33.1.1 - x86 MINIMAL
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.1918.1277 [GMT -5:00]
Running from: C:\ComboFix.exe
AV: RULE_COMPONENT_MNM *Disabled/Outdated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: RULE_COMPONENT_MNM *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: RULE_COMPONENT_MNM *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-03-17 to 2011-04-17 )))))))))))))))))))))))))))))))
.
.
2011-04-17 03:32 . 2011-04-17 03:32 -------- d-----w- c:\users\admin\AppData\Local\temp
2011-04-17 03:32 . 2011-04-17 03:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-01 14:32 . 2011-04-01 14:32 -------- d-----w- C:\Windows Repair
2011-03-28 19:00 . 2011-03-28 19:00 119296 --sha-r- c:\windows\system32\itirclh.dll
2011-03-27 00:42 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-27 00:42 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-26 01:35 . 2011-03-26 01:35 -------- d-----w- c:\program files\MalwarebytesAntiMalware2
2011-03-26 00:08 . 2011-03-26 00:08 -------- d-----w- c:\users\admin\AppData\Roaming\Malwarebytes
2011-03-26 00:08 . 2011-03-26 00:08 -------- d-----w- c:\programdata\Malwarebytes
2011-03-26 00:08 . 2011-03-26 00:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-23 22:25 . 2009-11-24 22:06 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-21 2153472]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-14 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13535776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 92704]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-23 6183456]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware6\mbam.exe" [2010-12-20 963976]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Play Wireless USB Adapter Utility.lnk - c:\program files\Belkin\F7D4101\V1\PBN.exe [2009-11-25 110592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 ETService;Empowering Technology Service;c:\program files\EMACHINES\eMachines Recovery Management\Service\ETService.exe [2008-06-11 24576]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 135664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-23 203280]
R2 WLANBelkinService;Belkin WLAN service;c:\program files\Belkin\F7D4101\V1\wlansrv.exe [2009-12-28 36864]
R3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\DRIVERS\athrusb.sys [2008-07-29 904192]
R3 BCMH43XX;N+ Wireless USB Adapter Driver;c:\windows\system32\DRIVERS\bcmwlhigh6.sys [2009-11-06 699896]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-06-23 30192]
R3 STSService;STSService;c:\program files\SoundTaxi Media Suite\STSService.exe [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ECACHE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 03:33]
.
2011-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 03:33]
.
2011-02-12 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2011-02-11 18:22]
.
2011-02-12 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2011-02-11 18:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: ataretail.com
Trusted Zone: bdsmktg.com\ic
Trusted Zone: claops.com\www
Trusted Zone: clareps.com\intranet
Trusted Zone: fgxi.com\ross
Trusted Zone: intersourcing.com\
Trusted Zone: jcprewards.com\www
Trusted Zone: paychex.com\eservices
FF - ProfilePath - c:\users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\0a5p0b5b.default\
.
.
------- File Associations -------
.
exefile="c:\windows\system32\config\systemprofile\AppData\Local\qca.exe" -a "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-RunOnce-<NO NAME> - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, Rootkit scan 2011-04-16 22:32
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-04-16 22:33:57
ComboFix-quarantined-files.txt 2011-04-17 03:33
ComboFix2.txt 2011-04-17 03:27
.
Pre-Run: 94,033,887,232 bytes free
Post-Run: 94,002,577,408 bytes free
.
- - End Of File - - 48E334A4D1BC32D2664A118CF2BA9BDF
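The line in both logs that deserves attention first is under "File Associations": exefile="c:\windows\system32\config\systemprofile\AppData\Local\qca.exe" -a "%1" %*. The stock Windows handler for .exe launches is "%1" %*, so with that value every program the user starts is routed through qca.exe first, which is how this family of fake anti-virus keeps control even after its visible components are deleted. The Python script below is an added example, not code from this thread or from the ComboFix tool; it parses the plain-text layout visible in the posted logs (section banners wrapped in parentheses or dashes, AV:/FW:/SP: status lines, a "File Associations" section, an "ORPHANS REMOVED" section) and pulls out the security-relevant items: a non-default exefile handler, security products reported as Disabled, AppInit_DLLs entries, orphaned Run keys, and the binaries ComboFix removed (worth keeping as indicators when checking other machines). SAMPLE_LOG is a constructed excerpt assembled from lines of the kind seen in the posted log; the product names in it are placeholders.

```python
"""Triage a ComboFix-style log for the findings that matter most.

Added example, not code from the thread or from ComboFix. It assumes the
plain-text layout seen in the posted logs (banners, AV:/FW:/SP: lines,
"File Associations" and "ORPHANS REMOVED" sections).
"""
import re

# Constructed excerpt assembled from lines of the kind seen in the posted log.
SAMPLE_LOG = r"""ComboFix 11-04-15.06 - admin 04/16/2011 22:21:42.1.1 - x86 MINIMAL
AV: ExampleAV *Disabled/Outdated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: ExampleFW *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: ExampleSP *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
((((((((((((((((((((( Other Deletions )))))))))))))))))))))
.
c:\programdata\26205960.exe
c:\programdata\AIAkiwgpWK.exe
c:\users\admin\Desktop\Windows Repair.lnk
c:\windows\system32\config\systemprofile\wuaucldt.exe
c:\windows\system32\drivers\npf.sys
.
((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL
.
------- File Associations -------
.
exefile="c:\windows\system32\config\systemprofile\AppData\Local\qca.exe" -a "%1" %*
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-AIAkiwgpWK - c:\programdata\AIAkiwgpWK.exe
HKCU-Run-Regedit32 - c:\windows\system32\regedit.exe
HKLM-RunOnce-<NO NAME> - (no file)
"""

BANNER = re.compile(r'^(?:\({3,}|-{3,}|(?:- ){3,})\s*(.+?)\s*(?:\){3,}|-{3,}|(?: -){3,})$')
PRODUCT = re.compile(r'^(AV|FW|SP): (.+?) \*([^*]+)\*')
ORPHAN = re.compile(r'^(HK\w+)-(\w+)-(.+?) - (.+)$')
DEFAULT_EXEFILE = '"%1" %*'   # stock Windows handler for .exe launches


def split_sections(text):
    """Map section title -> content lines; pre-banner lines go under 'Header'."""
    sections, current = {"Header": []}, "Header"
    for raw in text.splitlines():
        line = raw.strip()
        m = BANNER.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and line != ".":
            sections[current].append(line)
    return sections


def exefile_handler(sections):
    """Return (handler, is_default); anything but "%1" %* means every
    .exe launch is routed through another binary first."""
    for line in sections.get("File Associations", []):
        if line.startswith("exefile="):
            value = line[len("exefile="):]
            return value, value == DEFAULT_EXEFILE
    return None, True   # not reported by the log


def disabled_products(sections):
    hits = (PRODUCT.match(l) for l in sections.get("Header", []))
    return [m.groups() for m in hits if m and "Disabled" in m.group(3)]


def appinit_dlls(sections):
    for line in sections.get("Reg Loading Points", []):
        if line.startswith('"AppInit_DLLs"='):
            return [p for p in line.split("=", 1)[1].split(",") if p]
    return []


def orphaned_autoruns(sections):
    return [m.groups() for m in map(ORPHAN.match, sections.get("ORPHANS REMOVED", [])) if m]


def deleted_binaries(sections):
    return [l for l in sections.get("Other Deletions", [])
            if l.lower().endswith((".exe", ".dll", ".sys"))]


def triage(text):
    """Ordered list of findings, most urgent first."""
    s = split_sections(text)
    handler, is_default = exefile_handler(s)
    findings = []
    if not is_default:
        findings.append(f"exefile handler hijacked: .exe launches go through {handler}")
    findings += [f"{k} {n} reported {st}" for k, n, st in disabled_products(s)]
    findings += [f"AppInit_DLLs loads {d} into every user32 process" for d in appinit_dlls(s)]
    findings += [f"orphaned {h}\\{k} entry {n} -> {t}" for h, k, n, t in orphaned_autoruns(s)]
    findings += [f"removed binary, carry forward as IOC: {p}" for p in deleted_binaries(s)]
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Two caveats when reading the output against these particular logs. First, the exefile line is present in the second log too, so ComboFix reported the hijacked handler but the log gives no evidence it reset it; that association is the thing to verify by hand before trusting any "symptoms are gone" result. Second, a deletions list is a lead, not proof: the WinPcap components removed in the first run (npf.sys, Packet.dll, wpcap.dll, pthreadVC.dll) reappear in the later DDS log as the R2 NPF driver, next to c:\program files\WinPcap and c:\program files\Trend Micro created within a minute of each other on 2011-04-17, so that later copy is most plausibly the Trend Micro RUBotted install rather than a reinfection.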
 
This reads like you need some qualified help. I suggest the Majorgeeks Malware forum; start by reading and following the instructions here. They have no auto-lock of threads after x days of inactivity, and only qualified malware helpers and yourself can post in your topic.

good luck and let us know how it goes :)
 
Those errors are "normal" when running it on Vista. Disregard them. If the PC is running normally again, don't worry.

Actions - I would run a full MBAM scan, followed by:

Run RKILL, GMER and HijackThis (in that order) just to see that any 2nd/3rd/4th opinions don't find any bad stuff.

Then if things are running well, I would turn your system restore OFF and then reboot. Turn it back on again.
 
By the way, thanks Satrow also. I have stumbled onto a similar site, bleepingcomputer. The only problem is that it seems that people have to wait a long time for a response there.
 
Yup, bleeping is very good but it can be slow for malware; excellent site for troubleshooting BSODs though.
 
Plus they EXPLICITLY tell you NOT to run combofix on your own and maintain a "do what I say" attitude if you tell them that you're half way technically competent.

I wouldn't fiddle with them to actually help with malware removal.
 
After completion of ComboFix, most symptoms are gone. Two anomalies remain:
1 - Mozilla Firefox does nothing when double-clicked to launch. Internet Explorer works fine.
2 – Upon startup I get a systray icon labeled “blocked startup programs”. When I right-click and select “show blocked programs”, I get an error message: “Windows Defender… Application failed to initialize 0x80070006. The handle is invalid”
Item 2 may or may not have been present before my infection (I wasn’t paying close attention). Some internet links suggest that McAfee doesn’t coexist well with Windows Defender.

Here is the sequence of stuff done (sorry, not in the order requested):
I let McAfee repair itself, and ran full McAfee virus scan – no problems.
I upgraded Vista to Service Pack 2.
I ran Malwarebytes Anti-Malware, only one item found:
Files Infected: c:\Windows\System32\config\systemprofile\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\URNQL19N\load[4].php (Trojan.Downloader) -> Quarantined and deleted successfully

I ran DDS (results below).
I ran defogger (in prep for GMER)
I ran GMER (results below)
I ran Rkill (results below)
I ran Hijack This (results below)


DDS said:
DDS (Ver_11-03-05.01) - NTFSx86
Run by admin at 14:52:44.54 on Sun 04/17/2011
Internet Explorer: 8.0.6001.19048 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1918.931 [GMT -5:00]
.
AV: product_keys/key *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: product_keys/key *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: product_keys/key *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\rundll32.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Belkin\F7D4101\V1\PBN.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Windows\system32\rundll32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Belkin\F7D4101\V1\wlansrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10d.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\admin\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware6\mbam.exe" /runcleanupscript
mRun: [Trend Micro RUBotted V2.0 Beta] c:\program files\trend micro\rubotted\RUBottedGUI.exe
mRun: [Skytel] Skytel.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\playwi~1.lnk - c:\program files\belkin\f7d4101\v1\PBN.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: HideSCAHealth = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: ataretail.com
Trusted Zone: bdsmktg.com\ic
Trusted Zone: claops.com\www
Trusted Zone: clareps.com\intranet
Trusted Zone: fgxi.com\ross
Trusted Zone: intersourcing.com\
Trusted Zone: jcprewards.com\www
Trusted Zone: paychex.com\eservices
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://bdsmarketing.webex.com/client/T27L/nbr/ieatgpc1.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\admin\appdata\roaming\mozilla\firefox\profiles\0a5p0b5b.default\
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-6-14 386840]
R2 ETService;Empowering Technology Service;c:\program files\emachines\emachines recovery management\service\ETService.exe [2009-3-27 24576]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2011-2-11 203280]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2011-2-11 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2011-2-11 144704]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\RUBotSrv.exe [2011-4-17 439632]
R2 WLANBelkinService;Belkin WLAN service;c:\program files\belkin\f7d4101\v1\wlansrv.exe [2009-12-28 36864]
R3 BCMH43XX;N+ Wireless USB Adapter Driver;c:\windows\system32\drivers\bcmwlhigh6.sys [2009-11-6 699896]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2011-2-11 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-2-11 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-2-11 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2011-2-11 40552]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]
S3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\drivers\athrusb.sys [2008-7-29 904192]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-1-19 30192]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2011-2-11 34248]
S3 STSService;STSService;"c:\program files\soundtaxi media suite\stsservice.exe" --> c:\program files\soundtaxi media suite\STSService.exe [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-04-17 17:18:38 -------- d-----w- c:\windows\system32\eu-ES
2011-04-17 17:18:38 -------- d-----w- c:\windows\system32\ca-ES
2011-04-17 17:18:36 -------- d-----w- c:\windows\system32\vi-VN
2011-04-17 16:38:02 12240896 ----a-w- c:\windows\system32\NlsLexicons0007.dll
2011-04-17 16:36:59 450560 ----a-w- c:\windows\system32\comdlg32.dll
2011-04-17 16:35:42 83968 ----a-w- c:\windows\system32\wbem\wmiutils.dll
2011-04-17 16:35:42 744448 ----a-w- c:\windows\system32\wbem\wbemcore.dll
2011-04-17 16:35:42 614912 ----a-w- c:\windows\system32\wbem\fastprox.dll
2011-04-17 16:35:42 30208 ----a-w- c:\windows\system32\wbem\wbemprox.dll
2011-04-17 16:35:42 265728 ----a-w- c:\windows\system32\wbem\repdrvfs.dll
2011-04-17 16:35:42 265728 ----a-w- c:\windows\system32\wbem\esscli.dll
2011-04-17 16:35:42 189440 ----a-w- c:\windows\system32\wbem\mofd.dll
2011-04-17 16:35:39 705536 ----a-w- c:\windows\system32\SmiEngine.dll
2011-04-17 16:35:35 218624 ----a-w- c:\windows\system32\wdscore.dll
2011-04-17 16:35:35 130560 ----a-w- c:\windows\system32\PkgMgr.exe
2011-04-17 16:35:21 247808 ----a-w- c:\windows\system32\drvstore.dll
2011-04-17 06:46:42 -------- d-----w- c:\progra~2\Trend Micro
2011-04-17 05:56:57 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-04-17 05:56:56 25088 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-04-17 05:56:45 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-04-17 05:51:31 -------- d-----w- c:\program files\WinPcap
2011-04-17 05:50:32 -------- d-----w- c:\program files\Trend Micro
2011-04-17 03:33:58 -------- d-----w- c:\users\admin\appdata\local\temp
2011-04-17 03:33:36 -------- d-sh--w- C:\$RECYCLE.BIN
2011-04-17 03:30:04 -------- d-----w- C:\ComboFix
2011-04-17 03:29:28 4322776 ----a-r- C:\ComboFix.exe
2011-04-17 03:18:41 98816 ----a-w- c:\windows\sed.exe
2011-04-17 03:18:41 89088 ----a-w- c:\windows\MBR.exe
2011-04-17 03:18:41 256512 ----a-w- c:\windows\PEV.exe
2011-04-17 03:18:41 161792 ----a-w- c:\windows\SWREG.exe
2011-04-01 14:32:47 -------- d-----w- C:\Windows Repair
2011-03-28 19:00:33 119296 --sha-r- c:\windows\system32\itirclh.dll
2011-03-27 00:42:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-27 00:42:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-27 00:42:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware6
2011-03-26 23:11:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware5
2011-03-26 21:50:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware4
2011-03-26 20:51:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware3
2011-03-26 01:35:36 -------- d-----w- c:\program files\MalwarebytesAntiMalware2
2011-03-26 00:08:58 -------- d-----w- c:\users\admin\appdata\roaming\Malwarebytes
2011-03-26 00:08:48 -------- d-----w- c:\progra~2\Malwarebytes
2011-03-26 00:08:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
2011-03-10 17:03:51 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03:51 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:42:03 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 13:25:11 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 06:21:28 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 06:17:08 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 06:16:53 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 06:16:40 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-02-22 06:16:40 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-02-22 05:20:39 385024 ----a-w- c:\windows\system32\html.iec
2011-02-22 04:43:54 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-02-22 04:42:38 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-02-17 06:23:50 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-02-16 16:16:37 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-02-16 14:02:23 292864 ----a-w- c:\windows\system32\atmfd.dll

GMER said:
GMER 1.0.15.15570 - Rootkit scan 2011-04-17 18:01:06
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\00000053 ST316081 rev.4.AA
Running: gmer.exe; Driver: C:\Users\admin\AppData\Local\Temp\pglorpod.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateFile [0x877A20E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x877A2132]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x877A20F4]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x877A20B8]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x877A2161]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x877A2148]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x877A211E]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 82075982 5 Bytes JMP 877A2122 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8BE03340, 0x3D9767, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\services.exe[604] kernel32.dll!GetStartupInfoW 76C91929 5 Bytes JMP 008200A4
.text C:\Windows\system32\services.exe[604] kernel32.dll!GetStartupInfoA 76C919C9 5 Bytes JMP 00820093
.text C:\Windows\system32\services.exe[604] kernel32.dll!CreateProcessW 76C91BF3 5 Bytes JMP 00820F28
.text C:\Windows\system32\services.exe[604] kernel32.dll!CreateProcessA 76C91C28 5 Bytes JMP 00820F43
.text C:\Windows\system32\services.exe[604] kernel32.dll!VirtualProtect 76C91DC3 5 Bytes JMP 00820F83
.text C:\Windows\system32\services.exe[604] kernel32.dll!CreateNamedPipeA 76C92EF5 5 Bytes JMP 00820000
.text C:\Windows\system32\services.exe[604] kernel32.dll!CreateNamedPipeW 76C95C0C 5 Bytes JMP 00820FAF
.text C:\Windows\system32\services.exe[604] kernel32.dll!CreatePipe 76CB8E6E 5 Bytes JMP 00820082
.text C:\Windows\system32\services.exe[604] kernel32.dll!LoadLibraryExW 76CB9109 5 Bytes JMP 00820F94
.text C:\Windows\system32\services.exe[604] kernel32.dll!LoadLibraryW 76CB9362 5 Bytes JMP 00820040
.text C:\Windows\system32\services.exe[604] kernel32.dll!LoadLibraryExA 76CB94B4 5 Bytes JMP 00820051
.text C:\Windows\system32\services.exe[604] kernel32.dll!LoadLibraryA 76CB94DC 5 Bytes JMP 0082001B
.text C:\Windows\system32\services.exe[604] kernel32.dll!VirtualProtectEx 76CBDBDA 5 Bytes JMP 00820F72
.text C:\Windows\system32\services.exe[604] kernel32.dll!GetProcAddress 76CD903B 5 Bytes JMP 008200DA
.text C:\Windows\system32\services.exe[604] kernel32.dll!CreateFileW 76CDAECB 5 Bytes JMP 00820FCA
.text C:\Windows\system32\services.exe[604] kernel32.dll!CreateFileA 76CDCE5F 5 Bytes JMP 00820FE5
.text C:\Windows\system32\services.exe[604] kernel32.dll!WinExec 76D25CF7 5 Bytes JMP 008200B5
.text C:\Windows\system32\services.exe[604] ADVAPI32.dll!RegCreateKeyExA 76FF39AB 5 Bytes JMP 0083005B
.text C:\Windows\system32\services.exe[604] ADVAPI32.dll!RegCreateKeyA 76FF3BA9 5 Bytes JMP 00830040
.text C:\Windows\system32\services.exe[604] ADVAPI32.dll!RegOpenKeyA 76FF89C7 5 Bytes JMP 00830000
.text C:\Windows\system32\services.exe[604] ADVAPI32.dll!RegCreateKeyW 7700391E 5 Bytes JMP 00830FB9
.text C:\Windows\system32\services.exe[604] ADVAPI32.dll!RegCreateKeyExW 770041F1 5 Bytes JMP 00830F94
.text C:\Windows\system32\services.exe[604] ADVAPI32.dll!RegOpenKeyExA 77007C42 5 Bytes JMP 00830FD4
.text C:\Windows\system32\services.exe[604] ADVAPI32.dll!RegOpenKeyW 7700E2B5 5 Bytes JMP 00830FE5
.text C:\Windows\system32\services.exe[604] ADVAPI32.dll!RegOpenKeyExW 77017BA1 5 Bytes JMP 00830025
.text C:\Windows\system32\services.exe[604] msvcrt.dll!_wsystem 76C37F2F 5 Bytes JMP 00240FAD
.text C:\Windows\system32\services.exe[604] msvcrt.dll!system 76C3804B 5 Bytes JMP 00240042
.text C:\Windows\system32\services.exe[604] msvcrt.dll!_creat 76C3BBE1 5 Bytes JMP 00240016
.text C:\Windows\system32\services.exe[604] msvcrt.dll!_open 76C3D106 5 Bytes JMP 00240FEF
.text C:\Windows\system32\services.exe[604] msvcrt.dll!_wcreat 76C3D326 5 Bytes JMP 00240027
.text C:\Windows\system32\services.exe[604] msvcrt.dll!_wopen 76C3D501 5 Bytes JMP 00240FDE
.text C:\Windows\system32\services.exe[604] WS2_32.dll!socket 758D36D1 5 Bytes JMP 001B0000
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!GetStartupInfoW 76C91929 5 Bytes JMP 001300CC
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!GetStartupInfoA 76C919C9 5 Bytes JMP 001300B1
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!CreateProcessW 76C91BF3 5 Bytes JMP 00130F57
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!CreateProcessA 76C91C28 5 Bytes JMP 001300F8
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!VirtualProtect 76C91DC3 5 Bytes JMP 00130FA8
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!CreateNamedPipeA 76C92EF5 5 Bytes JMP 00130FDE
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!CreateNamedPipeW 76C95C0C 5 Bytes JMP 00130025
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!CreatePipe 76CB8E6E 5 Bytes JMP 00130F86
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!LoadLibraryExW 76CB9109 5 Bytes JMP 00130FB9
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!LoadLibraryW 76CB9362 5 Bytes JMP 0013005B
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!LoadLibraryExA 76CB94B4 5 Bytes JMP 0013006C
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!LoadLibraryA 76CB94DC 5 Bytes JMP 00130040
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!VirtualProtectEx 76CBDBDA 5 Bytes JMP 00130F97
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!GetProcAddress 76CD903B 5 Bytes JMP 00130109
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!CreateFileW 76CDAECB 5 Bytes JMP 00130FEF
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!CreateFileA 76CDCE5F 5 Bytes JMP 0013000A
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!WinExec 76D25CF7 5 Bytes JMP 001300DD
.text C:\Windows\system32\lsass.exe[652] ADVAPI32.dll!RegCreateKeyExA 76FF39AB 5 Bytes JMP 0087005B
.text C:\Windows\system32\lsass.exe[652] ADVAPI32.dll!RegCreateKeyA 76FF3BA9 5 Bytes JMP 00870FCA
.text C:\Windows\system32\lsass.exe[652] ADVAPI32.dll!RegOpenKeyA 76FF89C7 5 Bytes JMP 00870000
.text C:\Windows\system32\lsass.exe[652] ADVAPI32.dll!RegCreateKeyW 7700391E 5 Bytes JMP 00870FB9
.text C:\Windows\system32\lsass.exe[652] ADVAPI32.dll!RegCreateKeyExW 770041F1 5 Bytes JMP 00870076
.text C:\Windows\system32\lsass.exe[652] ADVAPI32.dll!RegOpenKeyExA 77007C42 5 Bytes JMP 00870FEF
.text C:\Windows\system32\lsass.exe[652] ADVAPI32.dll!RegOpenKeyW 7700E2B5 5 Bytes JMP 0087001B
.text C:\Windows\system32\lsass.exe[652] ADVAPI32.dll!RegOpenKeyExW 77017BA1 5 Bytes JMP 00870036
.text C:\Windows\system32\lsass.exe[652] msvcrt.dll!_wsystem 76C37F2F 5 Bytes JMP 0012003D
.text C:\Windows\system32\lsass.exe[652] msvcrt.dll!system 76C3804B 5 Bytes JMP 00120FB2
.text C:\Windows\system32\lsass.exe[652] msvcrt.dll!_creat 76C3BBE1 5 Bytes JMP 00120FDE
.text C:\Windows\system32\lsass.exe[652] msvcrt.dll!_open 76C3D106 5 Bytes JMP 0012000C
.text C:\Windows\system32\lsass.exe[652] msvcrt.dll!_wcreat 76C3D326 5 Bytes JMP 00120FCD
.text C:\Windows\system32\lsass.exe[652] msvcrt.dll!_wopen 76C3D501 5 Bytes JMP 00120FEF
.text C:\Windows\system32\lsass.exe[652] WS2_32.dll!socket 758D36D1 5 Bytes JMP 00110000
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!GetStartupInfoW 76C91929 5 Bytes JMP 007B0F07
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!GetStartupInfoA 76C919C9 5 Bytes JMP 007B0F22
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!CreateProcessW 76C91BF3 5 Bytes JMP 007B0EF6
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!CreateProcessA 76C91C28 5 Bytes JMP 007B008D
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!VirtualProtect 76C91DC3 5 Bytes JMP 007B0F4E
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!CreateNamedPipeA 76C92EF5 5 Bytes JMP 007B0FC3
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!CreateNamedPipeW 76C95C0C 5 Bytes JMP 007B0014
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!CreatePipe 76CB8E6E 5 Bytes JMP 007B004D
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!LoadLibraryExW 76CB9109 5 Bytes JMP 007B0F5F
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!LoadLibraryW 76CB9362 5 Bytes JMP 007B0F97
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!LoadLibraryExA 76CB94B4 5 Bytes JMP 007B0F86
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!LoadLibraryA 76CB94DC 5 Bytes JMP 007B0FB2
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!VirtualProtectEx 76CBDBDA 5 Bytes JMP 007B0F3D
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!GetProcAddress 76CD903B 5 Bytes JMP 007B0EDB
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!CreateFileW 76CDAECB 5 Bytes JMP 007B0FD4
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!CreateFileA 76CDCE5F 5 Bytes JMP 007B0FEF
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!WinExec 76D25CF7 5 Bytes JMP 007B0072
.text C:\Windows\system32\svchost.exe[816] msvcrt.dll!_wsystem 76C37F2F 5 Bytes JMP 00210FA6
.text C:\Windows\system32\svchost.exe[816] msvcrt.dll!system 76C3804B 5 Bytes JMP 00210FB7
.text C:\Windows\system32\svchost.exe[816] msvcrt.dll!_creat 76C3BBE1 5 Bytes JMP 0021000C
.text C:\Windows\system32\svchost.exe[816] msvcrt.dll!_open 76C3D106 5 Bytes JMP 00210FEF
.text C:\Windows\system32\svchost.exe[816] msvcrt.dll!_wcreat 76C3D326 5 Bytes JMP 00210031
.text C:\Windows\system32\svchost.exe[816] msvcrt.dll!_wopen 76C3D501 5 Bytes JMP 00210FD2
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegCreateKeyExA 76FF39AB 5 Bytes JMP 007C0054
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegCreateKeyA 76FF3BA9 5 Bytes JMP 007C0FC3
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegOpenKeyA 76FF89C7 5 Bytes JMP 007C0FEF
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegCreateKeyW 7700391E 5 Bytes JMP 007C0FA8
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegCreateKeyExW 770041F1 5 Bytes JMP 007C0065
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegOpenKeyExA 77007C42 5 Bytes JMP 007C0014
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegOpenKeyW 7700E2B5 5 Bytes JMP 007C0FD4
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegOpenKeyExW 77017BA1 5 Bytes JMP 007C002F
.text C:\Windows\system32\svchost.exe[816] WS2_32.dll!socket 758D36D1 5 Bytes JMP 001C0FE5
.text C:\Windows\system32\svchost.exe[888] kernel32.dll!GetStartupInfoW 76C91929 5 Bytes JMP 00160098
.text C:\Windows\system32\svchost.exe[888] kernel32.dll!GetStartupInfoA 76C919C9 5 Bytes JMP 00160F5C
.text C:\Windows\system32\svchost.exe[888] kernel32.dll!CreateProcessW 76C91BF3 5 Bytes JMP 00160F12
.text C:\Windows\system32\svchost.exe[888] kernel32.dll!CreateProcessA 76C91C28 5 Bytes JMP 00160F2D
.text C:\Windows\system32\svchost.exe[888] kernel32.dll!VirtualProtect 76C91DC3 5 Bytes JMP 00160087
.text C:\Windows\system32\svchost.exe[888] kernel32.dll!CreateNamedPipeA 76C92EF5 5 Bytes JMP 0016001B
.text C:\Windows\system32\svchost.exe[888] kernel32.dll!CreateNamedPipeW 76C95C0C 5 Bytes JMP 00160036
.text C:\Windows\system32\svchost.exe[888] kernel32.dll!CreatePipe 76CB8E6E 5 Bytes JMP 00160F77
.text C:\Windows\system32\svchost.exe[888] kernel32.dll!LoadLibraryExW 76CB9109 5 Bytes JMP 00160FA3
.text C:\Windows\system32\svchost.exe[888] kernel32.dll!LoadLibraryW 76CB9362 5 Bytes JMP 00160FD4
.text C:\Windows\system32\svchost.exe[888] kernel32.dll!LoadLibraryExA 76CB94B4 5 Bytes JMP 0016006C
.text C:\Windows\system32\svchost.exe[888] kernel32.dll!LoadLibraryA 76CB94DC 5 Bytes JMP 00160051
.text C:\Windows\system32\svchost.exe[888] kernel32.dll!VirtualProtectEx 76CBDBDA 5 Bytes JMP 00160F88
.text C:\Windows\system32\svchost.exe[888] kernel32.dll!GetProcAddress 76CD903B 5 Bytes JMP 00160F01
.text C:\Windows\system32\svchost.exe[888] kernel32.dll!CreateFileW 76CDAECB 5 Bytes JMP 00160FE5
.text C:\Windows\system32\svchost.exe[888] kernel32.dll!CreateFileA 76CDCE5F 5 Bytes JMP 00160000
.text C:\Windows\system32\svchost.exe[888] kernel32.dll!WinExec 76D25CF7 5 Bytes JMP 001600A9
.text C:\Windows\system32\svchost.exe[888] msvcrt.dll!_wsystem 76C37F2F 5 Bytes JMP 0015003B
.text C:\Windows\system32\svchost.exe[888] msvcrt.dll!system 76C3804B 5 Bytes JMP 00150FB0
.text C:\Windows\system32\svchost.exe[888] msvcrt.dll!_creat 76C3BBE1 5 Bytes JMP 0015000C
.text C:\Windows\system32\svchost.exe[888] msvcrt.dll!_open 76C3D106 5 Bytes JMP 00150FEF
.text C:\Windows\system32\svchost.exe[888] msvcrt.dll!_wcreat 76C3D326 5 Bytes JMP 00150FC1
.text C:\Windows\system32\svchost.exe[888] msvcrt.dll!_wopen 76C3D501 5 Bytes JMP 00150FD2
.text C:\Windows\system32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyExA 76FF39AB 5 Bytes JMP 00170040
.text C:\Windows\system32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyA 76FF3BA9 5 Bytes JMP 00170FA8
.text C:\Windows\system32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyA 76FF89C7 5 Bytes JMP 00170FEF
.text C:\Windows\system32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyW 7700391E 5 Bytes JMP 00170025
.text C:\Windows\system32\svchost.exe[888] ADVAPI32.dll!RegCreateKeyExW 770041F1 5 Bytes JMP 00170F83
.text C:\Windows\system32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyExA 77007C42 5 Bytes JMP 00170FCA
.text C:\Windows\system32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyW 7700E2B5 5 Bytes JMP 00170000
.text C:\Windows\system32\svchost.exe[888] ADVAPI32.dll!RegOpenKeyExW 77017BA1 5 Bytes JMP 00170FB9
.text C:\Windows\system32\svchost.exe[888] WS2_32.dll!socket 758D36D1 5 Bytes JMP 00140000
.text C:\Windows\System32\svchost.exe[928] kernel32.dll!GetStartupInfoW 76C91929 5 Bytes JMP 00A100F5
.text C:\Windows\System32\svchost.exe[928] kernel32.dll!GetStartupInfoA 76C919C9 5 Bytes JMP 00A10FA5
.text C:\Windows\System32\svchost.exe[928] kernel32.dll!CreateProcessW 76C91BF3 5 Bytes JMP 00A1012B
.text C:\Windows\System32\svchost.exe[928] kernel32.dll!CreateProcessA 76C91C28 5 Bytes JMP 00A10F94
.text C:\Windows\System32\svchost.exe[928] kernel32.dll!VirtualProtect 76C91DC3 5 Bytes JMP 00A100B5
.text C:\Windows\System32\svchost.exe[928] kernel32.dll!CreateNamedPipeA 76C92EF5 5 Bytes JMP 00A10011
.text C:\Windows\System32\svchost.exe[928] kernel32.dll!CreateNamedPipeW 76C95C0C 5 Bytes JMP 00A10036
.text C:\Windows\System32\svchost.exe[928] kernel32.dll!CreatePipe 76CB8E6E 5 Bytes JMP 00A100D0
.text C:\Windows\System32\svchost.exe[928] kernel32.dll!LoadLibraryExW 76CB9109 5 Bytes JMP 00A100A4
.text C:\Windows\System32\svchost.exe[928] kernel32.dll!LoadLibraryW 76CB9362 5 Bytes JMP 00A10062
.text C:\Windows\System32\svchost.exe[928] kernel32.dll!LoadLibraryExA 76CB94B4 5 Bytes JMP 00A10087
.text C:\Windows\System32\svchost.exe[928] kernel32.dll!LoadLibraryA 76CB94DC 5 Bytes JMP 00A10051
.text C:\Windows\System32\svchost.exe[928] kernel32.dll!VirtualProtectEx 76CBDBDA 5 Bytes JMP 00A10FC0
.text C:\Windows\System32\svchost.exe[928] kernel32.dll!GetProcAddress 76CD903B 5 Bytes JMP 00A10146
.text C:\Windows\System32\svchost.exe[928] kernel32.dll!CreateFileW 76CDAECB 5 Bytes JMP 00A10000
.text C:\Windows\System32\svchost.exe[928] kernel32.dll!CreateFileA 76CDCE5F 5 Bytes JMP 00A10FEF
.text C:\Windows\System32\svchost.exe[928] kernel32.dll!WinExec 76D25CF7 5 Bytes JMP 00A10110
.text C:\Windows\System32\svchost.exe[928] msvcrt.dll!_wsystem 76C37F2F 5 Bytes JMP 00A00FB7
.text C:\Windows\System32\svchost.exe[928] msvcrt.dll!system 76C3804B 5 Bytes JMP 00A00038
.text C:\Windows\System32\svchost.exe[928] msvcrt.dll!_creat 76C3BBE1 5 Bytes JMP 00A00FD2
.text C:\Windows\System32\svchost.exe[928] msvcrt.dll!_open 76C3D106 5 Bytes JMP 00A00000
.text C:\Windows\System32\svchost.exe[928] msvcrt.dll!_wcreat 76C3D326 5 Bytes JMP 00A0001D
.text C:\Windows\System32\svchost.exe[928] msvcrt.dll!_wopen 76C3D501 5 Bytes JMP 00A00FE3
.text C:\Windows\System32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyExA 76FF39AB 5 Bytes JMP 00AA007D
.text C:\Windows\System32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyA 76FF3BA9 5 Bytes JMP 00AA0FDB
.text C:\Windows\System32\svchost.exe[928] ADVAPI32.dll!RegOpenKeyA 76FF89C7 5 Bytes JMP 00AA000A
.text C:\Windows\System32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyW 7700391E 5 Bytes JMP 00AA0062
.text C:\Windows\System32\svchost.exe[928] ADVAPI32.dll!RegCreateKeyExW 770041F1 5 Bytes JMP 00AA0FB6
.text C:\Windows\System32\svchost.exe[928] ADVAPI32.dll!RegOpenKeyExA 77007C42 5 Bytes JMP 00AA0036
.text C:\Windows\System32\svchost.exe[928] ADVAPI32.dll!RegOpenKeyW 7700E2B5 5 Bytes JMP 00AA001B
.text C:\Windows\System32\svchost.exe[928] ADVAPI32.dll!RegOpenKeyExW 77017BA1 5 Bytes JMP 00AA0047
.text C:\Windows\System32\svchost.exe[928] WS2_32.dll!socket 758D36D1 5 Bytes JMP 009F0FEF
.text C:\Windows\System32\svchost.exe[1024] kernel32.dll!GetStartupInfoW 76C91929 5 Bytes JMP 00DE00BC
.text C:\Windows\System32\svchost.exe[1024] kernel32.dll!GetStartupInfoA 76C919C9 5 Bytes JMP 00DE00AB
.text C:\Windows\System32\svchost.exe[1024] kernel32.dll!CreateProcessW 76C91BF3 5 Bytes JMP 00DE00F2
.text C:\Windows\System32\svchost.exe[1024] kernel32.dll!CreateProcessA 76C91C28 5 Bytes JMP 00DE00D7
.text C:\Windows\System32\svchost.exe[1024] kernel32.dll!VirtualProtect 76C91DC3 5 Bytes JMP 00DE007F
.text C:\Windows\System32\svchost.exe[1024] kernel32.dll!CreateNamedPipeA 76C92EF5 5 Bytes JMP 00DE0FCA
.text C:\Windows\System32\svchost.exe[1024] kernel32.dll!CreateNamedPipeW 76C95C0C 5 Bytes JMP 00DE001B
.text C:\Windows\System32\svchost.exe[1024] kernel32.dll!CreatePipe 76CB8E6E 5 Bytes JMP 00DE0090
.text C:\Windows\System32\svchost.exe[1024] kernel32.dll!LoadLibraryExW 76CB9109 5 Bytes JMP 00DE0064
.text C:\Windows\System32\svchost.exe[1024] kernel32.dll!LoadLibraryW 76CB9362 5 Bytes JMP 00DE0036
.text C:\Windows\System32\svchost.exe[1024] kernel32.dll!LoadLibraryExA 76CB94B4 5 Bytes JMP 00DE0047
.text C:\Windows\System32\svchost.exe[1024] kernel32.dll!LoadLibraryA 76CB94DC 5 Bytes JMP 00DE0FB9
.text C:\Windows\System32\svchost.exe[1024] kernel32.dll!VirtualProtectEx 76CBDBDA 5 Bytes JMP 00DE0F80
.text C:\Windows\System32\svchost.exe[1024] kernel32.dll!GetProcAddress 76CD903B 5 Bytes JMP 00DE0F40
.text C:\Windows\System32\svchost.exe[1024] kernel32.dll!CreateFileW 76CDAECB 5 Bytes JMP 00DE000A
.text C:\Windows\System32\svchost.exe[1024] kernel32.dll!CreateFileA 76CDCE5F 5 Bytes JMP 00DE0FEF
.text C:\Windows\System32\svchost.exe[1024] kernel32.dll!WinExec 76D25CF7 5 Bytes JMP 00DE0F5B
.text C:\Windows\System32\svchost.exe[1024] msvcrt.dll!_wsystem 76C37F2F 5 Bytes JMP 00D9003B
.text C:\Windows\System32\svchost.exe[1024] msvcrt.dll!system 76C3804B 5 Bytes JMP 00D90020
.text C:\Windows\System32\svchost.exe[1024] msvcrt.dll!_creat 76C3BBE1 5 Bytes JMP 00D90FB7
.text C:\Windows\System32\svchost.exe[1024] msvcrt.dll!_open 76C3D106 5 Bytes JMP 00D90FEF
.text C:\Windows\System32\svchost.exe[1024] msvcrt.dll!_wcreat 76C3D326 5 Bytes JMP 00D90FA6
.text C:\Windows\System32\svchost.exe[1024] msvcrt.dll!_wopen 76C3D501 5 Bytes JMP 00D90FD2
.text C:\Windows\System32\svchost.exe[1024] ADVAPI32.dll!RegCreateKeyExA 76FF39AB 1 Byte [E9]
.text C:\Windows\System32\svchost.exe[1024] ADVAPI32.dll!RegCreateKeyExA 76FF39AB 5 Bytes JMP 00DF0FAF
.text C:\Windows\System32\svchost.exe[1024] ADVAPI32.dll!RegCreateKeyA 76FF3BA9 5 Bytes JMP 00DF0FD4
.text C:\Windows\System32\svchost.exe[1024] ADVAPI32.dll!RegOpenKeyA 76FF89C7 5 Bytes JMP 00DF0000
.text C:\Windows\System32\svchost.exe[1024] ADVAPI32.dll!RegCreateKeyW 7700391E 5 Bytes JMP 00DF0051
.text C:\Windows\System32\svchost.exe[1024] ADVAPI32.dll!RegCreateKeyExW 770041F1 5 Bytes JMP 00DF0062
.text C:\Windows\System32\svchost.exe[1024] ADVAPI32.dll!RegOpenKeyExA 77007C42 5 Bytes JMP 00DF0025
.text C:\Windows\System32\svchost.exe[1024] ADVAPI32.dll!RegOpenKeyW 7700E2B5 5 Bytes JMP 00DF0FE5
.text C:\Windows\System32\svchost.exe[1024] ADVAPI32.dll!RegOpenKeyExW 77017BA1 5 Bytes JMP 00DF0040
.text C:\Windows\System32\svchost.exe[1024] WS2_32.dll!socket 758D36D1 5 Bytes JMP 00D60FE5
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!GetStartupInfoW 76C91929 5 Bytes JMP 010500CB
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!GetStartupInfoA 76C919C9 5 Bytes JMP 01050F8F
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!CreateProcessW 76C91BF3 5 Bytes JMP 01050F3E
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!CreateProcessA 76C91C28 5 Bytes JMP 01050F59
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!VirtualProtect 76C91DC3 5 Bytes JMP 01050FAA
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!CreateNamedPipeA 76C92EF5 5 Bytes JMP 01050FDB
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!CreateNamedPipeW 76C95C0C 5 Bytes JMP 0105002C
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!CreatePipe 76CB8E6E 5 Bytes JMP 010500BA
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!LoadLibraryExW 76CB9109 5 Bytes JMP 01050084
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!LoadLibraryW 76CB9362 5 Bytes JMP 0105004E
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!LoadLibraryExA 76CB94B4 5 Bytes JMP 01050069
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!LoadLibraryA 76CB94DC 5 Bytes JMP 0105003D
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!VirtualProtectEx 76CBDBDA 5 Bytes JMP 0105009F
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!GetProcAddress 76CD903B 5 Bytes JMP 01050F2D
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!CreateFileW 76CDAECB 5 Bytes JMP 01050011
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!CreateFileA 76CDCE5F 5 Bytes JMP 01050000
.text C:\Windows\system32\svchost.exe[1064] kernel32.dll!WinExec 76D25CF7 5 Bytes JMP 01050F6A
.text C:\Windows\system32\svchost.exe[1064] msvcrt.dll!_wsystem 76C37F2F 5 Bytes JMP 01000FB9
.text C:\Windows\system32\svchost.exe[1064] msvcrt.dll!system 76C3804B 5 Bytes JMP 01000044
.text C:\Windows\system32\svchost.exe[1064] msvcrt.dll!_creat 76C3BBE1 5 Bytes JMP 01000FEF
.text C:\Windows\system32\svchost.exe[1064] msvcrt.dll!_open 76C3D106 5 Bytes JMP 01000000
.text C:\Windows\system32\svchost.exe[1064] msvcrt.dll!_wcreat 76C3D326 5 Bytes JMP 01000FDE
.text C:\Windows\system32\svchost.exe[1064] msvcrt.dll!_wopen 76C3D501 5 Bytes JMP 01000029
.text C:\Windows\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyExA 76FF39AB 5 Bytes JMP 01060036
.text C:\Windows\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyA 76FF3BA9 5 Bytes JMP 01060F9E
.text C:\Windows\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyA 76FF89C7 5 Bytes JMP 01060FEF
.text C:\Windows\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyW 7700391E 5 Bytes JMP 01060025
.text C:\Windows\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyExW 770041F1 5 Bytes JMP 01060051
.text C:\Windows\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyExA 77007C42 5 Bytes JMP 01060FC3
.text C:\Windows\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyW 7700E2B5 5 Bytes JMP 01060FDE
.text C:\Windows\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyExW 77017BA1 5 Bytes JMP 0106000A
.text C:\Windows\system32\svchost.exe[1064] WS2_32.dll!socket 758D36D1 5 Bytes JMP 00DF000A
.text C:\Windows\system32\svchost.exe[1064] WININET.dll!InternetOpenA 7580D690 5 Bytes JMP 010F0000
.text C:\Windows\system32\svchost.exe[1064] WININET.dll!InternetOpenW 7580DB09 5 Bytes JMP 010F0011
.text C:\Windows\system32\svchost.exe[1064] WININET.dll!InternetOpenUrlA 7580F3A4 5 Bytes JMP 010F0FD1
.text C:\Windows\system32\svchost.exe[1064] WININET.dll!InternetOpenUrlW 75856D5F 5 Bytes JMP 010F0FC0
.text C:\Windows\system32\svchost.exe[1148] kernel32.dll!GetStartupInfoW 76C91929 5 Bytes JMP 00230F46
.text C:\Windows\system32\svchost.exe[1148] kernel32.dll!GetStartupInfoA 76C919C9 5 Bytes JMP 00230F57
.text C:\Windows\system32\svchost.exe[1148] kernel32.dll!CreateProcessW 76C91BF3 5 Bytes JMP 002300BB
.text C:\Windows\system32\svchost.exe[1148] kernel32.dll!CreateProcessA 76C91C28 5 Bytes JMP 00230F24
.text C:\Windows\system32\svchost.exe[1148] kernel32.dll!VirtualProtect 76C91DC3 5 Bytes JMP 00230F97
.text C:\Windows\system32\svchost.exe[1148] kernel32.dll!CreateNamedPipeA 76C92EF5 5 Bytes JMP 0023001B
.text C:\Windows\system32\svchost.exe[1148] kernel32.dll!CreateNamedPipeW 76C95C0C 5 Bytes JMP 0023002C
.text C:\Windows\system32\svchost.exe[1148] kernel32.dll!CreatePipe 76CB8E6E 5 Bytes JMP 00230F68
.text C:\Windows\system32\svchost.exe[1148] kernel32.dll!LoadLibraryExW 76CB9109 5 Bytes JMP 00230FA8
.text C:\Windows\system32\svchost.exe[1148] kernel32.dll!LoadLibraryW 76CB9362 5 Bytes JMP 0023005B
.text C:\Windows\system32\svchost.exe[1148] kernel32.dll!LoadLibraryExA 76CB94B4 5 Bytes JMP 00230FB9
.text C:\Windows\system32\svchost.exe[1148] kernel32.dll!LoadLibraryA 76CB94DC 5 Bytes JMP 00230FCA
.text C:\Windows\system32\svchost.exe[1148] kernel32.dll!VirtualProtectEx 76CBDBDA 5 Bytes JMP 00230082
.text C:\Windows\system32\svchost.exe[1148] kernel32.dll!GetProcAddress 76CD903B 5 Bytes JMP 002300CC
.text C:\Windows\system32\svchost.exe[1148] kernel32.dll!CreateFileW 76CDAECB 5 Bytes JMP 0023000A
.text C:\Windows\system32\svchost.exe[1148] kernel32.dll!CreateFileA 76CDCE5F 5 Bytes JMP 00230FE5
.text C:\Windows\system32\svchost.exe[1148] kernel32.dll!WinExec 76D25CF7 5 Bytes JMP 00230F35
.text C:\Windows\system32\svchost.exe[1148] msvcrt.dll!_wsystem 76C37F2F 5 Bytes JMP 00220053
.text C:\Windows\system32\svchost.exe[1148] msvcrt.dll!system 76C3804B 5 Bytes JMP 0022002E
.text C:\Windows\system32\svchost.exe[1148] msvcrt.dll!_creat 76C3BBE1 5 Bytes JMP 0022001D
.text C:\Windows\system32\svchost.exe[1148] msvcrt.dll!_open 76C3D106 5 Bytes JMP 00220000
.text C:\Windows\system32\svchost.exe[1148] msvcrt.dll!_wcreat 76C3D326 5 Bytes JMP 00220FC8
.text C:\Windows\system32\svchost.exe[1148] msvcrt.dll!_wopen 76C3D501 5 Bytes JMP 00220FE3
.text C:\Windows\system32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyExA 76FF39AB 5 Bytes JMP 007E004A
.text C:\Windows\system32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyA 76FF3BA9 5 Bytes JMP 007E0FC3
.text C:\Windows\system32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyA 76FF89C7 5 Bytes JMP 007E0FE5
.text C:\Windows\system32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyW 7700391E 5 Bytes JMP 007E0FB2
.text C:\Windows\system32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyExW 770041F1 5 Bytes JMP 007E0F8D
.text C:\Windows\system32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyExA 77007C42 5 Bytes JMP 007E000A
.text C:\Windows\system32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyW 7700E2B5 5 Bytes JMP 007E0FD4
.text C:\Windows\system32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyExW 77017BA1 5 Bytes JMP 007E0025
.text C:\Windows\system32\svchost.exe[1148] WS2_32.dll!socket 758D36D1 5 Bytes JMP 00210FE5
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!GetStartupInfoW 76C91929 5 Bytes JMP 010200D5
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!GetStartupInfoA 76C919C9 5 Bytes JMP 01020F99
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!CreateProcessW 76C91BF3 5 Bytes JMP 01020F6D
 
Whoops. It must have truncated my message due to length in the middle of GMER. I'll post the rest of GMER if you want. Meanwhile, here are RKILL and HJT:
RKILL said:
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 04/17/2011 at 19:15:07.
Operating System: Windows Vista (TM) Home Basic


Processes terminated by Rkill or while it was running:

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Windows\System32\grpconv.exe


Rkill completed on 04/17/2011 at 19:15:13.
HiJack This said:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:21:32 PM, on 4/17/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.19048)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\System32\rundll32.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Belkin\F7D4101\V1\PBN.exe
C:\Windows\system32\taskeng.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\Explorer.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\admin\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware6\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Trend Micro RUBotted V2.0 Beta] C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Play Wireless USB Adapter Utility.lnk = C:\Program Files\Belkin\F7D4101\V1\PBN.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} -
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe
O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Trend Micro RUBotted Service (RUBotSrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe
O23 - Service: STSService - Unknown owner - C:\Program Files\SoundTaxi Media Suite\STSService.exe (file missing)
O23 - Service: Belkin WLAN service (WLANBelkinService) - Unknown owner - C:\Program Files\Belkin\F7D4101\V1\wlansrv.exe

--
End of file - 8400 bytes
 
Geez - you've spent more time than reloading the system already!!! I'd say:
Uninstall Firefox
Registry repair with CCleaner (run until no errors & save backup before repairing each time)
Reboot
Reinstall Firefox
Call it a day (week)

Otherwise, you might as well have reloaded - don't you think?
 
And after you've reloaded or 'fixed' it, learn how to use Process Explorer to track down the malware that's running and suspend it all, then kill it and then use Autoruns to prevent it running again at boot. It might not enable you to pick out all malware that's in the wild but it'll deal with the vast majority.
 
Geez - you've spent more time than reloading the system already!!!

Yah, but think of all the experience he's getting. ;-)


James P. Cottingham
I'm number 1,229!
 
Experience often = pain with the possible exception of the opposite sex. But even then... pain, definitely pain.

But what you're saying is "no pain no gain". I can respect that.


I agree about using Process Explorer to see what's running on your PC and Autoruns to prevent things from starting up. However, some of the baddies are not visible using these tools. That's when we throw all the programs mentioned at it.

Not mentioned, but good, are CWShredder and TDSSKiller.


 
gombawahoo said:
Geez - you've spent more time than reloading the system already!!! I'd say:
Uninstall Firefox
Registry repair with CCleaner (run until no errors & save backup before repairing each time)
Reboot
Reinstall Firefox
Call it a day (week)

Otherwise, you might as well have reloaded - don't you think?
This computer came loaded with Windows, I did not purchase it. Computer OEM did not provide any CD ($300 for eMachines computer and monitor from Wal-Mart).

The checks that I ran supported posting at BleepingComputer. I also posted some of the items that were suggested above.

Does anyone have any comments on these logs?
 
In general:
I would get rid of Google Desktop unless you really love it/use it, as it will slow you down.
I would get rid of McAfee because it will really slow you down.
I would disable the Indexing service because performance takes a hit when it kicks in.


You could turn the following off to shut some stuff down.
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE


O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
See if this disappears when (if) you uninstall Google Desktop. I'm always suspicious of the App Init DLL entry. Lots of malware tries to run itself from there.


O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
Kill this if you DON'T use your (old fashioned) modem.


O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe
Kill this if you don't play the WildTangent games.
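As an added example (not code from this thread or from HijackThis itself), a small Python reader for HijackThis-style log lines that flags the kinds of entries the replies above single out: orphaned BHOs, autostart entries without a full path, a populated AppInit_DLLs value, and services with an unknown owner or a missing binary. The sample lines are copied from the log posted above; the flagging rules are this example's own heuristics, not anything HijackThis does.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: a few lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: STSService - Unknown owner - C:\Program Files\SoundTaxi Media Suite\STSService.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, O23, ...) and " - ".
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into section code and body; None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def has_full_path(command: str) -> bool:
    """True when the command starts with a drive letter or a UNC prefix."""
    first = command.strip().lstrip('"')
    return re.match(r"^[A-Za-z]:\\|^\\\\", first) is not None

def review_entry(entry: Dict[str, str]) -> Optional[str]:
    """Heuristics (this example's own, not HijackThis's) for entries worth a manual look."""
    sec, body = entry["section"], entry["body"]
    if sec == "O2" and body.endswith("(no file)"):
        return "BHO registered but its DLL is gone: orphaned CLSID"
    if sec == "O4":
        # Run entries look like "HKLM\..\Run: [Name] command"; startup links use " = ".
        sep = "]" if "]" in body else " = "
        command = body.split(sep, 1)[-1]
        if not has_full_path(command):
            return "autostart without a full path: resolved via the search path, verify the binary"
    if sec == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        return "AppInit_DLLs is populated: that DLL loads into every user32-linked process"
    if sec == "O23" and ("Unknown owner" in body or "(file missing)" in body):
        return "service with unknown owner or missing binary: verify or remove"
    return None

def review_log(text: str) -> List[Dict[str, str]]:
    """Return the flagged entries of a log together with the reason each was flagged."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        reason = review_entry(entry) if entry else None
        if reason:
            findings.append({"section": entry["section"], "line": line.strip(), "reason": reason})
    return findings
```

Run `review_log(SAMPLE_LOG)` to see the four flagged entries; the two McAfee lines and the fully-pathed McENUI entry pass the heuristics.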
 