
I keep getting pop ups [RESOLVED]


  • This topic is locked

#1
furio

    Member

  • Member
  • 16 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:05, on 21/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS\system32\dllhost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Auslogics\AusLogics BoostSpeed\Integrator.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebo...toUploader5.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6744 bytes


#2
Gravity Gripp

    Trusted Helper

  • Malware Removal
  • 1,815 posts
Hello furio, Welcome to Geeks-To-Go.

My name is Gravity Gripp and I'll be working with you on these issues. For now, I will be reviewing your log but will be responding back soon. Also, please note that I am still in training so there may be a slight delay in my responses because I will be working with an expert on this.

I look forward to working with you :)

Edited by Gravity Gripp, 21 June 2008 - 10:43 PM.


#3
furio

    Member

  • Topic Starter
  • Member
  • 16 posts
Well hello there,

Good luck with the analysis. I have tried everything, every kind of spyware removal program, changed to Firefox; I even Googled every process running on my system to see if any come up as unknown or as spyware. They were all legit!!! I've run out of ideas, mate.

Appreciate the help and look forward to seeing your diagnosis.

Regards

John

#4
Gravity Gripp

    Trusted Helper

  • Malware Removal
  • 1,815 posts
Josh, The log that you provided looks clean. However, I'd like for you to run an online virus scan and provide me with a little more in-depth log. Follow the steps below to proceed.


STEP ONE
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now, under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

STEP TWO
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#5
furio

    Member

  • Topic Starter
  • Member
  • 16 posts
Kaspersky online scan:

File name Threat name Threats count
C:\Documents and Settings\John Chilcott\Application Data\Auslogics\Rescue\One Button Checkup\080621011251750.rsc Infected: not-a-virus:AdWare.Win32.NewDotNet.m 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part01.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part02.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part03.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part04.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part05.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part06.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part07.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part08.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part09.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part10.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part11.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part12.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part13.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part14.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part15.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part16.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part17.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part18.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part19.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part20.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part21.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part22.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part23.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part24.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part25.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part26.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part27.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part28.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part29.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part30.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part31.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part32.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part33.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part34.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part35.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part36.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part37.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part38.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part39.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part40.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part41.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part42.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part43.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part44.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part45.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part46.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part47.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part48.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part49.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part50.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part51.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part52.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part53.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part54.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part55.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part56.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part57.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part58.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part59.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part60.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part61.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part62.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part63.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part64.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part65.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part66.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part67.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part68.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part69.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part70.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com].part71.rar Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack [App][English][www.zonatorrent.com]\setup\flstudio_8.0_install.exe Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\MessengerSkinner_setup.exe Infected: Trojan-Dropper.Win32.Agent.dtk 1
C:\Documents and Settings\John Chilcott\Desktop\setup\flstudio_8.0_install.exe Infected: Backdoor.Win32.Hupigon.cmry 1
C:\Documents and Settings\John Chilcott\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\John Chilcott\Desktop\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\09Q3SDEF\upgrade[1].cab Infected: not-a-virus:AdWare.Win32.NewDotNet.m 1
C:\Downloads\bitcomet_accelerator_31.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\Program Files\BitComet Accelerator\NNGLZA638.EXE Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\System Volume Information\_restore{7B305774-1957-4547-B0FA-329ABF241E1D}\RP108\A0061787.dll Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\System Volume Information\_restore{7B305774-1957-4547-B0FA-329ABF241E1D}\RP110\A0061907.dll Infected: not-a-virus:AdWare.Win32.NewDotNet.m 1
C:\System Volume Information\_restore{7B305774-1957-4547-B0FA-329ABF241E1D}\RP115\A0064233.dll Infected: not-a-virus:AdWare.Win32.NewDotNet.m 1
C:\System Volume Information\_restore{7B305774-1957-4547-B0FA-329ABF241E1D}\RP72\A0036875.exe Infected: Trojan.Win32.Obfuscated.aqn 1
C:\System Volume Information\_restore{7B305774-1957-4547-B0FA-329ABF241E1D}\RP74\A0039463.exe Infected: not-a-virus:AdWare.Win32.NaviPromo.cg 1
C:\System Volume Information\_restore{7B305774-1957-4547-B0FA-329ABF241E1D}\RP77\A0039617.dll Infected: not-a-virus:AdWare.Win32.NaviPromo.ec 1
C:\System Volume Information\_restore{7B305774-1957-4547-B0FA-329ABF241E1D}\RP84\A0047529.exe Infected: not-a-virus:AdWare.Win32.NaviPromo.cg 1
C:\System Volume Information\_restore{7B305774-1957-4547-B0FA-329ABF241E1D}\RP86\A0050745.exe Infected: Trojan.Win32.Obfuscated.aqn 1
C:\WINDOWS\NDNuninstall6_38.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\WINDOWS\system32\tbhkqxnfa.exe Infected: Trojan.Win32.Obfuscated.aqn 1
The selected area was scanned.

Deckard's System Scanner v20071014.68
Run by John Chilcott on 2008-06-23 21:31:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
54: 2008-06-23 20:31:41 UTC - RP117 - Deckard's System Scanner Restore Point
53: 2008-06-23 13:19:06 UTC - RP116 - AusLogics RegDefrag before defragmentation.
52: 2008-06-23 12:20:18 UTC - RP115 - System Checkpoint
51: 2008-06-21 23:44:35 UTC - RP114 - Installed Windows Media Player Firefox Plugin
50: 2008-06-21 02:00:34 UTC - RP113 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-03-26 20:33:03 UTC - RP64 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as John Chilcott.exe) ---------------------------------------

logfile has no content; running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-23 21:32:19
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\WINDOWS\explorer.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\WLTRAY.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\McAfee\VirusScan\mcsysmon.exe
C:\Documents and Settings\John Chilcott\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebo...toUploader5.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ent/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\msksrver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
O23 - Service: NNServ - Unknown owner - C:\Program Files\NewDotNet\nnrun.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\system32\WLTRYSVC.EXE


--
End of file - 8337 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - "regedit.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
R1 StarOpen - c:\windows\system32\drivers\staropen.sys

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
S3 UIUSys (Conexant Setup API) - c:\windows\system32\drivers\uiusys.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 NICCONFIGSVC - c:\program files\dell\quickset\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>

S4 NNServ - "c:\program files\newdotnet\nnrun.exe" "c:\program files\newdotnet\nncore.dll" servicestart (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01AF1028&REV_02\4&2FE911E8&0&00F0
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01AF1028&REV_02\4&2FE911E8&0&00F0
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-06-23 21:06:04 270 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2008-03-01 02:00:25 368 --a------ C:\WINDOWS\Tasks\McQcTask.job
2008-01-15 02:19:48 366 --a------ C:\WINDOWS\Tasks\McDefragTask.job


-- Files created between 2008-05-23 and 2008-06-23 -----------------------------

2008-06-21 01:40:05 0 d-------- C:\WINDOWS\pss
2008-06-21 01:02:15 0 d-------- C:\Documents and Settings\John Chilcott\Application Data\Auslogics
2008-06-21 01:01:43 0 d-------- C:\Program Files\Auslogics
2008-06-21 00:24:07 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-21 00:24:01 0 d-------- C:\Documents and Settings\John Chilcott\Application Data\Mozilla
2008-06-17 14:48:07 765952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-06-17 14:48:06 180224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-06-17 14:48:06 0 d-------- C:\Program Files\Xvid
2008-06-16 22:05:00 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-06-16 21:58:56 8464 --a------ C:\WINDOWS\system32\sporder.dll <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-06-16 21:58:56 50688 --a-s---- C:\WINDOWS\NDNuninstall6_38.exe
2008-06-16 21:58:56 0 d-a-s---- C:\Program Files\NewDotNet
2008-06-16 21:58:32 0 d-------- C:\Program Files\BitComet Accelerator
2008-06-16 01:07:19 0 d-------- C:\Program Files\PFConfig
2008-06-16 00:16:10 2560 --a------ C:\WINDOWS\system32\bitcometres.dll <Not Verified; BitComet; BitComet BCTP Helper>
2008-06-16 00:16:09 0 d-------- C:\Downloads
2008-06-16 00:15:26 0 d-------- C:\Program Files\BitComet
2008-06-11 22:17:51 0 d-------- C:\Program Files\Windows Live Safety Center
2008-06-11 00:05:30 0 d-------- C:\Program Files\Native Instruments
2008-06-11 00:05:30 0 d-------- C:\Program Files\Common Files\Native Instruments
2008-06-10 23:38:17 0 d-------- C:\Documents and Settings\John Chilcott\Application Data\BitZipper
2008-06-10 23:38:12 0 d-------- C:\Program Files\BitZipper
2008-06-09 01:16:36 0 d--h----- C:\WINDOWS\PIF
2008-06-05 23:19:56 0 d-------- C:\Documents and Settings\John Chilcott\Application Data\.BitTornado
2008-06-05 21:54:08 217088 --a------ C:\WINDOWS\system32\rewire.dll <Not Verified; Propellerhead Software AB; ReWire>
2008-06-05 21:54:08 0 d-------- C:\Program Files\VstPlugins
2008-06-05 21:52:54 0 d-------- C:\Program Files\Image-Line


-- Find3M Report ---------------------------------------------------------------

2008-06-23 17:06:51 0 d-------- C:\Documents and Settings\John Chilcott\Application Data\OpenOffice.org2
2008-06-23 12:39:15 0 d-------- C:\Program Files\McAfee
2008-06-20 15:42:45 0 d-------- C:\Documents and Settings\John Chilcott\Application Data\LimeWire
2008-06-20 14:26:47 0 d-------- C:\Program Files\Tibia
2008-06-17 12:08:11 0 d-------- C:\Program Files\Common Files
2008-06-17 11:49:14 0 d-------- C:\Program Files\Google
2008-06-16 21:19:15 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-16 19:41:15 0 d-------- C:\Program Files\Panda Security
2008-06-08 16:25:48 0 d-------- C:\Program Files\Common Files\John
2008-06-05 16:36:03 0 d-------- C:\Program Files\Common Files\McAfee
2008-05-19 22:09:18 0 d-------- C:\Program Files\LimeWire
2008-05-08 20:34:31 0 d-------- C:\Program Files\Trend Micro
2008-05-08 19:57:39 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2008-05-08 19:49:14 0 d-------- C:\Documents and Settings\John Chilcott\Application Data\SUPERAntiSpyware.com
2008-05-08 19:47:05 0 d-------- C:\Documents and Settings\John Chilcott\Application Data\Malwarebytes
2008-05-08 19:47:03 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-08 19:46:44 0 d-------- C:\Program Files\Common Files\Download Manager
2008-05-03 13:38:05 0 d-------- C:\Documents and Settings\John Chilcott\Application Data\Adobe
2008-05-03 13:36:03 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-01 22:06:04 1512 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-28 08:03:06 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-04-28 08:03:06 82944 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-04-24 08:10:33 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}]
26/11/2007 10:46 324936 --a------ c:\PROGRA~1\mcafee\msk\mcapbho.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [05/08/2005 14:56]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [01/11/2006 13:48]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [13/12/2005 18:44]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [13/12/2005 18:41]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [13/12/2005 18:45]
"SigmatelSysTrayApp"="stsystra.exe" [24/03/2006 18:30 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [03/08/2006 19:51]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [08/03/2006 13:48]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [23/03/2008 15:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 22:16]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [10/08/2004 12:00]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 12:34]
"ikkwukqy"="c:\documents and settings\john chilcott\local settings\application data\ikkwukqy.exe" [05/06/2008 16:37]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

C:\Documents and Settings\John Chilcott\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [21/01/2008 15:41:28]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ikkwukqy]
c:\documents and settings\john chilcott\local settings\application data\ikkwukqy.exe ikkwukqy

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NNServ"=2 (0x2)




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8118 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-23 21:33:03 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Genuine Intel® CPU T2080 @ 1.73GHz
CPU 1: Genuine Intel® CPU T2080 @ 1.73GHz
Percentage of Memory in Use: 35%
Physical Memory (total/avail): 1014.37 MiB / 651.26 MiB
Pagefile Memory (total/avail): 2441.4 MiB / 2099.47 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1925.47 MiB

C: is Fixed (NTFS) - 109.74 GiB total, 64.22 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Hitachi HTS541612J9SA00 - 111.79 GiB - 3 partitions
\PARTITION0 - Unknown - 47.03 MiB
\PARTITION1 (bootable) - Installable File System - 109.74 GiB - C:
\PARTITION2 - Extended w/Extended Int 13 - 2.01 GiB



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: McAfee Personal Firewall v (McAfee)
AV: McAfee VirusScan v (McAfee)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"="C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\John Chilcott\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JOHN-D0D2E2772F
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\John Chilcott
LOGONSERVER=\\JOHN-D0D2E2772F
MOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Documents and Settings\John Chilcott\Application Data\Mozilla\Firefox\Crash Reports
MOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exe
MOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\crashreporter-override.ini
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\PROGRA~1\Java\JRE16~2.0_0\bin;C:\PROGRA~1\Java\JRE16~2.0_0\bin;C:\PROGRA~1\Java\JRE16~2.0_0\bin;C:\PROGRA~1\Java\JRE16~2.0_0\bin;C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Samsung\Samsung PC Studio 3\;.;.
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 12, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e0c
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\JOHNCH~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\JOHNCH~1\LOCALS~1\Temp
USERDOMAIN=JOHN-D0D2E2772F
USERNAME=John Chilcott
USERPROFILE=C:\Documents and Settings\John Chilcott
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

John Chilcott (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7875FD9-6ADB-4D4B-A756-3A2306A3D5E1}\setup.exe" -l0x9 anything
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
AusLogics BoostSpeed --> "C:\Program Files\Auslogics\AusLogics BoostSpeed\unins000.exe"
BitComet 1.02 --> C:\Program Files\BitComet\uninst.exe
BitComet Accelerator 3.2 --> "C:\Program Files\BitComet Accelerator\unins000.exe"
Collab --> C:\Program Files\Image-Line\Collab\uninstall.exe
Conexant HDA D110 MDC V.92 Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3\HXFSETUP.EXE -U -Idel1028p.inf
Dell Resource CD --> MsiExec.exe /X{2764CA82-DFB9-4498-AF85-719340BF5305}
Dell Wireless WLAN Card --> "C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe" verbose /rootkey="Software\Broadcom\802.11\UninstallInfo" /rootdir="C:\Program Files\Dell\Dell Wireless WLAN Card"
FL Studio 5 --> C:\Program Files\Image-Line\FLStudio5\uninstall.exe
GemMaster Mystic --> "C:\Program Files\GemMaster\uninstallgemmaster.exe"
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
Highlight Viewer (Windows Live Toolbar) --> MsiExec.exe /X{A5C4AD72-25FE-4899-B6DF-6D8DF63C93CF}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_27A6 PCI\VEN_8086&DEV_27A2
Java™ 6 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
LimeWire 4.16.7 --> "C:\Program Files\LimeWire\uninstall.exe"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Map Button (Windows Live Toolbar) --> MsiExec.exe /X{7745B7A9-F323-4BB9-9811-01BF57A028DA}
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
Mozilla Firefox (3.0) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Native Instruments Massive v1.0.1.008 VSTi DXi RTAS --> C:\PROGRA~1\NATIVE~1\Massive\UNWISE.EXE C:\PROGRA~1\NATIVE~1\Massive\INSTALL.LOG
OpenOffice.org 2.4 --> MsiExec.exe /I{F87A8E11-02A4-4875-A3A5-5961081B0E4E}
Otto --> "C:\Program Files\EnglishOtto\uninstallotto.exe"
PFConfig 1.0.208 --> C:\Program Files\PFConfig\uninst.exe
QuickSet --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe" -l0x9 APPDRVNT4
SAMSUNG CDMA Modem Driver Set --> C:\WINDOWS\system32\Samsung_USB_Drivers\3\SSCDUninstall.exe
SAMSUNG Mobile Composite Device Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\6\SSBCUninstall.exe
Samsung Mobile phone USB driver Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\5\SSSDUninstall.exe
SAMSUNG Mobile USB Modem 1.0 Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe
SAMSUNG Mobile USB Modem Software --> C:\WINDOWS\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe
Samsung PC Studio 3 --> "C:\Program Files\InstallShield Installation Information\{C4A4722E-79F9-417C-BD72-8D359A090C97}\setup.exe" -runfromtemp -l0x0009 -removeonly
SigmaTel Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Smart Menus (Windows Live Toolbar) --> MsiExec.exe /X{F084395C-40FB-4DB3-981C-B51E74E1E83D}
Sonic Encoders --> MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Tibia --> "C:\Program Files\Tibia\unins000.exe"
Tibia MULTI-ip changer --> C:\Program Files\Asprate\Tibia Multi IP Changer\UNinstaller.exe
Update Rollup 2 for Windows XP Media Center Edition 2005 --> C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
Windows Driver Package - Ricoh Company Memorystick Host Controller (07/09/2005 1.00.01.12) --> C:\PROGRA~1\DIFX\DPInst.exe /u C:\WINDOWS\system32\DRVSTORE\rimsptsk_469677EEC4F8D39ABD61046D242B2A1651DE8AEF\rimsptsk.inf
Windows Driver Package - Ricoh Company MMC Host Controller (07/14/2005 1.00.00.06) --> C:\PROGRA~1\DIFX\DPInst.exe /u C:\WINDOWS\system32\DRVSTORE\rimmptsk_EA24AF82DAB6BA6CF6FB1A3004EE91F51D3FDCF9\rimmptsk.inf
Windows Driver Package - Ricoh Company xD-Picture Card/SmartMedia Host Controller (07/14/2005 1.00.02.04) --> C:\PROGRA~1\DIFX\DPInst.exe /u C:\WINDOWS\system32\DRVSTORE\rixdptsk_30B42BE4DA4D11DB80E5D3DD10180621BA0A53DD\rixdptsk.inf
Windows Live Favorites for Windows Live Toolbar --> MsiExec.exe /X{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar --> MsiExec.exe /X{D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar Extension (Windows Live Toolbar) --> MsiExec.exe /X{341201D4-4F61-4ADB-987E-9CCE4D83A58D}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB925766 --> "C:\WINDOWS\$NtUninsta

#6 furio (Topic Starter, Member, 16 posts)
Hi Guys,

How long will this problem take to dissect? You haven't forgotten about poor spyware-infested me, have you?

Regards,

John

#7 Gravity Gripp (Trusted Helper, Malware Removal, 1,815 posts)
furio,
First let me state that it's apparent that you have some illegal software on your computer that is infected with a trojan. This is always a risk when downloading illegal software, thus it is highly recommended against. These files will be included in my fix for you and will be deleted. My suggestion for the future is to refrain from downloading illegal/cracked software.

STEP ONE
Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:

    • c:\documents and settings\john chilcott\local settings\application data\ikkwukqy.exe
  • Click on the submit button
  • Please post the results in your next reply.

STEP TWO
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack*
    C:\Documents and Settings\John Chilcott\Desktop\MessengerSkinner_setup.exe
    C:\Documents and Settings\John Chilcott\Desktop\setup\flstudio_8.0_install.exe
    C:\Downloads\bitcomet_accelerator_31.exe
    C:\Program Files\BitComet Accelerator\
    C:\WINDOWS\system32\tbhkqxnfa.exe
    C:\WINDOWS\NDNuninstall6_38.exe
    
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ikkwukqy
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\\ikkwukqy
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

STEP THREE
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
#8
furio (Member, Topic Starter, 16 posts)
Yes, I'm not sure how that got on there; I think I have deleted it.

here is the OTMoveIt2 report:
< C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack* >
File/Folder C:\Documents and Settings\John Chilcott\Desktop\Fruityloops.Studio.Producer.Edition.XXL.v8.0.0 + Crack* not found.
File/Folder C:\Documents and Settings\John Chilcott\Desktop\MessengerSkinner_setup.exe not found.
File/Folder C:\Documents and Settings\John Chilcott\Desktop\setup\flstudio_8.0_install.exe not found.
File/Folder C:\Downloads\bitcomet_accelerator_31.exe not found.
Folder C:\Program Files\BitComet Accelerator\ not found.
File/Folder C:\WINDOWS\system32\tbhkqxnfa.exe not found.
File/Folder C:\WINDOWS\NDNuninstall6_38.exe not found.
File/Folder not found.
< HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ikkwukqy >
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ikkwukqy deleted successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\\ikkwukqy >
Registry value HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\\ikkwukqy not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 06292008_162110

Here is the online scan result:
Service load:
0% 100%
File: ikkwukqy.exe
Status:
POSSIBLY INFECTED/MALWARE (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)
MD5: 39c16abae4a59759fef7cbbc6adf0547
Packers detected:
-
Scanner results
Scan taken on 29 Jun 2008 15:09:21 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found Win32:Roodro
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

Good luck!
#9
Gravity Gripp (Trusted Helper, Malware Removal, 1,815 posts)
furio, the good news is that we are almost done. I just need you to finish out a few more steps and then we can clean up.

STEP ONE
Please go to UploadMalware to upload a suspicious file for analysis.
  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Copy and paste this filename into one of the text boxes: c:\documents and settings\john chilcott\local settings\application data\ikkwukqy.exe
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File

STEP TWO
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    c:\documents and settings\john chilcott\local settings\application data\ikkwukqy.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

STEP THREE
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

#10
furio (Member, Topic Starter, 16 posts)
Thanks Gravity,

Did you mean that it's done now? I'm still getting pop-ups, if that's the case.

I'm not sure what you wanted me to do next, but I will post a brand new HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:03:56, on 01/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS\system32\dllhost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Auslogics\AusLogics BoostSpeed\OneButtonCheckup.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebo...toUploader5.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7018 bytes
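The HijackThis log above lists every autostart (O4) entry, and the helper's earlier fix targeted a Run value pointing at an executable under the user's Local Settings\Application Data. The script below is an added example, not code from this thread, from HijackThis or from Trend Micro: it parses O4 lines and flags entries that start from user-writable profile directories, from outside Windows and Program Files, or as a bare filename with no directory. The sample lines are taken from the log posted above plus one line constructed from the HKCU Run value and path the helper asked to have removed; the thresholds and directory markers are assumptions.

```python
"""Triage HijackThis 'O4' autostart lines for persistence in unusual locations.

Added example for this thread; not code from the thread, from HijackThis or
from Trend Micro. Directory markers and rules below are assumptions.
"""
import re

# Constructed sample in the HijackThis v2.0.2 O4 format: the first six lines are
# copied from the log posted in this thread; the last one is constructed from
# the HKCU Run value and the file path the helper asked to have removed.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - HKCU\..\Run: [ikkwukqy] c:\documents and settings\john chilcott\local settings\application data\ikkwukqy.exe
"""

# Registry-backed O4 lines: "O4 - <hive>\..\<key>: [<value name>] <command line>".
# "O4 - Startup:" (Startup-folder shortcuts) uses a different shape and is skipped.
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Assumed markers for user-writable profile locations on Windows XP-era systems.
PROFILE_MARKERS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\application data\\",
    "\\temp\\",
)
# Assumed roots where legitimately installed autostart binaries normally live.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


def parse_o4(line: str):
    """Return hive, key, value name and command line for a registry O4 line, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return {"hive": m["hive"], "key": m["key"], "name": m["name"], "cmd": m["cmd"]}


def extract_path(cmd: str) -> str:
    """Recover the executable path from a Run command line.

    Quoted paths are taken verbatim; unquoted ones are cut after the first
    '.exe' (HijackThis does not quote paths with spaces), which also drops
    trailing arguments and the "(User '...')" suffix on HKUS lines.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    if m:
        return cmd[: m.end()]
    return cmd.split()[0] if cmd else ""


def assess(path: str) -> list:
    """Return human-readable reasons an autostart path deserves a closer look."""
    p = path.lower()
    if "\\" not in p:
        # Nothing to verify on disk yet: the loader resolves it via the search path.
        return ["bare filename with no directory; resolved through the search path"]
    if any(marker in p for marker in PROFILE_MARKERS):
        return ["executable runs from a user-writable profile directory"]
    if not p.startswith(TRUSTED_ROOTS):
        return ["executable runs from outside Windows and Program Files"]
    return []


def triage(log_text: str) -> list:
    """Parse every O4 line in a HijackThis log and return the flagged entries."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        path = extract_path(entry["cmd"])
        reasons = assess(path)
        if reasons:
            findings.append({"hive": entry["hive"], "name": entry["name"],
                             "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_O4_LINES):
        print(f"{f['hive']}\\..\\Run [{f['name']}] -> {f['path']}")
        for reason in f["reasons"]:
            print("    ", reason)
```

A flagged entry is a lead, not a verdict: the Sigmatel tray applet is flagged only because HijackThis recorded it without a directory, while the ikkwukqy value stands out for running from Local Settings\Application Data.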
#11
Gravity Gripp (Trusted Helper, Malware Removal, 1,815 posts)
furio, you say you're still getting popups?

Let's try this: let's do a scan with SUPERAntiSpyware and see what turns up. I see that you already have it installed; in that case, just update it and run a scan following the directions below.

STEP ONE
  • Double-click SUPERAntiSpyware.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

#12
furio (Member, Topic Starter, 16 posts)
Hello Mr Gripp,

Looks like it has found a few things; also, hopefully there are no more...

Here is the log file from the scan.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/02/2008 at 10:09 PM

Application Version : 4.15.1000

Core Rules Database Version : 3495
Trace Rules Database Version: 1486

Scan type : Complete Scan
Total Scan Time : 01:16:38

Memory items scanned : 466
Memory threats detected : 0
Registry items scanned : 5002
Registry threats detected : 11
File items scanned : 60293
File threats detected : 113

Adware.Tracking Cookie
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@dcs8a1rrculeroaqmbjq87oq1_4s7l[1].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][2].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@overture[2].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][2].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][1].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][1].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][2].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][1].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@yadro[2].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@serving-sys[1].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@atwola[1].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][1].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][2].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@weborama[1].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@ufindus[2].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][1].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][1].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][2].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@adtech[1].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][2].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@adultfriendfinder[2].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@specificclick[2].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@a[1].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@1057043298[1].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@indexstats[2].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][2].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@whatcar[1].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@adecn[1].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@kuoni-uk[1].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@adbrite[2].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@revsci[2].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][2].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][2].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][1].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][2].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][1].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@2o7[1].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@247realmedia[2].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][1].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][2].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@socialmedia[1].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][2].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][1].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][1].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@1071783128[1].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@haymarket[1].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][1].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@thomascook-uk[1].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@roiservice[1].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][2].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@handbag[2].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@adserver[1].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@kuonigroup[1].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@tribalfusion[2].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][2].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][2].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][2].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][2].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@1072359897[1].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][2].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@1072268359[1].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@clicktorrent[1].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][1].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@cgi-bin[1].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@firstchoice[1].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][1].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@xiti[1].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][1].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][2].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][1].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@kontera[1].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][1].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@torrent-finder[2].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@plp[2].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][2].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][1].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@toplist[2].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][2].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][2].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][1].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][2].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][2].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][1].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@1071434589[2].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@partypoker[2].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@media6degrees[2].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@flythomascook[1].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][1].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][1].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@84678233[2].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@1072698340[1].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][1].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@tacoda[1].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@1067857083[1].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][1].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][2].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@1071647687[1].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@handbag[1].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][1].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@register[3].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@firstchoice[2].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@register[1].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@babyuk[1].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][2].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@questionmarket[2].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@azjmp[1].txt
C:\Documents and Settings\John Chilcott\Cookies\john [email protected][1].txt
C:\Documents and Settings\John Chilcott\Cookies\john chilcott@serving-sys[2].txt

Trojan.NewDotNet
HKU\.DEFAULT\Software\New.net
HKU\S-1-5-18\Software\New.net
HKLM\Software\New.net
HKLM\Software\New.net#Activity
HKLM\Software\New.net#InstalledPath
HKLM\Software\New.net#InstalledVersion
HKLM\Software\New.net#Tag
HKLM\Software\New.net#Prt
HKLM\Software\New.net#Source
HKLM\Software\New.net#NextUpgradeHi
HKLM\Software\New.net#NextUpgradeLo
C:\Program Files\NewDotNet
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7B305774-1957-4547-B0FA-329ABF241E1D}\RP122\A0064534.EXE

Trojan.NewDotNet-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7B305774-1957-4547-B0FA-329ABF241E1D}\RP108\A0061787.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7B305774-1957-4547-B0FA-329ABF241E1D}\RP117\A0064262.EXE

Trojan.Unclassified/Dropper
C:\SYSTEM VOLUME INFORMATION\_RESTORE{7B305774-1957-4547-B0FA-329ABF241E1D}\RP83\A0046437.EXE
#13
Gravity Gripp (Trusted Helper, Malware Removal, 1,815 posts)
furio,
Are you still experiencing the pop-ups? If so, then it seems that something is still hiding from us. Let's take another look, shall we? Also, I'm going to ask you to remove some P2P applications; while these applications may not be malware themselves, they are known to lead to malware infections.

STEP ONE
Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

BitComet 1.02
BitComet Accelerator 3.2
LimeWire 4.16.7

After that, Reboot.

STEP TWO
Please rerun Deckard's System Scanner (DSS).
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
STEP THREE
Download GMER from here:
http://www.gmer.net/gmer.zip

Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for Show All.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.

Logs to provide in your next post:
  • DSS Log
  • GMER log

Edited by Gravity Gripp, 03 July 2008 - 03:37 PM.

#14
furio (Member, Topic Starter, 16 posts)
Hi Gravity,
The extra text log didn't come up; here are the other 2.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-07-05 00:06:42
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAAAC4F20]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xAAA099AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xAAA09A41]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xAAA09958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xAAA0996C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xAAA09A55]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xAAA09A81]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xAAA09AEF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xAAA09AD9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xAAA099EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xAAA09B1B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xAAA09A2D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xAAA09930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xAAA09944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xAAA099BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xAAA09B57]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xAAA09AC3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xAAA09AAD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xAAA09A6B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xAAA09B43]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xAAA09B2F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xAAA09996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xAAA09982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xAAA09A97]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xAAA09A19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xAAA09B05]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xAAA09A00]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xAAA099D4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwYieldExecution 805040F8 7 Bytes JMP AAA099D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80577F46 5 Bytes JMP AAA099AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B0BC4 7 Bytes JMP AAA099EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B19D2 5 Bytes JMP AAA09A04 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B6F98 7 Bytes JMP AAA099C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C9EBA 5 Bytes JMP AAA09934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CA146 5 Bytes JMP AAA09948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CC904 5 Bytes JMP AAA09986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805CFBDA 7 Bytes JMP AAA09970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805CFC90 5 Bytes JMP AAA0995C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D019A 5 Bytes JMP AAA0999A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D13E4 5 Bytes JMP AAA09A1D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 8062038C 7 Bytes JMP AAA09AB1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 806206DA 5 Bytes JMP AAA09B33 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80620992 7 Bytes JMP AAA09A9B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80620C5A 7 Bytes JMP AAA09B09 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 806214A0 7 Bytes JMP AAA09AC7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80621CF8 7 Bytes JMP AAA09A6F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806222D2 5 Bytes JMP AAA09A45 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80622762 7 Bytes JMP AAA09A59 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80622932 7 Bytes JMP AAA09A85 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80622B12 7 Bytes JMP AAA09AF3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 80622D7C 7 Bytes JMP AAA09ADD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80623668 5 Bytes JMP AAA09A31 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 8062398C 7 Bytes JMP AAA09B5B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 80623EB2 5 Bytes JMP AAA09B47 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80623FCC 5 Bytes JMP AAA09B1F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[208] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Mozilla Firefox\firefox.exe[208] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Mozilla Firefox\firefox.exe[208] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Mozilla Firefox\firefox.exe[208] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Mozilla Firefox\firefox.exe[208] WS2_32.dll!send 71AB428A 5 Bytes JMP 100030E6
.text C:\Program Files\Mozilla Firefox\firefox.exe[208] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100032CC
.text C:\Program Files\Mozilla Firefox\firefox.exe[208] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 100035BC
.text C:\Program Files\McAfee\MSK\MskSrver.exe[248] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\Program Files\McAfee\MSK\MskSrver.exe[248] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\Program Files\McAfee\MSK\MskSrver.exe[248] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\McAfee\MSK\MskSrver.exe[248] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[412] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[412] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[412] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe[412] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[452] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[452] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[452] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[452] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\svchost.exe[544] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 008B0000
.text C:\WINDOWS\system32\svchost.exe[544] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 008B0F77
.text C:\WINDOWS\system32\svchost.exe[544] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 008B0F92
.text C:\WINDOWS\system32\svchost.exe[544] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 008B006C
.text C:\WINDOWS\system32\svchost.exe[544] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 008B005B
.text C:\WINDOWS\system32\svchost.exe[544] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 008B0039
.text C:\WINDOWS\system32\svchost.exe[544] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 008B0093
.text C:\WINDOWS\system32\svchost.exe[544] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 008B0F4B
.text C:\WINDOWS\system32\svchost.exe[544] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008B0F26
.text C:\WINDOWS\system32\svchost.exe[544] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008B00B5
.text C:\WINDOWS\system32\svchost.exe[544] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 008B00DA
.text C:\WINDOWS\system32\svchost.exe[544] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 008B004A
.text C:\WINDOWS\system32\svchost.exe[544] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 008B0FEF
.text C:\WINDOWS\system32\svchost.exe[544] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 008B0F5C
.text C:\WINDOWS\system32\svchost.exe[544] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 008B0FC3
.text C:\WINDOWS\system32\svchost.exe[544] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 008B0FD4
.text C:\WINDOWS\system32\svchost.exe[544] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 008B00A4
.text C:\WINDOWS\system32\svchost.exe[544] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 008A002C
.text C:\WINDOWS\system32\svchost.exe[544] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 008A0073
.text C:\WINDOWS\system32\svchost.exe[544] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 008A001B
.text C:\WINDOWS\system32\svchost.exe[544] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 008A0000
.text C:\WINDOWS\system32\svchost.exe[544] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 008A0062
.text C:\WINDOWS\system32\svchost.exe[544] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 008A0047
.text C:\WINDOWS\system32\svchost.exe[544] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 008A0FE5
.text C:\WINDOWS\system32\svchost.exe[544] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 008A0FB6
.text C:\WINDOWS\system32\svchost.exe[544] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 0088000A
.text C:\WINDOWS\system32\csrss.exe[684] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\csrss.exe[684] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\csrss.exe[684] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\csrss.exe[684] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\services.exe[752] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\services.exe[752] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\services.exe[752] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\services.exe[752] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 0007000A
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00070F92
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00070FAD
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00070FCA
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00070FDB
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00070062
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 000700CE
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 000700BD
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 0007010E
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateProcessA 7C802367 1 Byte [ E9 ]
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateProcessA + 2 7C802369 3 Bytes [ EB, 86, 83 ]
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 0007011F
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 0007007D
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00070025
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 000700A2
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00070051
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00070040
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 000700DF
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00060FC3
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00060F6B
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00060FD4
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00060F7C
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00060F8D
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 0006000A
.text C:\WINDOWS\system32\services.exe[752] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00060FA8
.text C:\WINDOWS\system32\services.exe[752] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00F7000A
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00F7007F
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00F7006E
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00F70051
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00F70F9E
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00F70FAF
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00F70F5E
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00F70F6F
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00F700ED
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00F700C8
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00F70108
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00F70036
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00F70025
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00F7009A
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00F70FCA
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00F70FEF
.text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00F700B7
.text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00F60FCD
.text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00F60054
.text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00F60FDE
.text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00F60FEF
.text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00F60FA1
.text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00F60039
.text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00F6000A
.text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00F60FB2
.text C:\WINDOWS\system32\lsass.exe[764] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00E30FEF
.text C:\WINDOWS\system32\svchost.exe[932] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\svchost.exe[932] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\svchost.exe[932] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\svchost.exe[932] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00CD0FEF
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00CD0047
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00CD002C
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00CD0F5E
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00CD0F79
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00CD0F9B
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00CD0F2D
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00CD0075
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00CD00A1
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00CD0090
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00CD0EED
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00CD0F8A
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00CD0000
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00CD0058
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00CD0FC0
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00CD0011
.text C:\WINDOWS\system32\svchost.exe[932] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00CD0F12
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00CC0FCA
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00CC0058
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00CC001B
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00CC0FEF
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00CC0047
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00CC0FAF
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00CC0000
.text C:\WINDOWS\system32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00CC0036
.text C:\WINDOWS\system32\svchost.exe[932] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00CA0FE5
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A10FEF
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A10F3C
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A10F57
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A10025
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A10014
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A10F8D
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A10067
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A10F2B
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A10EE9
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A10EFA
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00A10ECE
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00A10F72
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00A10FD4
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00A1004C
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00A10F9E
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00A10FB9
.text C:\WINDOWS\system32\svchost.exe[1000] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00A10082
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00A00FCA
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00A00FAF
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00A00FDB
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00A00011
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00A00062
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00A00047
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00A00000
.text C:\WINDOWS\system32\svchost.exe[1000] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00A00036
.text C:\WINDOWS\system32\svchost.exe[1000] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 009E0000
.text C:\WINDOWS\System32\svchost.exe[1040] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\System32\svchost.exe[1040] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\System32\svchost.exe[1040] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\System32\svchost.exe[1040] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 02CE0000
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 02CE0F83
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 02CE0078
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 02CE0067
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 02CE0F9E
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 02CE0FC0
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 02CE00A4
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 02CE0093
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 02CE00DA
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 02CE00C9
.text C:\WINDOWS\System32\svchost.exe[1040] kernel32.dll!GetProcAddress 7C80ADA0 5 B

#15
Gravity Gripp
    Trusted Helper
  • Malware Removal
furio,
It looks like there isn't a rootkit on your system so I still haven't figured out why you are still getting popups. You didn't include the DSS log that I had asked for so if you could, please attach one in your next reply.

STEP TWO
Please rerun Deckard's System Scanner (DSS).

* Close all other windows before proceeding.
* Double-click on dss.exe and follow the prompts.
* When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
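The GMER listing above is easier to judge once it is parsed: every kernel hook resolves to one vendor-described driver (mfehidk.sys), and a user-mode handler sitting at the same 1000xxxx address in several processes is consistent with one DLL mapped at the same base into each of them, whereas the 0007xxxx / 008Bxxxx handlers differ per process. The Python below is an added example, not part of this thread or of GMER; its field layout is read off the log lines above, and its sample input is a constructed handful of those lines.

```python
import re
from collections import defaultdict
# GMER 1.0.14 hook line: section, hooked location ("ntkrnlpa.exe" or
# "C:\path\proc.exe[pid] module.dll"), function (a "+ N" offset marks a
# partial patch), address, size, then "JMP target [module (vendor)]" or bytes.
HOOK_RE = re.compile(
    r"^(?P<section>\.text|PAGE)\s+(?P<where>.+?)!(?P<func>\S+(?: \+ \d+)?)\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<size>\d+)\s+Bytes?\s+(?P<rest>.*)$")
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-F]{8})(?:\s+(?P<module>\S+)(?:\s+\((?P<desc>.*)\))?)?")

def parse_hook(line, scope):
    """Turn one hook line into a dict; None for anything else."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    rec = {"scope": scope, "where": m["where"], "func": m["func"], "addr": int(m["addr"], 16),
           "size": int(m["size"]), "target": None, "module": None, "desc": None, "raw_bytes": None}
    j = JMP_RE.match(m["rest"])
    if j:  # resolved inline JMP, possibly with the owning module and its vendor string
        rec["target"] = int(j["target"], 16)
        rec["module"], rec["desc"] = j["module"], j["desc"]
    else:  # partial patch: GMER lists the replaced bytes and gives no target
        b = re.search(r"\[\s*([0-9A-F, ]+?)\s*\]", m["rest"])
        if b:
            rec["raw_bytes"] = bytes.fromhex(b.group(1).replace(",", " "))
    u = re.match(r"^(.+?)\[\d+\]", rec["where"])  # user-mode: strip "[pid] dll"
    rec["proc"] = u.group(1) if u else rec["where"]
    return rec

def parse_gmer(text):
    """Collect hook records from the kernel and user code sections."""
    scope, hooks = None, []
    for line in text.splitlines():
        s = re.match(r"^---- (Kernel|User) code sections", line)
        if s:
            scope = s.group(1).lower()
        elif scope and (h := parse_hook(line, scope)):
            hooks.append(h)
    return hooks

def triage(hooks):
    """Kernel hooks resolved to a vendor-described driver are attributed to it; unresolved
    kernel hooks and partial patches go to 'review'. User-mode handlers are bucketed by
    64 KiB region: a region shared across processes is one DLL at its preferred base."""
    attributed, review, regions = defaultdict(list), [], defaultdict(set)
    for h in hooks:
        if h["scope"] == "kernel" and h["module"] and h["desc"]:
            attributed[h["module"]].append(h["func"])
        elif h["scope"] == "kernel" or h["target"] is None:
            review.append(h)
        else:
            regions[f"{h['target'] & 0xFFFF0000:08X}"].add(h["proc"])
    return {"attributed": dict(attributed), "review": review,
            "regions": {r: sorted(p) for r, p in regions.items()},
            "shared": sorted(r for r, p in regions.items() if len(p) > 1)}

# Constructed input: lines copied from the log above, including the split CreateProcessA patch.
SAMPLE = r"""---- Kernel code sections - GMER 1.0.14 ----
PAGE ntkrnlpa.exe!NtCreateFile 80577F46 5 Bytes JMP AAA099AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C9EBA 5 Bytes JMP AAA09934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
---- User code sections - GMER 1.0.14 ----
.text C:\Program Files\Mozilla Firefox\firefox.exe[208] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\services.exe[752] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 0007010E
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateProcessA 7C802367 1 Byte [ E9 ]
.text C:\WINDOWS\system32\services.exe[752] kernel32.dll!CreateProcessA + 2 7C802369 3 Bytes [ EB, 86, 83 ]
"""

if __name__ == "__main__":
    print(triage(parse_gmer(SAMPLE)))
```

Run against the full log, the "review" list is where to spend attention: a kernel hook that GMER could not tie to a named driver, or a patch with no JMP target, is what a hidden driver would look like, while hooks attributed to the same vendor driver as the installed security suite are its own interception layer.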