
Winweb Security Issues


  • This topic is locked
24 replies to this topic

#1 Akkord29


Posted 03 December 2008 - 09:06 PM

Hi,

I had a few trojans and this seems to be the last one left. Please review.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:44:57 PM, on 12/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\AOL\1138659137\ee\AOLSoftware.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\All Users\Application Data\1596185467\524988226.exe
C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\NetMeeting\conf.exe
C:\WINDOWS\system32\rundll32.exe
c:\program files\common files\aol\1138659137\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1138659137\ee\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\WINDOWS\System32\rsvp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://windiwsfsearch.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://windiwsfsearch.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://windiwsfsearch.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: BHOws Object - {D5DF7C9D-6069-4552-8B0C-D02A912FC889} - ws.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {2EEF94DF-75F6-42E9-B7FB-AF5A170A6E2E} - (no file)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1138659137\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB002" /M "Stylus CX4600"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [hytxixoxjfn] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\xgfhyayvddiyyen.dll"
O4 - HKLM\..\Run: [524988226] "C:\Documents and Settings\All Users\Application Data\1596185467\524988226.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - HKLM\..\Policies\Explorer\Run: [VMware hptray] C:\Program Files\WebMediaViewer\hpmon.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IExplorer Security - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134102322851
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHos...ronGameHost.cab
O20 - AppInit_DLLs: karna.dat
O22 - SharedTaskScheduler: demobilisation - {dfb3c1dc-1212-4235-88fd-98539540f423} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bonjour Service (Bonjour Service) - Unknown owner - C:\Program Files\tinyproxy\tinyproxy.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 10917 bytes


#2 SifuMike

    malware expert

Posted 06 December 2008 - 10:26 PM

Hello Akkord29,


Important Note to Other Users Reading this Topic: The instructions provided in this topic below this point are for the original topic starter only. Even if you have similar problems or log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic. Feel free to link to any relevant topics as needed.


Please run HijackThis and click "Scan." Place checks next to the following entries, if present:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O4 - HKLM\..\Run: [hytxixoxjfn] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\xgfhyayvddiyyen.dll"
O4 - HKLM\..\Run: [524988226] "C:\Documents and Settings\All Users\Application Data\1596185467\524988226.exe"
O20 - AppInit_DLLs: karna.dat
O23 - Service: Bonjour Service (Bonjour Service) - Unknown owner - C:\Program Files\tinyproxy\tinyproxy.exe (file missing)


Close all browsers and other windows except for HijackThis, and click "Fix checked"



Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the code box to Notepad.
Save it to your desktop, make sure the file type is "All Files", and name it FixService.bat


@echo off
rem The service name contains a space, so it must be quoted; unquoted, sc would look for a service named "Bonjour".
sc stop "Bonjour Service"
sc delete "Bonjour Service"
exit

Double click FixService.bat.
It should now look like this icon:

(image of the batch file icon)

Now double click this file; you won't see much happen.
A window will open and close. This is normal.
A quick flash is about all.
Then you may delete the FixService.bat file we just made.



*******************************************

Please download OTMoveIt3 by OldTimer and save it to your desktop.
Double click the icon on your desktop to run it.
(Note: If you are running on Vista, right-click on the file and choose Run As Administrator).


Copy the lines in the code box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Do not include the word "Code".


:files
C:\WINDOWS\system32\xgfhyayvddiyyen.dll
C:\Documents and Settings\All Users\Application Data\1596185467\524988226.exe
C:\WINDOWS\system32\karna.dat
:commands
[emptytemp]
[Reboot]

Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



*******************************************

Reboot your computer, post a new Hijackthis log, OTMoveIt3 log, and tell me how your computer is running.

Edited by SifuMike, 06 December 2008 - 10:27 PM (typo)

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
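As an added example, not part of the original thread and not code from HijackThis, OTMoveIt3 or any other tool named above: a small Python script that encodes the triage SifuMike applied to the log, run over the lines he selected plus a few benign lines from the same log for contrast. It flags an IE proxy pointed at a loopback port, a populated AppInit_DLLs value, O2/O23 entries whose file is missing, Run keys that register a DLL through regsvr32 /s or start a numeric-named executable out of Application Data, and a service that reuses the display name of another service while having an unknown owner or a missing binary. The rule names and thresholds are the editor's own choices, not HijackThis categories.

```python
import re
from collections import Counter

# Lines copied from the HijackThis log posted earlier in this thread (a subset, not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: BHOws Object - {D5DF7C9D-6069-4552-8B0C-D02A912FC889} - ws.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [hytxixoxjfn] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\xgfhyayvddiyyen.dll"
O4 - HKLM\..\Run: [524988226] "C:\Documents and Settings\All Users\Application Data\1596185467\524988226.exe"
O20 - AppInit_DLLs: karna.dat
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bonjour Service (Bonjour Service) - Unknown owner - C:\Program Files\tinyproxy\tinyproxy.exe (file missing)
"""

# R1 ProxyServer value that routes browser traffic to a port on the local machine.
LOOPBACK_PROXY = re.compile(r"^R1 - .*ProxyServer = \S*127\.0\.0\.1:\d+")
# O4 entries: "[value name] command line".
RUN_ENTRY = re.compile(r"^O4 - .*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 entries: "display name (key name) - owner - path"; the "(key name)" part is optional.
SERVICE_ENTRY = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]*)\))? - (?P<owner>.+?) - (?P<path>.+)$"
)


def triage_log(text):
    """Return [(line, [reasons])] for every log line that trips at least one rule."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    # Pre-pass: how many O23 services share each display name (legit + impostor would both count).
    display_counts = Counter(
        m.group("display") for m in map(SERVICE_ENTRY.match, lines) if m
    )
    findings = []
    for line in lines:
        reasons = []
        if LOOPBACK_PROXY.match(line):
            reasons.append("IE proxy points at a port on this machine: browser traffic is relayed through a local process")
        if line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
            reasons.append("AppInit_DLLs is populated: that DLL is loaded into every process that links user32.dll")
        if line.startswith(("O2 ", "O23 ")) and "(file missing)" in line:
            reasons.append("entry points at a file that no longer exists (orphaned or hidden component)")
        run = RUN_ENTRY.match(line)
        if run:
            name, cmd = run.group("name"), run.group("cmd").lower()
            if "regsvr32" in cmd and " /s " in cmd:
                reasons.append("Run key silently registers a DLL through regsvr32 /s")
            if name.isdigit() and "application data" in cmd:
                reasons.append("numeric-named executable under Application Data is started at logon")
        svc = SERVICE_ENTRY.match(line)
        if svc and display_counts[svc.group("display")] > 1 and (
            svc.group("owner") == "Unknown owner" or "(file missing)" in svc.group("path")
        ):
            reasons.append(f"service reuses the display name {svc.group('display')!r} of another service")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Running it prints each flagged line with its reasons. The ProxyOverride line is not flagged on its own, because it only matters together with a hijacked ProxyServer value, which is why SifuMike removes the two as a pair. The display-name rule is what separates the tinyproxy entry from Apple's genuine Bonjour service, which carries the same name: when two services share a display name, the one with an unknown owner or a missing binary is the one to examine, and the other is left alone.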

#3 Akkord29

  • Topic Starter

Posted 07 December 2008 - 11:00 AM

Hello, attached are the updated logs. The computer is running a little better now. There is a Windows Update icon in the system tray which doesn't seem to go away even after Windows updates.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:04 AM, on 12/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\AOL\1138659137\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\NetMeeting\conf.exe
C:\WINDOWS\system32\rundll32.exe
c:\program files\common files\aol\1138659137\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1138659137\ee\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\System32\rsvp.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://windiwsfsearch.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://windiwsfsearch.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://windiwsfsearch.com
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {2EEF94DF-75F6-42E9-B7FB-AF5A170A6E2E} - (no file)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1138659137\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB002" /M "Stylus CX4600"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - HKLM\..\Policies\Explorer\Run: [VMware hptray] C:\Program Files\WebMediaViewer\hpmon.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IExplorer Security - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.expresstoolie.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134102322851
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHos...ronGameHost.cab
O22 - SharedTaskScheduler: demobilisation - {dfb3c1dc-1212-4235-88fd-98539540f423} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 10216 bytes


========== FILES ==========
File/Folder C:\WINDOWS\system32\xgfhyayvddiyyen.dll not found.
File/Folder C:\Documents and Settings\All Users\Application Data\1596185467\524988226.exe not found.
File/Folder C:\WINDOWS\system32\karna.dat not found.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\mcafee_dcT7ca4wxx7GdZK scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_AO6dWq7utQrgKwN scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_gqHvOmUZrLtonPY scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_J3YnAFR39T9XLus scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_MvlHU9nQxtz7f5d scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_740.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\WFV374.tmp scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12072008_104139

Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\mcafee_dcT7ca4wxx7GdZK not found!
File C:\WINDOWS\temp\mcmsc_AO6dWq7utQrgKwN not found!
File C:\WINDOWS\temp\mcmsc_gqHvOmUZrLtonPY not found!
File C:\WINDOWS\temp\mcmsc_J3YnAFR39T9XLus not found!
File C:\WINDOWS\temp\mcmsc_MvlHU9nQxtz7f5d not found!
File C:\WINDOWS\temp\Perflib_Perfdata_740.dat not found!
File C:\WINDOWS\temp\WFV374.tmp not found!

#4 SifuMike

    malware expert

Posted 07 December 2008 - 11:05 AM

Hi Akkord29,


Download Lop S&D
Lop S&D will only run on Windows XP and Windows Vista

Disable your antivirus and antimalware programs so they do not interfere with the running of Lop S&D.
To see how to disable security programs visit this tutorial:
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

You can enable them after the scan.

You can find detailed instructions with visuals here

Double-click Lop S&D.exe

If you are using Windows Vista, right-click on LopSD.exe icon and select 'Run as administrator' to perform this scan.

Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log which is created: (%SystemDrive%\lopR.txt)

#5 Akkord29

  • Topic Starter

Posted 07 December 2008 - 12:21 PM

--------------------\\ Lop S&D 4.2.4-9c XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3
X86-based PC ( Uniprocessor Free : AMD Athlon™ XP 2000+ )
BIOS : Award Modular BIOS v6.00PG
USER : Chiman ( Administrator )
BOOT : Normal boot
Antivirus : McAfee VirusScan (Not Activated)
Firewall : McAfee Personal Firewall (Not Activated)
A:\ (USB)
C:\ (Local Disk) - NTFS - Total:127 Go (Free:112 Go)
D:\ (CD or DVD)
E:\ (CD or DVD)

"C:\Lop SD" ( MAJ : 01-11-2008|16:30 )
Option : [1] ( Sun 12/07/2008|12:17 )

--------------------\\ Listing folders in APPLIC~1

[11/05/2007|09:57] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe
[11/19/2008|07:48] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL
[07/07/2007|09:47] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL Downloads
[07/07/2007|09:48] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL OCP
[04/21/2008|06:27] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple
[11/26/2006|05:32] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple Computer
[10/28/2008|04:19] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Comcast
[12/09/2005|12:18] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> CyberLink
[12/03/2008|08:09] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Google
[10/19/2008|09:17] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Hewlett-Packard
[10/19/2008|08:59] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> HP
[10/19/2008|08:59] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> HP Product Assistant
[10/20/2008|09:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Lavasoft
[03/26/2007|07:26] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Macrovision
[10/21/2008|08:41] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Malwarebytes
[12/02/2008|08:55] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> McAfee
[07/03/2006|11:07] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft
[01/30/2006|06:01] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> MSN6
[01/30/2006|05:12] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Pure Networks
[01/30/2006|05:13] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> QuickTime
[06/25/2006|09:59] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Sony Corporation
[10/17/2008|06:39] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> SupportSoft
[11/25/2008|07:44] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> TEMP
[10/17/2008|05:52] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Trymedia
[01/30/2006|05:12] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Viewpoint
[10/19/2008|09:18] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> WEBREG
[07/27/2006|09:56] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage
[07/08/2008|05:58] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> WLInstaller
[10/17/2008|07:02] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> yahoo!

[11/11/2008|10:45] C:\DOCUME~1\Chiman\APPLIC~1\<DIR> Adobe
[11/11/2008|08:38] C:\DOCUME~1\Chiman\APPLIC~1\<DIR> AdobeUM
[07/02/2006|05:08] C:\DOCUME~1\Chiman\APPLIC~1\<DIR> AOL
[10/19/2008|01:58] C:\DOCUME~1\Chiman\APPLIC~1\<DIR> Apple Computer
[12/29/2007|04:43] C:\DOCUME~1\Chiman\APPLIC~1\<DIR> Google
[10/20/2008|07:57] C:\DOCUME~1\Chiman\APPLIC~1\<DIR> HP
[10/19/2008|11:07] C:\DOCUME~1\Chiman\APPLIC~1\<DIR> HPAppData
[07/02/2006|05:06] C:\DOCUME~1\Chiman\APPLIC~1\<DIR> Identities
[07/02/2006|05:08] C:\DOCUME~1\Chiman\APPLIC~1\<DIR> Macromedia
[10/21/2008|08:41] C:\DOCUME~1\Chiman\APPLIC~1\<DIR> Malwarebytes
[12/07/2008|11:36] C:\DOCUME~1\Chiman\APPLIC~1\<DIR> Microsoft
[11/01/2008|06:55] C:\DOCUME~1\Chiman\APPLIC~1\<DIR> Roxio
[09/03/2006|08:56] C:\DOCUME~1\Chiman\APPLIC~1\<DIR> Sun
[09/29/2007|07:26] C:\DOCUME~1\Chiman\APPLIC~1\<DIR> Viewpoint
[10/19/2008|10:46] C:\DOCUME~1\Chiman\APPLIC~1\<DIR> Yahoo!

[12/08/2005|11:08] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft

[11/03/2006|03:30] C:\DOCUME~1\Hansa\APPLIC~1\<DIR> AOL
[11/03/2006|03:30] C:\DOCUME~1\Hansa\APPLIC~1\<DIR> Identities
[11/03/2006|03:30] C:\DOCUME~1\Hansa\APPLIC~1\<DIR> Microsoft
[11/03/2006|03:30] C:\DOCUME~1\Hansa\APPLIC~1\<DIR> Roxio

[03/28/2006|09:26] C:\DOCUME~1\Jay\APPLIC~1\<DIR> acccore
[11/05/2007|09:07] C:\DOCUME~1\Jay\APPLIC~1\<DIR> Adobe
[05/09/2006|12:58] C:\DOCUME~1\Jay\APPLIC~1\<DIR> AdobeUM
[01/30/2006|05:14] C:\DOCUME~1\Jay\APPLIC~1\<DIR> AOL
[11/26/2006|05:32] C:\DOCUME~1\Jay\APPLIC~1\<DIR> Apple Computer
[12/02/2006|07:21] C:\DOCUME~1\Jay\APPLIC~1\<DIR> ArcSoft
[10/18/2008|10:41] C:\DOCUME~1\Jay\APPLIC~1\<DIR> Chessmaster Challenge
[05/06/2007|06:06] C:\DOCUME~1\Jay\APPLIC~1\<DIR> Google
[10/19/2008|09:18] C:\DOCUME~1\Jay\APPLIC~1\<DIR> HP
[10/19/2008|09:19] C:\DOCUME~1\Jay\APPLIC~1\<DIR> HPAppData
[12/08/2005|11:15] C:\DOCUME~1\Jay\APPLIC~1\<DIR> Identities
[06/23/2006|02:01] C:\DOCUME~1\Jay\APPLIC~1\<DIR> Leadertech
[01/30/2006|05:41] C:\DOCUME~1\Jay\APPLIC~1\<DIR> Macromedia
[10/17/2008|07:00] C:\DOCUME~1\Jay\APPLIC~1\<DIR> Microsoft
[07/24/2007|06:20] C:\DOCUME~1\Jay\APPLIC~1\<DIR> MSN6
[10/11/2008|06:57] C:\DOCUME~1\Jay\APPLIC~1\<DIR> Roxio
[06/25/2006|10:05] C:\DOCUME~1\Jay\APPLIC~1\<DIR> Sony Corporation
[09/18/2006|11:11] C:\DOCUME~1\Jay\APPLIC~1\<DIR> Sun
[02/26/2007|08:46] C:\DOCUME~1\Jay\APPLIC~1\<DIR> Viewpoint
[10/19/2008|09:14] C:\DOCUME~1\Jay\APPLIC~1\<DIR> yahoo!
[01/30/2006|05:13] C:\DOCUME~1\Jay\APPLIC~1\<DIR> You've Got Pictures Screensaver

[05/07/2006|11:03] C:\DOCUME~1\Kelly\APPLIC~1\<DIR> AOL
[09/19/2008|07:46] C:\DOCUME~1\Kelly\APPLIC~1\<DIR> Google
[01/28/2006|01:52] C:\DOCUME~1\Kelly\APPLIC~1\<DIR> Identities
[10/12/2006|07:23] C:\DOCUME~1\Kelly\APPLIC~1\<DIR> Macromedia
[10/12/2006|07:28] C:\DOCUME~1\Kelly\APPLIC~1\<DIR> Microsoft
[05/07/2006|11:03] C:\DOCUME~1\Kelly\APPLIC~1\<DIR> Roxio

[12/08/2005|11:12] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft

[12/03/2008|09:37] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Adobe
[12/03/2008|10:00] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> AdobeUM
[11/26/2008|04:01] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Macromedia
[12/08/2005|11:12] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[12/02/2008 08:49 PM][--a------] C:\WINDOWS\tasks\McDefragTask.job
[12/02/2008 08:49 PM][--a------] C:\WINDOWS\tasks\McQcTask.job
[12/03/2008 10:00 PM][--a------] C:\WINDOWS\tasks\At71.job
[12/02/2008 11:00 PM][--a------] C:\WINDOWS\tasks\At72.job
[12/03/2008 09:00 PM][--a------] C:\WINDOWS\tasks\At70.job
[12/02/2008 08:12 PM][--a------] C:\WINDOWS\tasks\At68.job
[12/03/2008 08:00 PM][--a------] C:\WINDOWS\tasks\At69.job
[12/02/2008 08:12 PM][--a------] C:\WINDOWS\tasks\At67.job
[12/02/2008 08:12 PM][--a------] C:\WINDOWS\tasks\At66.job
[12/02/2008 08:12 PM][--a------] C:\WINDOWS\tasks\At65.job
[12/02/2008 08:12 PM][--a------] C:\WINDOWS\tasks\At64.job
[12/02/2008 08:12 PM][--a------] C:\WINDOWS\tasks\At63.job
[12/07/2008 12:00 PM][--a------] C:\WINDOWS\tasks\At61.job
[12/02/2008 08:12 PM][--a------] C:\WINDOWS\tasks\At62.job
[12/07/2008 11:00 AM][--a------] C:\WINDOWS\tasks\At60.job
[12/02/2008 08:12 PM][--a------] C:\WINDOWS\tasks\At59.job
[12/02/2008 08:12 PM][--a------] C:\WINDOWS\tasks\At58.job
[12/02/2008 08:12 PM][--a------] C:\WINDOWS\tasks\At56.job
[12/02/2008 08:12 PM][--a------] C:\WINDOWS\tasks\At57.job
[12/02/2008 08:12 PM][--a------] C:\WINDOWS\tasks\At55.job
[12/02/2008 08:12 PM][--a------] C:\WINDOWS\tasks\At54.job
[12/02/2008 08:12 PM][--a------] C:\WINDOWS\tasks\At53.job
[12/02/2008 08:12 PM][--a------] C:\WINDOWS\tasks\At51.job
[12/02/2008 08:12 PM][--a------] C:\WINDOWS\tasks\At52.job
[12/02/2008 08:12 PM][--a------] C:\WINDOWS\tasks\At50.job
[12/02/2008 08:12 PM][--a------] C:\WINDOWS\tasks\At49.job
[12/02/2008 11:00 PM][--a------] C:\WINDOWS\tasks\At48.job
[12/03/2008 10:00 PM][--a------] C:\WINDOWS\tasks\At47.job
[12/03/2008 08:00 PM][--a------] C:\WINDOWS\tasks\At45.job
[12/03/2008 09:00 PM][--a------] C:\WINDOWS\tasks\At46.job
[11/30/2008 11:46 AM][--a------] C:\WINDOWS\tasks\At43.job
[11/30/2008 11:46 AM][--a------] C:\WINDOWS\tasks\At44.job
[11/30/2008 11:46 AM][--a------] C:\WINDOWS\tasks\At42.job
[11/30/2008 11:46 AM][--a------] C:\WINDOWS\tasks\At41.job
[11/30/2008 11:46 AM][--a------] C:\WINDOWS\tasks\At40.job
[11/30/2008 11:46 AM][--a------] C:\WINDOWS\tasks\At39.job
[11/30/2008 11:46 AM][--a------] C:\WINDOWS\tasks\At38.job
[12/07/2008 12:00 PM][--a------] C:\WINDOWS\tasks\At37.job
[12/07/2008 11:00 AM][--a------] C:\WINDOWS\tasks\At36.job
[11/30/2008 11:46 AM][--a------] C:\WINDOWS\tasks\At35.job
[11/30/2008 11:46 AM][--a------] C:\WINDOWS\tasks\At34.job
[11/30/2008 11:46 AM][--a------] C:\WINDOWS\tasks\At33.job
[11/30/2008 11:46 AM][--a------] C:\WINDOWS\tasks\At30.job
[11/30/2008 11:46 AM][--a------] C:\WINDOWS\tasks\At32.job
[11/30/2008 11:46 AM][--a------] C:\WINDOWS\tasks\At31.job
[11/30/2008 11:46 AM][--a------] C:\WINDOWS\tasks\At29.job
[11/30/2008 11:46 AM][--a------] C:\WINDOWS\tasks\At28.job
[11/30/2008 11:46 AM][--a------] C:\WINDOWS\tasks\At27.job
[11/30/2008 11:46 AM][--a------] C:\WINDOWS\tasks\At26.job
[11/30/2008 11:46 AM][--a------] C:\WINDOWS\tasks\At25.job
[12/02/2008 11:03 PM][--a------] C:\WINDOWS\tasks\At24.job
[12/03/2008 10:00 PM][--a------] C:\WINDOWS\tasks\At23.job
[12/03/2008 09:08 PM][--a------] C:\WINDOWS\tasks\At22.job
[12/03/2008 08:03 PM][--a------] C:\WINDOWS\tasks\At21.job
[11/25/2008 07:41 PM][--a------] C:\WINDOWS\tasks\At20.job
[11/25/2008 07:41 PM][--a------] C:\WINDOWS\tasks\At18.job
[11/27/2008 06:03 PM][--a------] C:\WINDOWS\tasks\At19.job
[11/26/2008 07:35 PM][--a------] C:\WINDOWS\tasks\At17.job
[11/25/2008 07:41 PM][--a------] C:\WINDOWS\tasks\At16.job
[11/25/2008 07:41 PM][--a------] C:\WINDOWS\tasks\At15.job
[11/25/2008 07:41 PM][--a------] C:\WINDOWS\tasks\At14.job
[12/07/2008 11:00 AM][--a------] C:\WINDOWS\tasks\At12.job
[12/07/2008 12:00 PM][--a------] C:\WINDOWS\tasks\At13.job
[11/25/2008 07:41 PM][--a------] C:\WINDOWS\tasks\At11.job
[11/25/2008 07:41 PM][--a------] C:\WINDOWS\tasks\At10.job
[11/25/2008 07:41 PM][--a------] C:\WINDOWS\tasks\At9.job
[11/25/2008 07:41 PM][--a------] C:\WINDOWS\tasks\At8.job
[11/25/2008 07:41 PM][--a------] C:\WINDOWS\tasks\At6.job
[11/25/2008 07:41 PM][--a------] C:\WINDOWS\tasks\At5.job
[11/25/2008 07:41 PM][--a------] C:\WINDOWS\tasks\At7.job
[11/25/2008 07:41 PM][--a------] C:\WINDOWS\tasks\At4.job
[11/25/2008 07:41 PM][--a------] C:\WINDOWS\tasks\At3.job
[11/25/2008 07:41 PM][--a------] C:\WINDOWS\tasks\At2.job
[11/25/2008 07:41 PM][--a------] C:\WINDOWS\tasks\At1.job
[12/02/2008 08:25 PM][--a------] C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[12/07/2008 10:44 AM][--ah-----] C:\WINDOWS\tasks\SA.DAT
[08/23/2001 07:00 AM][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[03/26/2007|07:23] C:\Program Files\<DIR> Adobe
[12/09/2005|12:14] C:\Program Files\<DIR> ahead
[07/07/2007|09:48] C:\Program Files\<DIR> AIM6
[05/25/2007|11:21] C:\Program Files\<DIR> America Online 9.0
[04/29/2007|11:49] C:\Program Files\<DIR> AOD
[07/30/2006|11:15] C:\Program Files\<DIR> AOL
[04/21/2008|06:28] C:\Program Files\<DIR> Apple Software Update
[06/23/2006|01:58] C:\Program Files\<DIR> ArcSoft
[12/02/2008|10:22] C:\Program Files\<DIR> AvirTrsoftware
[04/21/2008|06:30] C:\Program Files\<DIR> Bonjour
[11/15/2008|02:24] C:\Program Files\<DIR> CCleaner
[10/17/2008|06:39] C:\Program Files\<DIR> Comcast
[12/03/2008|08:06] C:\Program Files\<DIR> Common Files
[12/08/2005|11:06] C:\Program Files\<DIR> ComPlus Applications
[12/09/2005|12:18] C:\Program Files\<DIR> CyberLink
[02/07/2007|07:46] C:\Program Files\<DIR> DVDFab Decrypter 3
[11/30/2008|08:19] C:\Program Files\<DIR> Enigma Software Group
[10/17/2008|07:18] C:\Program Files\<DIR> epson
[10/18/2008|06:10] C:\Program Files\<DIR> Fogware
[12/10/2005|11:17] C:\Program Files\<DIR> Gigabyte
[12/03/2008|08:09] C:\Program Files\<DIR> Google
[10/12/2008|11:09] C:\Program Files\<DIR> Grolier Interactive
[10/17/2008|06:51] C:\Program Files\<DIR> Hewlett-Packard
[10/19/2008|08:59] C:\Program Files\<DIR> Hp
[12/03/2008|08:14] C:\Program Files\<DIR> InstallShield Installation Information
[11/01/2008|07:46] C:\Program Files\<DIR> Internet Explorer
[04/21/2008|06:31] C:\Program Files\<DIR> iPod
[04/21/2008|06:31] C:\Program Files\<DIR> iTunes
[12/03/2008|08:24] C:\Program Files\<DIR> Java
[10/20/2008|09:37] C:\Program Files\<DIR> Lavasoft
[04/01/2008|07:43] C:\Program Files\<DIR> LimeWire
[01/28/2006|03:34] C:\Program Files\<DIR> MA311 PCI Adapter Configuration Utility
[11/15/2008|03:14] C:\Program Files\<DIR> Malwarebytes' Anti-Malware
[12/02/2008|10:51] C:\Program Files\<DIR> McAfee
[12/02/2008|08:49] C:\Program Files\<DIR> McAfee.com
[11/01/2008|07:51] C:\Program Files\<DIR> Messenger
[12/08/2005|11:20] C:\Program Files\<DIR> Microsoft ActiveSync
[12/08/2005|11:09] C:\Program Files\<DIR> microsoft frontpage
[07/27/2008|06:47] C:\Program Files\<DIR> Microsoft Office
[12/08/2005|11:20] C:\Program Files\<DIR> Microsoft.NET
[11/01/2008|07:46] C:\Program Files\<DIR> Movie Maker
[07/27/2008|06:47] C:\Program Files\<DIR> MSECache
[12/08/2005|11:05] C:\Program Files\<DIR> MSN
[12/08/2005|11:05] C:\Program Files\<DIR> MSN Gaming Zone
[01/19/2008|03:31] C:\Program Files\<DIR> MSXML 4.0
[11/01/2008|07:56] C:\Program Files\<DIR> NetMeeting
[12/08/2005|11:07] C:\Program Files\<DIR> Online Services
[11/01/2008|07:42] C:\Program Files\<DIR> Outlook Express
[01/30/2006|05:12] C:\Program Files\<DIR> Pure Networks
[04/21/2008|06:30] C:\Program Files\<DIR> QuickTime
[01/30/2006|05:13] C:\Program Files\<DIR> Real
[05/01/2006|03:06] C:\Program Files\<DIR> Roxio
[06/25/2006|10:00] C:\Program Files\<DIR> Sony
[06/25/2006|10:00] C:\Program Files\<DIR> Sony Corporation
[10/20/2008|09:28] C:\Program Files\<DIR> Spybot - Search & Destroy
[11/01/2008|06:55] C:\Program Files\<DIR> Sun
[10/17/2008|06:34] C:\Program Files\<DIR> support.com
[12/02/2008|08:48] C:\Program Files\<DIR> tinyproxy
[11/15/2008|02:02] C:\Program Files\<DIR> Trend Micro
[12/08/2005|11:14] C:\Program Files\<DIR> Uninstall Information
[01/30/2006|05:12] C:\Program Files\<DIR> Viewpoint
[10/18/2008|05:48] C:\Program Files\<DIR> Viva Media
[12/02/2008|09:32] C:\Program Files\<DIR> WebMediaViewer
[07/08/2008|05:59] C:\Program Files\<DIR> Windows Live
[11/13/2008|10:05] C:\Program Files\<DIR> Windows Media Connect 2
[11/13/2008|10:05] C:\Program Files\<DIR> Windows Media Player
[11/01/2008|07:42] C:\Program Files\<DIR> Windows NT
[12/08/2005|11:26] C:\Program Files\<DIR> WindowsUpdate
[12/08/2005|11:09] C:\Program Files\<DIR> xerox
[10/21/2008|08:26] C:\Program Files\<DIR> Yahoo!

--------------------\\ Listing Folders in C:\Program Files\Common Files

[03/26/2007|07:25] C:\Program Files\Common Files\<DIR> Adobe
[03/26/2007|07:26] C:\Program Files\Common Files\<DIR> Adobe Systems Shared
[12/20/2006|10:46] C:\Program Files\Common Files\<DIR> AOL
[01/30/2006|05:12] C:\Program Files\Common Files\<DIR> AolCoach
[01/30/2006|05:13] C:\Program Files\Common Files\<DIR> aolshare
[04/21/2008|06:27] C:\Program Files\Common Files\<DIR> Apple
[12/08/2005|11:20] C:\Program Files\Common Files\<DIR> DESIGNER
[10/19/2008|08:58] C:\Program Files\Common Files\<DIR> Hewlett-Packard
[10/19/2008|08:58] C:\Program Files\Common Files\<DIR> HP
[06/25/2006|09:58] C:\Program Files\Common Files\<DIR> InstallShield
[12/02/2008|08:50] C:\Program Files\Common Files\<DIR> McAfee
[07/27/2008|06:47] C:\Program Files\Common Files\<DIR> Microsoft Shared
[12/08/2005|11:06] C:\Program Files\Common Files\<DIR> MSSoap
[01/30/2006|05:13] C:\Program Files\Common Files\<DIR> Nullsoft
[12/08/2005|05:59] C:\Program Files\Common Files\<DIR> ODBC
[01/30/2006|05:13] C:\Program Files\Common Files\<DIR> Real
[05/01/2006|03:07] C:\Program Files\Common Files\<DIR> Roxio Shared
[02/26/2007|08:57] C:\Program Files\Common Files\<DIR> Scanner
[12/08/2005|11:06] C:\Program Files\Common Files\<DIR> Services
[06/25/2006|10:00] C:\Program Files\Common Files\<DIR> Sony Shared
[12/08/2005|05:59] C:\Program Files\Common Files\<DIR> SpeechEngines
[10/17/2008|06:34] C:\Program Files\Common Files\<DIR> SupportSoft
[11/01/2008|07:42] C:\Program Files\Common Files\<DIR> System
[07/08/2008|05:59] C:\Program Files\Common Files\<DIR> WindowsLiveInstaller
[10/20/2008|09:36] C:\Program Files\Common Files\<DIR> Wise Installation Wizard

--------------------\\ Process

( 63 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

No Lop folder found !

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 12:19:04
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

--------------------\\ Searching for other infections

C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At49.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At50.job
C:\WINDOWS\Tasks\At51.job
C:\WINDOWS\Tasks\At52.job
C:\WINDOWS\Tasks\At53.job
C:\WINDOWS\Tasks\At54.job
C:\WINDOWS\Tasks\At55.job
C:\WINDOWS\Tasks\At56.job
C:\WINDOWS\Tasks\At57.job
C:\WINDOWS\Tasks\At58.job
C:\WINDOWS\Tasks\At59.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At60.job
C:\WINDOWS\Tasks\At61.job
C:\WINDOWS\Tasks\At62.job
C:\WINDOWS\Tasks\At63.job
C:\WINDOWS\Tasks\At64.job
C:\WINDOWS\Tasks\At65.job
C:\WINDOWS\Tasks\At66.job
C:\WINDOWS\Tasks\At67.job
C:\WINDOWS\Tasks\At68.job
C:\WINDOWS\Tasks\At69.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At70.job
C:\WINDOWS\Tasks\At71.job
C:\WINDOWS\Tasks\At72.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job

--------------------\\ ROOTKIT !!

Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV.SYS]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TDSSSERV.SYS]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV.SYS]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys]

--------------------\\ KoobFace !

C:\Program Files\TinyProxy

--------------------\\ Suspect ..

C:\WINDOWS\system32\TDSSkkbi.log
C:\WINDOWS\system32\TDSSlrvd.dat
C:\WINDOWS\system32\TDSSlxwp.dll
C:\WINDOWS\system32\TDSSosvd.dat



[F:7][D:2]-> C:\DOCUME~1\Chiman\LOCALS~1\Temp
[F:25][D:0]-> C:\DOCUME~1\Chiman\Cookies
[F:203][D:4]-> C:\DOCUME~1\Chiman\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - Sun 12/07/2008|12:12 - Option : [1]
2 - "C:\Lop SD\LopR_2.txt" - Sun 12/07/2008|12:19 - Option : [1]

--------------------\\ Scan completed at 12:19:44
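The Lop SD report above flags two things a reader can check for programmatically: dozens of `At<n>.job` scheduled tasks created in tight bursts (the `At` prefix is what the `at.exe` scheduler gives its jobs, and a person does not create twenty of them in the same minute) and files and registry keys carrying the `TDSS` name. The script below is an added example, not part of the thread and not the Lop SD tool's own code; it parses a constructed sample written in the log's format (a few of the lines above, not the whole listing) and summarises those indicators. The burst threshold of three jobs per listed minute is an assumption chosen for the sample.

```python
"""Flag the indicators visible in a Lop SD style listing.

Added example, not part of the original thread and not the Lop SD tool's own
code: it parses scheduled-task lines, 'Suspect' file paths and 'ROOTKIT'
registry keys in the format of the log above and summarises what stands out.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample in the log's format (a handful of lines, not the full log).
SAMPLE_LOG = r"""
--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[12/02/2008 08:49 PM][--a------] C:\WINDOWS\tasks\McDefragTask.job
[12/02/2008 08:12 PM][--a------] C:\WINDOWS\tasks\At68.job
[12/02/2008 08:12 PM][--a------] C:\WINDOWS\tasks\At67.job
[11/30/2008 11:46 AM][--a------] C:\WINDOWS\tasks\At43.job
[11/30/2008 11:46 AM][--a------] C:\WINDOWS\tasks\At44.job
[11/30/2008 11:46 AM][--a------] C:\WINDOWS\tasks\At42.job
[12/02/2008 08:25 PM][--a------] C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[12/07/2008 10:44 AM][--ah-----] C:\WINDOWS\tasks\SA.DAT

--------------------\\ ROOTKIT !!

Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV.SYS]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys]

--------------------\\ Suspect ..

C:\WINDOWS\system32\TDSSlxwp.dll
C:\WINDOWS\system32\TDSSosvd.dat
"""

# Constructed clean listing for comparison: only vendor-named jobs.
CLEAN_LOG = r"""
[12/02/2008 08:49 PM][--a------] C:\WINDOWS\tasks\McDefragTask.job
[12/02/2008 08:25 PM][--a------] C:\WINDOWS\tasks\AppleSoftwareUpdate.job
"""

TASK_RE = re.compile(r"^\[(\d{2}/\d{2}/\d{4} \d{2}:\d{2} [AP]M)\]\[[-\w]+\] (.+\.job)$", re.I)
AT_JOB_RE = re.compile(r"^At\d+\.job$", re.I)      # names the at.exe scheduler gives its jobs
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")
REG_KEY_RE = re.compile(r"\[(HKEY_[^\]]+)\]")


def parse_tasks(log):
    """Return (timestamp, job file name) for every scheduled-task line."""
    tasks = []
    for raw in log.splitlines():
        m = TASK_RE.match(raw.strip())
        if m:
            tasks.append((m.group(1), PureWindowsPath(m.group(2)).name))
    return tasks


def analyse(log, burst_threshold=3):
    """Summarise the At*.job scheduling pattern and any TDSS-named artefacts."""
    at_jobs = [(ts, name) for ts, name in parse_tasks(log) if AT_JOB_RE.match(name)]

    # Jobs a person creates are scattered in time; jobs a program creates land in
    # bursts with identical timestamps, so group by the listed creation minute.
    per_minute = Counter(ts for ts, _ in at_jobs)
    bursts = sorted(ts for ts, n in per_minute.items() if n >= burst_threshold)

    tdss_files, tdss_keys = set(), set()
    for raw in log.splitlines():
        line = raw.strip()
        key = REG_KEY_RE.search(line)
        if key and "TDSS" in key.group(1).upper():
            tdss_keys.add(key.group(1))
        elif WIN_PATH_RE.match(line) and PureWindowsPath(line).name.upper().startswith("TDSS"):
            tdss_files.add(line)

    return {
        "at_jobs": len(at_jobs),
        "at_job_bursts": bursts,
        "tdss_files": sorted(tdss_files),
        "tdss_registry_keys": sorted(tdss_keys),
        "suspicious": bool(bursts or tdss_files or tdss_keys),
    }


if __name__ == "__main__":
    for label, log in (("sample", SAMPLE_LOG), ("clean", CLEAN_LOG)):
        print(label, analyse(log))
```

Feed it the full task listing from a report and the burst grouping does the work the eye has to do by hand above: the `11/30/2008 11:46 AM`, `11/25/2008 07:41 PM` and `12/02/2008 08:12 PM` batches separate cleanly from the vendor jobs (`McDefragTask.job`, `AppleSoftwareUpdate.job`) that sit on their own timestamps.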

#6 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 07 December 2008 - 12:49 PM

Hello Akkord29,

Important Note to Other Users Reading this Topic: The instructions provided in this topic below this point are for the original topic starter only. Even if you have similar problems or log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic. Feel free to link to any relevant topics as needed.


You are still heavily infected with a very nasty rootkit.
We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


You need to disable your McAfee Antivirus and Spybot Teatimer before running ComboFix, as they will prevent it from running.


To disable McAfee Virusscan:
Please navigate to the system tray on the bottom right hand corner and look for the McAfee icon.
  • right-click it -> choose "Exit."
  • a popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.
You successfully disabled the McAfee Guard.


To disable McAfee antivirus in McAfee Security Center

OK here goes.... Security Center itself cannot be turned off, but it is only the vessel housing all the different pieces of software.

Double-click the taskbar icon to open Security Center
Click Advanced Menu (bottom left)
Click Configure (left)
Click Computer & Files (top left)
You can disable VirusScan in the right-hand module**


**Choose "Never" from the menu presented for when you wish them to resume if the installation you are doing will involve a reboot to complete, but don't forget to re-enable them afterwards. You'll see a warning taskbar icon in any case.




Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

When following the instructions install the Windows XP Recovery Console if you are using XP. <== IMPORTANT
It is a simple procedure that will only take a few moments of your time. It is our safety net.


You DO NOT need to have the Windows CD to install Recovery Console!

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.


We need Recovery Console because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log.

Edited by SifuMike, 07 December 2008 - 12:58 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 Akkord29
  • Topic Starter

  • Members
  • 18 posts

Posted 07 December 2008 - 01:38 PM

ComboFix 08-12-06.06 - Chiman 2008-12-07 13:11:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.205 [GMT -5:00]
Running from: c:\documents and settings\Chiman\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Chiman\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Chiman\Cookies\acatazi._sy
c:\documents and settings\Chiman\Cookies\apilahutyx.bat
c:\documents and settings\Chiman\Cookies\equwite.dll
c:\documents and settings\Chiman\Cookies\kanuqug._sy
c:\documents and settings\Chiman\Cookies\mefyxy.dat
c:\documents and settings\Chiman\Cookies\odikokez.sys
c:\documents and settings\Chiman\Cookies\xebezijod.bat
c:\documents and settings\Chiman\Cookies\xobeb.vbs
c:\documents and settings\Chiman\Cookies\xybiwoxa.dat
c:\documents and settings\Jay\Local Settings\Temporary Internet Files\temp.dmf
c:\program files\TinyProxy
c:\program files\tinyproxy\tinyproxy.exe
c:\program files\webmediaviewer
c:\program files\webmediaviewer\hpmun.exe
c:\program files\webmediaviewer\myd.ico
c:\program files\webmediaviewer\mym.ico
c:\program files\webmediaviewer\myp.ico
c:\program files\webmediaviewer\myv.ico
c:\program files\webmediaviewer\ot.ico
c:\program files\webmediaviewer\ts.ico
C:\resycled
c:\resycled\boot.com
c:\windows\Downloaded Program Files\setup.inf
c:\windows\jestertb.dll
c:\windows\system32\TDSSkkbi.log
c:\windows\system32\TDSSlrvd.dat
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSosvd.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BONJOUR_SERVICE_(BONJOUR_SERVICE)_
-------\Legacy_TDSSSERV.SYS
-------\Service_Bonjour Service (Bonjour Service)
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-07 12:04 . 2008-12-07 12:19 <DIR> d-------- C:\Lop SD
2008-12-07 10:41 . 2008-12-07 10:41 <DIR> d-------- C:\_OTMoveIt
2008-12-03 22:00 . 2008-12-03 22:00 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\AdobeUM
2008-12-03 20:25 . 2008-12-03 20:25 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-03 20:25 . 2008-12-03 20:25 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-02 20:55 . 2008-12-07 13:18 10,557 --a------ c:\windows\system32\Config.MPF
2008-12-02 20:54 . 2006-03-03 08:07 143,360 --a------ c:\windows\system32\dunzip32.dll
2008-12-02 20:50 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
2008-12-02 20:50 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2008-12-02 20:50 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2008-12-02 20:50 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2008-12-02 20:50 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2008-12-02 20:50 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
2008-12-02 20:49 . 2008-12-02 20:49 <DIR> d-------- c:\program files\McAfee.com
2008-12-02 20:49 . 2008-12-02 22:51 <DIR> d-------- c:\program files\McAfee
2008-12-02 20:49 . 2008-12-02 20:50 <DIR> d-------- c:\program files\Common Files\McAfee
2008-12-02 20:37 . 2008-12-02 20:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-11-30 20:19 . 2008-11-30 20:19 <DIR> d-------- c:\program files\Enigma Software Group
2008-11-25 20:02 . 2008-11-25 20:02 27,904 --a------ c:\windows\system32\drivers\ndisprot.sys
2008-11-23 18:23 . 2008-12-02 22:22 <DIR> d-------- c:\program files\AvirTrsoftware
2008-11-23 18:22 . 2008-11-25 20:07 <DIR> d-------- c:\windows\system32\512686
2008-11-23 18:22 . 2008-04-13 19:12 26,112 --a------ c:\windows\system32\stus.exe
2008-11-15 14:24 . 2008-11-15 14:24 <DIR> d-------- c:\program files\CCleaner
2008-11-15 14:02 . 2008-11-15 14:02 <DIR> d-------- c:\program files\Trend Micro
2008-11-15 12:15 . 2008-11-15 15:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-15 12:15 . 2008-09-08 00:11 38,528 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-15 12:15 . 2008-09-08 00:11 17,200 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-13 22:05 . 2008-11-13 22:05 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-11-13 20:05 . 2008-11-13 20:05 19,711 --a------ c:\windows\foxoryb.sys
2008-11-13 20:05 . 2008-11-13 20:05 18,050 --a------ c:\windows\zope.inf
2008-11-13 20:05 . 2008-11-13 20:05 17,208 --a------ c:\windows\system32\ytagoq.com
2008-11-13 20:05 . 2008-11-13 20:05 17,195 --a------ c:\windows\system32\asic.sys
2008-11-13 20:05 . 2008-11-13 20:05 16,597 --a------ c:\windows\nyqubuzyqu.dl
2008-11-13 20:05 . 2008-11-13 20:05 16,142 --a------ c:\documents and settings\Chiman\Application Data\mahibi.reg
2008-11-13 20:05 . 2008-11-13 20:05 15,647 --a------ c:\windows\system32\kenydobef._dl
2008-11-13 20:05 . 2008-11-13 20:05 14,353 --a------ c:\documents and settings\All Users\Application Data\pekupo.dll
2008-11-13 20:05 . 2008-11-13 20:05 13,260 --a------ c:\documents and settings\Chiman\Application Data\nuvamahu.exe
2008-11-13 20:05 . 2008-11-13 20:05 12,114 --a------ c:\program files\Common Files\unemesy.dat
2008-11-13 20:05 . 2008-11-13 20:05 11,744 --a------ c:\documents and settings\All Users\Application Data\curud.reg
2008-11-13 20:05 . 2008-11-13 20:05 11,557 --a------ c:\windows\system32\ozugebec.dl
2008-11-13 20:05 . 2008-11-13 20:05 11,274 --a------ c:\program files\Common Files\azozati.bin
2008-11-13 20:05 . 2008-11-13 20:05 10,994 --a------ c:\windows\sekotyfehe.scr
2008-11-13 20:05 . 2008-11-13 20:05 10,079 --a------ c:\windows\system32\ojuhow._dl
2008-11-13 15:35 . 2008-11-13 15:54 102,172 --a------ c:\windows\system32\cont_offersfortoday-remove.exe
2008-11-11 20:38 . 2008-11-11 20:38 <DIR> d-------- c:\documents and settings\Chiman\Application Data\AdobeUM
2008-11-11 14:59 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 14:59 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-10 15:41 . 2008-11-11 10:47 <DIR> d-------- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-04 01:24 --------- d-----w c:\program files\Java
2008-12-04 01:14 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-04 01:09 --------- d-----w c:\program files\Google
2008-11-26 00:44 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-20 00:48 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-11-01 23:55 --------- d-----w c:\program files\Sun
2008-11-01 23:55 --------- d-----w c:\documents and settings\Chiman\Application Data\Roxio
2008-11-01 11:55 108,144 ----a-w c:\windows\system32\CmdLineExt.dll
2008-10-28 21:19 --------- d-----w c:\documents and settings\All Users\Application Data\Comcast
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 01:41 --------- d-----w c:\documents and settings\Chiman\Application Data\Malwarebytes
2008-10-22 01:41 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-22 01:26 --------- d-----w c:\program files\Yahoo!
2008-10-21 02:38 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-21 02:37 --------- d-----w c:\program files\Lavasoft
2008-10-21 02:36 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-21 02:28 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-21 00:57 --------- d-----w c:\documents and settings\Chiman\Application Data\HP
2008-10-19 18:58 --------- d-----w c:\documents and settings\Chiman\Application Data\Apple Computer
2008-10-19 16:07 --------- d-----w c:\documents and settings\Chiman\Application Data\HPAppData
2008-10-19 15:46 --------- d-----w c:\documents and settings\Chiman\Application Data\Yahoo!
2008-10-19 14:19 --------- d-----w c:\documents and settings\Jay\Application Data\HPAppData
2008-10-19 14:18 --------- d-----w c:\documents and settings\Jay\Application Data\HP
2008-10-19 14:18 --------- d-----w c:\documents and settings\All Users\Application Data\WEBREG
2008-10-19 14:17 --------- d-----w c:\documents and settings\All Users\Application Data\Hewlett-Packard
2008-10-19 14:14 --------- d--h--r c:\documents and settings\Jay\Application Data\yahoo!
2008-10-19 13:59 --------- d-----w c:\program files\Hp
2008-10-19 13:59 --------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant
2008-10-19 13:59 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2008-10-19 13:58 --------- d-----w c:\program files\Common Files\HP
2008-10-19 13:58 --------- d-----w c:\program files\Common Files\Hewlett-Packard
2008-10-18 23:10 --------- d-----w c:\program files\Fogware
2008-10-18 22:48 --------- d-----w c:\program files\Viva Media
2008-10-18 15:41 --------- d-----w c:\documents and settings\Jay\Application Data\Chessmaster Challenge
2008-10-17 22:52 --------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
2008-10-17 19:56 10,920 ----a-w C:\aolconnfix.exe
2008-10-17 12:18 --------- d-----w c:\program files\epson
2008-10-17 12:02 --------- d--h--r c:\documents and settings\All Users\Application Data\yahoo!
2008-10-17 11:51 --------- d-----w c:\program files\Hewlett-Packard
2008-10-17 11:39 --------- d-----w c:\program files\Comcast
2008-10-17 11:39 --------- d-----w c:\documents and settings\All Users\Application Data\SupportSoft
2008-10-17 11:34 --------- d-----w c:\program files\support.com
2008-10-17 11:34 --------- d-----w c:\program files\Common Files\SupportSoft
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-12 16:09 --------- d-----w c:\program files\Grolier Interactive
2008-10-11 23:57 --------- d-----w c:\documents and settings\Jay\Application Data\Roxio
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2006-11-26 22:30 36,808,256 ----a-w c:\program files\iTunesSetup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOL Fast Start"="c:\program files\America Online 9.0\AOL.EXE" [2005-07-12 50776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostManager"="c:\program files\Common Files\AOL\1138659137\ee\AOLSoftware.exe" [2006-09-25 50736]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 319488]
"EPSON Stylus CX4600 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE" [2004-03-04 98304]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-03 136600]
"SoundMan"="SOUNDMAN.EXE" [2002-06-18 c:\windows\SOUNDMAN.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Configuration Utility.lnk - c:\program files\MA311 PCI Adapter Configuration Utility\wlanutil.exe [2006-01-28 890368]
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1138659137\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Common Files\\AOL\\1138659137\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1138659137\\EE\\aim6.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=

S3 MA311;NETGEAR Wireless LAN Driver;c:\windows\system32\DRIVERS\ma311n51.sys [2006-01-28 54784]
S3 Ndisprot;ArcNet NDIS Protocol Driver;\??\c:\windows\system32\drivers\Ndisprot.sys [2008-11-25 27904]
S4 Idco54xpcs;Idco54xpcs;c:\windows\system32\drivers\npfs.sys [2001-08-23 30848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2008-12-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2008-11-26 c:\windows\Tasks\At1.job
- c:\windows\system32\7v0d5r3B.exe []

2008-11-26 c:\windows\Tasks\At10.job
- c:\windows\system32\7v0d5r3B.exe []

2008-11-26 c:\windows\Tasks\At11.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-07 c:\windows\Tasks\At12.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-07 c:\windows\Tasks\At13.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-07 c:\windows\Tasks\At14.job
- c:\windows\system32\7v0d5r3B.exe []

2008-11-26 c:\windows\Tasks\At15.job
- c:\windows\system32\7v0d5r3B.exe []

2008-11-26 c:\windows\Tasks\At16.job
- c:\windows\system32\7v0d5r3B.exe []

2008-11-27 c:\windows\Tasks\At17.job
- c:\windows\system32\7v0d5r3B.exe []

2008-11-26 c:\windows\Tasks\At18.job
- c:\windows\system32\7v0d5r3B.exe []

2008-11-27 c:\windows\Tasks\At19.job
- c:\windows\system32\7v0d5r3B.exe []

2008-11-26 c:\windows\Tasks\At2.job
- c:\windows\system32\7v0d5r3B.exe []

2008-11-26 c:\windows\Tasks\At20.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-04 c:\windows\Tasks\At21.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-04 c:\windows\Tasks\At22.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-04 c:\windows\Tasks\At23.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-03 c:\windows\Tasks\At24.job
- c:\windows\system32\7v0d5r3B.exe []

2008-11-30 c:\windows\Tasks\At25.job
- c:\windows\system32\7v0d5r3B.exe []

2008-11-30 c:\windows\Tasks\At26.job
- c:\windows\system32\7v0d5r3B.exe []

2008-11-30 c:\windows\Tasks\At27.job
- c:\windows\system32\7v0d5r3B.exe []

2008-11-30 c:\windows\Tasks\At28.job
- c:\windows\system32\7v0d5r3B.exe []

2008-11-30 c:\windows\Tasks\At29.job
- c:\windows\system32\7v0d5r3B.exe []

2008-11-26 c:\windows\Tasks\At3.job
- c:\windows\system32\7v0d5r3B.exe []

2008-11-30 c:\windows\Tasks\At30.job
- c:\windows\system32\7v0d5r3B.exe []

2008-11-30 c:\windows\Tasks\At31.job
- c:\windows\system32\7v0d5r3B.exe []

2008-11-30 c:\windows\Tasks\At32.job
- c:\windows\system32\7v0d5r3B.exe []

2008-11-30 c:\windows\Tasks\At33.job
- c:\windows\system32\7v0d5r3B.exe []

2008-11-30 c:\windows\Tasks\At34.job
- c:\windows\system32\7v0d5r3B.exe []

2008-11-30 c:\windows\Tasks\At35.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-07 c:\windows\Tasks\At36.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-07 c:\windows\Tasks\At37.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-07 c:\windows\Tasks\At38.job
- c:\windows\system32\7v0d5r3B.exe []

2008-11-30 c:\windows\Tasks\At39.job
- c:\windows\system32\7v0d5r3B.exe []

2008-11-26 c:\windows\Tasks\At4.job
- c:\windows\system32\7v0d5r3B.exe []

2008-11-30 c:\windows\Tasks\At40.job
- c:\windows\system32\7v0d5r3B.exe []

2008-11-30 c:\windows\Tasks\At41.job
- c:\windows\system32\7v0d5r3B.exe []

2008-11-30 c:\windows\Tasks\At42.job
- c:\windows\system32\7v0d5r3B.exe []

2008-11-30 c:\windows\Tasks\At43.job
- c:\windows\system32\7v0d5r3B.exe []

2008-11-30 c:\windows\Tasks\At44.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-04 c:\windows\Tasks\At45.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-04 c:\windows\Tasks\At46.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-04 c:\windows\Tasks\At47.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-03 c:\windows\Tasks\At48.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-03 c:\windows\Tasks\At49.job
- c:\windows\system32\7v0d5r3B.exe []

2008-11-26 c:\windows\Tasks\At5.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-03 c:\windows\Tasks\At50.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-03 c:\windows\Tasks\At51.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-03 c:\windows\Tasks\At52.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-03 c:\windows\Tasks\At53.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-03 c:\windows\Tasks\At54.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-03 c:\windows\Tasks\At55.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-03 c:\windows\Tasks\At56.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-03 c:\windows\Tasks\At57.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-03 c:\windows\Tasks\At58.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-03 c:\windows\Tasks\At59.job
- c:\windows\system32\7v0d5r3B.exe []

2008-11-26 c:\windows\Tasks\At6.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-07 c:\windows\Tasks\At60.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-07 c:\windows\Tasks\At61.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-07 c:\windows\Tasks\At62.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-03 c:\windows\Tasks\At63.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-03 c:\windows\Tasks\At64.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-03 c:\windows\Tasks\At65.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-03 c:\windows\Tasks\At66.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-03 c:\windows\Tasks\At67.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-03 c:\windows\Tasks\At68.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-04 c:\windows\Tasks\At69.job
- c:\windows\system32\7v0d5r3B.exe []

2008-11-26 c:\windows\Tasks\At7.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-04 c:\windows\Tasks\At70.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-04 c:\windows\Tasks\At71.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-03 c:\windows\Tasks\At72.job
- c:\windows\system32\7v0d5r3B.exe []

2008-11-26 c:\windows\Tasks\At8.job
- c:\windows\system32\7v0d5r3B.exe []

2008-11-26 c:\windows\Tasks\At9.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-03 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-12-03 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Explorer_Run-VMware hptray - c:\program files\WebMediaViewer\hpmon.exe
SharedTaskScheduler-{dfb3c1dc-1212-4235-88fd-98539540f423} - (no file)
MSConfigStartUp-brastk - brastk.exe



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 13:18:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(636)
c:\windows\system32\connwsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\America Online 9.0\waol.exe
c:\program files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
c:\program files\Common Files\AOL\1138659137\EE\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hp\Digital Imaging\bin\hpqste08.exe
c:\program files\Hp\Digital Imaging\bin\hpqbam08.exe
c:\program files\Hp\Digital Imaging\bin\hpqgpc01.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\program files\America Online 9.0\shellmon.exe
.
**************************************************************************
.
Completion time: 2008-12-07 13:22:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-07 18:22:02

Pre-Run: 120,531,570,688 bytes free
Post-Run: 121,662,402,560 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

435 --- E O F --- 2008-11-18 17:56:44
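The log above lists 72 At*.job tasks that all launch one executable with no file information, while the Security Center keys show the McAfee status monitoring overridden. As an added example (not part of the thread and not ComboFix code), this Python triage script parses those two sections of a ComboFix log and returns the job files, their shared target and the override keys, which is the list a helper turns into a CFScript. The log excerpt inside it is a constructed sample in the same format; it assumes the section ends at the lone "." ComboFix prints and reads empty brackets as "no date/size reported for the target".

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the ComboFix log format above (only a few of the At*.job entries).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

.
Contents of the 'Scheduled Tasks' folder

2008-12-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2008-11-26 c:\windows\Tasks\At1.job
- c:\windows\system32\7v0d5r3B.exe []

2008-11-26 c:\windows\Tasks\At10.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-07 c:\windows\Tasks\At12.job
- c:\windows\system32\7v0d5r3B.exe []

2008-12-03 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -
"""

TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>.+\.job)$")
TARGET_RE = re.compile(r"^- (?P<target>.+?) \[(?P<info>.*)\]$")
SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')
AT_JOB_RE = re.compile(r"\\At\d+\.job$", re.IGNORECASE)  # at.exe names its tasks AtN.job


def parse_tasks(log):
    """Return (job_path, target, info) tuples from the 'Scheduled Tasks' section."""
    tasks, current, in_section = [], None, False
    for line in log.splitlines():
        line = line.rstrip()
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            in_section = True
            continue
        if not in_section:
            continue
        if line == ".":  # assumption: ComboFix closes the section with a lone dot
            break
        m = TASK_RE.match(line)
        if m:
            current = m.group("job")
            continue
        m = TARGET_RE.match(line)
        if m and current:
            tasks.append((current, m.group("target"), m.group("info")))
            current = None
    return tasks


def parse_security_center(log):
    """Return {(registry_key, value_name): int} for dword values under Security Center keys."""
    values, section = {}, None
    for line in log.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            section = m.group("key")
            continue
        m = VALUE_RE.match(line.strip())
        if m and section and "security center" in section.lower():
            values[(section, m.group("name"))] = int(m.group("val"), 16)
    return values


def triage(log, min_shared=3):
    """Flag persistence and AV-tampering indicators visible in a ComboFix log.

    A target is suspicious when at least `min_shared` tasks point at it, or when
    every task pointing at it is an AtN.job whose target has no date/size info.
    Security Center values set to 1 (AntiVirusOverride, DisableMonitoring) are
    reported because they hide a disabled or tampered AV from the user.
    """
    by_target = defaultdict(list)
    for job, target, info in parse_tasks(log):
        by_target[target].append((job, info))
    jobs, targets = [], []
    for target, entries in by_target.items():
        no_info = all(info == "" for _, info in entries)
        at_named = all(AT_JOB_RE.search(job) for job, _ in entries)
        if len(entries) >= min_shared or (no_info and at_named):
            targets.append(target)
            jobs.extend(job for job, _ in entries)
    overrides = sorted(
        f"{section}\\{name}"
        for (section, name), val in parse_security_center(log).items()
        if name in ("AntiVirusOverride", "DisableMonitoring") and val == 1
    )
    return {"jobs": sorted(jobs), "targets": sorted(targets),
            "security_center_overrides": overrides}


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key)
        for item in items:
            print("   ", item)
```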

#8 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 07 December 2008 - 02:47 PM

Hello Akkord29,

You deserve the prize for the most infected computer today. LOL



Close/disable all McAfee anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/



Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
c:\windows\system32\stus.exe
c:\windows\foxoryb.sys
c:\windows\nyqubuzyqu.dl
c:\windows\system32\ytagoq.com
c:\windows\system32\asic.sys
c:\documents and settings\Chiman\Application Data\mahibi.reg
c:\windows\system32\kenydobef._dl
c:\documents and settings\All Users\Application Data\pekupo.dll
c:\documents and settings\Chiman\Application Data\nuvamahu.exe
c:\windows\system32\drivers\Ndisprot.sys
c:\windows\system32\7v0d5r3B.exe
c:\windows\system32\cont_offersfortoday-remove.exe
c:\windows\system32\ojuhow._dl
c:\windows\sekotyfehe.scr
c:\windows\system32\ozugebec.dl
c:\documents and settings\All Users\Application Data\curud.reg
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At49.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At50.job
c:\windows\Tasks\At51.job
c:\windows\Tasks\At52.job
c:\windows\Tasks\At53.job
c:\windows\Tasks\At54.job
c:\windows\Tasks\At55.job
c:\windows\Tasks\At56.job
c:\windows\Tasks\At57.job
c:\windows\Tasks\At58.job
c:\windows\Tasks\At59.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At60.job
c:\windows\Tasks\At61.job
c:\windows\Tasks\At62.job
c:\windows\system32\7v0d5r3B.exe []
c:\windows\Tasks\At63.job
c:\windows\Tasks\At64.job
c:\windows\Tasks\At65.job
c:\windows\Tasks\At66.job
c:\windows\Tasks\At67.job
c:\windows\Tasks\At68.job
c:\windows\Tasks\At69.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At70.job
c:\windows\Tasks\At71.job
c:\windows\Tasks\At72.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
Registry:: 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
Driver:: 
Ndisprot


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging CFScript.txt onto ComboFix.exe]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 Akkord29

  • Topic Starter
  • Members
  • 18 posts

Posted 07 December 2008 - 03:17 PM

Haha, at least I win something. Wish it could have been the lotto instead. We didn't really use this computer before and we gave it to my dad to use. He just got Comcast internet service and started having issues. Although if there were issues previously I probably just overlooked them. Thanks for your ongoing assistance.

ComboFix 08-12-06.06 - Chiman 2008-12-07 14:59:53.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.236 [GMT -5:00]
Running from: c:\documents and settings\Chiman\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Chiman\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\documents and settings\All Users\Application Data\curud.reg
c:\documents and settings\All Users\Application Data\pekupo.dll
c:\documents and settings\Chiman\Application Data\mahibi.reg
c:\documents and settings\Chiman\Application Data\nuvamahu.exe
c:\windows\foxoryb.sys
c:\windows\nyqubuzyqu.dl
c:\windows\sekotyfehe.scr
c:\windows\system32\7v0d5r3B.exe
c:\windows\system32\7v0d5r3B.exe []
c:\windows\system32\asic.sys
c:\windows\system32\cont_offersfortoday-remove.exe
c:\windows\system32\drivers\Ndisprot.sys
c:\windows\system32\kenydobef._dl
c:\windows\system32\ojuhow._dl
c:\windows\system32\ozugebec.dl
c:\windows\system32\stus.exe
c:\windows\system32\ytagoq.com
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At49.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At50.job
c:\windows\Tasks\At51.job
c:\windows\Tasks\At52.job
c:\windows\Tasks\At53.job
c:\windows\Tasks\At54.job
c:\windows\Tasks\At55.job
c:\windows\Tasks\At56.job
c:\windows\Tasks\At57.job
c:\windows\Tasks\At58.job
c:\windows\Tasks\At59.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At60.job
c:\windows\Tasks\At61.job
c:\windows\Tasks\At62.job
c:\windows\Tasks\At63.job
c:\windows\Tasks\At64.job
c:\windows\Tasks\At65.job
c:\windows\Tasks\At66.job
c:\windows\Tasks\At67.job
c:\windows\Tasks\At68.job
c:\windows\Tasks\At69.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At70.job
c:\windows\Tasks\At71.job
c:\windows\Tasks\At72.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\curud.reg
c:\documents and settings\All Users\Application Data\pekupo.dll
c:\documents and settings\Chiman\Application Data\mahibi.reg
c:\documents and settings\Chiman\Application Data\nuvamahu.exe
c:\windows\foxoryb.sys
c:\windows\nyqubuzyqu.dl
c:\windows\sekotyfehe.scr
c:\windows\system32\asic.sys
c:\windows\system32\cont_offersfortoday-remove.exe
c:\windows\system32\drivers\Ndisprot.sys
c:\windows\system32\kenydobef._dl
c:\windows\system32\ojuhow._dl
c:\windows\system32\ozugebec.dl
c:\windows\system32\stus.exe
c:\windows\system32\ytagoq.com
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At49.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At50.job
c:\windows\Tasks\At51.job
c:\windows\Tasks\At52.job
c:\windows\Tasks\At53.job
c:\windows\Tasks\At54.job
c:\windows\Tasks\At55.job
c:\windows\Tasks\At56.job
c:\windows\Tasks\At57.job
c:\windows\Tasks\At58.job
c:\windows\Tasks\At59.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At60.job
c:\windows\Tasks\At61.job
c:\windows\Tasks\At62.job
c:\windows\Tasks\At63.job
c:\windows\Tasks\At64.job
c:\windows\Tasks\At65.job
c:\windows\Tasks\At66.job
c:\windows\Tasks\At67.job
c:\windows\Tasks\At68.job
c:\windows\Tasks\At69.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At70.job
c:\windows\Tasks\At71.job
c:\windows\Tasks\At72.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NDISPROT
-------\Service_Ndisprot


((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-07 12:04 . 2008-12-07 12:19 <DIR> d-------- C:\Lop SD
2008-12-07 10:41 . 2008-12-07 10:41 <DIR> d-------- C:\_OTMoveIt
2008-12-03 22:00 . 2008-12-03 22:00 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\AdobeUM
2008-12-03 20:25 . 2008-12-03 20:25 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-03 20:25 . 2008-12-03 20:25 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-02 20:55 . 2008-12-07 15:02 10,557 --a------ c:\windows\system32\Config.MPF
2008-12-02 20:54 . 2006-03-03 08:07 143,360 --a------ c:\windows\system32\dunzip32.dll
2008-12-02 20:50 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
2008-12-02 20:50 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2008-12-02 20:50 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2008-12-02 20:50 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2008-12-02 20:50 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2008-12-02 20:50 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
2008-12-02 20:49 . 2008-12-02 20:49 <DIR> d-------- c:\program files\McAfee.com
2008-12-02 20:49 . 2008-12-02 22:51 <DIR> d-------- c:\program files\McAfee
2008-12-02 20:49 . 2008-12-02 20:50 <DIR> d-------- c:\program files\Common Files\McAfee
2008-12-02 20:37 . 2008-12-02 20:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-11-30 20:19 . 2008-11-30 20:19 <DIR> d-------- c:\program files\Enigma Software Group
2008-11-23 18:23 . 2008-12-02 22:22 <DIR> d-------- c:\program files\AvirTrsoftware
2008-11-23 18:22 . 2008-11-25 20:07 <DIR> d-------- c:\windows\system32\512686
2008-11-15 14:24 . 2008-11-15 14:24 <DIR> d-------- c:\program files\CCleaner
2008-11-15 14:02 . 2008-11-15 14:02 <DIR> d-------- c:\program files\Trend Micro
2008-11-15 12:15 . 2008-11-15 15:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-15 12:15 . 2008-09-08 00:11 38,528 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-15 12:15 . 2008-09-08 00:11 17,200 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-13 22:05 . 2008-11-13 22:05 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-11-13 20:05 . 2008-11-13 20:05 18,050 --a------ c:\windows\zope.inf
2008-11-13 20:05 . 2008-11-13 20:05 12,114 --a------ c:\program files\Common Files\unemesy.dat
2008-11-13 20:05 . 2008-11-13 20:05 11,274 --a------ c:\program files\Common Files\azozati.bin
2008-11-11 20:38 . 2008-11-11 20:38 <DIR> d-------- c:\documents and settings\Chiman\Application Data\AdobeUM
2008-11-11 14:59 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 14:59 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-10 15:41 . 2008-11-11 10:47 <DIR> d-------- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-04 01:24 --------- d-----w c:\program files\Java
2008-12-04 01:14 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-04 01:09 --------- d-----w c:\program files\Google
2008-11-26 00:44 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-20 00:48 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-11-01 23:55 --------- d-----w c:\program files\Sun
2008-11-01 23:55 --------- d-----w c:\documents and settings\Chiman\Application Data\Roxio
2008-10-28 21:19 --------- d-----w c:\documents and settings\All Users\Application Data\Comcast
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 01:41 --------- d-----w c:\documents and settings\Chiman\Application Data\Malwarebytes
2008-10-22 01:41 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-22 01:26 --------- d-----w c:\program files\Yahoo!
2008-10-21 02:38 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-21 02:37 --------- d-----w c:\program files\Lavasoft
2008-10-21 02:36 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-21 02:28 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-21 00:57 --------- d-----w c:\documents and settings\Chiman\Application Data\HP
2008-10-19 18:58 --------- d-----w c:\documents and settings\Chiman\Application Data\Apple Computer
2008-10-19 18:48 19,908 ----a-w c:\program files\Common Files\ofecotokek.vbs
2008-10-19 18:48 18,733 ----a-w c:\windows\kekiz.vbs
2008-10-19 18:48 18,533 ----a-w c:\windows\jihytufiq.bin
2008-10-19 18:48 18,249 ----a-w c:\documents and settings\Chiman\Application Data\adewocuk.dat
2008-10-19 18:48 16,072 ----a-w c:\program files\Common Files\obimady.sys
2008-10-19 18:48 15,404 ----a-w c:\windows\edixyqolud.sys
2008-10-19 18:48 14,988 ----a-w c:\windows\edijuqedi.vbs
2008-10-19 18:48 14,077 ----a-w c:\documents and settings\All Users\Application Data\ezyhyweze.sys
2008-10-19 18:48 13,651 ----a-w c:\documents and settings\All Users\Application Data\ucic.bat
2008-10-19 18:48 13,327 ----a-w c:\documents and settings\All Users\Application Data\yzynek.dat
2008-10-19 16:07 --------- d-----w c:\documents and settings\Chiman\Application Data\HPAppData
2008-10-19 15:46 --------- d-----w c:\documents and settings\Chiman\Application Data\Yahoo!
2008-10-19 14:19 --------- d-----w c:\documents and settings\Jay\Application Data\HPAppData
2008-10-19 14:18 --------- d-----w c:\documents and settings\Jay\Application Data\HP
2008-10-19 14:18 --------- d-----w c:\documents and settings\All Users\Application Data\WEBREG
2008-10-19 14:17 --------- d-----w c:\documents and settings\All Users\Application Data\Hewlett-Packard
2008-10-19 14:14 --------- d--h--r c:\documents and settings\Jay\Application Data\yahoo!
2008-10-19 13:59 --------- d-----w c:\program files\Hp
2008-10-19 13:59 --------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant
2008-10-19 13:59 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2008-10-19 13:58 --------- d-----w c:\program files\Common Files\HP
2008-10-19 13:58 --------- d-----w c:\program files\Common Files\Hewlett-Packard
2008-10-18 23:10 --------- d-----w c:\program files\Fogware
2008-10-18 22:48 --------- d-----w c:\program files\Viva Media
2008-10-18 15:41 --------- d-----w c:\documents and settings\Jay\Application Data\Chessmaster Challenge
2008-10-17 22:52 --------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
2008-10-17 19:56 10,920 ----a-w C:\aolconnfix.exe
2008-10-17 12:18 --------- d-----w c:\program files\epson
2008-10-17 12:02 --------- d--h--r c:\documents and settings\All Users\Application Data\yahoo!
2008-10-17 11:51 --------- d-----w c:\program files\Hewlett-Packard
2008-10-17 11:39 --------- d-----w c:\program files\Comcast
2008-10-17 11:39 --------- d-----w c:\documents and settings\All Users\Application Data\SupportSoft
2008-10-17 11:34 --------- d-----w c:\program files\support.com
2008-10-17 11:34 --------- d-----w c:\program files\Common Files\SupportSoft
2008-10-12 16:09 --------- d-----w c:\program files\Grolier Interactive
2008-10-11 23:57 --------- d-----w c:\documents and settings\Jay\Application Data\Roxio
2006-11-26 22:30 36,808,256 ----a-w c:\program files\iTunesSetup.exe
.

((((((((((((((((((((((((((((( snapshot@2008-12-07_13.21.15.87 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-07 20:04:16 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_690.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOL Fast Start"="c:\program files\America Online 9.0\AOL.EXE" [2005-07-12 50776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostManager"="c:\program files\Common Files\AOL\1138659137\ee\AOLSoftware.exe" [2006-09-25 50736]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 319488]
"EPSON Stylus CX4600 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE" [2004-03-04 98304]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-03 136600]
"SoundMan"="SOUNDMAN.EXE" [2002-06-18 c:\windows\SOUNDMAN.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Configuration Utility.lnk - c:\program files\MA311 PCI Adapter Configuration Utility\wlanutil.exe [2006-01-28 890368]
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1138659137\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Common Files\\AOL\\1138659137\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1138659137\\EE\\aim6.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=

S3 MA311;NETGEAR Wireless LAN Driver;c:\windows\system32\DRIVERS\ma311n51.sys [2006-01-28 54784]
S4 Idco54xpcs;Idco54xpcs;c:\windows\system32\drivers\npfs.sys [2001-08-23 30848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2008-12-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2008-12-03 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-12-03 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 15:04:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(636)
c:\windows\system32\connwsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\America Online 9.0\waol.exe
c:\program files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
c:\program files\Common Files\AOL\1138659137\EE\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\America Online 9.0\shellmon.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hp\Digital Imaging\bin\hpqste08.exe
c:\program files\Hp\Digital Imaging\bin\hpqbam08.exe
c:\program files\Hp\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2008-12-07 15:08:08 - machine was rebooted [Chiman]
ComboFix-quarantined-files.txt 2008-12-07 20:07:58
ComboFix2.txt 2008-12-07 18:22:12

Pre-Run: 121,871,716,352 bytes free
Post-Run: 121,863,049,216 bytes free

406 --- E O F --- 2008-11-18 17:56:44


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:14:06 PM, on 12/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\AOL\1138659137\ee\AOLSoftware.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
c:\program files\common files\aol\1138659137\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
c:\program files\common files\aol\1138659137\ee\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\America Online 9.0\shellmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINDOWS\explorer.exe
C:\Program Files\NetMeeting\conf.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\rsvp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://windiwsfsearch.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://windiwsfsearch.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1138659137\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB002" /M "Stylus CX4600"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134102322851
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHos...ronGameHost.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 9254 bytes

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:27 AM

Posted 07 December 2008 - 03:27 PM

Hi Akkord29,

Close/disable all McAfee anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/



Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
c:\program files\Common Files\ofecotokek.vbs
c:\windows\kekiz.vbs
c:\windows\jihytufiq.bin
c:\documents and settings\Chiman\Application Data\adewocuk.dat
c:\program files\Common Files\obimady.sys
c:\windows\edixyqolud.sys
c:\windows\edijuqedi.vbs
c:\documents and settings\All Users\Application Data\ezyhyweze.sys
c:\documents and settings\All Users\Application Data\ucic.bat
c:\documents and settings\All Users\Application Data\yzynek.dat


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
If I've saved you time & money, please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
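An added check, not part of SifuMike's post or of ComboFix itself: a Python script that reads the File:: list from a CFScript and confirms each path appears under the "Other Deletions" banner of the ComboFix log produced by that run, so a helper can see at a glance which requested files were actually removed. The section-banner format and the sample CFScript and log text are taken from this thread; the case where a path was not removed is constructed in the test.

```python
"""Added example (not from this thread or from ComboFix): cross-check a
CFScript 'File::' list against the 'Other Deletions' section of the
ComboFix log it produced, so a helper can see at a glance which of the
requested files were actually removed and which were not.
"""
import re

# ComboFix marks each log section with a banner of parentheses, e.g.
# "(((((( Other Deletions ))))))"; capture the name between them.
SECTION_BANNER = re.compile(r"^\(+\s*(.*?)\s*\)+\s*$")


def parse_cfscript_files(cfscript_text):
    """Return the paths listed under the 'File::' directive of a CFScript.

    Any other directive (Folder::, Registry::, ...) ends the File:: block;
    only the File:: block is collected here.
    """
    paths, in_file_block = [], False
    for raw in cfscript_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            in_file_block = line.lower() == "file::"
            continue
        if in_file_block:
            paths.append(line)
    return paths


def parse_combofix_sections(log_text):
    """Split a ComboFix log into {section name: [non-empty content lines]}.

    Lines before the first banner and the '.' spacer lines are dropped.
    """
    sections, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        match = SECTION_BANNER.match(line)
        if match:
            current = match.group(1)
            sections[current] = []
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def verify_deletions(cfscript_text, log_text):
    """Return (deleted, missing): requested paths that do / do not appear
    under 'Other Deletions'. Windows paths are case-insensitive, so the
    comparison is done on lower-cased strings."""
    requested = parse_cfscript_files(cfscript_text)
    sections = parse_combofix_sections(log_text)
    deleted_set = {p.lower() for p in sections.get("Other Deletions", [])}
    deleted = [p for p in requested if p.lower() in deleted_set]
    missing = [p for p in requested if p.lower() not in deleted_set]
    return deleted, missing


# Sample input: the CFScript from this thread and a trimmed copy of the
# ComboFix log posted in reply (section banners kept verbatim).
SAMPLE_CFSCRIPT = r"""
File::
c:\program files\Common Files\ofecotokek.vbs
c:\windows\kekiz.vbs
c:\windows\jihytufiq.bin
c:\documents and settings\Chiman\Application Data\adewocuk.dat
c:\program files\Common Files\obimady.sys
c:\windows\edixyqolud.sys
c:\windows\edijuqedi.vbs
c:\documents and settings\All Users\Application Data\ezyhyweze.sys
c:\documents and settings\All Users\Application Data\ucic.bat
c:\documents and settings\All Users\Application Data\yzynek.dat
"""

SAMPLE_LOG = r"""
ComboFix 08-12-06.06 - Chiman 2008-12-07 15:34:40.3 - NTFSx86
Command switches used :: c:\documents and settings\Chiman\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\ezyhyweze.sys
c:\documents and settings\All Users\Application Data\ucic.bat
c:\documents and settings\All Users\Application Data\yzynek.dat
c:\documents and settings\Chiman\Application Data\adewocuk.dat
c:\program files\Common Files\obimady.sys
c:\program files\Common Files\ofecotokek.vbs
c:\windows\edijuqedi.vbs
c:\windows\edixyqolud.sys
c:\windows\jihytufiq.bin
c:\windows\kekiz.vbs

.
((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.
2008-12-07 12:04 . 2008-12-07 12:19 <DIR> d-------- C:\Lop SD
"""

if __name__ == "__main__":
    deleted, missing = verify_deletions(SAMPLE_CFSCRIPT, SAMPLE_LOG)
    print(f"{len(deleted)} of {len(deleted) + len(missing)} requested files removed")
    for path in missing:
        print("NOT removed:", path)
```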

#11 Akkord29

Akkord29
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:04:27 AM

Posted 07 December 2008 - 03:43 PM

ComboFix 08-12-06.06 - Chiman 2008-12-07 15:34:40.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.244 [GMT -5:00]
Running from: c:\documents and settings\Chiman\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Chiman\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\documents and settings\All Users\Application Data\ezyhyweze.sys
c:\documents and settings\All Users\Application Data\ucic.bat
c:\documents and settings\All Users\Application Data\yzynek.dat
c:\documents and settings\Chiman\Application Data\adewocuk.dat
c:\program files\Common Files\obimady.sys
c:\program files\Common Files\ofecotokek.vbs
c:\windows\edijuqedi.vbs
c:\windows\edixyqolud.sys
c:\windows\jihytufiq.bin
c:\windows\kekiz.vbs
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\ezyhyweze.sys
c:\documents and settings\All Users\Application Data\ucic.bat
c:\documents and settings\All Users\Application Data\yzynek.dat
c:\documents and settings\Chiman\Application Data\adewocuk.dat
c:\program files\Common Files\obimady.sys
c:\program files\Common Files\ofecotokek.vbs
c:\windows\edijuqedi.vbs
c:\windows\edixyqolud.sys
c:\windows\jihytufiq.bin
c:\windows\kekiz.vbs

.
((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-07 12:04 . 2008-12-07 12:19 <DIR> d-------- C:\Lop SD
2008-12-07 10:41 . 2008-12-07 10:41 <DIR> d-------- C:\_OTMoveIt
2008-12-03 22:00 . 2008-12-03 22:00 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\AdobeUM
2008-12-03 20:25 . 2008-12-03 20:25 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-03 20:25 . 2008-12-03 20:25 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-02 20:55 . 2008-12-07 15:32 10,557 --a------ c:\windows\system32\Config.MPF
2008-12-02 20:54 . 2006-03-03 08:07 143,360 --a------ c:\windows\system32\dunzip32.dll
2008-12-02 20:50 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
2008-12-02 20:50 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2008-12-02 20:50 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2008-12-02 20:50 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2008-12-02 20:50 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2008-12-02 20:50 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
2008-12-02 20:49 . 2008-12-02 20:49 <DIR> d-------- c:\program files\McAfee.com
2008-12-02 20:49 . 2008-12-02 22:51 <DIR> d-------- c:\program files\McAfee
2008-12-02 20:49 . 2008-12-02 20:50 <DIR> d-------- c:\program files\Common Files\McAfee
2008-12-02 20:37 . 2008-12-02 20:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-11-30 20:19 . 2008-11-30 20:19 <DIR> d-------- c:\program files\Enigma Software Group
2008-11-23 18:23 . 2008-12-02 22:22 <DIR> d-------- c:\program files\AvirTrsoftware
2008-11-23 18:22 . 2008-11-25 20:07 <DIR> d-------- c:\windows\system32\512686
2008-11-15 14:24 . 2008-11-15 14:24 <DIR> d-------- c:\program files\CCleaner
2008-11-15 14:02 . 2008-11-15 14:02 <DIR> d-------- c:\program files\Trend Micro
2008-11-15 12:15 . 2008-11-15 15:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-15 12:15 . 2008-09-08 00:11 38,528 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-15 12:15 . 2008-09-08 00:11 17,200 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-13 22:05 . 2008-11-13 22:05 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-11-13 20:05 . 2008-11-13 20:05 18,050 --a------ c:\windows\zope.inf
2008-11-13 20:05 . 2008-11-13 20:05 12,114 --a------ c:\program files\Common Files\unemesy.dat
2008-11-13 20:05 . 2008-11-13 20:05 11,274 --a------ c:\program files\Common Files\azozati.bin
2008-11-11 20:38 . 2008-11-11 20:38 <DIR> d-------- c:\documents and settings\Chiman\Application Data\AdobeUM
2008-11-11 14:59 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 14:59 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-10 15:41 . 2008-11-11 10:47 <DIR> d-------- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-04 01:24 --------- d-----w c:\program files\Java
2008-12-04 01:14 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-04 01:09 --------- d-----w c:\program files\Google
2008-11-26 00:44 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-20 00:48 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-11-01 23:55 --------- d-----w c:\program files\Sun
2008-11-01 23:55 --------- d-----w c:\documents and settings\Chiman\Application Data\Roxio
2008-11-01 11:55 108,144 ----a-w c:\windows\system32\CmdLineExt.dll
2008-10-28 21:19 --------- d-----w c:\documents and settings\All Users\Application Data\Comcast
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 01:41 --------- d-----w c:\documents and settings\Chiman\Application Data\Malwarebytes
2008-10-22 01:41 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-22 01:26 --------- d-----w c:\program files\Yahoo!
2008-10-21 02:38 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-21 02:37 --------- d-----w c:\program files\Lavasoft
2008-10-21 02:36 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-21 02:28 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-21 00:57 --------- d-----w c:\documents and settings\Chiman\Application Data\HP
2008-10-19 18:58 --------- d-----w c:\documents and settings\Chiman\Application Data\Apple Computer
2008-10-19 18:48 17,316 ----a-w c:\windows\system32\jikobitiq.bat
2008-10-19 18:48 12,834 ----a-w c:\windows\system32\sebytykuma.com
2008-10-19 18:48 11,275 ----a-w c:\windows\system32\xiguqecidy.bin
2008-10-19 16:07 --------- d-----w c:\documents and settings\Chiman\Application Data\HPAppData
2008-10-19 15:46 --------- d-----w c:\documents and settings\Chiman\Application Data\Yahoo!
2008-10-19 14:19 --------- d-----w c:\documents and settings\Jay\Application Data\HPAppData
2008-10-19 14:18 --------- d-----w c:\documents and settings\Jay\Application Data\HP
2008-10-19 14:18 --------- d-----w c:\documents and settings\All Users\Application Data\WEBREG
2008-10-19 14:17 --------- d-----w c:\documents and settings\All Users\Application Data\Hewlett-Packard
2008-10-19 14:14 --------- d--h--r c:\documents and settings\Jay\Application Data\yahoo!
2008-10-19 13:59 --------- d-----w c:\program files\Hp
2008-10-19 13:59 --------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant
2008-10-19 13:59 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2008-10-19 13:58 --------- d-----w c:\program files\Common Files\HP
2008-10-19 13:58 --------- d-----w c:\program files\Common Files\Hewlett-Packard
2008-10-18 23:10 --------- d-----w c:\program files\Fogware
2008-10-18 22:48 --------- d-----w c:\program files\Viva Media
2008-10-18 15:41 --------- d-----w c:\documents and settings\Jay\Application Data\Chessmaster Challenge
2008-10-17 22:52 --------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
2008-10-17 19:56 10,920 ----a-w C:\aolconnfix.exe
2008-10-17 12:18 --------- d-----w c:\program files\epson
2008-10-17 12:02 --------- d--h--r c:\documents and settings\All Users\Application Data\yahoo!
2008-10-17 11:51 --------- d-----w c:\program files\Hewlett-Packard
2008-10-17 11:39 --------- d-----w c:\program files\Comcast
2008-10-17 11:39 --------- d-----w c:\documents and settings\All Users\Application Data\SupportSoft
2008-10-17 11:34 --------- d-----w c:\program files\support.com
2008-10-17 11:34 --------- d-----w c:\program files\Common Files\SupportSoft
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-12 16:09 --------- d-----w c:\program files\Grolier Interactive
2008-10-11 23:57 --------- d-----w c:\documents and settings\Jay\Application Data\Roxio
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2006-11-26 22:30 36,808,256 ----a-w c:\program files\iTunesSetup.exe
.

((((((((((((((((((((((((((((( snapshot@2008-12-07_13.21.15.87 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-07 15:28:16 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-07 20:19:53 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-07 15:28:16 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-07 20:19:53 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-12-07 15:28:16 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-07 20:19:53 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-07 20:26:32 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4a4.dat
+ 2008-12-07 20:04:16 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_690.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOL Fast Start"="c:\program files\America Online 9.0\AOL.EXE" [2005-07-12 50776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostManager"="c:\program files\Common Files\AOL\1138659137\ee\AOLSoftware.exe" [2006-09-25 50736]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 319488]
"EPSON Stylus CX4600 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE" [2004-03-04 98304]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-03 136600]
"SoundMan"="SOUNDMAN.EXE" [2002-06-18 c:\windows\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"!CleanupNetMeetingDispDriver"="msconf.dll" [2008-04-13 c:\windows\system32\msconf.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Configuration Utility.lnk - c:\program files\MA311 PCI Adapter Configuration Utility\wlanutil.exe [2006-01-28 890368]
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1138659137\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Common Files\\AOL\\1138659137\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1138659137\\EE\\aim6.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=

S3 MA311;NETGEAR Wireless LAN Driver;c:\windows\system32\DRIVERS\ma311n51.sys [2006-01-28 54784]
S4 Idco54xpcs;Idco54xpcs;c:\windows\system32\drivers\npfs.sys [2001-08-23 30848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-12-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2008-12-03 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-12-03 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 15:36:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(636)
c:\windows\system32\connwsp.dll
.
Completion time: 2008-12-07 15:37:32
ComboFix-quarantined-files.txt 2008-12-07 20:37:26
ComboFix2.txt 2008-12-07 20:08:15
ComboFix3.txt 2008-12-07 18:22:12

Pre-Run: 121,844,346,880 bytes free


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:42:10 PM, on 12/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\AOL\1138659137\ee\AOLSoftware.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
c:\program files\common files\aol\1138659137\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
c:\program files\common files\aol\1138659137\ee\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\NetMeeting\conf.exe
C:\WINDOWS\System32\rsvp.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://windiwsfsearch.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://windiwsfsearch.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1138659137\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB002" /M "Stylus CX4600"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134102322851
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHos...ronGameHost.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 9272 bytes

Post-Run: 121,833,766,912 bytes free

239 --- E O F --- 2008-11-18 17:56:44

#12 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 07 December 2008 - 04:09 PM

Hi Akkord29,


Sorry, I missed a few files, so we will have to run this again.

Close/disable all McAfee anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/



Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
c:\windows\system32\jikobitiq.bat
c:\windows\system32\sebytykuma.com
c:\windows\system32\xiguqecidy.bin


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.txt being dragged onto ComboFix.exe]


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

We need to scan for rootkits with GMER
  • Please download gmer.zip and save to your desktop.
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    Note: There is a small chance this application may crash your computer, so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on "Settings", then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
    Important! Please do not select the "Show all" checkbox during the scan.
  • Click on "Scan" and wait for the scan to finish.
    • Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in Safe Mode
In your next reply, please include the following:
  • GMER's Log
  • Combofix.txt
  • HijackThis log

Edited by SifuMike, 07 December 2008 - 04:12 PM.


#13 Akkord29

  • Topic Starter
  • Members
  • 18 posts

Posted 07 December 2008 - 04:19 PM

ComboFix 08-12-06.06 - Chiman 2008-12-07 16:13:24.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.242 [GMT -5:00]
Running from: c:\documents and settings\Chiman\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Chiman\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\jikobitiq.bat
c:\windows\system32\sebytykuma.com
c:\windows\system32\xiguqecidy.bin
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\jikobitiq.bat
c:\windows\system32\sebytykuma.com
c:\windows\system32\xiguqecidy.bin

.
((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-07 12:04 . 2008-12-07 12:19 <DIR> d-------- C:\Lop SD
2008-12-07 10:41 . 2008-12-07 10:41 <DIR> d-------- C:\_OTMoveIt
2008-12-03 22:00 . 2008-12-03 22:00 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\AdobeUM
2008-12-03 20:25 . 2008-12-03 20:25 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-03 20:25 . 2008-12-03 20:25 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-02 20:55 . 2008-12-07 16:12 10,557 --a------ c:\windows\system32\Config.MPF
2008-12-02 20:54 . 2006-03-03 08:07 143,360 --a------ c:\windows\system32\dunzip32.dll
2008-12-02 20:50 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
2008-12-02 20:50 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2008-12-02 20:50 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2008-12-02 20:50 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2008-12-02 20:50 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2008-12-02 20:50 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
2008-12-02 20:49 . 2008-12-02 20:49 <DIR> d-------- c:\program files\McAfee.com
2008-12-02 20:49 . 2008-12-02 22:51 <DIR> d-------- c:\program files\McAfee
2008-12-02 20:49 . 2008-12-02 20:50 <DIR> d-------- c:\program files\Common Files\McAfee
2008-12-02 20:37 . 2008-12-02 20:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-11-30 20:19 . 2008-11-30 20:19 <DIR> d-------- c:\program files\Enigma Software Group
2008-11-23 18:23 . 2008-12-02 22:22 <DIR> d-------- c:\program files\AvirTrsoftware
2008-11-23 18:22 . 2008-11-25 20:07 <DIR> d-------- c:\windows\system32\512686
2008-11-15 14:24 . 2008-11-15 14:24 <DIR> d-------- c:\program files\CCleaner
2008-11-15 14:02 . 2008-11-15 14:02 <DIR> d-------- c:\program files\Trend Micro
2008-11-15 12:15 . 2008-11-15 15:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-15 12:15 . 2008-09-08 00:11 38,528 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-15 12:15 . 2008-09-08 00:11 17,200 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-13 22:05 . 2008-11-13 22:05 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-11-13 20:05 . 2008-11-13 20:05 18,050 --a------ c:\windows\zope.inf
2008-11-13 20:05 . 2008-11-13 20:05 12,114 --a------ c:\program files\Common Files\unemesy.dat
2008-11-13 20:05 . 2008-11-13 20:05 11,274 --a------ c:\program files\Common Files\azozati.bin
2008-11-11 20:38 . 2008-11-11 20:38 <DIR> d-------- c:\documents and settings\Chiman\Application Data\AdobeUM
2008-11-11 14:59 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 14:59 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-10 15:41 . 2008-11-11 10:47 <DIR> d-------- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-04 01:24 --------- d-----w c:\program files\Java
2008-12-04 01:14 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-04 01:09 --------- d-----w c:\program files\Google
2008-11-26 00:44 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-20 00:48 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-11-01 23:55 --------- d-----w c:\program files\Sun
2008-11-01 23:55 --------- d-----w c:\documents and settings\Chiman\Application Data\Roxio
2008-11-01 11:55 108,144 ----a-w c:\windows\system32\CmdLineExt.dll
2008-10-28 21:19 --------- d-----w c:\documents and settings\All Users\Application Data\Comcast
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 01:41 --------- d-----w c:\documents and settings\Chiman\Application Data\Malwarebytes
2008-10-22 01:41 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-22 01:26 --------- d-----w c:\program files\Yahoo!
2008-10-21 02:38 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-21 02:37 --------- d-----w c:\program files\Lavasoft
2008-10-21 02:36 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-21 02:28 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-21 00:57 --------- d-----w c:\documents and settings\Chiman\Application Data\HP
2008-10-19 18:58 --------- d-----w c:\documents and settings\Chiman\Application Data\Apple Computer
2008-10-19 16:07 --------- d-----w c:\documents and settings\Chiman\Application Data\HPAppData
2008-10-19 15:46 --------- d-----w c:\documents and settings\Chiman\Application Data\Yahoo!
2008-10-19 14:19 --------- d-----w c:\documents and settings\Jay\Application Data\HPAppData
2008-10-19 14:18 --------- d-----w c:\documents and settings\Jay\Application Data\HP
2008-10-19 14:18 --------- d-----w c:\documents and settings\All Users\Application Data\WEBREG
2008-10-19 14:17 --------- d-----w c:\documents and settings\All Users\Application Data\Hewlett-Packard
2008-10-19 14:14 --------- d--h--r c:\documents and settings\Jay\Application Data\yahoo!
2008-10-19 13:59 --------- d-----w c:\program files\Hp
2008-10-19 13:59 --------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant
2008-10-19 13:59 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2008-10-19 13:58 --------- d-----w c:\program files\Common Files\HP
2008-10-19 13:58 --------- d-----w c:\program files\Common Files\Hewlett-Packard
2008-10-18 23:10 --------- d-----w c:\program files\Fogware
2008-10-18 22:48 --------- d-----w c:\program files\Viva Media
2008-10-18 15:41 --------- d-----w c:\documents and settings\Jay\Application Data\Chessmaster Challenge
2008-10-17 22:52 --------- d-----w c:\documents and settings\All Users\Application Data\Trymedia
2008-10-17 19:56 10,920 ----a-w C:\aolconnfix.exe
2008-10-17 12:18 --------- d-----w c:\program files\epson
2008-10-17 12:02 --------- d--h--r c:\documents and settings\All Users\Application Data\yahoo!
2008-10-17 11:51 --------- d-----w c:\program files\Hewlett-Packard
2008-10-17 11:39 --------- d-----w c:\program files\Comcast
2008-10-17 11:39 --------- d-----w c:\documents and settings\All Users\Application Data\SupportSoft
2008-10-17 11:34 --------- d-----w c:\program files\support.com
2008-10-17 11:34 --------- d-----w c:\program files\Common Files\SupportSoft
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-12 16:09 --------- d-----w c:\program files\Grolier Interactive
2008-10-11 23:57 --------- d-----w c:\documents and settings\Jay\Application Data\Roxio
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2006-11-26 22:30 36,808,256 ----a-w c:\program files\iTunesSetup.exe
.

((((((((((((((((((((((((((((( snapshot@2008-12-07_13.21.15.87 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-07 15:28:16 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-07 20:19:53 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-07 15:28:16 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-07 20:19:53 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-12-07 15:28:16 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-07 20:19:53 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-07 20:26:32 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4a4.dat
+ 2008-12-07 20:04:16 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_690.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOL Fast Start"="c:\program files\America Online 9.0\AOL.EXE" [2005-07-12 50776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostManager"="c:\program files\Common Files\AOL\1138659137\ee\AOLSoftware.exe" [2006-09-25 50736]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 319488]
"EPSON Stylus CX4600 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE" [2004-03-04 98304]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-03 136600]
"SoundMan"="SOUNDMAN.EXE" [2002-06-18 c:\windows\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"!CleanupNetMeetingDispDriver"="msconf.dll" [2008-04-13 c:\windows\system32\msconf.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Configuration Utility.lnk - c:\program files\MA311 PCI Adapter Configuration Utility\wlanutil.exe [2006-01-28 890368]
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1138659137\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Common Files\\AOL\\1138659137\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1138659137\\EE\\aim6.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=

S3 MA311;NETGEAR Wireless LAN Driver;c:\windows\system32\DRIVERS\ma311n51.sys [2006-01-28 54784]
S4 Idco54xpcs;Idco54xpcs;c:\windows\system32\drivers\npfs.sys [2001-08-23 30848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-12-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2008-12-03 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-12-03 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 16:14:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(636)
c:\windows\system32\connwsp.dll
.
Completion time: 2008-12-07 16:15:59
ComboFix-quarantined-files.txt 2008-12-07 21:15:54
ComboFix2.txt 2008-12-07 20:37:34
ComboFix3.txt 2008-12-07 20:08:15
ComboFix4.txt 2008-12-07 18:22:12

Pre-Run: 121,815,240,704 bytes free
Post-Run: 121,805,185,024 bytes free

223 --- E O F --- 2008-11-18 17:56:44



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:18:48 PM, on 12/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\AOL\1138659137\ee\AOLSoftware.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
c:\program files\common files\aol\1138659137\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
c:\program files\common files\aol\1138659137\ee\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\NetMeeting\conf.exe
C:\WINDOWS\System32\rsvp.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://windiwsfsearch.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://windiwsfsearch.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1138659137\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB002" /M "Stylus CX4600"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1134102322851
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHos...ronGameHost.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 9272 bytes

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 07 December 2008 - 04:27 PM

Hi,

You forgot the GMER log. :thumbsup:
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 Akkord29

Akkord29
  • Topic Starter

  • Members
  • 18 posts

Posted 07 December 2008 - 04:45 PM

DOH!

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-07 16:43:41
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF6AAA9B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xF6AAAA49]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF6AAA95D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF6AAA976]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xF6AAAA5D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF6AAAA89]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF6AAAAF7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF6AAAAE1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF6AAA9F2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF6AAAB23]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xF6AAAA35]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF6AAA930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF6AAA944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF6AAA9C6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xF6AAAB5F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF6AAAACB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF6AAAAB5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xF6AAAA73]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xF6AAAB4B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xF6AAAB37]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF6AAA99E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF6AAA98A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xF6AAAA9F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF6AAAA21]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xF6AAAB0D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF6AAAA08]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF6AAA9DC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP F6AAA9E0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80568D59 5 Bytes JMP F6AAAA39 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 8056A1F2 7 Bytes JMP F6AAAAB9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056CDC0 5 Bytes JMP F6AAA9B6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8056DC01 5 Bytes JMP F6AAA98E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 8057065D 5 Bytes JMP F6AAAA4D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 80570A6D 7 Bytes JMP F6AAAB63 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 7 Bytes JMP F6AAAAFB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805717C7 5 Bytes JMP F6AAA934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80571CB1 7 Bytes JMP F6AAA9CA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetValueKey 80572889 7 Bytes JMP F6AAAAA3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805736E6 5 Bytes JMP F6AAAA0C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80573B61 7 Bytes JMP F6AAA9F6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FC6C 7 Bytes JMP F6AAA97A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805822EC 5 Bytes JMP F6AAAA25 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058A1C9 5 Bytes JMP F6AAA948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 8058A699 5 Bytes JMP F6AAAB27 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 80590677 7 Bytes JMP F6AAAAE5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80592D5C 7 Bytes JMP F6AAAA8D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 805952CA 7 Bytes JMP F6AAAA61 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B136A 5 Bytes JMP F6AAA961 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062DCF7 5 Bytes JMP F6AAA9A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 8064DA12 7 Bytes JMP F6AAAB11 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064E338 7 Bytes JMP F6AAAACF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064E7B6 7 Bytes JMP F6AAAA77 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8064ECA9 5 Bytes JMP F6AAAB3B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 8064F112 5 Bytes JMP F6AAAB4F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\svchost.exe[228] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AF0000
.text C:\WINDOWS\system32\svchost.exe[228] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AF0F46
.text C:\WINDOWS\system32\svchost.exe[228] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AF0F57
.text C:\WINDOWS\system32\svchost.exe[228] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AF0F68
.text C:\WINDOWS\system32\svchost.exe[228] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AF0F83
.text C:\WINDOWS\system32\svchost.exe[228] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AF0F9E
.text C:\WINDOWS\system32\svchost.exe[228] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AF0F1A
.text C:\WINDOWS\system32\svchost.exe[228] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AF0F2B
.text C:\WINDOWS\system32\svchost.exe[228] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AF0098
.text C:\WINDOWS\system32\svchost.exe[228] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AF0EF5
.text C:\WINDOWS\system32\svchost.exe[228] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00AF0EE4
.text C:\WINDOWS\system32\svchost.exe[228] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00AF0025
.text C:\WINDOWS\system32\svchost.exe[228] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00AF0FE5
.text C:\WINDOWS\system32\svchost.exe[228] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00AF0056
.text C:\WINDOWS\system32\svchost.exe[228] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00AF0FB9
.text C:\WINDOWS\system32\svchost.exe[228] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00AF0FCA
.text C:\WINDOWS\system32\svchost.exe[228] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00AF007D
.text C:\WINDOWS\system32\svchost.exe[228] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00AE0FA8
.text C:\WINDOWS\system32\svchost.exe[228] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00AE0039
.text C:\WINDOWS\system32\svchost.exe[228] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00AE0FB9
.text C:\WINDOWS\system32\svchost.exe[228] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00AE0FD4
.text C:\WINDOWS\system32\svchost.exe[228] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00AE0F72
.text C:\WINDOWS\system32\svchost.exe[228] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00AE0FEF
.text C:\WINDOWS\system32\svchost.exe[228] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00AE0F8D
.text C:\WINDOWS\system32\svchost.exe[228] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ CE, 88 ]
.text C:\WINDOWS\system32\svchost.exe[228] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00AE0014
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01090000
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01090F6D
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0109006C
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0109005B
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01090F9E
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01090FCA
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 010900A9
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01090098
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01090F1A
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01090F35
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 010900D8
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01090FB9
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01090FE5
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 0109007D
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01090036
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 0109001B
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 01090F46
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 01080FCA
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01080062
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 01080FE5
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0108001B
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01080047
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01080000
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 01080036
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 01080FB9
.text C:\WINDOWS\system32\services.exe[628] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01060000
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA000A
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA0064
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0F79
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0F8A
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0FA5
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA003D
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA0F2D
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA0075
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA00BC
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA00A1
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00BA00CD
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00BA0FB6
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00BA001B
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00BA0F4A
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00BA0FDB
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00BA002C
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00BA0090
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00B90FA8
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00B90F72
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00B90FB9
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00B90FDE
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00B90F8D
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00B90FEF
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00B9002F
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00B90014
.text C:\WINDOWS\system32\lsass.exe[640] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B70000
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BC0062
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BC0047
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BC0F79
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BC0F94
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BC0FA5
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BC0F46
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BC008E
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BC0F1A
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BC0F2B
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00BC00CE
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00BC0036
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00BC0FD4
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00BC007D
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00BC001B
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00BC000A
.text C:\WINDOWS\system32\svchost.exe[796] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00BC00A9
.text C:\WINDOWS\system32\svchost.exe[796] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00BB001B
.text C:\WINDOWS\system32\svchost.exe[796] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00BB0F65
.text C:\WINDOWS\system32\svchost.exe[796] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00BB000A
.text C:\WINDOWS\system32\svchost.exe[796] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00BB0FD4
.text C:\WINDOWS\system32\svchost.exe[796] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00BB0F8A
.text C:\WINDOWS\system32\svchost.exe[796] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\system32\svchost.exe[796] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00BB002C
.text C:\WINDOWS\system32\svchost.exe[796] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00BB0FA5
.text C:\WINDOWS\system32\svchost.exe[796] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B90FEF
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E7000A
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E70093
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E70FA8
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E70082
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E7005B
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E70FD4
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E70F6B
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E70F7C
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E70F50
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E700E9
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00E70F35
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00E70FB9
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E70FEF
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00E70F8D
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00E70040
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00E7002F
.text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00E700CE
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00E60FA8
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00E6002F
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00E60FC3
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00E60FDE
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00E60F7C
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00E60FEF
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00E60F8D
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 06, 89 ]
.text C:\WINDOWS\system32\svchost.exe[852] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00E60014
.text C:\WINDOWS\system32\svchost.exe[852] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E40FEF
.text C:\WINDOWS\System32\svchost.exe[920] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01CB0000
.text C:\WINDOWS\System32\svchost.exe[920] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01CB007F
.text C:\WINDOWS\System32\svchost.exe[920] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01CB0F8A
.text C:\WINDOWS\System32\svchost.exe[920] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01CB0FA5
.text C:\WINDOWS\System32\svchost.exe[920] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01CB0062
.text C:\WINDOWS\System32\svchost.exe[920] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01CB0040
.text C:\WINDOWS\System32\svchost.exe[920] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01CB00B7
.text C:\WINDOWS\System32\svchost.exe[920] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01CB0F6F
.text C:\WINDOWS\System32\svchost.exe[920] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01CB00D2
.text C:\WINDOWS\System32\svchost.exe[920] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01CB0F39

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Program Files\Common Files\AOL\1138659137\ee\AOLSoftware.exe[2116] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1138659137\ee\AOLSoftware.exe[2116] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1138659137\ee\AOLSoftware.exe[2116] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1138659137\ee\AOLSoftware.exe[2116] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1138659137\ee\AOLSoftware.exe[2116] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1138659137\ee\AOLSoftware.exe[2116] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1138659137\ee\AOLSoftware.exe[2116] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1138659137\ee\AOLSoftware.exe[2116] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1138659137\ee\AOLSoftware.exe[2116] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1138659137\ee\AOLSoftware.exe[2116] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1138659137\ee\AOLSoftware.exe[2116] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1138659137\ee\AOLSoftware.exe[2116] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1138659137\ee\AOLSoftware.exe[2116] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1138659137\ee\AOLSoftware.exe[2116] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1138659137\ee\AOLSoftware.exe[2116] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1138659137\ee\AOLSoftware.exe[2116] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLDial.exe[2124] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\Iphlpapi.DLL [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\Iphlpapi.DLL [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\America Online 9.0\waol.exe[2368] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- Files - GMER 1.0.14 ----

File C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\Localities.new 0 bytes

---- EOF - GMER 1.0.14 ----
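Every IAT entry in the log above is attributed by GMER to the same hooking module, tbdiag.dll (AOL Diagnostics/AOL LLC), and every hooked import is either a LoadLibrary* variant or SetUnhandledExceptionFilter. When a GMER dump runs to thousands of such lines, the triage question is which modules installed the hooks and whether GMER could attribute each one to a vendor. The Python below is an added example written for this page, not code from the original post or from GMER; it parses the IAT line format, groups hooks by hooking module, and lists the modules that carry no vendor string. The sample input is constructed: three lines copied from the log plus one invented line for a hypothetical file named example_unknown.dll that has no version information, added only to exercise the unattributed case.

```python
import re
from collections import defaultdict

# One GMER "IAT" hook line, as it appears in the log above:
#   IAT <process>[<pid>] @ <module> [<dll>!<function>] [<hex address>] <hooking module> (<description>/<vendor>)
# The trailing parenthetical is the version-info string GMER prints for the hooking
# module; the parser treats it as optional so that lines without it still parse.
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<mod>.+?)\s+"
    r"\[(?P<dll>[^!\]]+)!(?P<func>[^\]]+)\]\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+"
    r"(?P<hooker>.+?)(?:\s+\((?P<info>[^()]*)\))?\s*$"
)


def parse_iat_line(line):
    """Return a dict for one GMER IAT line, or None if the line is not an IAT entry."""
    m = IAT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["pid"] = int(d["pid"])
    d["addr"] = int(d["addr"], 16)
    info = d.pop("info")
    # GMER's parenthetical reads "<description>/<vendor>"; split on the last slash
    # so a slash inside the description does not break the vendor field.
    if info and "/" in info:
        d["description"], d["vendor"] = info.rsplit("/", 1)
    else:
        d["description"], d["vendor"] = info, None
    return d


def summarize_hooks(lines):
    """Group IAT hooks by the module that installed them.

    Returns {hooking module (lower-cased path): {"vendor": str or None,
             "targets": sorted list of "<hooked module> -> <dll>!<function>"}}.
    Non-IAT lines (AttachedDevice, File, headers) are skipped.
    """
    groups = defaultdict(lambda: {"vendor": None, "targets": set()})
    for line in lines:
        h = parse_iat_line(line)
        if h is None:
            continue
        g = groups[h["hooker"].lower()]
        g["vendor"] = h["vendor"]
        g["targets"].add(f'{h["mod"]} -> {h["dll"]}!{h["func"]}')
    return {k: {"vendor": v["vendor"], "targets": sorted(v["targets"])}
            for k, v in groups.items()}


def unattributed_hookers(summary):
    """Hooking modules with no vendor string: the ones to look at first by hand."""
    return sorted(k for k, v in summary.items() if v["vendor"] is None)


# Constructed sample: three lines from the log above plus one invented line for a
# hypothetical example_unknown.dll (not from the log) that carries no version info.
SAMPLE = r"""
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT c:\program files\common files\aol\1138659137\ee\aolsoftware.exe[2520] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\WINDOWS\explorer.exe[1234] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [10001234] C:\WINDOWS\system32\example_unknown.dll
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
""".strip().splitlines()


if __name__ == "__main__":
    summary = summarize_hooks(SAMPLE)
    for hooker, info in summary.items():
        print(f"{hooker}  vendor={info['vendor']}")
        for target in info["targets"]:
            print("    ", target)
    print("unattributed:", unattributed_hookers(summary))
```

Run against a full GMER log (`summarize_hooks(open("gmer.log").read().splitlines())`), the output collapses the hundreds of repeated tbdiag.dll lines in this thread into one entry with its vendor string and a list of hooked imports, and any hooking module GMER could not name a vendor for comes out separately in the unattributed list.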