Multiple issues. IE 8 being stopped. Google/Bing redirected


24 replies to this topic

#1 lazyvista

Posted 18 August 2009 - 09:53 PM

I'm typing this from my machine at my house. My brother's machine (at his house) is having a few issues and I need help getting them removed.

Sometimes it is a pain to be the computer nerd in the family.

The first problem is at least 50% of the time, I get redirected when trying to navigate a link returned from a search with google or bing.

The second problem is IE 8 is stopped whenever I try to access one of the forums at bleepingcomputer.com or if I attempt to access any url that contains the text 'hijackthis'. For example, if I do a search on 'hijackthis' and click one of the links, all IE windows close abruptly.

Right now I'm pretty limited on what I can do with bleepingcomputer.com forums from his machine, but I'm willing to download any programs to a flash drive to work on his machine.

Anyone want to help me?

Thanks
Steve


#2 thcbytes (Malware Response Team)

Posted 18 August 2009 - 10:22 PM

Hi Steve,
Welcome to BC.

First off. Careful with that flash drive!! You don't want to infect your computer. I would recommend that you download the programs to your clean computer and burn them to CD, then transfer them to your brother's infected PC.

Let's try this...

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt, burn it to CD and save it to your brother's desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)
==========

We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location, burn it to CD and save it to your brother's desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
==========

With your next post please provide:

* DrWeb log
* RootRepeal log

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators
I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 lazyvista


Posted 23 August 2009 - 08:18 PM

I attempted a scan using Dr.Web. There were over 90 hits listed when we checked the machine after 7 hours. Most were attached to mp3 or wma files.

After 8 hours and almost 600k files, the machine suddenly rebooted.

I have started the RootRepeal scan now and after it completes, I'll redo the dr.web scan.

I'll let you know the results.

#4 thcbytes (Malware Response Team)

Posted 23 August 2009 - 09:13 PM

Hi,
Are you having the same problems or has there been any improvement after the DrWeb run? What does your brother use in the way of an Antivirus application? Is it up to date? Can you run a scan and post a log for my review also?

With your next post please provide:

* Answer to questions
* Currently installed Antivirus scan results if able
* RootRepeal log <-- This is important!!

Thanks,
~t

#5 lazyvista


Posted 24 August 2009 - 07:35 PM

The machine still seems sluggish.

There was an old expired copy of Norton on the machine that I removed. When I tried to install a copy of McAfee on the machine last week, I was unable to perform the download from cox.net because the web browser consistently stopped executing. Tonight I was able to install McAfee and it is reporting some problems.

I gave up trying to execute DrWeb cure it. When I tried to rerun it a second time it abended. I can upload a jpg of the abend window. The reported program was 9m4ca.exe. I was able to capture the initial part of the scan. Here is what it showed:

adedebd.dll;c:\windows\system32;Trojan.Siggen.3005;Deleted.;
ccdeceabc.dll;c:\windows\system32;Probably DLOADER.Trojan;;

Also here is what was produced by rootrepeal.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/23 20:14
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF233D000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A00000 Size: 8192 File Visible: No Signed: -
Status: -

Name: dwshd.sys
Image Path: dwshd.sys
Address: 0xF7127000 Size: 183424 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEFD17000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\dad\local settings\temp\perflib_perfdata_c4c.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\dad\local settings\temp\~dfc818.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\dad\local settings\temp\~dfad9e.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf750c87e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf750cbfe

==EOF==

Let me know what the next step would be.

Steve
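
A small triage parser for the RootRepeal report format posted above, as an added example that is not part of the original thread and not RootRepeal's own code. It groups the report into its sections and lists the entries an analyst would look at first; `parse_report`, `review_items` and the `expected` allowlist are names invented here, and the sample is an excerpt of the posted log.

```python
import re
from collections import defaultdict

# Excerpt of the RootRepeal report from the post above (some entries omitted).
SAMPLE = r"""ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/23 20:14
Program Version: Version 1.3.5.0
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF233D000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dwshd.sys
Image Path: dwshd.sys
Address: 0xF7127000 Size: 183424 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEFD17000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\dad\local settings\temp\~dfc818.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf750c87e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf750cbfe

==EOF==
"""

# Field labels seen in the report; several can share one physical line.
_KEY_RE = re.compile(r"(?:(?<=\s)|^)(Image Path|Function Name|File Visible|"
                     r"Name|Address|Size|Signed|Status|Path|#):\s*")
_HOOK_RE = re.compile(r'Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')


def _fields(record):
    """Split one joined record into {label: value}."""
    hits = list(_KEY_RE.finditer(record))
    out = {}
    for m, nxt in zip(hits, hits[1:] + [None]):
        end = nxt.start() if nxt else len(record)
        out[m.group(1)] = record[m.end():end].strip()
    return out


def parse_report(text):
    """Return {section name: [record dict, ...]} in report order."""
    sections, current, record = {}, None, []
    lines = [ln.strip() for ln in text.splitlines()]

    def flush():
        if current is not None and record:
            sections[current].append(_fields(" ".join(record)))
        record.clear()

    for i, s in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if s and len(nxt) >= 5 and set(nxt) == {"-"}:
            flush()                      # a title underlined with dashes
            current = s
            sections[current] = []
        elif not s or s.startswith("==") or set(s) == {"-"}:
            flush()                      # blank line or ruler ends a record
        elif current is not None:
            record.append(s)             # banner lines before any section are skipped
    flush()
    return sections


def review_items(report, expected=frozenset()):
    """List entries to review; `expected` is an analyst-supplied allowlist
    (hypothetical). These are candidates for review, not verdicts."""
    expected = {name.lower() for name in expected}
    items = []
    for drv in report.get("Drivers", []):
        name = drv.get("Name", "")
        if drv.get("File Visible") == "No" and name.lower() not in expected:
            items.append(("driver-file-not-visible", name, drv.get("Image Path", "")))
    for entry in report.get("Hidden/Locked Files", []):
        items.append(("hidden-or-locked-file", entry.get("Path", ""), entry.get("Status", "")))
    hooks = defaultdict(list)            # hooking module -> hooked functions
    for entry in report.get("SSDT", []):
        m = _HOOK_RE.search(entry.get("Status", ""))
        if m and m.group(1).lower() not in expected:
            hooks[m.group(1)].append(entry.get("Function Name", ""))
    items += [("ssdt-hook", mod, ", ".join(funcs)) for mod, funcs in hooks.items()]
    return items


if __name__ == "__main__":
    # The scanner's own driver is passed as expected (constructed allowlist).
    for item in review_items(parse_report(SAMPLE), expected={"rootrepeal.sys"}):
        print(*item, sep=" | ")
```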

#6 thcbytes (Malware Response Team)

Posted 24 August 2009 - 08:41 PM

Tough one.
Try this please...

Please download Malwarebytes Anti-Malware

alternate download link 1
alternate download link 2

NOTE: Before saving MBAM please rename it to thcbytes.exe then save it to the desktop of your clean computer.

The program will want to Update when you install it on the infected computer. Your infection might block the Update. So manually download the Update from here and Save it to the desktop of your clean computer.

Now copy both thcbytes.exe and mbam-rules.exe to your flashdrive. Transfer them to the infected computer and double click thcbytes.exe. After it installs then just double-click on mbam-rules.exe to install the Updates.

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

If MBAM will not install, try renaming it this way.
  • Right-click on the mbam-setup.exe file and rename it to mysetup.exe.
  • Double-click on mysetup.exe to start the installation.
  • If that did not work, then try renaming and changing the file extension. <- click this link if you do not see the file extension
  • Right-click on the mbam-setup.exe file, rename it to mysetup and change the .exe extension to .scr, .com, .pif, or .bat.
  • Then double-click on mysetup.scr (or whatever extension you renamed it) to begin installation.
If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files.
  • Right-click on mbam.exe, rename it to myscan.exe.
  • Double-click on myscan.exe to launch the program.
  • If that did not work, then try renaming and change the .exe extension in the same way as noted above.
  • Double-click on myscan.scr (or whatever extension you renamed it) to launch the program.
If using Windows Vista, refer to How to Change a File Extension in Windows Vista.

==========

What OS are you running? Vista, Xp??
What Antivirus, Antispyware, and Firewall are you using?
Are you still getting redirected?
Describe any other problems.

==========

With your next post please provide:

* MBAM log
* Answer to questions

Kind regards,
~t

#7 lazyvista


Posted 29 August 2009 - 04:04 PM

I now have my brother's computer at my place.

Malwarebytes cleaned up a bunch of crap. Here is the answer to your questions, and the log from Malwarebytes.

OS - Windows XP Service Pack 3
Antivirus - McAfee - Just installed in last week and it replaced an expired copy of Norton
Antispyware - Nothing
Firewall - McAfee

Still getting redirected when using google search. I am able to use IE 7 to access bleeping computer and the forums.
Machine very slow.
Machine is running slow.
NO pops when using IE.


Here is the log from Malwarebytes. Let me know the next step.

Malwarebytes' Anti-Malware 1.40
Database version: 2712
Windows 5.1.2600 Service Pack 3

8/29/2009 3:25:23 PM
mbam-log-2009-08-29 (15-25-23).txt

Scan type: Quick Scan
Objects scanned: 241500
Time elapsed: 41 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 138
Registry Values Infected: 7
Registry Data Items Infected: 2
Folders Infected: 15
Files Infected: 69

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:

Registry Values Infected:

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

Files Infected:

#8 thcbytes

Posted 29 August 2009 - 07:16 PM

Still getting redirected with Google. :thumbsup:
MBAM did a nice job.

Please do this...

Please download Posted Image by OldTimer to your desktop from here.
  • Open the file and close any other windows.
  • It will close all programs itself when run; make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • After it is finished, it should reboot your machine, if not, do this yourself to ensure a complete clean.
==========

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
==========

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
==========

With your next post please provide:

* Gooredfix.txt
* Superantispyware log
* How is it running now?

Kind regards,
~t

#9 lazyvista

Posted 30 August 2009 - 09:43 AM

Very slow to boot. Something like 5 to 8 minutes
Very slow to respond to program startups.
Can not get to www.google.com.
Can get to www.bing.com

Let me know what is next.

Here are the logs:

*****************************************************************************************

GooredFix by jpshortstuff (12.07.09)
Log created at 21:08 on 29/08/2009 (dad)
Firefox version 2.0.0.15 (en-US)

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
talkback@mozilla.org [14:26 17/10/2007]
{972ce4c6-7e08-4474-a285-3208198ce6fd} [14:26 17/10/2007]
{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [01:34 19/08/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [01:34 19/08/2009]
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor" [00:23 25/08/2009]

-=E.O.F=-

*****************************************************************************************

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/30/2009 at 04:42 AM

Application Version : 4.27.1002

Core Rules Database Version : 4076
Trace Rules Database Version: 2016

Scan type : Complete Scan
Total Scan Time : 07:08:01

Memory items scanned : 299
Memory threats detected : 0
Registry items scanned : 7851
Registry threats detected : 15
File items scanned : 141930
File threats detected : 314

Adware.MyWebSearch

Trojan.Agent/Gen-Vumer
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6B3E26A3-C1E2-4125-8C8F-F1303F748C3A}
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6B3E26A3-C1E2-4125-8C8F-F1303F748C3A}

Adware.Tracking Cookie
C:\Documents and Settings\jerod..yea\Cookies\jerod..yea@linkstattrack[1].txt
C:\Documents and Settings\jerod..yea\Cookies\jerod..yea@login.tracking101[2].txt
C:\Documents and Settings\jerod..yea\Cookies\jerod..yea@lynxtrack[1].txt
C:\Documents and Settings\jerod..yea\Cookies\jerod..yea@mediavantage[1].txt
C:\Documents and Settings\jerod..yea\Cookies\jerod..yea@mywebsearch[2].txt
C:\Documents and Settings\jerod..yea\Cookies\jerod..yea@partner2profit[2].txt
C:\Documents and Settings\jerod..yea\Cookies\jerod..yea@precisionclick[1].txt
C:\Documents and Settings\jerod..yea\Cookies\jerod..yea@publishers.clickbooth[2].txt
C:\Documents and Settings\jerod..yea\Cookies\jerod..yea@qnsr[1].txt
C:\Documents and Settings\jerod..yea\Cookies\jerod..yea@revsci[1].txt
C:\Documents and Settings\jerod..yea\Cookies\jerod..yea@server.cpmstar[1].txt
C:\Documents and Settings\jerod..yea\Cookies\jerod..yea@try.starware[1].txt
C:\Documents and Settings\jerod..yea\Cookies\jerod..yea@www.burstbeacon[2].txt
C:\Documents and Settings\jerod..yea\Cookies\jerod..yea@www.rowise[1].txt
C:\Documents and Settings\jerod..yea\Cookies\jerod..yea@www.screensaver[2].txt
C:\Documents and Settings\jerod..yea\Cookies\jerod..yea@www.soundclick[1].txt
C:\Documents and Settings\jerod..yea\Cookies\jerod..yea@yieldmanager[1].txt
.doubleclick.net [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.kontera.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.kontera.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.casalemedia.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.casalemedia.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.casalemedia.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.casalemedia.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.casalemedia.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.clickbank.net [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
www.googleadservices.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
www.googleadservices.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
www.googleadservices.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.atdmt.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
anad.tacoda.net [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.adrevolver.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.adrevolver.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
media.adrevolver.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
counter.hitslink.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.tribalfusion.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.fastclick.net [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.fastclick.net [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.fastclick.net [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
www.burstnet.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.fastclick.net [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.burstnet.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.burstnet.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.insightexpressai.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.questionmarket.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.questionmarket.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.questionmarket.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
www.googleadservices.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.linksynergy.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.linksynergy.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.linksynergy.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.statcounter.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
www.googleadservices.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.apmebf.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.dmtracker.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.zedo.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.zedo.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.zedo.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.zedo.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
www.googleadservices.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.bluestreak.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.nhl.112.2o7.net [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\sam\Application Data\Mozilla\Firefox\Profiles\cs4ec7dp.default\cookies.txt ]
C:\Documents and Settings\sam\Cookies\sam@a.websponsors[2].txt
C:\Documents and Settings\sam\Cookies\sam@a1.interclick[1].txt
C:\Documents and Settings\sam\Cookies\sam@ad.associatedcontent[2].txt
C:\Documents and Settings\sam\Cookies\sam@adopt.euroclick[2].txt
C:\Documents and Settings\sam\Cookies\sam@advert.runescape[1].txt
C:\Documents and Settings\sam\Cookies\sam@ar.atwola[2].txt
C:\Documents and Settings\sam\Cookies\sam@at.atwola[1].txt
C:\Documents and Settings\sam\Cookies\sam@atwola[1].txt
C:\Documents and Settings\sam\Cookies\sam@azjmp[1].txt
C:\Documents and Settings\sam\Cookies\sam@belnk[1].txt
C:\Documents and Settings\sam\Cookies\sam@bet.burstnet[2].txt
C:\Documents and Settings\sam\Cookies\sam@bluestreak[1].txt
C:\Documents and Settings\sam\Cookies\sam@burstnet[1].txt
C:\Documents and Settings\sam\Cookies\sam@clicksor[2].txt
C:\Documents and Settings\sam\Cookies\sam@collective-media[2].txt
C:\Documents and Settings\sam\Cookies\sam@content.yieldmanager.edgesuite[1].txt
C:\Documents and Settings\sam\Cookies\sam@content.yieldmanager[2].txt
C:\Documents and Settings\sam\Cookies\sam@content.yieldmanager[3].txt
C:\Documents and Settings\sam\Cookies\sam@discountsportinggoodz[1].txt
C:\Documents and Settings\sam\Cookies\sam@dist.belnk[2].txt
C:\Documents and Settings\sam\Cookies\sam@dmtracker[1].txt
C:\Documents and Settings\sam\Cookies\sam@euroclick[1].txt
C:\Documents and Settings\sam\Cookies\sam@eyewonder[1].txt
C:\Documents and Settings\sam\Cookies\sam@findarticles[1].txt
C:\Documents and Settings\sam\Cookies\sam@findaway[1].txt
C:\Documents and Settings\sam\Cookies\sam@fliptrack[1].txt
C:\Documents and Settings\sam\Cookies\sam@h.starware[2].txt
C:\Documents and Settings\sam\Cookies\sam@i.screensavers[1].txt
C:\Documents and Settings\sam\Cookies\sam@imrworldwide[1].txt
C:\Documents and Settings\sam\Cookies\sam@insightexpressai[1].txt
C:\Documents and Settings\sam\Cookies\sam@interclick[2].txt
C:\Documents and Settings\sam\Cookies\sam@media.mtvnservices[1].txt
C:\Documents and Settings\sam\Cookies\sam@media6degrees[2].txt
C:\Documents and Settings\sam\Cookies\sam@mywebsearch[2].txt
C:\Documents and Settings\sam\Cookies\sam@nbads[2].txt
C:\Documents and Settings\sam\Cookies\sam@nextag[2].txt
C:\Documents and Settings\sam\Cookies\sam@partner2profit[2].txt
C:\Documents and Settings\sam\Cookies\sam@revsci[1].txt
C:\Documents and Settings\sam\Cookies\sam@rm.yieldmanager[1].txt
C:\Documents and Settings\sam\Cookies\sam@sales.liveperson[2].txt
C:\Documents and Settings\sam\Cookies\sam@sales.liveperson[3].txt
C:\Documents and Settings\sam\Cookies\sam@smileycentral[2].txt
C:\Documents and Settings\sam\Cookies\sam@socialmedia[1].txt
C:\Documents and Settings\sam\Cookies\sam@specificmedia[1].txt
C:\Documents and Settings\sam\Cookies\sam@stat.dealtime[1].txt
C:\Documents and Settings\sam\Cookies\sam@stats.espinthebottle[2].txt
C:\Documents and Settings\sam\Cookies\sam@teenwire[2].txt
C:\Documents and Settings\sam\Cookies\sam@www.burstbeacon[2].txt
C:\Documents and Settings\sam\Cookies\sam@www.macromedia[1].txt
C:\Documents and Settings\sam\Cookies\sam@www.screensavers[1].txt
C:\Documents and Settings\sam\Cookies\sam@www.starware[1].txt
C:\Documents and Settings\sam\Cookies\sam@www.trackspace[1].txt

Adware.MyWebSearch/FunWebProducts
HKU\S-1-5-21-688876849-3228375642-1222528406-1009\SOFTWARE\FunWebProducts
HKU\.DEFAULT\SOFTWARE\MyWebSearch
HKU\S-1-5-18\SOFTWARE\MyWebSearch

Adware.Vundo/Variant
C:\DOCUMENTS AND SETTINGS\DAD\DOCTORWEB\QUARANTINE\CCDECEAB0.DLL
C:\DOCUMENTS AND SETTINGS\DAD\DOCTORWEB\QUARANTINE\CCDECEABC.DLL

#10 thcbytes

Posted 30 August 2009 - 11:47 AM

Before we go any further I need to rule out a very nasty new Rootkit that has been terrorizing users.

Please do this...

Download and run Win32kDiag:

Next......


Download and run a batch file (peek.bat):
  • Download peek.bat from the download link below and save it to your Desktop.
  • Double-click peek.bat to run it. A black Command Prompt window will appear shortly: the program is running.
  • Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.
==========

With your next post please provide:

* Win32kDiag.txt
* Log.txt

Kind regards,
~t

#11 lazyvista

Posted 30 August 2009 - 12:18 PM

Here are the logs:

Log file is located at: C:\Documents and Settings\dad\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!



Volume in drive C is HP_PAVILION
Volume Serial Number is 20C4-2DD8

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/10/2004 02:00 PM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/10/2004 02:00 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/10/2004 02:00 PM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/13/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/13/2008 07:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
9 File(s) 1,932,288 bytes
0 Dir(s) 156,804,009,984 bytes free
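
The `dir` listing in the post above can be checked mechanically. This added example (not part of the thread, and not what peek.bat itself does) parses that output and compares each live `system32` copy against the `ServicePackFiles\i386` copy by size and timestamp; treating the service-pack cache as the reference is an assumption, since the thread does not state the criterion used, and the function names and the altered listing are constructed for illustration.

```python
import re
from collections import defaultdict

# Listing copied from the Log.txt output posted above.
LISTING = r"""
Directory of C:\WINDOWS\$NtServicePackUninstall$
08/10/2004 02:00 PM 180,224 scecli.dll
Directory of C:\WINDOWS\$NtServicePackUninstall$
08/10/2004 02:00 PM 407,040 netlogon.dll
Directory of C:\WINDOWS\$NtServicePackUninstall$
08/10/2004 02:00 PM 55,808 eventlog.dll
3 File(s) 643,072 bytes
Directory of C:\WINDOWS\ServicePackFiles\i386
04/13/2008 07:12 PM 181,248 scecli.dll
Directory of C:\WINDOWS\ServicePackFiles\i386
04/13/2008 07:12 PM 407,040 netlogon.dll
Directory of C:\WINDOWS\ServicePackFiles\i386
04/13/2008 07:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes
Directory of C:\WINDOWS\system32
04/13/2008 07:12 PM 181,248 scecli.dll
Directory of C:\WINDOWS\system32
04/13/2008 07:12 PM 407,040 netlogon.dll
Directory of C:\WINDOWS\system32
04/13/2008 07:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes
"""

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
FILE_RE = re.compile(
    r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(\S+)\s*$"
)

# Assumption: the live copy is judged against the service-pack cache copy.
LIVE = r"c:\windows\system32"
CACHE = r"c:\windows\servicepackfiles\i386"


def parse_listing(text):
    """Return {filename: {directory: (size_bytes, 'date time')}}, lower-cased."""
    files = defaultdict(dict)
    current_dir = None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current_dir = m.group(1).lower()
            continue
        m = FILE_RE.match(line)
        # Summary lines ("3 File(s) ...") do not start with a date and are skipped.
        if m and current_dir:
            date, time, size, name = m.groups()
            files[name.lower()][current_dir] = (
                int(size.replace(",", "")),
                f"{date} {time}",
            )
    return dict(files)


def compare_live_to_cache(files, live=LIVE, cache=CACHE):
    """Classify each file by how its live copy relates to the cached copy."""
    findings = {}
    for name, copies in sorted(files.items()):
        if live not in copies:
            findings[name] = "missing-live"   # nothing in system32 to check
        elif cache not in copies:
            findings[name] = "no-reference"   # no cached copy to compare with
        elif copies[live] != copies[cache]:
            findings[name] = "mismatch"       # size or timestamp differs
        else:
            findings[name] = "match"
    return findings


def altered_listing():
    """Constructed variant: the system32 eventlog.dll size is changed."""
    return "61,952 eventlog.dll".join(LISTING.rsplit("56,320 eventlog.dll", 1))


if __name__ == "__main__":
    print(compare_live_to_cache(parse_listing(LISTING)))
    print(compare_live_to_cache(parse_listing(altered_listing())))
```

A size and timestamp match is only a first-pass check; comparing hashes against known-good copies is the stronger test.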

#12 thcbytes

Posted 30 August 2009 - 12:42 PM

Nope. Clean.

Let's proceed....

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

==========

Please run the F-Secure Online Scanner.
Note: This scanner is for Internet Explorer only!
Follow the instructions here for installation.
Accept the License Agreement.
Once the ActiveX installs, click Full System Scan.
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and copy and paste the entire report in your next reply.

==========

With your next post please provide:

* Gmer log
* F-Secure log

Kind regards,
~t

#13 lazyvista

Posted 30 August 2009 - 05:48 PM

Here are the logs:

***********************************************************************************************

GMER 1.0.15.15077 [y8ucj5jl.exe] - http://www.gmer.net
Rootkit scan 2009-08-30 14:57:28
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF750C87E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF750CBFE]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF24AA0B0]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF23264EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF2326498]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF23264AC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF232652A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF2326470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF2326484]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF23264FE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF23264D6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF23264C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF2326559]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF2326540]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF2326514]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP F2326518 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP F23264EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP F232652E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP F2326544 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP F2326502 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP F2326474 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP F2326488 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP F23264C6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1142 7 Bytes JMP F23264B0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP F232649C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP F23264DA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP F232655D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[196] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A000A
.text C:\WINDOWS\Explorer.EXE[196] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0089
.text C:\WINDOWS\Explorer.EXE[196] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0078
.text C:\WINDOWS\Explorer.EXE[196] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A005B
.text C:\WINDOWS\Explorer.EXE[196] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A004A
.text C:\WINDOWS\Explorer.EXE[196] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A002F
.text C:\WINDOWS\Explorer.EXE[196] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A00BA
.text C:\WINDOWS\Explorer.EXE[196] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F68
.text C:\WINDOWS\Explorer.EXE[196] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F3C
.text C:\WINDOWS\Explorer.EXE[196] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F57
.text C:\WINDOWS\Explorer.EXE[196] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A0F2B
.text C:\WINDOWS\Explorer.EXE[196] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0FA8
.text C:\WINDOWS\Explorer.EXE[196] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\Explorer.EXE[196] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0F79
.text C:\WINDOWS\Explorer.EXE[196] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0FC3
.text C:\WINDOWS\Explorer.EXE[196] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\Explorer.EXE[196] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A00CB
.text C:\WINDOWS\Explorer.EXE[196] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290FC0
.text C:\WINDOWS\Explorer.EXE[196] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290069
.text C:\WINDOWS\Explorer.EXE[196] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290011
.text C:\WINDOWS\Explorer.EXE[196] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290FDB
.text C:\WINDOWS\Explorer.EXE[196] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290058
.text C:\WINDOWS\Explorer.EXE[196] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290000
.text C:\WINDOWS\Explorer.EXE[196] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0029003D
.text C:\WINDOWS\Explorer.EXE[196] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0029002C
.text C:\WINDOWS\Explorer.EXE[196] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0FB0
.text C:\WINDOWS\Explorer.EXE[196] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0031
.text C:\WINDOWS\Explorer.EXE[196] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0FC1
.text C:\WINDOWS\Explorer.EXE[196] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\Explorer.EXE[196] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0020
.text C:\WINDOWS\Explorer.EXE[196] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0FD2
.text C:\WINDOWS\Explorer.EXE[196] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 002C000A
.text C:\WINDOWS\Explorer.EXE[196] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 002C0FE5
.text C:\WINDOWS\Explorer.EXE[196] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 002C001B
.text C:\WINDOWS\Explorer.EXE[196] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 002C0FD4
.text C:\WINDOWS\Explorer.EXE[196] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\svchost.exe[556] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\system32\svchost.exe[556] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C00F66
.text C:\WINDOWS\system32\svchost.exe[556] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C0005B
.text C:\WINDOWS\system32\svchost.exe[556] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C00F81
.text C:\WINDOWS\system32\svchost.exe[556] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C0004A
.text C:\WINDOWS\system32\svchost.exe[556] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C00FA8
.text C:\WINDOWS\system32\svchost.exe[556] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C0009D
.text C:\WINDOWS\system32\svchost.exe[556] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C00F55
.text C:\WINDOWS\system32\svchost.exe[556] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C00F29
.text C:\WINDOWS\system32\svchost.exe[556] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C000C2
.text C:\WINDOWS\system32\svchost.exe[556] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C00F0E
.text C:\WINDOWS\system32\svchost.exe[556] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C0002F
.text C:\WINDOWS\system32\svchost.exe[556] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C00FDE
.text C:\WINDOWS\system32\svchost.exe[556] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C00080
.text C:\WINDOWS\system32\svchost.exe[556] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C0000A
.text C:\WINDOWS\system32\svchost.exe[556] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C00FB9
.text C:\WINDOWS\system32\svchost.exe[556] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C00F44
.text C:\WINDOWS\system32\svchost.exe[556] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BF002F
.text C:\WINDOWS\system32\svchost.exe[556] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BF0F97
.text C:\WINDOWS\system32\svchost.exe[556] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BF0FDE
.text C:\WINDOWS\system32\svchost.exe[556] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BF0014
.text C:\WINDOWS\system32\svchost.exe[556] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BF005E
.text C:\WINDOWS\system32\svchost.exe[556] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\svchost.exe[556] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BF0FBC
.text C:\WINDOWS\system32\svchost.exe[556] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DF, 88]
.text C:\WINDOWS\system32\svchost.exe[556] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BF0FCD
.text C:\WINDOWS\system32\svchost.exe[556] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BE000A
.text C:\WINDOWS\system32\svchost.exe[556] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BE0F89
.text C:\WINDOWS\system32\svchost.exe[556] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BE0FB5
.text C:\WINDOWS\system32\svchost.exe[556] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BE0FE3
.text C:\WINDOWS\system32\svchost.exe[556] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BE0FA4
.text C:\WINDOWS\system32\svchost.exe[556] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BE0FD2
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070FA2
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 000700A1
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070090
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070073
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070058
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F76
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070F87
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000700F4
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 000700E3
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0007010F
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070FD1
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 000700B2
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070047
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00070036
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00070F65
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060FB9
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060F5E
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060FCA
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00060F83
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060FE5
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00060F94
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [26, 88]
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0006001B
.text C:\WINDOWS\system32\services.exe[628] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0005005F
.text C:\WINDOWS\system32\services.exe[628] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050FD4
.text C:\WINDOWS\system32\services.exe[628] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0005003A
.text C:\WINDOWS\system32\services.exe[628] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[628] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\services.exe[628] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0005001D
.text C:\WINDOWS\system32\services.exe[628] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FE5
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C20FEF
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C20F72
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C20F8D
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C20F9E
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C2005B
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C2002F
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C20F3F
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C20F50
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C200AC
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C20F13
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C20F02
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C2004A
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C2000A
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C20F61
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C20FC3
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C20FD4
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C20F2E
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C10025
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C10FA5
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C10FD4
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C10FE5
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C10062
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C10000
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C10051
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C10036
.text C:\WINDOWS\system32\lsass.exe[640] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C00F97
.text C:\WINDOWS\system32\lsass.exe[640] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C00022
.text C:\WINDOWS\system32\lsass.exe[640] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C00FCD
.text C:\WINDOWS\system32\lsass.exe[640] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C00000
.text C:\WINDOWS\system32\lsass.exe[640] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C00FBC
.text C:\WINDOWS\system32\lsass.exe[640] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C00011
.text C:\WINDOWS\system32\lsass.exe[640] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B20FEF
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B20F4B
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B20F66
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B20F8D
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B2004A
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B20FA8
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B2006C
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B2005B
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B20EEE
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B2007D
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B20EC9
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B2002F
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B20FD4
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B20F30
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B20FB9
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B2000A
.text C:\WINDOWS\system32\svchost.exe[820] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B20F09
.text C:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B10FCA
.text C:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B10F83
.text C:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B1001B
.text C:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B10FE5
.text C:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B10F94
.text C:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B10000
.text C:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B10FA5
.text C:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D1, 88]
.text C:\WINDOWS\system32\svchost.exe[820] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B1002C
.text C:\WINDOWS\system32\svchost.exe[820] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B00FAB
.text C:\WINDOWS\system32\svchost.exe[820] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B00036
.text C:\WINDOWS\system32\svchost.exe[820] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B00FC6
.text C:\WINDOWS\system32\svchost.exe[820] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B00FE3
.text C:\WINDOWS\system32\svchost.exe[820] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B00025
.text C:\WINDOWS\system32\svchost.exe[820] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B00000
.text C:\WINDOWS\system32\svchost.exe[820] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AF0FEF
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B40FEF
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B4005B
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B40F66
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B40040
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B4002F
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B4000A
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B400A4
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B40087
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B400D0
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B400BF
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B400EB
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B40F83
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B40FDE
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B40076
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B40FA8
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B40FC3
.text C:\WINDOWS\system32\svchost.exe[900] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B40F41
.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B30028
.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B3006F
.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B30FCD
.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B30FDE
.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B30FB2
.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B30FEF
.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B30054
.text C:\WINDOWS\system32\svchost.exe[900] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B30039
.text C:\WINDOWS\system32\svchost.exe[900] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B20053
.text C:\WINDOWS\system32\svchost.exe[900] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B20FC8
.text C:\WINDOWS\system32\svchost.exe[900] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B20038
.text C:\WINDOWS\system32\svchost.exe[900] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B20000
.text C:\WINDOWS\system32\svchost.exe[900] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B20FE3
.text C:\WINDOWS\system32\svchost.exe[900] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B2001D
.text C:\WINDOWS\system32\svchost.exe[900] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B10FEF
.text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02C90000
.text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02C90F30
.text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02C90F41
.text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02C9001B
.text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02C90F68
.text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02C90F9E
.text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02C9005B
.text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02C9004A
.text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02C90091
.text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02C90EF8
.text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02C900AC
.text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02C90F79
.text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02C90FE5
.text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02C90F1F
.text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02C90FAF
.text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02C90FCA
.text C:\WINDOWS\System32\svchost.exe[968] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02C90076
.text C:\WINDOWS\System32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02C8002C
.text C:\WINDOWS\System32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02C80F9E
.text C:\WINDOWS\System32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02C8001B
.text C:\WINDOWS\System32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02C80FDB
.text C:\WINDOWS\System32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02C80FAF
.text C:\WINDOWS\System32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02C80000
.text C:\WINDOWS\System32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02C80051
.text C:\WINDOWS\System32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02C80FCA
.text C:\WINDOWS\System32\svchost.exe[968] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02C70FA3
.text C:\WINDOWS\System32\svchost.exe[968] msvcrt.dll!system 77C293C7 5 Bytes JMP 02C70FBE
.text C:\WINDOWS\System32\svchost.exe[968] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02C7001D
.text C:\WINDOWS\System32\svchost.exe[968] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02C70FEF
.text C:\WINDOWS\System32\svchost.exe[968] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02C7002E
.text C:\WINDOWS\System32\svchost.exe[968] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02C7000C
.text C:\WINDOWS\System32\svchost.exe[968] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02C60FE5
.text C:\WINDOWS\System32\svchost.exe[968] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 02C50FE5
.text C:\WINDOWS\System32\svchost.exe[968] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 02C50FCA
.text C:\WINDOWS\System32\svchost.exe[968] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 02C5000A
.text C:\WINDOWS\System32\svchost.exe[968] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 02C5001B
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00780000
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007800C3
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007800B2
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00780095
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00780084
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0078004E
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00780F96
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00780FB3
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00780F60
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00780F71
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00780F45
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00780073
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0078001B
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007800DE
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0078003D
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0078002C
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007800EF
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00770FE5
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00770FB9
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00770036
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0077001B
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00770076
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00770000
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00770FD4
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [97, 88]
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00770051
.text C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00760FC8
.text C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!system 77C293C7 5 Bytes JMP 00760FD9
.text C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0076002E
.text C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00760000
.text C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0076003F
.text C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00760011
.text C:\WINDOWS\system32\svchost.exe[1016] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0075000A
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B10FEF
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B10067
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B10056
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B10F7C
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B10F8D
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B10025
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B10F4B
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B10093
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B10F0B
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B10F30
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B100BF
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B10F9E
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B1000A
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B10082
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B10FB9
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B10FCA
.text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B100AE
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B00FCD
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B00FB2
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B00014
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B00FDE
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B0006F
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B00FEF
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B00054
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B00039
.text C:\WINDOWS\system32\svchost.exe[1124] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AF0053
.text C:\WINDOWS\system32\svchost.exe[1124] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AF0038
.text C:\WINDOWS\system32\svchost.exe[1124] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AF001D
.text C:\WINDOWS\system32\svchost.exe[1124] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AF0FEF
.text C:\WINDOWS\system32\svchost.exe[1124] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AF0FC8
.text C:\WINDOWS\system32\svchost.exe[1124] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AF000C
.text C:\WINDOWS\system32\svchost.exe[1124] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AE000A
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB0FE5
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BB0F5E
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BB0F79
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BB0F8A
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BB0047
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BB002C
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BB008B
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BB0F43
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BB0EF2
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BB0F0D
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BB009C
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BB0FA5
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BB0000
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BB006E
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BB0FC0
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BB001B
.text C:\WINDOWS\system32\svchost.exe[1316] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BB0F28
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0093001B
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00930051
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00930000
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930FCA
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930F94
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930FE5
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0093002C
.text C:\WINDOWS\system32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930FA5
.text C:\WINDOWS\system32\svchost.exe[1316] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0092005D
.text C:\WINDOWS\system32\svchost.exe[1316] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920FD2
.text C:\WINDOWS\system32\svchost.exe[1316] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920FE3
.text C:\WINDOWS\system32\svchost.exe[1316] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920000
.text C:\WINDOWS\system32\svchost.exe[1316] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920042
.text C:\WINDOWS\system32\svchost.exe[1316] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920011
.text C:\WINDOWS\system32\svchost.exe[1316] WININET.dll!InternetOpenA 3D95D688 5 Bytes JMP 00900FEF
.text C:\WINDOWS\system32\svchost.exe[1316] WININET.dll!InternetOpenW 3D95DB01 5 Bytes JMP 0090000A
.text C:\WINDOWS\system32\svchost.exe[1316] WININET.dll!InternetOpenUrlA 3D95F39C 5 Bytes JMP 00900FD4
.text C:\WINDOWS\system32\svchost.exe[1316] WININET.dll!InternetOpenUrlW 3D9A6F37 5 Bytes JMP 0090002F
.text C:\WINDOWS\system32\svchost.exe[1316] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910FE5
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1840] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1840] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\dllhost.exe[2736] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EC000A
.text C:\WINDOWS\system32\dllhost.exe[2736] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EC0F92
.text C:\WINDOWS\system32\dllhost.exe[2736] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EC0FA3
.text C:\WINDOWS\system32\dllhost.exe[2736] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EC007D
.text C:\WINDOWS\system32\dllhost.exe[2736] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EC0FCA
.text C:\WINDOWS\system32\dllhost.exe[2736] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EC0062
.text C:\WINDOWS\system32\dllhost.exe[2736] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EC00B5
.text C:\WINDOWS\system32\dllhost.exe[2736] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EC00A4
.text C:\WINDOWS\system32\dllhost.exe[2736] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EC00FC
.text C:\WINDOWS\system32\dllhost.exe[2736] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EC00E1
.text C:\WINDOWS\system32\dllhost.exe[2736] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EC0F48
.text C:\WINDOWS\system32\dllhost.exe[2736] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EC0FDB
.text C:\WINDOWS\system32\dllhost.exe[2736] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EC0025
.text C:\WINDOWS\system32\dllhost.exe[2736] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EC0F77
.text C:\WINDOWS\system32\dllhost.exe[2736] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EC0051
.text C:\WINDOWS\system32\dllhost.exe[2736] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EC0040
.text C:\WINDOWS\system32\dllhost.exe[2736] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EC00D0
.text C:\WINDOWS\system32\dllhost.exe[2736] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EA003A
.text C:\WINDOWS\system32\dllhost.exe[2736] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EA0FB9
.text C:\WINDOWS\system32\dllhost.exe[2736] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EA0018
.text C:\WINDOWS\system32\dllhost.exe[2736] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EA0FEF
.text C:\WINDOWS\system32\dllhost.exe[2736] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EA0029

---- User IAT/EAT - GMER 1.0.15 ----


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\BAECDAC2AD5D6D445BCFD7EE78BAC3C0\Usage@Unload 991857454

---- EOF - GMER 1.0.15 ----

***********************************************************************************************

Scanning Report
Sunday, August 30, 2009 15:35:13 - 17:41:12
Computer name: BROBERTS1
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\ D:\


--------------------------------------------------------------------------------

8 malware found
TrackingCookie.2o7 (spyware)
System (Disinfected)
TrackingCookie.Atdmt (spyware)
System (Disinfected)
TrackingCookie.Doubleclick (spyware)
System (Disinfected)
TrackingCookie.Revsci (spyware)
System (Disinfected)
TrackingCookie.Yieldmanager (spyware)
System (Disinfected)
TrackingCookie.Imrworldwide (spyware)
System (Disinfected)
Gen:Trojan.Heur.@xuorPyVVSfeu (virus)
C:\RECYCLER\S-1-5-21-688876849-3228375642-1222528406-1010\DC113.EXE (Renamed & Submitted)
Trojan.Generic.1007191 (virus)
C:\PROGRAM FILES\ONLINE SERVICES\PEOPLEPC\UTILITIES\ATLBROWSER.EXE (Renamed & Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 74749
System: 4103
Not scanned: 21
Actions:
Disinfected: 6
Renamed: 2
Deleted: 0
Not cleaned: 0
Submitted: 2
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\TEMP\MCAFEE_8URJC9NNTJVEKHQ
C:\WINDOWS\TEMP\MCMSC_86WIPSJXTASMKGH
C:\WINDOWS\TEMP\MCMSC_CGRNKELEVXDJUTA
C:\WINDOWS\TEMP\MCMSC_H7AK9P3ISWOBLBD
C:\WINDOWS\TEMP\SQLITE_2XKTR2GQUB76CGG
C:\WINDOWS\TEMP\SQLITE_ARMFSUAZZGEWNTR
C:\WINDOWS\TEMP\SQLITE_IWHNXV1VJLT7NC3
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\HP\BIN\KILLWIND.EXE
C:\DOCUMENTS AND SETTINGS\JEROD..YEA\LOCAL SETTINGS\TEMP\HSPERFDATA_JEROD..YEA\3200
C:\DOCUMENTS AND SETTINGS\DAD\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\TOOLBAR HISTORY\COUNTERS
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\E55C35C78FE41C76244D3B573CF514D5_73F4ABC1-0622-4D66-A79A-15E5ADD40F41
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\7D3761A5B4DC0EBD045E71FAED1A324D_73F4ABC1-0622-4D66-A79A-15E5ADD40F41
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\LAVASOFT\AD-AWARE\MINIMESSAGE\2
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\1BCC739B0CFA5C2C7C34AFDCC901BF83_73F4ABC1-0622-4D66-A79A-15E5ADD40F41

--------------------------------------------------------------------------------

Options
Scanning engines:
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use advanced heuristics

--------------------------------------------------------------------------------


#14 lazyvista

lazyvista
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:02:51 PM

Posted 30 August 2009 - 06:01 PM

I found this in my hosts file. I removed all of these settings.

The machine is still running very slow.

212.95.49.214 www.google.com
212.95.49.214 www.google.de
212.95.49.214 www.google.fr
212.95.49.214 www.google.co.uk
212.95.49.214 www.google.com.br
212.95.49.214 www.google.it
212.95.49.214 www.google.es
212.95.49.214 www.google.co.jp
212.95.49.214 www.google.com.mx
212.95.49.214 www.google.ca
212.95.49.214 www.google.com.au
212.95.49.214 www.google.nl
212.95.49.214 www.google.co.za
212.95.49.214 www.google.be
212.95.49.214 www.google.gr
212.95.49.214 www.google.at
212.95.49.214 www.google.se
212.95.49.214 www.google.ch
212.95.49.214 www.google.pt
212.95.49.214 www.google.dk
212.95.49.214 www.google.fi
212.95.49.214 www.google.ie
212.95.49.214 www.google.no
212.95.49.214

#15 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:51 PM

Posted 30 August 2009 - 08:59 PM

Nice catch....host files.
I am kinda limited in this forum as to the tools which I can utilize. I would really like to get a more in-depth look at your computer, but let's try a few things before I send you over to the HjT forums.

==========

Do this please....
Keep all the logs in order and copy and paste them in to your reply in the order produced.

==========

* Go to start > Run copy/paste the contents of the code box excluding "code" in the run box and click OK.

cmd /c (ipconfig /all&nslookup google.com&ping -n 2 google.com&route print) >log.txt&log.txt&del log.txt
A command window opens. Wait until a log.txt file opens.

* Please copy/paste the log file in your reply.

==========

Reset TCP/IP Properties

First:

* Go to Start -> Control Panel -> Double click on Network Connections.
* Right click on your default connection (usually Local Area Connection or Wireless Network Connection) and select Properties.

* Select the General tab.
* Double click on Internet Protocol (TCP/IP).

Under General tab:

- Select "Obtain an IP address automatically".
- Select "Obtain DNS server address automatically".

* Click OK twice to save the settings.
* Reboot if you had to change any setting.

Next:

* Go to start > Run copy/paste the contents of the code box excluding "code" in the run box and click OK.

cmd /c (ipconfig /all&nslookup google.com&ping -n 2 google.com&route print) >log.txt&log.txt&del log.txt
A command window opens. Wait until a log.txt file opens.

* Please copy/paste the log file in your reply.

==========

Download HostsXpert.zip
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click "Restore Microsoft's Hosts file" and then click "OK".
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
==========

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

==========

With your next post please provide:

* Internet connection log before fix
* Internet connection log after fix
* SDFix Report.txt
* How is it running now?
* Still getting redirected?

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/
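
The hosts-file hijack found in post #14, and the state to expect after the hosts restore in post #15, can be checked with a short audit script. This is an added example, not part of the original thread or of any tool named in it; the function names, the watched labels (google, bing) and every sample line other than the 212.95.49.214 entries are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: search-engine labels worth watching, per the thread's symptoms.
WATCHED_LABELS = {"google", "bing"}

# Constructed sample: the 212.95.49.214 entries mirror those quoted in the
# thread; every other line is made up to exercise the parser.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
0.0.0.0         ads.example.test   # blocklist-style sinkhole entry
212.95.49.214 www.google.com
212.95.49.214 www.google.de
212.95.49.214 www.google.co.uk www.google.fr
not-an-ip       broken.example.test
212.95.49.214
"""


def parse_hosts(text):
    """Yield (line_no, ip or None, hostnames) for each non-comment line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # strip comments, then tokenize
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            ip = None                           # first field is not an address
        yield line_no, ip, [name.lower() for name in fields[1:]]


def audit_hosts(text, watched_labels=WATCHED_LABELS):
    """Group overrides by target IP and flag those that capture watched names."""
    redirects = defaultdict(list)
    malformed = []
    for line_no, ip, names in parse_hosts(text):
        if ip is None or not names:
            malformed.append(line_no)           # bad address or truncated entry
        elif not (ip.is_loopback or ip.is_unspecified):
            redirects[str(ip)].extend(names)    # a real override of DNS
    findings = []
    for target, names in sorted(redirects.items()):
        watched = sorted(n for n in names
                         if set(watched_labels) & set(n.split(".")))
        findings.append({"target": target, "hostnames": sorted(names),
                         "watched": watched, "suspicious": bool(watched)})
    return {"findings": findings, "malformed": malformed}


def strip_targets(text, targets):
    """Return the hosts text without any entry whose address is in targets."""
    kept = [raw for raw in text.splitlines()
            if (raw.split("#", 1)[0].split() or [""])[0] not in targets]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    for f in report["findings"]:
        flag = "SUSPICIOUS" if f["suspicious"] else "review"
        print(f"{flag}: {f['target']} <- {', '.join(f['hostnames'])}")
    print("malformed lines:", report["malformed"])
    bad = {f["target"] for f in report["findings"] if f["suspicious"]}
    print(strip_targets(SAMPLE_HOSTS, bad), end="")
```

Loopback and 0.0.0.0 entries are skipped because they are the usual localhost and blocklist forms; any other address that captures many unrelated search hostnames, as in post #14, is the pattern worth flagging.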



