
Please Help - Not sure what I have


  • This topic is locked
26 replies to this topic

#1 SmileyD

  • Members
  • 14 posts

Posted 17 March 2010 - 01:39 PM

I've run every type of software to get my computer back to normal.

Malware
McAfee
PC Tools Antivirus

Each one comes up with different problems, which have been fixed except for one that McAfee says cannot be fixed. It's still running really slow and is still redirecting in Explorer.

Below is my HijackThis log.

Please Help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:31:27 PM, on 3/17/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\MioNet\MioNetManager.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\MioNet\jvm\bin\MioNet.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\MioNet\jvm\bin\MioNet.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://midlandparkschools.schoolwires.com/...ite/default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - _{9368D063-44BE-49B9-BD14-BB9663FD38FC} - (no file)
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [Msamelujolijef] rundll32.exe "C:\WINDOWS\ecokohodopuv.dll",Startup
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MioNet] C:\Program Files\MioNet\MioNetLauncher.exe /p
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [LELA] "C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\conmgr.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Mom\Application Data\ttuh.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10a.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\Mom\Application Data\Dropbox\bin\Dropbox.exe
O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
O4 - Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\kswclwkq.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O20 - AppInit_DLLs: hijirike.dll c:\windows\system32\jebojope.dll
O20 - Winlogon Notify: msguard - eplrr0.dll (file missing)
O21 - SSODL: dohimipej - {e385c8fb-08d3-42c4-942e-70b19ae18505} - (no file)
O22 - SharedTaskScheduler: jugezatag - {e385c8fb-08d3-42c4-942e-70b19ae18505} - (no file)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: MioNet - Unknown owner - C:\Program Files\MioNet\MioNetManager.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 13163 bytes

Edited by boopme, 17 March 2010 - 04:04 PM.
Moved to Virus,Spyware and Malware Removal Logs~~boopme
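As an added example (not code from the thread, from BleepingComputer or from HijackThis), a small Python triage pass over HijackThis entry lines like the ones posted above: it parses the R*/O* lines and flags the entries a removal helper reads first (orphaned entries, a populated AppInit_DLLs, autoruns from the user profile, rundll32 loading a DLL from the Windows root, a DPF entry pointing at a local file). The sample lines are copied from the posted log; the flagging rules are this example's own heuristics.

```python
"""HijackThis log triage: an added example, not code from the thread or from
HijackThis. It parses the R*/O* entry lines of a HijackThis 2.0 log and flags
the entries a malware-removal helper reads first. The flagging rules are this
example's own heuristics; the sample lines are copied from the posted log."""
import re
from dataclasses import dataclass, field

# Constructed sample: nine entries copied from the posted HijackThis log.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Msamelujolijef] rundll32.exe "C:\WINDOWS\ecokohodopuv.dll",Startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Mom\Application Data\ttuh.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\kswclwkq.exe
O20 - AppInit_DLLs: hijirike.dll c:\windows\system32\jebojope.dll
O20 - Winlogon Notify: msguard - eplrr0.dll (file missing)
O21 - SSODL: dohimipej - {e385c8fb-08d3-42c4-942e-70b19ae18505} - (no file)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Every entry line has the shape "<section> - <body>", e.g. "O4 - HKLM\..\Run: [Name] command".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# rundll32 pointed at a DLL sitting directly in the Windows directory (not in
# System32), the pattern of the Msamelujolijef entry above.
RUNDLL_WINROOT_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?[a-z]:\\windows\\[^\\"]+\.dll', re.IGNORECASE)
# Autorun binaries living in user-writable profile directories.
USER_PROFILE_RE = re.compile(
    r"\\(?:application data|local settings\\temp)\\", re.IGNORECASE)


@dataclass
class Entry:
    section: str
    body: str
    reasons: list = field(default_factory=list)


def parse_entries(log_text):
    """Return the R*/O* entries of a HijackThis log; header and process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def assess(entry):
    """Attach a reason for each heuristic the entry trips; returns the same entry."""
    body = entry.body
    if "(no file)" in body or "(file missing)" in body:
        entry.reasons.append("orphaned entry: the referenced file is missing")
    if entry.section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        entry.reasons.append("AppInit_DLLs is populated, so the listed DLLs load into every process that maps user32.dll")
    if entry.section == "O4":
        if USER_PROFILE_RE.search(body):
            entry.reasons.append("autorun launched from a user-writable profile directory")
        if RUNDLL_WINROOT_RE.search(body):
            entry.reasons.append("rundll32 loads a DLL placed directly in the Windows directory")
    if entry.section == "O16" and "file://" in body.lower():
        entry.reasons.append("DPF (ActiveX download) entry points at a local file instead of a download URL")
    return entry


def triage(log_text):
    """Parsed entries that tripped at least one heuristic, in log order."""
    return [e for e in map(assess, parse_entries(log_text)) if e.reasons]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section}: {e.body}")
        for r in e.reasons:
            print(f"    -> {r}")
```

Entries the heuristics do not flag (the Java BHO, the QuickTime autorun, the Bonjour service in the sample) are still worth a look in a full review; the pass only orders the reading, it does not clear anything.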



#2 fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 17 March 2010 - 06:15 PM

Hello SmileyD,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

We need to get a little deeper look into your machine and check for rootkits before we proceed with cleaning your machine.


1.
Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

2.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Note: If you can't get GMER to run in regular mode, please try to run it in Safe Mode.

3.
Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

* When done, DDS will open two (2) logs:

1. DDS.txt
2. Attach.txt

Save both reports to your desktop and post the contents of the DDS.txt log. Save the other report in case I need to look at it later.

Things to include in your next reply:
Gmer log
DDS.txt
Attach.txt

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 SmileyD
  • Topic Starter

  • Members
  • 14 posts

Posted 18 March 2010 - 06:29 PM

Thanks for your help! Here are the logs that you requested. Hopefully they help - they are extremely long!

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-18 17:58:19
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Mom\LOCALS~1\Temp\pfdoapod.sys


---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF769B514]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF768A282]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF768A474]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF769BD00]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF769BFB8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF769A3FA]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF769C422]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF769B7D8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF7689F32]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEB9E978C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xEB9E98D5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xEB9E98BF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEB9E97CC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xEB9E9901]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEB9E9710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEB9E9724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEB9E97A0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xEB9E993D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xEB9E98A9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xEB9E9893]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xEB9E9929]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xEB9E9915]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEB9E9778]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEB9E9764]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xEB9E98EB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEB9E97E2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEB9E97B6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 804F8B8D 7 Bytes JMP EB9E97BA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 8056B103 7 Bytes JMP EB9E9897 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8056BD4D 5 Bytes JMP EB9E9768 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 8056EBB9 7 Bytes JMP EB9E9941 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 8056EEB0 7 Bytes JMP EB9E98D9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056FBF8 5 Bytes JMP EB9E9790 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 80571EF1 5 Bytes JMP EB9E97E6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 8057236C 7 Bytes JMP EB9E97D0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 80572D06 5 Bytes JMP EB9E9714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 805730B5 7 Bytes JMP EB9E97A4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 8057FB78 7 Bytes JMP EB9E98C3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058C806 5 Bytes JMP EB9E9728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 80590E16 5 Bytes JMP EB9E9905 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062C403 5 Bytes JMP EB9E977C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8064C042 5 Bytes JMP EB9E9919 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 8064C317 7 Bytes JMP EB9E98EF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064CBE4 7 Bytes JMP EB9E98AD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 8064D51E 5 Bytes JMP EB9E992D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF76EE394]
.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF6543340, 0x121A5F, 0xF8000020]
.text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF9D5380, 0x25BA81, 0xF8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\wt\updater\wcmdmgr.exe[112] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\wt\updater\wcmdmgr.exe[112] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe[156] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe[156] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe[172] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe[172] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\Program Files\McAfee.com\Agent\mcagent.exe[192] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\Program Files\McAfee.com\Agent\mcagent.exe[192] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe[220] C:\WINDOWS\system32\ws2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe[220] C:\WINDOWS\system32\ws2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\Program Files\iTunes\iTunesHelper.exe[236] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\Program Files\iTunes\iTunesHelper.exe[236] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\system32\HPZipm12.exe[340] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\system32\HPZipm12.exe[340] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00CD000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 00CE000A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 00CC000C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00DD0FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00DD0F68
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00DD005D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00DD0F83
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00DD0F94
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00DD0FAF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00DD0F26
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00DD0F4D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00DD00B5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00DD00A4
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00DD0F01
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00DD0036
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00DD0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00DD0078
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00DD001B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00DD0FCA
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00DD0089
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00DC0FA8
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] ADVAPI32.dll!RegCreateKeyExW 77DD7535 1 Byte [E9]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00DC0039
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00DC0FB9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00DC0FD4
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00DC0028
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00DC0F86
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00DC0FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00DC0F97
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DB0042
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DB001D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DB0FC1
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DB0FEF
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DB000C
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DB0FD2
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] WININET.dll!InternetOpenA 42C2C8A1 5 Bytes JMP 00D90000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] WININET.dll!InternetOpenW 42C2CED1 5 Bytes JMP 00D90FE5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] WININET.dll!InternetOpenUrlA 42C30BFA 5 Bytes JMP 00D90FD4
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] WININET.dll!InternetOpenUrlW 42C7AC51 5 Bytes JMP 00D90FB9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\Program Files\Internet Explorer\IEXPLORE.EXE[408] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\system32\hphmon06.exe[432] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\system32\hphmon06.exe[432] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe[488] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe[488] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[500] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[500] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe[528] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe[528] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\Program Files\HP\hpcoretech\hpcmpmgr.exe[540] C:\WINDOWS\system32\ws2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\Program Files\HP\hpcoretech\hpcmpmgr.exe[540] C:\WINDOWS\system32\ws2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\System32\DSentry.exe[552] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\System32\DSentry.exe[552] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[560] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\System32\DLA\DLACTRLW.EXE[560] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\BCMSMMSG.exe[568] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\BCMSMMSG.exe[568] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[624] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[624] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\system32\ctfmon.exe[628] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\system32\ctfmon.exe[628] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\Program Files\Messenger\msmsgs.exe[656] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 011C0FEF
.text C:\Program Files\Messenger\msmsgs.exe[656] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 011C0065
.text C:\Program Files\Messenger\msmsgs.exe[656] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 011C0F66
.text C:\Program Files\Messenger\msmsgs.exe[656] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 011C0F83
.text C:\Program Files\Messenger\msmsgs.exe[656] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 011C0F94
.text C:\Program Files\Messenger\msmsgs.exe[656] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 011C002F
.text C:\Program Files\Messenger\msmsgs.exe[656] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 011C0093
.text C:\Program Files\Messenger\msmsgs.exe[656] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 011C0F4B
.text C:\Program Files\Messenger\msmsgs.exe[656] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 011C00C9
.text C:\Program Files\Messenger\msmsgs.exe[656] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 011C0F30
.text C:\Program Files\Messenger\msmsgs.exe[656] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 011C0F1F
.text C:\Program Files\Messenger\msmsgs.exe[656] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 011C0040
.text C:\Program Files\Messenger\msmsgs.exe[656] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 011C000A
.text C:\Program Files\Messenger\msmsgs.exe[656] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 011C0076
.text C:\Program Files\Messenger\msmsgs.exe[656] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 011C0FC3
.text C:\Program Files\Messenger\msmsgs.exe[656] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 011C0FD4
.text C:\Program Files\Messenger\msmsgs.exe[656] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 011C00A4
.text C:\Program Files\Messenger\msmsgs.exe[656] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FF0FA8
.text C:\Program Files\Messenger\msmsgs.exe[656] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FF0033
.text C:\Program Files\Messenger\msmsgs.exe[656] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FF0FC3
.text C:\Program Files\Messenger\msmsgs.exe[656] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FF0FEF
.text C:\Program Files\Messenger\msmsgs.exe[656] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FF0018
.text C:\Program Files\Messenger\msmsgs.exe[656] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FF0FDE
.text C:\Program Files\Messenger\msmsgs.exe[656] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 011B0FCA
.text C:\Program Files\Messenger\msmsgs.exe[656] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 011B005B
.text C:\Program Files\Messenger\msmsgs.exe[656] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 011B001B
.text C:\Program Files\Messenger\msmsgs.exe[656] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 011B0FE5
.text C:\Program Files\Messenger\msmsgs.exe[656] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 011B0F94
.text C:\Program Files\Messenger\msmsgs.exe[656] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 011B0040
.text C:\Program Files\Messenger\msmsgs.exe[656] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 011B0000
.text C:\Program Files\Messenger\msmsgs.exe[656] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 011B0FB9
.text C:\Program Files\Messenger\msmsgs.exe[656] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\Program Files\Messenger\msmsgs.exe[656] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\Program Files\Messenger\msmsgs.exe[656] WININET.dll!InternetOpenA 42C2C8A1 5 Bytes JMP 00FD0FEF
.text C:\Program Files\Messenger\msmsgs.exe[656] WININET.dll!InternetOpenW 42C2CED1 5 Bytes JMP 00FD0FDE
.text C:\Program Files\Messenger\msmsgs.exe[656] WININET.dll!InternetOpenUrlA 42C30BFA 5 Bytes JMP 00FD0014
.text C:\Program Files\Messenger\msmsgs.exe[656] WININET.dll!InternetOpenUrlW 42C7AC51 5 Bytes JMP 00FD0039
.text C:\WINDOWS\system32\winlogon.exe[684] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\system32\winlogon.exe[684] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00BD00A1
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00BD0086
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00BD0069
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00BD0058
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00BD0FCA
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00BD0F76
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00BD00BE
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00BD0F40
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00BD00D9
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00BD0F2F
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00BD0047
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00BD001B
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00BD0F91
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00BD0036
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\services.exe[732] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00BD0F5B
.text C:\WINDOWS\system32\services.exe[732] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060FA6
.text C:\WINDOWS\system32\services.exe[732] msvcrt.dll!system 77C293C7 5 Bytes JMP 00060027
.text C:\WINDOWS\system32\services.exe[732] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060FC1
.text C:\WINDOWS\system32\services.exe[732] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[732] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0006000C
.text C:\WINDOWS\system32\services.exe[732] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00060FDE
.text C:\WINDOWS\system32\services.exe[732] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00070FA8
.text C:\WINDOWS\system32\services.exe[732] ADVAPI32.dll!RegCreateKeyExW 77DD7535 1 Byte [E9]
.text C:\WINDOWS\system32\services.exe[732] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00070039
.text C:\WINDOWS\system32\services.exe[732] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00070FC3
.text C:\WINDOWS\system32\services.exe[732] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[732] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00070F72
.text C:\WINDOWS\system32\services.exe[732] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00070014
.text C:\WINDOWS\system32\services.exe[732] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[732] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00070F97
.text C:\WINDOWS\system32\services.exe[732] WININET.dll!InternetOpenA 42C2C8A1 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\services.exe[732] WININET.dll!InternetOpenW 42C2CED1 5 Bytes JMP 00040014
.text C:\WINDOWS\system32\services.exe[732] WININET.dll!InternetOpenUrlA 42C30BFA 5 Bytes JMP 00040025
.text C:\WINDOWS\system32\services.exe[732] WININET.dll!InternetOpenUrlW 42C7AC51 5 Bytes JMP 0004004A
.text C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\system32\services.exe[732] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00F90FEF
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00F90073
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00F90F7E
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00F90058
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00F90047
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00F9002C
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00F900B2
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00F900A1
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00F90F34
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00F900CD
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00F900E8
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00F90FAF
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00F90FDE
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00F90084
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00F9001B
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00F9000A
.text C:\WINDOWS\system32\lsass.exe[744] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00F90F45
.text C:\WINDOWS\system32\lsass.exe[744] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00D30FCA
.text C:\WINDOWS\system32\lsass.exe[744] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00D30F79
.text C:\WINDOWS\system32\lsass.exe[744] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00D30011
.text C:\WINDOWS\system32\lsass.exe[744] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00D30000
.text C:\WINDOWS\system32\lsass.exe[744] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00D30F8A
.text C:\WINDOWS\system32\lsass.exe[744] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00D30FAF
.text C:\WINDOWS\system32\lsass.exe[744] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00D30FE5
.text C:\WINDOWS\system32\lsass.exe[744] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00D30036
.text C:\WINDOWS\system32\lsass.exe[744] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D20FC1
.text C:\WINDOWS\system32\lsass.exe[744] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D2004C
.text C:\WINDOWS\system32\lsass.exe[744] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D20FD2
.text C:\WINDOWS\system32\lsass.exe[744] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D20000
.text C:\WINDOWS\system32\lsass.exe[744] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D20031
.text C:\WINDOWS\system32\lsass.exe[744] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D20FE3
.text C:\WINDOWS\system32\lsass.exe[744] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\system32\lsass.exe[744] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\system32\lsass.exe[744] WININET.dll!InternetOpenA 42C2C8A1 5 Bytes JMP 00D0000A
.text C:\WINDOWS\system32\lsass.exe[744] WININET.dll!InternetOpenW 42C2CED1 5 Bytes JMP 00D0001B
.text C:\WINDOWS\system32\lsass.exe[744] WININET.dll!InternetOpenUrlA 42C30BFA 5 Bytes JMP 00D00040
.text C:\WINDOWS\system32\lsass.exe[744] WININET.dll!InternetOpenUrlW 42C7AC51 5 Bytes JMP 00D00051
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[860] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\Program Files\Microsoft ActiveSync\wcescomm.exe[860] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00E20FEF
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00E20096
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00E2007B
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00E20F97
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00E20054
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00E20FBC
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00E20F7A
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00E200C2
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00E200EE
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00E20F5F
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00E20F3A
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00E20043
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00E20FDE
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00E200B1
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00E20FCD
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00E20014
.text C:\WINDOWS\system32\svchost.exe[924] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00E200DD
.text C:\WINDOWS\system32\svchost.exe[924] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00E10FCA
.text C:\WINDOWS\system32\svchost.exe[924] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00E10F68
.text C:\WINDOWS\system32\svchost.exe[924] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00E1001B
.text C:\WINDOWS\system32\svchost.exe[924] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00E10FE5
.text C:\WINDOWS\system32\svchost.exe[924] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00E10F83
.text C:\WINDOWS\system32\svchost.exe[924] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00E10F9E
.text C:\WINDOWS\system32\svchost.exe[924] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00E10000
.text C:\WINDOWS\system32\svchost.exe[924] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00E10FAF
.text C:\WINDOWS\system32\svchost.exe[924] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E00FA8
.text C:\WINDOWS\system32\svchost.exe[924] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E00FB9
.text C:\WINDOWS\system32\svchost.exe[924] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E00FE5
.text C:\WINDOWS\system32\svchost.exe[924] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E00000
.text C:\WINDOWS\system32\svchost.exe[924] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E00FD4
.text C:\WINDOWS\system32\svchost.exe[924] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E00029
.text C:\WINDOWS\system32\svchost.exe[924] WININET.dll!InternetOpenA 42C2C8A1 5 Bytes JMP 00DE0FEF
.text C:\WINDOWS\system32\svchost.exe[924] WININET.dll!InternetOpenW 42C2CED1 5 Bytes JMP 00DE0FDE
.text C:\WINDOWS\system32\svchost.exe[924] WININET.dll!InternetOpenUrlA 42C30BFA 5 Bytes JMP 00DE0FCD
.text C:\WINDOWS\system32\svchost.exe[924] WININET.dll!InternetOpenUrlW 42C7AC51 5 Bytes JMP 00DE0FB2
.text C:\WINDOWS\system32\svchost.exe[924] c:\windows\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\system32\svchost.exe[924] c:\windows\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\Program Files\AIM6\aim6.exe[944] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\Program Files\AIM6\aim6.exe[944] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00DD0FEF
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00DD0065
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00DD0F66
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00DD0F8D
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00DD0040
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00DD0FB9
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00DD0082
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00DD0F3A
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00DD0F04
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00DD00A7
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00DD0EF3
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00DD0F9E
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00DD000A
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00DD0F4B
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00DD0025
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00DD0FD4
.text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00DD0F29
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00BC0025
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00BC0FA5
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00BC0FD4
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00BC000A
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00BC0062
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00BC0051
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\svchost.exe[992] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00BC0036
.text C:\WINDOWS\system32\svchost.exe[992] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BB0FB2
.text C:\WINDOWS\system32\svchost.exe[992] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BB0FC3
.text C:\WINDOWS\system32\svchost.exe[992] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BB0033
.text C:\WINDOWS\system32\svchost.exe[992] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BB000C
.text C:\WINDOWS\system32\svchost.exe[992] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BB0FD4
.text C:\WINDOWS\system32\svchost.exe[992] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\system32\svchost.exe[992] WININET.dll!InternetOpenA 42C2C8A1 5 Bytes JMP 00B90FEF
.text C:\WINDOWS\system32\svchost.exe[992] WININET.dll!InternetOpenW 42C2CED1 5 Bytes JMP 00B90014
.text C:\WINDOWS\system32\svchost.exe[992] WININET.dll!InternetOpenUrlA 42C30BFA 5 Bytes JMP 00B9002F
.text C:\WINDOWS\system32\svchost.exe[992] WININET.dll!InternetOpenUrlW 42C7AC51 5 Bytes JMP 00B90FDE
.text C:\WINDOWS\system32\svchost.exe[992] c:\windows\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\system32\svchost.exe[992] c:\windows\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\System32\svchost.exe[1108] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 008F000A
.text C:\WINDOWS\System32\svchost.exe[1108] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 0090000A
.text C:\WINDOWS\System32\svchost.exe[1108] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 008E000C
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 025A0000
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 025A0065
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 025A0054
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 025A0039
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 025A0F7C
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 025A0FB2
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 025A009B
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 025A0080
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 025A00D1
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 025A0F38
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 025A00E2
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 025A0FA1
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 025A0FEF
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 025A0F55
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 025A0FC3
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 025A0FD4
.text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 025A00B6
.text C:\WINDOWS\System32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 02590022
.text C:\WINDOWS\System32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 0259007A
.text C:\WINDOWS\System32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 02590FD1
.text C:\WINDOWS\System32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 02590011
.text C:\WINDOWS\System32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 02590069
.text C:\WINDOWS\System32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 0259004E
.text C:\WINDOWS\System32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 02590000
.text C:\WINDOWS\System32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 0259003D
.text C:\WINDOWS\System32\svchost.exe[1108] USER32.dll!GetCursorPos 7E41BD76 5 Bytes JMP 024E000A
.text C:\WINDOWS\System32\svchost.exe[1108] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 024D000A
.text C:\WINDOWS\System32\svchost.exe[1108] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02580066
.text C:\WINDOWS\System32\svchost.exe[1108] msvcrt.dll!system 77C293C7 5 Bytes JMP 0258004B
.text C:\WINDOWS\System32\svchost.exe[1108] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02580029
.text C:\WINDOWS\System32\svchost.exe[1108] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0258000C
.text C:\WINDOWS\System32\svchost.exe[1108] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0258003A
.text C:\WINDOWS\System32\svchost.exe[1108] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02580FEF
.text C:\WINDOWS\System32\svchost.exe[1108] WININET.dll!InternetOpenA 42C2C8A1 5 Bytes JMP 0256000A
.text C:\WINDOWS\System32\svchost.exe[1108] WININET.dll!InternetOpenW 42C2CED1 5 Bytes JMP 02560025
.text C:\WINDOWS\System32\svchost.exe[1108] WININET.dll!InternetOpenUrlA 42C30BFA 5 Bytes JMP 02560036
.text C:\WINDOWS\System32\svchost.exe[1108] WININET.dll!InternetOpenUrlW 42C7AC51 5 Bytes JMP 02560047
.text C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\System32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\System32\svchost.exe[1108] C:\WINDOWS\System32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\System32\svchost.exe[1268] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00C50000
.text C:\WINDOWS\System32\svchost.exe[1268] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00C5007D
.text C:\WINDOWS\System32\svchost.exe[1268] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00C50F88
.text C:\WINDOWS\System32\svchost.exe[1268] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00C50062
.text C:\WINDOWS\System32\svchost.exe[1268] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00C50047
.text C:\WINDOWS\System32\svchost.exe[1268] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00C50FB6
.text C:\WINDOWS\System32\svchost.exe[1268] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00C50F52
.text C:\WINDOWS\System32\svchost.exe[1268] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00C5009A
.text C:\WINDOWS\System32\svchost.exe[1268] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00C500DA
.text C:\WINDOWS\System32\svchost.exe[1268] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00C500B5
.text C:\WINDOWS\System32\svchost.exe[1268] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00C50F26
.text C:\WINDOWS\System32\svchost.exe[1268] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00C50FA5
.text C:\WINDOWS\System32\svchost.exe[1268] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00C50FE5
.text C:\WINDOWS\System32\svchost.exe[1268] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00C50F63
.text C:\WINDOWS\System32\svchost.exe[1268] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00C5002C
.text C:\WINDOWS\System32\svchost.exe[1268] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00C5001B
.text C:\WINDOWS\System32\svchost.exe[1268] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00C50F37
.text C:\WINDOWS\System32\svchost.exe[1268] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00C40FDB
.text C:\WINDOWS\System32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00C40F94
.text C:\WINDOWS\System32\svchost.exe[1268] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00C4002C
.text C:\WINDOWS\System32\svchost.exe[1268] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00C4001B
.text C:\WINDOWS\System32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00C40FA5
.text C:\WINDOWS\System32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00C40051
.text C:\WINDOWS\System32\svchost.exe[1268] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00C40000
.text C:\WINDOWS\System32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00C40FC0
.text C:\WINDOWS\System32\svchost.exe[1268] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C30064
.text C:\WINDOWS\System32\svchost.exe[1268] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C30049
.text C:\WINDOWS\System32\svchost.exe[1268] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C3002E
.text C:\WINDOWS\System32\svchost.exe[1268] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C30000
.text C:\WINDOWS\System32\svchost.exe[1268] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C30FE3
.text C:\WINDOWS\System32\svchost.exe[1268] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C3001D
.text C:\WINDOWS\System32\svchost.exe[1268] WININET.dll!InternetOpenA 42C2C8A1 5 Bytes JMP 00C10000
.text C:\WINDOWS\System32\svchost.exe[1268] WININET.dll!InternetOpenW 42C2CED1 5 Bytes JMP 00C1001B
.text C:\WINDOWS\System32\svchost.exe[1268] WININET.dll!InternetOpenUrlA 42C30BFA 5 Bytes JMP 00C10FE5
.text C:\WINDOWS\System32\svchost.exe[1268] WININET.dll!InternetOpenUrlW 42C7AC51 5 Bytes JMP 00C10FD4
.text C:\WINDOWS\System32\svchost.exe[1268] c:\windows\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\System32\svchost.exe[1268] c:\windows\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1276] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\Program Files\Bonjour\mDNSResponder.exe[1276] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\System32\svchost.exe[1472] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00AD000A
.text C:\WINDOWS\System32\svchost.exe[1472] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00AD0F70
.text C:\WINDOWS\System32\svchost.exe[1472] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00AD0F81
.text C:\WINDOWS\System32\svchost.exe[1472] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00AD0F9C
.text C:\WINDOWS\System32\svchost.exe[1472] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00AD0065
.text C:\WINDOWS\System32\svchost.exe[1472] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00AD0FD4
.text C:\WINDOWS\System32\svchost.exe[1472] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00AD009B
.text C:\WINDOWS\System32\svchost.exe[1472] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00AD0F55
.text C:\WINDOWS\System32\svchost.exe[1472] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00AD0F02
.text C:\WINDOWS\System32\svchost.exe[1472] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00AD0F1D
.text C:\WINDOWS\System32\svchost.exe[1472] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00AD00B6
.text C:\WINDOWS\System32\svchost.exe[1472] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00AD0FC3
.text C:\WINDOWS\System32\svchost.exe[1472] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00AD0FEF
.text C:\WINDOWS\System32\svchost.exe[1472] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00AD0080
.text C:\WINDOWS\System32\svchost.exe[1472] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00AD004A
.text C:\WINDOWS\System32\svchost.exe[1472] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00AD0025
.text C:\WINDOWS\System32\svchost.exe[1472] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00AD0F2E
.text C:\WINDOWS\System32\svchost.exe[1472] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00AC0047
.text C:\WINDOWS\System32\svchost.exe[1472] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00AC008E
.text C:\WINDOWS\System32\svchost.exe[1472] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00AC0036
.text C:\WINDOWS\System32\svchost.exe[1472] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00AC0025
.text C:\WINDOWS\System32\svchost.exe[1472] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00AC0073
.text C:\WINDOWS\System32\svchost.exe[1472] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00AC0058
.text C:\WINDOWS\System32\svchost.exe[1472] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00AC0000
.text C:\WINDOWS\System32\svchost.exe[1472] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00AC0FDB
.text C:\WINDOWS\System32\svchost.exe[1472] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AB0FA4
.text C:\WINDOWS\System32\svchost.exe[1472] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AB0025
.text C:\WINDOWS\System32\svchost.exe[1472] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AB0FB5
.text C:\WINDOWS\System32\svchost.exe[1472] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AB0FE3
.text C:\WINDOWS\System32\svchost.exe[1472] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AB000A
.text C:\WINDOWS\System32\svchost.exe[1472] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AB0FD2
.text C:\WINDOWS\System32\svchost.exe[1472] WININET.dll!InternetOpenA 42C2C8A1 5 Bytes JMP 00940000
.text C:\WINDOWS\System32\svchost.exe[1472] WININET.dll!InternetOpenW 42C2CED1 5 Bytes JMP 00940FDB
.text C:\WINDOWS\System32\svchost.exe[1472] WININET.dll!InternetOpenUrlA 42C30BFA 5 Bytes JMP 00940FCA
.text C:\WINDOWS\System32\svchost.exe[1472] WININET.dll!InternetOpenUrlW 42C7AC51 5 Bytes JMP 0094001B
.text C:\WINDOWS\System32\svchost.exe[1472] c:\windows\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\System32\svchost.exe[1472] c:\windows\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\system32\java.exe[1568] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\system32\java.exe[1568] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\Explorer.EXE[1576] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00B5000A
.text C:\WINDOWS\Explorer.EXE[1576] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 00BB000A
.text C:\WINDOWS\Explorer.EXE[1576] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 00B4000C
.text C:\WINDOWS\Explorer.EXE[1576] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 015C0000
.text C:\WINDOWS\Explorer.EXE[1576] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 015C0F63
.text C:\WINDOWS\Explorer.EXE[1576] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 015C0058
.text C:\WINDOWS\Explorer.EXE[1576] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 015C0047
.text C:\WINDOWS\Explorer.EXE[1576] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 015C0F8A
.text C:\WINDOWS\Explorer.EXE[1576] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 015C0022
.text C:\WINDOWS\Explorer.EXE[1576] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 015C0084
.text C:\WINDOWS\Explorer.EXE[1576] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 015C0F48
.text C:\WINDOWS\Explorer.EXE[1576] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 015C0F06
.text C:\WINDOWS\Explorer.EXE[1576] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 015C009F
.text C:\WINDOWS\Explorer.EXE[1576] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 015C0EF5
.text C:\WINDOWS\Explorer.EXE[1576] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 015C0FA5
.text C:\WINDOWS\Explorer.EXE[1576] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 015C0011
.text C:\WINDOWS\Explorer.EXE[1576] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 015C0073
.text C:\WINDOWS\Explorer.EXE[1576] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 015C0FB6
.text C:\WINDOWS\Explorer.EXE[1576] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 015C0FDB
.text C:\WINDOWS\Explorer.EXE[1576] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 015C0F21
.text C:\WINDOWS\Explorer.EXE[1576] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 01580FCA
.text C:\WINDOWS\Explorer.EXE[1576] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 0158006C
.text C:\WINDOWS\Explorer.EXE[1576] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 0158001B
.text C:\WINDOWS\Explorer.EXE[1576] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 0158000A
.text C:\WINDOWS\Explorer.EXE[1576] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 01580051
.text C:\WINDOWS\Explorer.EXE[1576] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 01580040
.text C:\WINDOWS\Explorer.EXE[1576] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 01580FE5
.text C:\WINDOWS\Explorer.EXE[1576] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 01580FB9
.text C:\WINDOWS\Explorer.EXE[1576] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 012D0033
.text C:\WINDOWS\Explorer.EXE[1576] msvcrt.dll!system 77C293C7 5 Bytes JMP 012D0FA8
.text C:\WINDOWS\Explorer.EXE[1576] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 012D0FC3
.text C:\WINDOWS\Explorer.EXE[1576] msvcrt.dll!_open 77C2F566 5 Bytes JMP 012D0FEF
.text C:\WINDOWS\Explorer.EXE[1576] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 012D0018
.text C:\WINDOWS\Explorer.EXE[1576] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 012D0FDE
.text C:\WINDOWS\Explorer.EXE[1576] WININET.dll!InternetOpenA 42C2C8A1 5 Bytes JMP 00C90000
.text C:\WINDOWS\Explorer.EXE[1576] WININET.dll!InternetOpenW 42C2CED1 5 Bytes JMP 00C90011
.text C:\WINDOWS\Explorer.EXE[1576] WININET.dll!InternetOpenUrlA 42C30BFA 5 Bytes JMP 00C9002C
.text C:\WINDOWS\Explorer.EXE[1576] WININET.dll!InternetOpenUrlW 42C7AC51 5 Bytes JMP 00C90047
.text C:\WINDOWS\Explorer.EXE[1576] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\Explorer.EXE[1576] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\Program Files\Digital Line Detect\DLG.exe[1608] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\Program Files\Digital Line Detect\DLG.exe[1608] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\system32\spoolsv.exe[1764] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\system32\spoolsv.exe[1764] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe[1932] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe[1932] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[1992] C:\WINDOWS\system32\ws2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[1992] C:\WINDOWS\system32\ws2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\Program Files\SiteAdvisor\6253\SiteAdv.exe[2004] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\Program Files\SiteAdvisor\6253\SiteAdv.exe[2004] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\Program Files\QuickTime\qttask.exe[2012] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\Program Files\QuickTime\qttask.exe[2012] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\Program Files\PC Tools AntiVirus\PCTAV.exe[2028] C:\WINDOWS\system32\ws2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\Program Files\PC Tools AntiVirus\PCTAV.exe[2028] C:\WINDOWS\system32\ws2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe[2044] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe[2044] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\PROGRA~1\MICROS~3\rapimgr.exe[2084] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\PROGRA~1\MICROS~3\rapimgr.exe[2084] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[2200] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[2200] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text c:\program files\common files\mcafee\mna\mcnasvc.exe[2508] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data c:\program files\common files\mcafee\mna\mcnasvc.exe[2508] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe[2536] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe[2536] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[2552] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[2552] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe[2612] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe[2612] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2660] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2660] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2660] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2660] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[2804] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[2804] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\Program Files\MioNet\MioNetManager.exe[2924] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\Program Files\MioNet\MioNetManager.exe[2924] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\Documents and Settings\Mom\Desktop\gmer.exe[3028] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\Documents and Settings\Mom\Desktop\gmer.exe[3028] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[3092] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\Program Files\McAfee\MPF\MPFSrv.exe[3092] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\Program Files\MioNet\jvm\bin\MioNet.exe[3144] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\Program Files\MioNet\jvm\bin\MioNet.exe[3144] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\Program Files\AIM6\aolsoftware.exe[3216] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\Program Files\AIM6\aolsoftware.exe[3216] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\System32\nvsvc32.exe[3256] C:\WINDOWS\System32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\WINDOWS\System32\nvsvc32.exe[3256] C:\WINDOWS\System32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe[3492] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe[3492] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\Program Files\MioNet\jvm\bin\MioNet.exe[3640] C:\WINDOWS\system32\WS2_32.dll section is writeable [0x71AB1000, 0x12133, 0xE0000040]
.data C:\Program Files\MioNet\jvm\bin\MioNet.exe[3640] C:\WINDOWS\system32\WS2_32.dll entry point in ".data" section [0x71AC4179]
.text C:\WINDOWS\System32\svchost.exe[3820] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A50000
.text C:\WINDOWS\System32\svchost.exe[3820] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A500A2
.text C:\WINDOWS\System32\svchost.exe[3820] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A50087
.text C:\WINDOWS\System32\svchost.exe[3820] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A5006C
.text C:\WINDOWS\System32\svchost.exe[3820] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A5005B
.text C:\WINDOWS\System32\svchost.exe[3820] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A50FB9
.text C:\WINDOWS\System32\svchost.exe[3820] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A500C9
.text C:\WINDOWS\System32\svchost.exe[3820] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A50F81
.text C:\WINDOWS\System32\svchost.exe[3820] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A500FC
.text C:\WINDOWS\System32\svchost.exe[3820] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A500EB
.text C:\WINDOWS\System32\svchost.exe[3820] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00A50117
.text C:\WINDOWS\System32\svchost.exe[3820] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00A50040
.text C:\WINDOWS\System32\svchost.exe[3820] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00A50FEF
.text C:\WINDOWS\System32\svchost.exe[3820] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00A50F92
.text C:\WINDOWS\System32\svchost.exe[3820] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00A50FCA
.text C:\WINDOWS\System32\svchost.exe[3820] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00A50025
.text C:\WINDOWS\System32\svchost.exe[3820] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00A500DA
.text C:\WINDOWS\System32\svchost.exe[3820] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00A40FCA
.text C:\WINDOWS\System32\svchost.exe[3820] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00A40F86
.text C:\WINDOWS\System32\svchost.exe[3820] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00A40025
.text C:\WINDOWS\System32\svchost.exe[3820] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00A4000A
.text C:\WINDOWS\System32\svchost.exe[3820] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00A40F97
.text C:\WINDOWS\System32\svchost.exe[3820] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00A40FA8
.text C:\WINDOWS\System32\svchost.exe[3820] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00A40FEF
.text C:\WINDOWS\System32\svchost.exe[3820] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00A40FB9
.text C:\WINDOWS\System32\svchost.exe[3820] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A30044
.text C:\WINDOWS\System32\svchost.exe[3820] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A30FB9
.text C:\WINDOWS\System32\svchost.exe[3820] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A30029
.text C:\WINDOWS\System32\svchost.exe[3820] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A30000
.text C:\WINDOWS\System32\svchost.exe[3820] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A30FD4
.text C:\WINDOWS\System32\svchost.exe[3820] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A30FEF
.text C:\WINDOWS\System32\svchost.exe[3820] WININET.dll!InternetOpenA 42C2C8A1 5 Bytes JMP 00A20000
.text C:\WINDOWS\System32\svchost.exe[3820] WININET.dll!InternetOpenW 42C2CED1 5 Bytes JMP 00A20FEF
.text C:\WINDOWS\System32\svchost.exe[3820] WININET.dll!InternetOpenUrlA 42C30BFA 5 Bytes JMP 00A2001B
.text C:\WINDOWS\System32\svchost.exe[3820] WININET.dll!InternetOpenUrlW 42C7AC51 5 Bytes JMP 00A2002C

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F170B3FC] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F170B458] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F170B684] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F170B6B2] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F170B684] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F170B458] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F170B3FC] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [F170B3FC] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [F170B458] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [F170B6B2] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [F170B684] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F170B684] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F170B6B2] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F170B3FC] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F170B458] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\AIM6\aim6.exe[944] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[944] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[944] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[944] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[944] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[944] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[944] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[944] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[944] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[944] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[944] @ C:\WINDOWS\system32\MSVCRT.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[944] @ C:\WINDOWS\system32\MSVCRT.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[944] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[944] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[944] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[944] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[944] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[944] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[944] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[944] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[944] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[944] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[944] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[944] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9D54] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[944] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[944] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[944] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9D54] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[944] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[944] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[944] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[944] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[944] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[944] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[944] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3216] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3216] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3216] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3216] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3216] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3216] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3216] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3216] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3216] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3216] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3216] @ C:\WINDOWS\system32\MSVCRT.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3216] @ C:\WINDOWS\system32\MSVCRT.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3216] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3216] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3216] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3216] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9D54] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3216] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3216] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3216] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3216] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3216] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3216] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3216] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3216] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3216] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3216] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3216] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9D54] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3216] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3216] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3216] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3216] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3216] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3216] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[3216] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVRec.sys (PC Tools Recognizer Driver for Windows 2000/XP/PC Tools Research Pty Ltd )
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat AVRec.sys (PC Tools Recognizer Driver for Windows 2000/XP/PC Tools Research Pty Ltd )

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device -> \Driver\atapi \Device\Harddisk0\DR0 872EACA1

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version
Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version@Version 0x01 0xCD 0xBB 0x1A ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----



DDS (Ver_10-03-17.01) - NTFSx86
Run by Mom at 18:06:52.98 on Thu 03/18/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.301 [GMT -4:00]

AV: PC Tools AntiVirus 6.0.0.19 *On-access scanning disabled* (Outdated) {832E7172-E406-4bb2-8B19-6D29F2C93A98}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\MioNet\MioNetManager.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\MioNet\jvm\bin\MioNet.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\MioNet\jvm\bin\MioNet.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mom\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://midlandparkschools.schoolwires.com/midlandpark/site/default.asp
uWindow Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6261\SiteAdv.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6261\SiteAdv.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [Aida] c:\documents and settings\mom\application data\ttuh.exe
mRun: [Msamelujolijef] rundll32.exe "c:\windows\ecokohodopuv.dll",Startup
mRun: [wcmdmgr] c:\windows\wt\updater\wcmdmgrl.exe -launch
mRun: [ViewMgr] c:\program files\viewpoint\viewpoint manager\ViewMgr.exe
mRun: [Tsl] c:\progra~1\common~1\tsa\tsl.exe
mRun: [SiteAdvisor] c:\program files\siteadvisor\6253\SiteAdv.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PCTAVApp] "c:\program files\pc tools antivirus\PCTAV.exe" /MONITORSCAN
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [MioNet] c:\program files\mionet\MioNetLauncher.exe /p
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [LELA] "c:\program files\linksys\linksys easylink advisor\Linksys EasyLink Advisor.exe" /minimized
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [HP Lamp] c:\program files\hewlett-packard\hp precisionscan\precisionscan\HPLamp.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ConMgr.exe] "c:\program files\earthlink 5.0\conmgr.exe"
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
dRunOnce: [RunNarrator] Narrator.exe
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10a.exe
StartupFolder: c:\docume~1\mom\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\mom\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\mom\startm~1\programs\startup\konfab~1.lnk - c:\program files\pixoria\konfabulator\Konfabulator.exe
StartupFolder: c:\docume~1\mom\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
StartupFolder: c:\docume~1\mom\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
StartupFolder: c:\documents and settings\mom\start menu\programs\startup\PowerReg Scheduler V3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0000000A-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmsp9dmo.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {10000000-1000-0000-1000-000000000000} - file://c:\program files\internet explorer\kswclwkq.exe
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
DPF: {5334504D-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/8/D/08D91A3B-CFF6-45DE-95DF-64415075E344/mpg4sdmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp3.dll
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6261\SiteAdv.dll
Notify: msguard - eplrr0.dll
AppInit_DLLs: hijirike.dll c:\windows\system32\jebojope.dll
SSODL: eplrr - - No File
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: dohimipej - {e385c8fb-08d3-42c4-942e-70b19ae18505} - No File
STS: {e385c8fb-08d3-42c4-942e-70b19ae18505} - No File
LSA: Notification Packages = scecli dimoburi.dll gntpls.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-8-1 130936]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2006-7-31 214664]
R2 AVFilter;AVFilter;c:\windows\system32\drivers\AVFilter.sys [2009-8-1 21904]
R2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-4-18 204800]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-11-11 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2006-7-31 144704]
R2 MioNet;MioNet;c:\program files\mionet\MioNetManager.exe [2009-9-9 139264]
R2 PCTAVSvc;PC Tools AntiVirus Engine;c:\program files\pc tools antivirus\PCTAVSvc.exe [2009-8-1 826600]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-6-18 24652]
R3 AVHook;AVHook;c:\windows\system32\drivers\AVHook.sys [2009-8-1 28560]
R3 epstw2k;SCM Parallel Port SCSI Driver;c:\windows\system32\drivers\epstw2k.sys [2003-9-4 114944]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2006-7-31 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2006-7-31 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2006-7-31 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2006-7-31 40552]
R3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2003-9-4 10880]
S0 epstwnt;epstwnt;c:\windows\system32\drivers\epstwnt.mpd --> c:\windows\system32\drivers\epstwnt.mpd [?]
S1 seppgm;TCP x IP2 Kernel;\??\c:\windows\system32\seppgm.sys --> c:\windows\system32\seppgm.sys [?]
S2 seppgs;TCP x IP2 Kernel32;\??\c:\windows\system32\seppgm.sys --> c:\windows\system32\seppgm.sys [?]
S2 SHARSHTL;Shuttle Sharer;c:\windows\system32\drivers\sharshtl.sys --> c:\windows\system32\drivers\sharshtl.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2006-7-31 34248]

=============== Created Last 30 ================

2010-03-18 18:14:42 0 ----a-w- c:\documents and settings\mom\defogger_reenable
2010-03-14 10:08:13 3748 ----a-w- c:\windows\system32\asubtogi.dat

==================== Find3M ====================

2010-03-12 17:17:06 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-23 18:27:23 130368 ----a-w- c:\docume~1\mom\applic~1\GDIPFONTCACHEV1.DAT
2004-04-07 21:35:12 251983 ----a-w- c:\program files\pup.exe
2003-03-12 15:53:40 207758 ----a-w- c:\program files\INSTALL.LOG
2009-05-29 06:57:33 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-05-29 06:57:33 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-05-29 06:57:33 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 18:11:15.51 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 3/15/2003 6:09:19 PM
System Uptime: 3/18/2010 5:59:55 PM (1 hours ago)

Motherboard: Dell Computer Corp. | |
Processor: Intel® Pentium® 4 CPU 2.53GHz | Microprocessor | 2524/533mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 56 GiB total, 4.439 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 3/17/2010 2:08:08 PM - System Checkpoint

==== Installed Programs ======================

3D Groove Playback Engine
Ad-aware 6 Personal
Adobe After Effects 5.5
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 10 ActiveX
Adobe Photoshop 7.0
Adobe Premiere Pro
Adobe Reader 7.0
Adobe Shockwave Player
AIM 6
AnswerWorks Runtime
AOL Instant Messenger
Apple Mobile Device Support
Apple Software Update
aspi
Avatar - Legends of The Arena
Batch Assistant
BCM V.92 56K Modem
Bonjour
BufferChm
Camera Support Core Library
Camera Window
Canon Camera Support Core Library
Canon Camera Window for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
CCHelp
CCScore
CK Becky Higgins' Creative Clips
Classic PhoneTools
CleanUp!
Clifford Thinking Adventures
CreativeProjects
CreativeProjectsTemplates
CueTour
Data Compiler
Dell Picture Studio - Dell Image Expert
Dell Solution Center
Dell Support 5.0.0 (766)
Destinations
Dig'nRigs
Digital Line Detect
Director
Dropbox
DVDSentry
EarthLink Free Trial
ESSAdpt
ESSANUP
ESSCAM
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSvpaht
ESSvpot
FlashFXP
Handbrake 2.4.1
Help and Support Customization
HijackThis 2.0.2
Hotfix for Windows XP (KB909394)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP Diagnostic Assistant
HP Image Zone 4.0
HP PrecisionScan
HP Software Update
HPSystemDiagnostics
ImageStream_2008-09
Indexing Function
InstantShare
Intel A/V Codecs V2.0
Intel® PRO Ethernet Adapter and Software
Intel® PROSet II
Island Xtreme Stunts
iTunes
Java™ 6 Update 3
JumpStart Numbers
JumpStart Spelling
Kodak EasyShare software
KSU
LeadTool
LEGO Digital Designer
LEGO Island 2
Linksys EasyLink Advisor
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft ActiveSync
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Publisher 2002
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MobileMe Control Panel
Modem Helper
MovieEdit Task
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB925673)
MUSICMATCH® Jukebox
My Scene™ CD-ROM
Nero - Burning Rom (Web installer)
Nikon Message Center
Nikon Transfer
Notifier
NVIDIA Display Driver
NVIDIA Windows 2000/XP Display Drivers
Optimum Online net guide
OTtBP
Overland
Paint Shop Pro 7
PC Tools AntiVirus 6.0
PCDADDIN
PCDHELP
PCDLNCH
PCDrdsho
PhotoGallery
Photosmart 320,370,7400,8100,8400 Series
PhotoStitch
Picture Control Utility
PowerDVD
PrintScreen
PS370
PSPrinters06
Pure Networks Platform
QFolder
Qualxserve Service Agreement
QuickProjects
QuickTime
RAW Image Task 1.1
RealPlayer
RemoteCapture Task 1.0.3
Roxio VideoWave Movie Creator
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Sesame Street Elmo's Art Workshop
Sesame Street Elmo's Preschool
SFR
SFR2
Shockwave
SkinsHP1
Sonic UDF Reader
Sony Picture Utility
Sony USB Driver
The Sims 2
Time to Play Dollhouse
Tonka Construction 2
TONKA TOWN
TrayApp
Unload
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
USB MassStorage CardReader
ViewNX
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Virtools 3D Life Player
WD Anywhere Access Powered by MioNet
WebEx Support Manager for Internet Explorer
WebFldrs XP
WebReg
WildTangent Multiplayer Library
WildTangent Updater
WildTangent Web Driver
Windows Communication Foundation
Windows Genuine Advantage Notifications (KB905474)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 11
Windows Mobile® Device Handbook
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

3/18/2010 5:59:24 PM, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
3/18/2010 5:59:17 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
3/18/2010 5:59:17 PM, error: Service Control Manager [7031] - The McAfee Network Agent service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
3/14/2010 10:09:26 PM, error: Service Control Manager [7034] - The Pure Networks Platform Service service terminated unexpectedly. It has done this 1 time(s).
3/12/2010 12:43:56 PM, error: Service Control Manager [7000] - The McAfee Network Agent service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
3/12/2010 12:43:55 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee Network Agent service to connect.
3/12/2010 12:42:50 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
3/12/2010 12:17:39 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\drivers\atapi.sys could not be copied into the DLL cache. The specific error code is 0x00000000 [The operation completed successfully. ]. This file is necessary to maintain system stability.
3/12/2010 12:15:18 PM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
3/12/2010 11:56:33 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
3/12/2010 11:55:55 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.
3/12/2010 11:54:58 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
3/12/2010 11:54:58 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
3/12/2010 1:55:04 PM, error: Service Control Manager [7034] - The PC Tools AntiVirus Engine service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================
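
The following is an added example, not part of either poster's message and not a tool used in this thread: a small Python script that applies, over the Pseudo HJT and service lines from the DDS log above, the generic checks a malware-removal helper runs through by eye before replying. The sample lines are copied from the log as posted (two known-good entries, ctfmon.exe and NvCplDaemon, are kept as controls); the indicators it flags (non-empty AppInit_DLLs, extra LSA notification packages, Winlogon Notify DLLs, rundll32 loading a DLL from the root of C:\WINDOWS, autoruns under the user profile, a DPF entry pointing at a local .exe, an unverifiable .sys outside the drivers folder, and file names that strictly alternate consonant and vowel) are the author's assumptions about what deserves a closer look, not a verdict on any particular file.

```python
"""Heuristic triage of DDS 'Pseudo HJT Report' and service lines.

Added example for this thread, not a tool used by either poster. The sample
lines are copied from the DDS log posted above; the checks are the generic
indicators malware-removal helpers look for first and are assumptions about
what is suspicious, not a verdict on any particular file.
"""
import re

# Lines copied verbatim from the DDS log posted above (two known-good lines,
# ctfmon.exe and NvCplDaemon, are included as controls).
SAMPLE_LINES = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aida] c:\documents and settings\mom\application data\ttuh.exe
mRun: [Msamelujolijef] rundll32.exe "c:\windows\ecokohodopuv.dll",Startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
Notify: msguard - eplrr0.dll
AppInit_DLLs: hijirike.dll c:\windows\system32\jebojope.dll
SSODL: dohimipej - {e385c8fb-08d3-42c4-942e-70b19ae18505} - No File
LSA: Notification Packages = scecli dimoburi.dll gntpls.dll
DPF: {10000000-1000-0000-1000-000000000000} - file://c:\program files\internet explorer\kswclwkq.exe
S1 seppgm;TCP x IP2 Kernel;\??\c:\windows\system32\seppgm.sys --> c:\windows\system32\seppgm.sys [?]
"""

VOWELS = set("aeiou")
# Packages present on a default XP install (assumption used as the allow-list).
DEFAULT_LSA_PACKAGES = {"scecli", "rassfm", "kdcsvc"}
FILENAME_RE = re.compile(r"[\w~$-]+\.(?:dll|exe|sys)", re.I)
RUNDLL_ROOT_RE = re.compile(r'rundll32(?:\.exe)?\s+"?c:\\windows\\[^\\"]+\.dll')
SERVICE_RE = re.compile(r"[RS][0-4]\s")


def looks_generated(name: str, min_len: int = 8) -> bool:
    """True when a file stem is alphabetic and strictly alternates
    consonant/vowel, a pattern common to randomly generated component names
    (ecokohodopuv, hijirike). Heuristic only: a real name can match too."""
    stem = name.lower().rsplit(".", 1)[0]
    if len(stem) < min_len or not stem.isalpha():
        return False
    return all((a in VOWELS) != (b in VOWELS) for a, b in zip(stem, stem[1:]))


def triage_line(line: str) -> list[str]:
    """Return the reasons (possibly none) one report line deserves a look."""
    reasons: list[str] = []
    key, _, value = line.partition(":")
    key, value, low = key.strip(), value.strip(), line.lower()

    if key == "AppInit_DLLs" and value:
        reasons.append("AppInit_DLLs set: listed DLLs load into every GUI process")
    if key == "LSA" and "Notification Packages" in value:
        extra = [p for p in value.split("=", 1)[1].split()
                 if p.lower() not in DEFAULT_LSA_PACKAGES]
        if extra:
            reasons.append("LSA Notification Packages beyond the defaults: "
                           + " ".join(extra) + " (runs inside lsass.exe)")
    if key == "Notify":
        reasons.append("Winlogon Notify package: runs inside winlogon.exe, verify the DLL")
    if key in ("SSODL", "Notify") and looks_generated(value.split(" - ")[0]):
        reasons.append(f"{value.split(' - ')[0]}: generated-looking entry name")
    if RUNDLL_ROOT_RE.search(low):
        reasons.append("rundll32 loads a DLL placed directly in C:\\WINDOWS")
    if key in ("uRun", "mRun") and "application data" in low:
        reasons.append("autorun executable lives under the user profile")
    if key == "DPF" and "file://" in low and low.endswith(".exe"):
        reasons.append("Downloaded Program Files entry points at a local .exe")
    if (SERVICE_RE.match(line) and "[?]" in line and ".sys" in low
            and "\\drivers\\" not in low):
        reasons.append("driver service with unverifiable file outside drivers\\")
    if "no file" in low:
        reasons.append("orphaned entry (No File): harmless but worth cleaning")
    for fname in FILENAME_RE.findall(line):
        if looks_generated(fname):
            reasons.append(f"{fname}: generated-looking file name")
    return reasons


def triage(report: str) -> dict[str, list[str]]:
    """Map every flagged line to its reasons; clean lines are omitted."""
    findings: dict[str, list[str]] = {}
    for raw in report.splitlines():
        line = raw.strip()
        if line and (reasons := triage_line(line)):
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_LINES).items():
        print(flagged)
        for reason in why:
            print("   ->", reason)
```

Run it as a script and it prints the eight flagged lines with their reasons, leaving the ctfmon.exe and NvCplDaemon controls out. The consonant/vowel check is deliberately conservative (eight or more letters, letters only), so short or digit-bearing names such as ttuh.exe or eplrr0.dll are caught by the other rules rather than by name shape; any hit is a prompt to check the file's signer, timestamp and path, not a removal decision.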


#4 fireman4it

Malware Response Team

Posted 18 March 2010 - 06:43 PM

Hello SmileyD,

Now I can see what is going on. It's time we start to fight back and get rid of this malware.

1.
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This has changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on Start > Run, then paste the following into the "Open" field: appwiz.cpl and press OK. From within Add or Remove Programs, uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

2.
Download and Run RKill
    Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.

3.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way, you could trash your computer. Please use it only under the direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Things to include in your next reply:
Combofix.txt
How is your machine running now?


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 fireman4it


Posted 20 March 2010 - 09:13 AM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding :)

With Regards,
fireman4it


#6 SmileyD


Posted 20 March 2010 - 06:33 PM

Sorry, crazy couple of days. This is the first time I had to send you a response.

I ran Combofix which took a while. It rebooted the computer and compiled a log file. I saved the file and then it went back to Windows XP. Since it closed the Combo Fix screen and went back to my desktop I thought it was done. I was unable to open anything or even shut down (the mouse moved but nothing opened when clicked), so I had to turn the computer off manually.

NOW, it will not get past the blue Windows XP screen. I tried opening it in Safe Mode but it will still not get past the screen.

Now What?



#7 fireman4it


Posted 20 March 2010 - 08:16 PM

Hello SmileyD,

No need to worry, we have many tricks we can try.

Let's restore your registry before the running of Combofix and see if that works.

1. Restart your computer
2. Before Windows loads, you will be prompted to choose which Operating System to start
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press enter.


At the C:\Windows prompt, type the following lines and hit Enter after each one.
cd erdnt\hiv-backup
batch erdnt.con


The registry backups will begin copying. At the next prompt, type exit and hit Enter. Windows will try to load.

Are you able to get into windows?


#8 SmileyD


Posted 21 March 2010 - 02:43 PM

I will try this tonight! It's too nice out to be inside! I'll let you know if it works.

Thanks!

#9 fireman4it


Posted 21 March 2010 - 07:34 PM

Ok


#10 SmileyD


Posted 22 March 2010 - 08:30 AM

OK - we're back in business. I was able to get into Windows with just one error:

Error loading c:\windows\ecokohodopuv.dll
The specified module could not be found


Below is the Combofix log from the last one.

ComboFix 10-03-18.02 - Mom 03/19/2010 10:57:47.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.457 [GMT -4:00]
Running from: c:\documents and settings\Mom\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: PC Tools AntiVirus 6.0.0.19 *On-access scanning disabled* (Outdated) {832E7172-E406-4bb2-8B19-6D29F2C93A98}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Mom\Local Settings\Application Data\{B817CDF4-85AB-4A43-B434-7E2EDD2AFDE7}
c:\documents and settings\Mom\Local Settings\Application Data\{B817CDF4-85AB-4A43-B434-7E2EDD2AFDE7}\chrome.manifest
c:\documents and settings\Mom\Local Settings\Application Data\{B817CDF4-85AB-4A43-B434-7E2EDD2AFDE7}\chrome\content\_cfg.js
c:\documents and settings\Mom\Local Settings\Application Data\{B817CDF4-85AB-4A43-B434-7E2EDD2AFDE7}\chrome\content\overlay.xul
c:\documents and settings\Mom\Local Settings\Application Data\{B817CDF4-85AB-4A43-B434-7E2EDD2AFDE7}\install.rdf
c:\documents and settings\Mom\My Documents\ZbThumbnail.info
c:\program files\INSTALL.LOG
C:\smp.bat
c:\windows\AUTOLNCH.REG
c:\windows\ecokohodopuv.dll
c:\windows\jestertb.dll
c:\windows\Readme.txt
c:\windows\system32\11478.exe
c:\windows\system32\11538.exe
c:\windows\system32\11942.exe
c:\windows\system32\12382.exe
c:\windows\system32\12859.exe
c:\windows\system32\14604.exe
c:\windows\system32\14771.exe
c:\windows\system32\15141.exe
c:\windows\system32\153.exe
c:\windows\system32\15724.exe
c:\windows\system32\16827.exe
c:\windows\system32\17035.exe
c:\windows\system32\17421.exe
c:\windows\system32\17673.exe
c:\windows\system32\18467.exe
c:\windows\system32\1869.exe
c:\windows\system32\18716.exe
c:\windows\system32\19169.exe
c:\windows\system32\19718.exe
c:\windows\system32\19895.exe
c:\windows\system32\19912.exe
c:\windows\system32\20037.exe
c:\windows\system32\21726.exe
c:\windows\system32\23281.exe
c:\windows\system32\23811.exe
c:\windows\system32\24464.exe
c:\windows\system32\25547.exe
c:\windows\system32\25667.exe
c:\windows\system32\26299.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\27529.exe
c:\windows\system32\27644.exe
c:\windows\system32\28145.exe
c:\windows\system32\28703.exe
c:\windows\system32\292.exe
c:\windows\system32\29358.exe
c:\windows\system32\2995.exe
c:\windows\system32\30333.exe
c:\windows\system32\31322.exe
c:\windows\system32\32391.exe
c:\windows\system32\32662.exe
c:\windows\system32\32757.exe
c:\windows\system32\3902.exe
c:\windows\system32\4664.exe
c:\windows\system32\4827.exe
c:\windows\system32\491.exe
c:\windows\system32\5436.exe
c:\windows\system32\5447.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\6868.exe
c:\windows\system32\8723.exe
c:\windows\system32\9741.exe
c:\windows\system32\9894.exe
c:\windows\system32\9961.exe
c:\windows\system32\drivers\ndisrd.sys
c:\windows\system32\ndisapi.dll
c:\windows\system32\Packet.dll
c:\windows\system32\QTWMCI32.DLL
c:\windows\system32\tmp.reg
c:\windows\system32\wpcap.dll
c:\windows\Tasks\iretbumn.job
c:\windows\Temp\0297061268954346mcinst.exe

----- BITS: Possible infected sites -----

hxxp://82.98.235.34
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
c:\windows\system32\ws2_32.dll . . . is infected!!

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NDISRD
-------\Legacy_ZESOFT
-------\Service_NDISRD


((((((((((((((((((((((((( Files Created from 2010-02-19 to 2010-03-19 )))))))))))))))))))))))))))))))
.

2010-03-19 15:20 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\proquota.exe
2010-03-19 15:20 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2010-03-18 22:54 . 2010-01-05 22:04 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-03-18 22:54 . 2010-01-05 22:04 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-03-18 22:54 . 2010-01-05 22:04 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-03-18 22:54 . 2010-01-05 22:04 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-03-18 22:54 . 2010-01-05 22:04 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-03-18 22:54 . 2010-01-05 22:04 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-03-18 22:54 . 2010-01-05 22:04 312584 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-03-18 01:37 . 2010-03-18 01:37 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-03-18 01:36 . 2010-03-18 01:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-14 10:08 . 2010-03-14 10:08 3748 ----a-w- c:\windows\system32\asubtogi.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-19 15:27 . 2009-08-01 15:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-19 15:26 . 2009-08-01 15:09 -------- d-----w- c:\program files\PC Tools AntiVirus
2010-03-19 14:45 . 2003-03-12 15:56 -------- d-----w- c:\program files\McAfee.com
2010-03-19 14:03 . 2004-02-13 22:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-03-19 14:03 . 2003-03-12 15:58 -------- d-----w- c:\program files\Viewpoint
2010-03-19 01:34 . 2002-08-29 07:27 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-19 01:34 . 2002-08-29 07:27 95360 ----a-w- c:\windows\system32\drivers\atapi.svs
2010-03-18 23:13 . 2006-07-31 12:12 -------- d-----w- c:\program files\McAfee
2010-03-18 23:12 . 2006-07-31 12:12 -------- d-----w- c:\program files\Common Files\McAfee
2010-03-17 18:20 . 2009-12-13 06:09 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-17 11:54 . 2007-09-20 14:54 -------- d-----w- c:\program files\MioNet
2010-03-15 06:44 . 2009-10-25 21:50 -------- d-----w- c:\documents and settings\Mom\Application Data\MioNet
2010-03-14 00:44 . 2003-03-15 22:10 129976 ----a-w- c:\documents and settings\Mom\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-13 20:41 . 2003-03-12 15:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-13 20:40 . 2008-02-19 15:18 -------- d-----w- c:\program files\My Scene™
2010-03-13 20:38 . 2004-02-18 18:13 -------- d-----w- c:\program files\THQ
2010-03-13 17:20 . 2009-09-07 00:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-13 15:56 . 2006-10-06 18:32 -------- d-----w- c:\documents and settings\LocalService\Application Data\SiteAdvisor
2010-01-22 15:58 . 2010-01-22 15:58 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\AdobeUM
2010-01-21 17:54 . 2010-01-21 17:54 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-07 21:07 . 2009-09-07 00:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-09-07 00:26 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 22:04 . 2006-07-31 12:15 385536 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-01-05 22:04 . 2006-07-31 12:15 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-01-05 22:04 . 2006-07-31 12:15 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2004-04-07 21:35 . 2004-04-07 21:35 251983 ----a-w- c:\program files\pup.exe
.

------- Sigcheck -------

[-] 2004-08-04 . 51F0E3AE1895632263C1496C6ADC5F68 . 82944 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\ws2_32.dll
[-] 2004-08-04 . 51F0E3AE1895632263C1496C6ADC5F68 . 82944 . . [5.1.2600.2180] . . c:\windows\SYSTEM32\ws2_32.dll
[-] 2002-08-29 . 8529C295DF59B564D37A73B5629162B1 . 75264 . . [5.1.2600.0] . . c:\windows\$NtServicePackUninstall$\ws2_32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-06-27 03:02 77824 ----a-w- c:\documents and settings\Mom\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-06-27 03:02 77824 ----a-w- c:\documents and settings\Mom\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-06-27 03:02 77824 ----a-w- c:\documents and settings\Mom\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-06-12 50528]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wcmdmgr"="c:\windows\wt\updater\wcmdmgrl.exe" [2004-03-12 20480]
"SiteAdvisor"="c:\program files\SiteAdvisor\6253\SiteAdv.exe" [2006-07-24 35992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"PCTAVApp"="c:\program files\PC Tools AntiVirus\PCTAV.exe" [2009-02-19 1374096]
"nwiz"="nwiz.exe" [2003-10-06 741376]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-03-28 143360]
"mmtask"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2003-09-11 53248]
"MioNet"="c:\program files\MioNet\MioNetLauncher.exe" [2009-09-09 32768]
"LELA"="c:\program files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" [2008-05-01 131072]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2004-04-06 172032]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Lamp"="c:\program files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe" [1998-11-24 42496]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-15 28672]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-06-13 127036]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-26 177472]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-04 1179952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 53760]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10a.exe" [2008-10-05 235936]

c:\documents and settings\Mom\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Mom\Application Data\Dropbox\bin\Dropbox.exe [2009-9-7 25598505]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-3-18 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-3-12 45056]
HP Digital Imaging Monitor.lnk - c:\program files\HP\digital imaging\bin\hpqtra08.exe [2004-5-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\digital imaging\bin\hpqthb08.exe [2004-5-28 53248]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\seppgm.sys]
@="Driver"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:Enabled:DHCP Discovery Service

R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [8/1/2009 11:10 AM 130936]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [3/18/2010 6:54 PM 82952]
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [4/18/2008 5:30 AM 204800]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/18/2010 6:54 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [3/18/2010 6:54 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [3/18/2010 6:55 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [3/18/2010 6:54 PM 141792]
R2 MioNet;MioNet;c:\program files\MioNet\MioNetManager.exe [9/9/2009 8:36 AM 139264]
R3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [3/18/2010 6:54 PM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\SYSTEM32\DRIVERS\mfefirek.sys [3/18/2010 6:54 PM 312584]
R3 mfendiskmp;mfendiskmp;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [3/18/2010 6:54 PM 88480]
S0 epstwnt;epstwnt;c:\windows\system32\Drivers\epstwnt.mpd --> c:\windows\system32\Drivers\epstwnt.mpd [?]
S1 seppgm;TCP x IP2 Kernel;\??\c:\windows\system32\seppgm.sys --> c:\windows\system32\seppgm.sys [?]
S2 seppgs;TCP x IP2 Kernel32;\??\c:\windows\system32\seppgm.sys --> c:\windows\system32\seppgm.sys [?]
S2 SHARSHTL;Shuttle Sharer;c:\windows\system32\Drivers\sharshtl.sys --> c:\windows\system32\Drivers\sharshtl.sys [?]
S3 epstw2k;SCM Parallel Port SCSI Driver;c:\windows\system32\Drivers\epstw2k.svs --> c:\windows\system32\Drivers\epstw2k.svs [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [3/18/2010 6:54 PM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\SYSTEM32\DRIVERS\mferkdet.sys [3/18/2010 6:54 PM 83496]
S3 scsiscan;SCSI Scanner Driver;c:\windows\SYSTEM32\DRIVERS\scsiscan.sys [9/4/2003 12:02 PM 10880]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-03-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2005-07-16 c:\windows\Tasks\HP Usg Daily FY04.job
- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped06.exe [2004-06-07 04:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://midlandparkschools.schoolwires.com/midlandpark/site/default.asp
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Msamelujolijef - c:\windows\ecokohodopuv.dll
HKLM-Run-Tsl - c:\progra~1\COMMON~1\tsa\tsl.exe
HKLM-Run-ConMgr.exe - c:\program files\EarthLink 5.0\conmgr.exe
HKLM-Run-AdaptecDirectCD - c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
SharedTaskScheduler-{e385c8fb-08d3-42c4-942e-70b19ae18505} - (no file)
SSODL-eplrr- - (no file)
SSODL-dohimipej-{e385c8fb-08d3-42c4-942e-70b19ae18505} - (no file)
Notify-msguard - eplrr0.dll
SafeBoot-seppgs.sys
AddRemove-Batch Assistant - c:\program files\scbar\v9\scbar.exe
AddRemove-Data Compiler - c:\program files\scbar\v9\scbar.exe
AddRemove-ElmosArtWorkshop - c:\cwonders\ELMOSAW\CWRUN.EXE
AddRemove-Indexing Function - c:\program files\scbar\v9\scbar.exe
AddRemove-Sesame Street Elmo's Preschool - c:\program files\The Learning Company\Sesame Street\Sesame Street Elmo's Preschool\uninstal.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-19 11:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\epstw2k]
"ImagePath"="System32\Drivers\epstw2k.svs"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\epstwnt]
"ImagePath"="System32\Drivers\epstwnt.mpd"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:01,cd,bb,1a,51,9b,c5,b8,7e,17,0d,78,ad,1a,57,e0,22,40,35,3a,c9,
c2,96,56,1f,8b,db,41,18,30,96,09,c7,c1,e3,1d,d2,ff,6b,47,91,9b,a4,21,3d,91,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:11,38,08,58,fb,67,19,0f,44,35,03,46,69,fe,c0,e9,5a,33,81,2c,67,
3d,93,65,36,35,c3,d7,f6,56,81,96,e1,a6,e1,2c,9e,7b,78,41,46,e2,7a,14,85,06,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1092)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(5976)
c:\program files\SiteAdvisor\6253\saHook.dll
c:\documents and settings\Mom\Application Data\Dropbox\bin\DropboxExt.3.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\DRIVERS\CDANTSRV.EXE
c:\windows\System32\nvsvc32.exe
c:\program files\PC Tools AntiVirus\PCTAVSvc.exe
c:\windows\System32\ScsiAccess.EXE
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\wt\updater\wcmdmgr.exe
c:\windows\system32\fxssvc.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\windows\BCMSMMSG.exe
c:\program files\Microsoft ActiveSync\wcescomm.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\MioNet\jvm\bin\MioNet.exe
c:\program files\MioNet\jvm\bin\MioNet.exe
c:\windows\system32\java.exe
c:\windows\system32\HPZipm12.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-03-19 11:41:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-19 15:41

Pre-Run: 8,641,368,064 bytes free
Post-Run: 9,112,559,616 bytes free

- - End Of File - - 649B196985F7E6A9CC9A7BA03DE2C21B
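The log above reports c:\windows\system32\ws2_32.dll as infected, yet its Sigcheck block shows that copy carrying the same MD5 (51F0E3AE1895632263C1496C6ADC5F68) as the ServicePackFiles reference copy, which is exactly the kind of discrepancy a helper settles by comparing hashes across every copy of the file. As an added example that is not part of the thread or of ComboFix itself, the Python below parses a Sigcheck section in that log format and checks the live system32 copy against the Service Pack reference; the sample text reuses the three lines from the log plus one constructed dllcache entry with a placeholder hash to show what a tampered backup copy would look like.

```python
"""Parse the Sigcheck section of a ComboFix log and compare the live
system32 copy of each file against its Service Pack reference copy."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed excerpt in the format of the Sigcheck section of the ComboFix
# log posted above. The first three lines are copied from that log; the
# fourth (a dllcache copy with an all-zero hash) is a made-up stand-in for a
# tampered backup copy and does not come from the log.
SAMPLE_SIGCHECK = """\
------- Sigcheck -------

[-] 2004-08-04 . 51F0E3AE1895632263C1496C6ADC5F68 . 82944 . . [5.1.2600.2180] . . c:\\windows\\ServicePackFiles\\i386\\ws2_32.dll
[-] 2004-08-04 . 51F0E3AE1895632263C1496C6ADC5F68 . 82944 . . [5.1.2600.2180] . . c:\\windows\\SYSTEM32\\ws2_32.dll
[-] 2002-08-29 . 8529C295DF59B564D37A73B5629162B1 . 75264 . . [5.1.2600.0] . . c:\\windows\\$NtServicePackUninstall$\\ws2_32.dll
[-] 2004-08-04 . 00000000000000000000000000000000 . 82944 . . [5.1.2600.2180] . . c:\\windows\\system32\\dllcache\\ws2_32.dll
.
"""

# One Sigcheck line: "[flag] date . MD5 . size . . [version] . . path"
SIGCHECK_LINE = re.compile(
    r"^\[(?P<flag>[^\]])\] (?P<date>\d{4}-\d{2}-\d{2}) \. (?P<md5>[0-9A-Fa-f]{32})"
    r" \. (?P<size>\d+) \. \. \[(?P<version>[^\]]*)\] \. \. (?P<path>.+?)\s*$"
)


@dataclass
class SigcheckEntry:
    flag: str
    date: str
    md5: str
    size: int
    version: str
    path: str

    @property
    def name(self) -> str:
        """File name, lower-cased so SYSTEM32 and system32 copies group together."""
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def role(self) -> str:
        """Where this copy lives: the live system32 file, the Service Pack
        reference copy, the dllcache copy, an older-build uninstall backup,
        or something else. Order matters: dllcache is under system32."""
        p = self.path.lower()
        if "\\servicepackfiles\\i386\\" in p:
            return "reference"
        if "\\$ntservicepackuninstall$\\" in p:
            return "uninstall"
        if "\\dllcache\\" in p:
            return "cache"
        if p.startswith("c:\\windows\\system32\\"):
            return "live"
        return "other"


def parse_sigcheck(text: str) -> List[SigcheckEntry]:
    """Extract Sigcheck entries; header lines and the '.' separators are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_LINE.match(line)
        if m:
            entries.append(SigcheckEntry(m["flag"], m["date"], m["md5"].upper(),
                                         int(m["size"]), m["version"], m["path"]))
    return entries


def compare_live_to_reference(entries: List[SigcheckEntry]) -> Dict[str, dict]:
    """Per file name: does the live copy's MD5 equal the Service Pack reference,
    and do any dllcache copies disagree with that reference? The
    $NtServicePackUninstall$ copy is an older build, so its different hash is
    expected and it is listed as ignored rather than flagged."""
    by_name: Dict[str, List[SigcheckEntry]] = {}
    for e in entries:
        by_name.setdefault(e.name, []).append(e)

    report: Dict[str, dict] = {}
    for name, copies in by_name.items():
        live = next((c for c in copies if c.role == "live"), None)
        ref = next((c for c in copies if c.role == "reference"), None)
        report[name] = {
            "live_path": live.path if live else None,
            "live_md5": live.md5 if live else None,
            "reference_md5": ref.md5 if ref else None,
            "live_matches_reference": bool(live and ref and live.md5 == ref.md5),
            "stale_copies": [c.path for c in copies
                             if c.role == "cache" and ref and c.md5 != ref.md5],
            "ignored": [c.path for c in copies if c.role == "uninstall"],
        }
    return report


if __name__ == "__main__":
    for name, v in compare_live_to_reference(parse_sigcheck(SAMPLE_SIGCHECK)).items():
        status = "OK" if v["live_matches_reference"] else "CHECK"
        print(f"{name}: {status} live={v['live_md5']} reference={v['reference_md5']}")
        for p in v["stale_copies"]:
            print(f"  cache copy differs from reference: {p}")
```

Run on the sample, ws2_32.dll reports OK for the live copy and flags only the constructed dllcache entry, which is the result a helper would then confirm with a full file search such as the SystemLook :filefind requested later in the thread.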


#11 fireman4it


Posted 22 March 2010 - 08:40 PM

Hello,

Glad to see you are up and running; this is a step in the right direction.

1.
Hello, your log looks much better now.

Your Microsoft Windows installation is out of date.
Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC.
Go here to check for & install updates to Microsoft applications.
Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

Please reboot and repeat the update process until there are no more updates to install.


2.
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    ws2_32.dll

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

3.
Please download Malwarebytes Anti-Malware (v1.43) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

4.
I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

You can refer to this short video by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
Things to include in your next reply:
SystemLook log
MBAM log
Eset log
A new DDS log
No need for Attach.txt
How is your machine running now? Any signs or symptoms of infection?

Edited by fireman4it, 22 March 2010 - 08:53 PM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#12 SmileyD

SmileyD
  • Topic Starter

  • Members
  • 14 posts
  • Local time:01:57 PM

Posted 23 March 2010 - 07:51 PM

As of right now the computer is running faster. It is no longer redirecting.

Attached are the logs you requested.

Thank you so much for all your help!!! I always tell my friends bleepingcomputer when they are having computer problems!!!

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 12:08 on 23/03/2010 by Mom (Administrator - Elevation successful)

========== filefind ==========

Searching for "ws2_32.dll"
C:\I386\WS2_32.DLL --a--- 75264 bytes [22:21 15/03/2003] [11:00 29/08/2002] 8529C295DF59B564D37A73B5629162B1
C:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll -----c 82944 bytes [15:16 23/03/2010] [07:56 04/08/2004] 51F0E3AE1895632263C1496C6ADC5F68
C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll --a--- 82432 bytes [07:56 04/08/2004] [00:12 14/04/2008] 2CCC474EB85CEAA3E1FA1726580A3E5A
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ws2_32.dll --a--- 82432 bytes [13:46 23/03/2010] [00:12 14/04/2008] 2CCC474EB85CEAA3E1FA1726580A3E5A
C:\WINDOWS\SYSTEM32\ws2_32.dll --a--- 82432 bytes [11:00 29/08/2002] [00:12 14/04/2008] 2CCC474EB85CEAA3E1FA1726580A3E5A

-=End Of File=-

Malwarebytes' Anti-Malware 1.44
Database version: 3905
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

3/23/2010 1:04:27 PM
mbam-log-2010-03-23 (13-04-27).txt

Scan type: Quick Scan
Objects scanned: 133266
Time elapsed: 14 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cleansweep.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\cleansweep.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\cleansweep.exe\config.bin (Trojan.Agent) -> Quarantined and deleted successfully.


C:\Program Files\pup.exe multiple threats deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\ecokohodopuv.dll.vir a variant of Win32/Cimag.AX trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\atapi.sys.vir Win32/Olmarik.VM trojan cleaned - quarantined
C:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll Win32/Patched.ED trojan deleted - quarantined
C:\WINDOWS\wt\backup\1.6.2.003\wcmdmgrl.exe Win32/Adware.WildTangent application cleaned by deleting - quarantined
C:\WINDOWS\wt\updater\wcmdmgrl.exe Win32/Adware.WildTangent application cleaned by deleting - quarantined


DDS (Ver_10-03-17.01) - NTFSx86
Run by Mom at 20:43:53.62 on Tue 03/23/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.475 [GMT -4:00]

AV: PC Tools AntiVirus 6.0.0.19 *On-access scanning disabled* (Outdated) {832E7172-E406-4bb2-8B19-6D29F2C93A98}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\MioNet\MioNetManager.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\MioNet\jvm\bin\MioNet.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\MioNet\jvm\bin\MioNet.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Mom\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://midlandparkschools.schoolwires.com/midlandpark/site/default.asp
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6261\SiteAdv.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100318185456.dll
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6261\SiteAdv.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Msamelujolijef] rundll32.exe "c:\windows\ecokohodopuv.dll",Startup
mRun: [Tsl] c:\progra~1\common~1\tsa\tsl.exe
mRun: [SiteAdvisor] c:\program files\siteadvisor\6253\SiteAdv.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PCTAVApp] "c:\program files\pc tools antivirus\PCTAV.exe" /MONITORSCAN
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [MioNet] c:\program files\mionet\MioNetLauncher.exe /p
mRun: [LELA] "c:\program files\linksys\linksys easylink advisor\Linksys EasyLink Advisor.exe" /minimized
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [HP Lamp] c:\program files\hewlett-packard\hp precisionscan\precisionscan\HPLamp.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ConMgr.exe] "c:\program files\earthlink 5.0\conmgr.exe"
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
dRunOnce: [RunNarrator] Narrator.exe
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10a.exe
StartupFolder: c:\docume~1\mom\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\mom\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\mom\startm~1\programs\startup\konfab~1.lnk - c:\program files\pixoria\konfabulator\Konfabulator.exe
StartupFolder: c:\docume~1\mom\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
StartupFolder: c:\docume~1\mom\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
StartupFolder: c:\documents and settings\mom\start menu\programs\startup\PowerReg Scheduler V3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0000000A-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmsp9dmo.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {10000000-1000-0000-1000-000000000000} - file://c:\program files\internet explorer\kswclwkq.exe
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
DPF: {5334504D-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/8/D/08D91A3B-CFF6-45DE-95DF-64415075E344/mpg4sdmo.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1269349377390
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp3.dll
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6261\SiteAdv.dll
Notify: msguard - eplrr0.dll
SSODL: eplrr - - No File
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: dohimipej - {e385c8fb-08d3-42c4-942e-70b19ae18505} - No File
STS: {e385c8fb-08d3-42c4-942e-70b19ae18505} - No File
LSA: Notification Packages = scecli dimoburi.dll gntpls.dll

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2006-7-31 385536]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-8-1 130936]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-3-18 82952]
R2 AVFilter;AVFilter;c:\windows\system32\drivers\AVFilter.sys [2009-8-1 21904]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-18 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-18 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-3-18 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-3-18 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-3-18 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-3-18 141792]
R2 MioNet;MioNet;c:\program files\mionet\MioNetManager.exe [2009-9-9 139264]
R2 PCTAVSvc;PC Tools AntiVirus Engine;c:\program files\pc tools antivirus\PCTAVSvc.exe [2009-8-1 826600]
R3 AVHook;AVHook;c:\windows\system32\drivers\AVHook.sys [2009-8-1 28560]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-3-18 55456]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2006-7-31 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2006-7-31 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-3-18 312584]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-3-18 88480]
S0 epstwnt;epstwnt;c:\windows\system32\drivers\epstwnt.mpd --> c:\windows\system32\drivers\epstwnt.mpd [?]
S1 seppgm;TCP x IP2 Kernel;\??\c:\windows\system32\seppgm.sys --> c:\windows\system32\seppgm.sys [?]
S2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-4-18 204800]
S2 seppgs;TCP x IP2 Kernel32;\??\c:\windows\system32\seppgm.sys --> c:\windows\system32\seppgm.sys [?]
S2 SHARSHTL;Shuttle Sharer;c:\windows\system32\drivers\sharshtl.sys --> c:\windows\system32\drivers\sharshtl.sys [?]
S3 epstw2k;SCM Parallel Port SCSI Driver;c:\windows\system32\drivers\epstw2k.svs --> c:\windows\system32\drivers\epstw2k.svs [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-3-18 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-3-18 83496]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2006-7-31 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2006-7-31 40552]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [2003-9-4 11520]

=============== Created Last 30 ================

2010-03-23 17:23:33 0 d-----w- c:\program files\ESET
2010-03-23 16:28:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-23 16:28:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-23 15:31:36 0 d-----w- c:\windows\system32\scripting
2010-03-23 15:31:32 0 d-----w- c:\windows\l2schemas
2010-03-23 15:31:30 0 d-----w- c:\windows\system32\en
2010-03-23 13:45:45 33792 ------w- c:\windows\system32\mmcperf.exe
2010-03-23 13:44:59 12800 ------w- c:\windows\system32\credssp.dll
2010-03-23 13:44:53 7168 ------w- c:\windows\system32\bitsprx4.dll
2010-03-23 13:44:52 233472 ------w- c:\windows\system32\azroles.dll
2010-03-23 13:44:43 136192 ------w- c:\windows\system32\aaclient.dll
2010-03-23 13:08:01 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-03-23 13:08:01 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-03-19 15:20:21 50176 ----a-w- c:\windows\system32\proquota.exe
2010-03-19 14:38:15 0 d-sha-r- C:\cmdcons
2010-03-19 14:22:45 98816 ----a-w- c:\windows\sed.exe
2010-03-19 14:22:45 77312 ----a-w- c:\windows\MBR.exe
2010-03-19 14:22:45 261632 ----a-w- c:\windows\PEV.exe
2010-03-19 14:22:45 161792 ----a-w- c:\windows\SWREG.exe
2010-03-18 22:54:53 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-03-18 22:54:22 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-03-18 22:54:22 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-03-18 22:54:22 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-03-18 22:54:22 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-03-18 22:54:22 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-03-18 22:54:22 312584 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-03-18 18:14:42 0 ----a-w- c:\documents and settings\mom\defogger_reenable
2010-03-14 10:08:13 3748 ----a-w- c:\windows\system32\asubtogi.dat

==================== Find3M ====================

2010-03-19 01:34:46 95360 ----a-w- c:\windows\system32\drivers\atapi.svs

============= FINISH: 20:45:18.68 ===============
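As an added illustration of what the SystemLook "filefind" output above lets you check (this is example code written for this page, not SystemLook's or the forum's own tooling): the five ws2_32.dll lines are parsed, the copy in the ServicePackFiles cache is taken as the known-good reference, and every other copy is classed by whether its MD5 matches it. The choice of reference directory, the verdict wording, and the reading of the two bracketed timestamps as creation then last-write (inferred from the dates in the log) are assumptions of this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: the five ws2_32.dll hits copied from the SystemLook log above.
SYSTEMLOOK_FILEFIND = r"""
Searching for "ws2_32.dll"
C:\I386\WS2_32.DLL --a--- 75264 bytes [22:21 15/03/2003] [11:00 29/08/2002] 8529C295DF59B564D37A73B5629162B1
C:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll -----c 82944 bytes [15:16 23/03/2010] [07:56 04/08/2004] 51F0E3AE1895632263C1496C6ADC5F68
C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll --a--- 82432 bytes [07:56 04/08/2004] [00:12 14/04/2008] 2CCC474EB85CEAA3E1FA1726580A3E5A
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ws2_32.dll --a--- 82432 bytes [13:46 23/03/2010] [00:12 14/04/2008] 2CCC474EB85CEAA3E1FA1726580A3E5A
C:\WINDOWS\SYSTEM32\ws2_32.dll --a--- 82432 bytes [11:00 29/08/2002] [00:12 14/04/2008] 2CCC474EB85CEAA3E1FA1726580A3E5A
"""

# One result line: <path> <6 attribute flags> <size> bytes [stamp] [stamp] <MD5>
HIT_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>\S{6}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass(frozen=True)
class FileHit:
    path: str
    attrs: str
    size: int
    created: str   # first bracketed stamp (assumed: creation time)
    modified: str  # second bracketed stamp (assumed: last write time)
    md5: str


def parse_filefind(text: str) -> list[FileHit]:
    """Turn SystemLook filefind result lines into records; non-matching lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append(FileHit(m["path"], m["attrs"], int(m["size"]),
                                m["created"], m["modified"], m["md5"].upper()))
    return hits


def pick_reference(hits: list[FileHit], reference_dir: str = "\\servicepackfiles\\") -> FileHit:
    """Use the service-pack cache copy as the known-good reference (assumption of this example)."""
    for h in hits:
        if reference_dir in h.path.lower():
            return h
    raise ValueError("no reference copy found under %r" % reference_dir)


def triage(text: str) -> dict[str, str]:
    """Map each found copy to a verdict relative to the reference copy."""
    hits = parse_filefind(text)
    ref = pick_reference(hits)
    verdicts: dict[str, str] = {}
    for h in hits:
        if h.md5 == ref.md5:
            verdicts[h.path] = "identical to reference"
        elif h.size != ref.size:
            # A different size means a different build, not a byte-level patch of
            # the reference; it needs its own known-good hash to be cleared.
            verdicts[h.path] = "different build (size differs); verify against its own reference"
        else:
            # Same size, different bytes is the classic signature of an in-place patch.
            verdicts[h.path] = "same size as reference but different bytes; inspect"
    return verdicts


if __name__ == "__main__":
    for path, verdict in triage(SYSTEMLOOK_FILEFIND).items():
        print(f"{verdict:70} {path}")
```

On this log three copies are byte-identical to the SP3 cache copy, and the two that differ (the I386 media copy and the $NtServicePackUninstall$ backup) also differ in size, so they are different builds rather than tampered copies of the SP3 file. That is the limit of a hash comparison: it tells you which copies are identical, not which are clean. The $NtServicePackUninstall$ copy is the one the ESET log above reports as Win32/Patched.ED, and clearing or condemning it needs a known-good hash for that particular build, which is why the helper had the scanner look at it rather than relying on the SystemLook listing alone.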


#13 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:12:57 PM

Posted 23 March 2010 - 10:20 PM

Hello,


Things are looking a lot better, but we still have some work to do.

1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

CODE
Killall::

DDS::
DPF: {0000000A-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmsp9dmo.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {5334504D-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/8/D/08D91A3B-CFF6-45DE-95DF-64415075E344/mpg4sdmo.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {10000000-1000-0000-1000-000000000000} - file://c:\program files\internet explorer\kswclwkq.exe

File::
c:\windows\system32\eplrr0.dll
c:\windows\ecokohodopuv.dll
c:\progra~1\common~1\tsa\tsl.exe
c:\windows\system32\gntpls.dll
c:\windows\system32\dimoburi.dll
c:\windows\system32\asubtogi.dat
c:\windows\system32\seppgm.sys

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Msamelujolijef"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tsl"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\ShellServiceObjectDelayLoad]
"dohimipej"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\ShellServiceObjectDelayLoad]
"eplrr"=-
[-HKEY_CLASSES_ROOT\CLSID\{e385c8fb-08d3-42c4-942e-70b19ae18505}]
[-HKEY_CLASSES_ROOT\CLSID\{e385c8fb-08d3-42c4-942e-70b19ae18505}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NAME]
"msguard"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{e385c8fb-08d3-42c4-942e-70b19ae18505}"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard]
"ShellNext"=""

Driver::
seppgs
seppgm


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2.
I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

You can refer to this short video by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Things to include in your next reply:
Combofix.txt
Eset log
How is your machine running now?

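To make the CFScript's LSA entry concrete (an added example for this page, not ComboFix's or DDS's own code): the following decodes the hex(7) REG_MULTI_SZ the script writes, shows that it is exactly the single string "scecli", and compares it with the packages the DDS log listed on its "LSA: Notification Packages" line. The baseline of scecli as the only default package, and the detection of the one-byte-per-character form used in the script versus the UTF-16LE form a regedit export uses, are assumptions of this example.

```python
import re

# Copied from the thread above: the DDS "LSA:" line from the log and the value
# the CFScript writes back.
DDS_LSA_LINE = "LSA: Notification Packages = scecli dimoburi.dll gntpls.dll"
CFSCRIPT_VALUE = "hex(7):73,63,65,63,6c,69,00,00"

# Baseline assumed by this example: the only package a stock Windows XP registers.
DEFAULT_PACKAGES = ("scecli",)


def decode_multi_sz(value: str) -> list[str]:
    """Decode a REG_MULTI_SZ written as hex(7):aa,bb,... into its list of strings.

    A MULTI_SZ is a run of NUL-terminated strings closed by one more NUL.  The
    CFScript form uses one byte per character; a regedit .reg export uses
    UTF-16LE (every second byte zero), which is detected and decoded as well.
    """
    if not value.lower().startswith("hex(7):"):
        raise ValueError("not a hex(7) value: %r" % value)
    raw = bytes(int(b, 16) for b in value[len("hex(7):"):].split(",") if b.strip())
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        text = raw.decode("utf-16-le")   # UTF-16LE: high bytes are all zero for ASCII names
    else:
        text = raw.decode("latin-1")     # one byte per character, as in the CFScript
    return [s for s in text.split("\0") if s]


def encode_multi_sz(strings) -> str:
    """Inverse of decode_multi_sz, in the one-byte-per-character form the CFScript uses."""
    payload = "".join(s + "\0" for s in strings) + "\0"
    return "hex(7):" + ",".join("%02x" % b for b in payload.encode("latin-1"))


def parse_dds_lsa(line: str) -> list[str]:
    """Pull the package list out of a DDS 'LSA: Notification Packages = ...' line."""
    m = re.match(r"LSA:\s*Notification Packages\s*=\s*(.*)$", line.strip())
    if not m:
        raise ValueError("not a DDS LSA line: %r" % line)
    return m.group(1).split()


def unexpected_packages(found, expected=DEFAULT_PACKAGES) -> list[str]:
    """Entries present on the machine that are not in the expected baseline."""
    allowed = {e.lower() for e in expected}
    return [p for p in found if p.lower() not in allowed]


if __name__ == "__main__":
    found = parse_dds_lsa(DDS_LSA_LINE)
    print("DDS reported:      ", found)
    print("not in baseline:   ", unexpected_packages(found))
    print("CFScript restores: ", decode_multi_sz(CFSCRIPT_VALUE))
    print("re-encoded default:", encode_multi_sz(DEFAULT_PACKAGES))
```

Why this entry matters to a defender: the DLLs named in Notification Packages are loaded into LSASS at boot and are called on password changes, so an unexpected name there is both a persistence mechanism and a credential-exposure risk. The two extra DLLs the DDS log listed are the same dimoburi.dll and gntpls.dll the script's File:: section removes, and the hex(7) value rewrites the list to just scecli so LSASS stops loading them.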


#14 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:12:57 PM

Posted 25 March 2010 - 06:57 AM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding

With Regards,
fireman4it



#15 SmileyD

SmileyD
  • Topic Starter

  • Members
  • 14 posts
  • Local time:01:57 PM

Posted 26 March 2010 - 08:20 AM

Sorry crazy few days - one kid sick, one kid sprained hand!

I will run it now!



