View Full Version : Unwanted links (I'm not computer savvy)
I keep having links pop up on my screen to tell me Im infected with spyware and to upload their antispyware, I have run Spybot several times, but it keeps occurring, of course the spybot can't seem to remove something called Smitfraud-C, it says its on a currently running program or such, and asks me to restart and use it, I do, but it can't remove it then either and says the same thing again, could this Smitfraud thing be why my computer keeps having these antispyware adds pop up? oh yes, and the icon Im using is on my toolbar at the bottom, and it keeps saying Im infected with spyware and seems to lead to the same link.
Hi
Download and install TrendMicro HijackThis (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe)
* Once installed open HijackThis by clicking Start > Programs > HijackThis and click the button labeled
Do a system scan only
* Click the scan button in the lower left hand corner of the interface and HijackThis will quickly scan your system.
* Once the scan is complete the scan button will now read save log. Click this button to save the log file to your PC. Once you select where you would like to save the file it will open in your systems default text editor. Typically this application is Notepad. Post the log here.
I did as you specified, here are the results of the scan, oh, and if it helps I have "Windows XP media edition"
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:49:06 PM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\DriveIcon\DriveIcon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Common Files\AOL\1208824074\ee\AOLSoftware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\WINDOWS\system32\gnitaxkl.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\AOL 9.1\shellmon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\aol\aol toolbar 5.0\AolTbServer.exe
C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Application Data\U3\000016267370560B\LaunchPad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX3416
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/campaign.asp?cid=26076&affid=370-9
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DriveIcons] C:\Program Files\DriveIcon\DriveIcon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [Winupdates] c:\windows\system32\wskl2.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1208824074\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [bhsqceek] C:\WINDOWS\system32\gnitaxkl.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = ?
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O8 - Extra context menu item: &aol toolbar search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369af0d-62e9-4bda-8103-b4c75499b578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - cmdmapping - (no file) (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193336508750
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{56C2D231-B905-4062-B2CE-FAE3A78F77D0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{71CDCD03-6954-4EC8-A7BD-72AF37479B9C}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9077DEE-A282-4E11-A450-B5FCE21220F7}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: McAfee Application Installer Cleanup (0208751208936130) (0208751208936130mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\020875~1.EXE
O23 - Service: AOL Connectivity Service (aol acs) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 13632 bytes
Hi
Ok. Time to begin then :)
You may want to print out these instructions for reference, since you
will have to restart your computer during the fix.
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, then make
sure Run fixit is checked and click Finish. The fix will
begin; follow the prompts. You will be asked to reboot your computer;
please do so. Your system may take longer than usual to load; this is
normal.
At the end of the fix, you may need to restart your computer again.
Finally, please post a fresh HijackThis log, along with the contents of
the logfile C:\fixwareout\report.txt
all right, both are complete, oh, and I ran the Spybot afterwards as well, it detected several things, including the SmitFraud-C, and it couldn't remove it, ah well, well, here are the two that you requested, first the log from Fixwareout, then the one from HijackThis.
Username "Owner" - 04/24/2008 1:38:59 [Fixwareout edited 9/01/2007]
~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdzif.exe"
Successfully flushed the DNS Resolver Cache.
System was rebooted successfully.
~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Other
C:\WINDOWS\Temp\kdzif.ren 60928 06/13/2007
~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"AGRSMMSG"="AGRSMMSG.exe"
"Recguard"=hex(2):25,57,49,4e,44,49,52,25,5c,53,4d,49,4e,53,54,5c,52,45,43,47,\
55,41,52,44,2e,45,58,45,00
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /installquiet /nodetect"
"Broadcom Wireless Manager UI"="C:\\WINDOWS\\system32\\WLTRAY.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"DriveIcons"="C:\\Program Files\\DriveIcon\\DriveIcon.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"SiteAdvisor"="C:\\Program Files\\SiteAdvisor\\6253\\SiteAdv.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe\""
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"mcagent_exe"="C:\\Program Files\\McAfee.com\\Agent\\mcagent.exe /runkey"
"snp2std"="C:\\WINDOWS\\vsnp2std.exe"
"ntuser"="C:\\WINDOWS\\system32\\drivers\\spools.exe"
"Winupdates"="c:\\windows\\system32\\wskl2.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1208824074\\ee\\AOLSoftware.exe"
"autoload"="C:\\Documents and Settings\\Owner.YOUR-A2A5F0665A\\cftmon.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"
"updateMgr"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_9"
"ntuser"="C:\\WINDOWS\\system32\\drivers\\spools.exe"
"bhsqceek"="C:\\WINDOWS\\system32\\gnitaxkl.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"AOL Fast Start"="\"C:\\Program Files\\AOL 9.1\\AOL.EXE\" -b"
"autoload"="C:\\Documents and Settings\\Owner.YOUR-A2A5F0665A\\cftmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~
:popcorn: and heres the Hijack this report.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:01:38 AM, on 4/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\spools.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\DriveIcon\DriveIcon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Common Files\AOL\1208824074\ee\AOLSoftware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\gnitaxkl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\BigFix\bigfix.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\AOL 9.1\shellmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX3416
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/campaign.asp?cid=26076&affid=370-9
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DriveIcons] C:\Program Files\DriveIcon\DriveIcon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [Winupdates] c:\windows\system32\wskl2.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1208824074\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [bhsqceek] C:\WINDOWS\system32\gnitaxkl.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = ?
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O8 - Extra context menu item: &aol toolbar search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369af0d-62e9-4bda-8103-b4c75499b578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - cmdmapping - (no file) (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193336508750
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{56C2D231-B905-4062-B2CE-FAE3A78F77D0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{71CDCD03-6954-4EC8-A7BD-72AF37479B9C}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9077DEE-A282-4E11-A450-B5FCE21220F7}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (aol acs) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 12940 bytes
Hi
Ok. Time to target the next infection.
Disable Spybot's TeaTimer
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu
select
Advanced Mode
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck
Resident TeaTimer
and OK any prompts.
Restart your computer
1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh hjt log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
Um, sorry for the wait, I had finals at college and was worried my computer might do something funky before then, but they are over and I did as you instructed, thanks for your time, and sorry about the wait, first here is the log from the Combofix:
ComboFix 08-04-27.3 - Owner 2008-04-28 23:35:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.565 [GMT -4:00]
Running from: C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\LocalService\cftmon.exe
C:\Documents and Settings\Owner.YOUR-A2A5F0665A\cftmon.exe
C:\Program Files\PC-Cleaner
C:\Program Files\VirusHeat 4.3
C:\Program Files\VirusHeat 4.3\blacklist.txt
C:\Program Files\VirusHeat 4.3\vht.dat
C:\Program Files\VirusHeat 4.3\VirusHeat 4.3.url
C:\WINDOWS\system32\advapi3.dll
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\kdtrs.exe
C:\WINDOWS\system32bdn.com
C:\WINDOWS\system32hxiwlgpm.dat
C:\WINDOWS\system32ssvchost.com
C:\WINDOWS\system32taack.dat
C:\WINDOWS\system32VBIEWER.OCX
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
-------\Service_6to4
-------\Legacy_Schedule
-------\Service_Schedule
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-29 )))))))))))))))))))))))))))))))
.
2008-04-24 01:35 . 2008-04-24 01:53 <DIR> d-------- C:\fixwareout
2008-04-23 16:47 . 2008-04-23 16:47 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-21 20:28 . 2008-04-21 20:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-04-21 20:27 . 2008-04-21 20:27 <DIR> d-------- C:\WINDOWS\aolshare
2008-04-21 20:27 . 2008-04-21 20:30 <DIR> d-------- C:\Program Files\Common Files\aolshare
2008-04-21 20:27 . 2008-04-22 22:29 <DIR> d-------- C:\Program Files\AOL 9.1
2008-04-21 20:02 . 2008-04-21 20:02 2 --a------ C:\WINDOWS\msoffice.ini
2008-04-19 04:40 . 2008-04-19 04:43 139 --a------ C:\WINDOWS\wininit.ini
2008-04-19 03:56 . 2008-04-19 03:56 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-19 03:56 . 2008-04-19 04:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-19 01:12 . 2008-04-19 01:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\cxmvsxsp
2008-04-18 22:55 . 2008-04-18 22:55 79,360 --a------ C:\ergmoed.exe
2008-04-18 22:55 . 2008-04-18 22:55 75,698 --a------ C:\WINDOWS\widuxngq.sys
2008-04-18 22:55 . 2008-04-19 01:41 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-18 22:55 . 2008-04-18 22:55 9,216 --a------ C:\wnntbsi.exe
2008-04-18 22:55 . 2008-04-18 22:55 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-18 22:55 . 2008-04-18 22:56 2 --a------ C:\75411178
2008-04-07 00:22 . 2008-04-07 00:22 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-31 00:43 . 2008-03-31 00:43 0 --a------ C:\LOG709.tmp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 03:16 --------- d-----w C:\Program Files\McAfee
2008-04-28 16:53 --------- d-----w C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Application Data\U3
2008-04-28 11:06 1,840 ----a-w C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Application Data\wklnhst.dat
2008-04-22 00:41 --------- d-----w C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Application Data\AOL
2008-04-22 00:36 --------- d-----w C:\Program Files\Common Files\AOL
2008-04-22 00:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-04-22 00:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-04-22 00:06 --------- d-----w C:\Program Files\Pure Networks
2008-04-09 20:11 --------- d-----w C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Application Data\Command & Conquer 3 Kane's Wrath
2008-04-08 20:06 --------- d-----w C:\Documents and Settings\Owner.YOUR-A2A5F0665A\Application Data\AdobeUM
2008-04-04 19:34 --------- d-----w C:\Program Files\Java
2008-03-25 21:04 --------- d-----w C:\Program Files\GameSpy
2008-03-25 20:43 --------- d-----w C:\Program Files\Electronic Arts
2008-03-25 20:40 --------- d-----w C:\Program Files\Common Files\EasyInfo
2008-03-05 18:50 --------- d-----w C:\Program Files\support.com
2008-03-05 17:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Support.com
2008-02-29 20:51 --------- d-----w C:\Program Files\ZyX
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 19:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15:00 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 15:22 4670968]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-07 03:33 8720384]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"bhsqceek"="C:\WINDOWS\system32\gnitaxkl.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"AOL Fast Start"="C:\Program Files\AOL 9.1\AOL.exe" [2008-03-06 06:12 50528]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 23:56 64512]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-08-23 19:47 169984]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 20:42 79448]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 18:50 88204 C:\WINDOWS\AGRSMMSG.exe]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-04-27 13:48 7561216]
"nwiz"="nwiz.exe" [2006-04-27 13:48 1519616 C:\WINDOWS\system32\nwiz.exe]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-11-12 00:40 1236992]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-07 15:52 737370]
"DriveIcons"="C:\Program Files\DriveIcon\DriveIcon.exe" [2006-03-17 00:07 655360]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-23 19:57 98304]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50 71216]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-02-08 22:39 36904]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [2006-09-15 14:21 675840]
"HostManager"="C:\Program Files\Common Files\AOL\1208824074\ee\AOLSoftware.exe" [2007-05-25 13:16 42032]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-07 03:33 8720384]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2006-08-23 19:51:22 2168360]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
Icatch(VI) SnapDetect.lnk - C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe [2007-01-12 03:14:25 65536]
Install Pending Files.LNK - C:\Program Files\SIFXINST\SIFXINST.EXE [2006-08-23 20:04:42 729088]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.0\\cnc3game.dat"=
"C:\\Program Files\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.4\\cnc3game.dat"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Electronic Arts\\Command & Conquer 3 Kane's Wrath\\RetailExe\\1.0\\cnc3ep1.dat"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\Common Files\\AOL\\1208824074\\ee\\aolsoftware.exe"=
"C:\\Program Files\\AOL 9.1\\waol.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
R3 nvsmu;nvsmu;C:\WINDOWS\system32\DRIVERS\nvsmu.sys [2006-03-06 17:49]
S3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2006-11-08 15:57]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98447ceb-7f81-11dc-ac96-0003253cd91b}]
\shell\autorun\command - I:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-04-15 06:01:24 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-04-01 05:21:41 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-04-17 16:37:00 C:\WINDOWS\Tasks\WebReg psc C3100 series.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-28 23:45:03
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
-> ?:\WINDOWS\system32\ATL.DLL
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Common Files\AOL\acs\AOLacsd.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-04-28 23:56:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-29 03:56:35
Pre-Run: 7,127,310,336 bytes free
Post-Run: 7,826,800,640 bytes free
226 --- E O F --- 2008-04-11 02:39:59
:bigthumb: and here is the log from the HijackThis program:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:28 PM, on 4/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\DriveIcon\DriveIcon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Common Files\AOL\1208824074\ee\AOLSoftware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/campaign.asp?cid=26076&affid=370-9
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DriveIcons] C:\Program Files\DriveIcon\DriveIcon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1208824074\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [bhsqceek] C:\WINDOWS\system32\gnitaxkl.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = ?
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O8 - Extra context menu item: &aol toolbar search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369af0d-62e9-4bda-8103-b4c75499b578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - cmdmapping - (no file) (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193336508750
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{56C2D231-B905-4062-B2CE-FAE3A78F77D0}: NameServer = 85.255.114.108,85.255.112.64
O17 - HKLM\System\CCS\Services\Tcpip\..\{71CDCD03-6954-4EC8-A7BD-72AF37479B9C}: NameServer = 85.255.114.108,85.255.112.64
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9077DEE-A282-4E11-A450-B5FCE21220F7}: NameServer = 85.255.114.108,85.255.112.64
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.108 85.255.112.64
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.108 85.255.112.64
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.108 85.255.112.64
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (aol acs) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 11961 bytes
Hi
Before we go any further I'd like to see GMER log from your system.
Download GMER (http://www.gmer.net/gmer.zip) and save it your desktop:
Extract it to your desktop and double-click GMER.exe
Click rootkit-tab and then scan.
Don't check
Show All
box while scanning in progress!
When scanning is ready, click Copy.
This copies log to clipboard
Post log in your reply.
all right, sorry for the wait on that, had some trouble with my connection recently, unfortunately my computer, well, I wont get into it, since it has nothing to do with the programming, well, here is the information from that scan.
GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-05-04 00:35:58
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.14 ----
SSDT \??\C:\WINDOWS\widuxngq.sys ZwCreateKey [0xF3D6F95F] <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\widuxngq.sys ZwOpenKey [0xF3D6FA13] <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\widuxngq.sys ZwTerminateProcess [0xF3D71531] <-- ROOTKIT !!!
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF3CB697C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF3CB692A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF3CB693E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xF3CB6A2F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF3CB6A5B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF3CB6AC9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF3CB6AB3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF3CB69BC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF3CB6AF5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF3CB6902]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF3CB6916]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF3CB6990]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xF3CB6B31]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF3CB6A9D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF3CB6A87]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xF3CB6A45]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xF3CB6B1D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xF3CB6B09]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF3CB6968]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF3CB6954]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xF3CB6A71]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xF3CB6ADF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF3CB69D2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF3CB69A6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess
---- Kernel code sections - GMER 1.0.14 ----
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B19D2 1 Byte [ E9 ]
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection + 2 805B19D4 3 Bytes [ 4F, 70, 73 ]
? C:\WINDOWS\widuxngq.sys The system cannot find the file specified.
---- User code sections - GMER 1.0.14 ----
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[764] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[764] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00CE0FEF
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00CE0F6D
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00CE0058
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00CE0047
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00CE0036
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00CE0FA8
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00CE00B5
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00CE00A4
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00CE00C6
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00CE0F2D
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00CE0F1C
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00CE0025
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00CE0FDE
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00CE007D
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00CE0014
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00CE0FC3
.text C:\WINDOWS\system32\services.exe[892] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00CE0F52
.text C:\WINDOWS\system32\services.exe[892] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00A40FA8
.text C:\WINDOWS\system32\services.exe[892] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00A40F61
.text C:\WINDOWS\system32\services.exe[892] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00A40FC3
.text C:\WINDOWS\system32\services.exe[892] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00A40FD4
.text C:\WINDOWS\system32\services.exe[892] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00A4001E
.text C:\WINDOWS\system32\services.exe[892] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00A40F7C
.text C:\WINDOWS\system32\services.exe[892] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00A40FEF
.text C:\WINDOWS\system32\services.exe[892] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00A40F8D
.text C:\WINDOWS\system32\services.exe[892] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A10000
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00B60000
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00B60080
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00B60F81
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00B60F9E
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00B60FAF
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00B60FD4
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00B600B8
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00B6009D
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00B60F30
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00B600D3
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00B600E4
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00B6005B
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00B60FE5
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00B60F70
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00B60036
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00B6001B
.text C:\WINDOWS\system32\lsass.exe[904] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00B60F4B
.text C:\WINDOWS\system32\lsass.exe[904] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00B50036
.text C:\WINDOWS\system32\lsass.exe[904] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00B50F94
.text C:\WINDOWS\system32\lsass.exe[904] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00B50025
.text C:\WINDOWS\system32\lsass.exe[904] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00B5000A
.text C:\WINDOWS\system32\lsass.exe[904] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00B50FA5
.text C:\WINDOWS\system32\lsass.exe[904] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00B50047
.text C:\WINDOWS\system32\lsass.exe[904] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00B50FEF
.text C:\WINDOWS\system32\lsass.exe[904] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00B50FCA
.text C:\WINDOWS\system32\lsass.exe[904] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00B30FEF
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00E4000A
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00E4009A
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00E40FAF
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00E4007D
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00E4006C
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00E40FDB
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00E400B5
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00E40F6F
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00E40F48
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00E400E1
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00E400FC
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00E40FCA
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00E4001B
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00E40F80
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00E40051
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00E4002C
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00E400D0
.text C:\WINDOWS\system32\svchost.exe[1052] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00E30FDB
.text C:\WINDOWS\system32\svchost.exe[1052] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00E30F9E
.text C:\WINDOWS\system32\svchost.exe[1052] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00E3002C
.text C:\WINDOWS\system32\svchost.exe[1052] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00E3001B
.text C:\WINDOWS\system32\svchost.exe[1052] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00E30FAF
.text C:\WINDOWS\system32\svchost.exe[1052] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00E30051
.text C:\WINDOWS\system32\svchost.exe[1052] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00E3000A
.text C:\WINDOWS\system32\svchost.exe[1052] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00E30FCA
.text C:\WINDOWS\system32\svchost.exe[1052] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00E1000A
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00BA0067
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00BA0F72
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00BA0F8D
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00BA0F9E
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00BA0040
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00BA008E
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00BA0F46
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00BA0F17
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00BA00B0
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00BA00CB
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00BA0FAF
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00BA000A
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00BA0F57
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00BA0025
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00BA0FCA
.text C:\WINDOWS\system32\svchost.exe[1112] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00BA009F
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00B9000A
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00B90F8A
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00B90FB9
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00B90FD4
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00B90047
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00B90036
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00B90FE5
.text C:\WINDOWS\system32\svchost.exe[1112] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00B90025
.text C:\WINDOWS\system32\svchost.exe[1112] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00B70000
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 02650FEF
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 02650047
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 02650F52
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 02650F79
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 02650F8A
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 02650025
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 02650F12
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 02650058
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 02650EDC
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 02650EF7
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 02650086
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 02650036
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 02650FD4
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 02650F37
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 02650FB9
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 0265000A
.text C:\WINDOWS\System32\svchost.exe[1148] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 02650075
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 02640FC3
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 02640054
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 02640FD4
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 0264000A
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 0264002F
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 02640F8D
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 02640FEF
.text C:\WINDOWS\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 02640FA8
.text C:\WINDOWS\System32\svchost.exe[1148] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 02620000
.text C:\WINDOWS\System32\svchost.exe[1148] WININET.dll!InternetOpenA 42C2C851 5 Bytes JMP 01C30000
.text C:\WINDOWS\System32\svchost.exe[1148] WININET.dll!InternetOpenW 42C2CE81 5 Bytes JMP 01C30FE5
.text C:\WINDOWS\System32\svchost.exe[1148] WININET.dll!InternetOpenUrlA 42C30BAA 5 Bytes JMP 01C3001B
.text C:\WINDOWS\System32\svchost.exe[1148] WININET.dll!InternetOpenUrlW 42C7AE09 5 Bytes JMP 01C3002C
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 008C0000
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 008C0F4D
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 008C0F5E
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 008C0F79
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 008C0F8A
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 008C0FAF
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 008C0073
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 008C0F21
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008C0F10
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008C00A9
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 008C00BA
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 008C0036
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 008C0FE5
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 008C0F32
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 008C001B
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 008C0FCA
.text C:\WINDOWS\system32\svchost.exe[1196] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 008C0084
.text C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 008B000A
.text C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 008B002C
.text C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 008B0FB9
.text C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 008B0FD4
.text C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 008B0F6F
.text C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 008B001B
.text C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 008B0FE5
.text C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 008B0F9E
.text C:\WINDOWS\system32\svchost.exe[1196] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00890FEF
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 009A0000
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 009A0F63
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 009A0F74
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 009A0058
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 009A0FA5
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 009A002C
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 009A0090
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 009A0F48
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 009A0F12
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 009A0F2D
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 009A00BC
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 009A0047
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 009A0011
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 009A0073
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 009A0FC0
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 009A0FDB
.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 009A00AB
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 0080002F
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00800FAF
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 0080001E
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00800FDE
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 0080006C
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00800051
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00800FEF
.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00800040
.text C:\WINDOWS\system32\svchost.exe[1340] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 007E0FEF
.text C:\WINDOWS\system32\svchost.exe[1340] WININET.dll!InternetOpenA 42C2C851 5 Bytes JMP 007D000A
.text C:\WINDOWS\system32\svchost.exe[1340] WININET.dll!InternetOpenW 42C2CE81 5 Bytes JMP 007D001B
.text C:\WINDOWS\system32\svchost.exe[1340] WININET.dll!InternetOpenUrlA 42C30BAA 5 Bytes JMP 007D0040
.text C:\WINDOWS\system32\svchost.exe[1340] WININET.dll!InternetOpenUrlW 42C7AE09 5 Bytes JMP 007D0FE5
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 0094000A
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00940F63
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00940058
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00940047
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00940F8A
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00940FC0
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00940095
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00940084
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00940F10
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00940F2B
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00940EFF
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00940FAF
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 0094001B
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00940073
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00940FDB
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 0094002C
.text C:\WINDOWS\system32\svchost.exe[1820] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00940F3C
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00930051
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 0093009B
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 0093002C
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 0093001B
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00930FD4
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00930FE5
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 0093000A
.text C:\WINDOWS\system32\svchost.exe[1820] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 0093006C
.text C:\WINDOWS\system32\svchost.exe[1820] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00910000
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 009F0000
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 009F0065
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 009F0F70
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 009F004A
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 009F0F8D
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 009F0FB9
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 009F00A7
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 009F0F5F
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 009F00D3
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 009F0F3A
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 009F0F1F
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 009F0F9E
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 009F0FEF
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 009F0080
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 009F0FCA
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 009F0025
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 009F00B8
.text C:\WINDOWS\system32\svchost.exe[1852] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 009E0036
.text C:\WINDOWS\system32\svchost.exe[1852] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 009E006C
.text C:\WINDOWS\system32\svchost.exe[1852] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 009E0FE5
.text C:\WINDOWS\system32\svchost.exe[1852] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 009E001B
.text C:\WINDOWS\system32\svchost.exe[1852] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 009E0FAF
.text C:\WINDOWS\system32\svchost.exe[1852] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 009E0FC0
.text C:\WINDOWS\system32\svchost.exe[1852] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 009E0000
.text C:\WINDOWS\system32\svchost.exe[1852] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 009E0051
.text C:\WINDOWS\Explorer.EXE[2252] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 012D0000
.text C:\WINDOWS\Explorer.EXE[2252] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 012D0073
.text C:\WINDOWS\Explorer.EXE[2252] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 012D0062
.text C:\WINDOWS\Explorer.EXE[2252] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 012D0F94
.text C:\WINDOWS\Explorer.EXE[2252] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 012D0FAF
.text C:\WINDOWS\Explorer.EXE[2252] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 012D0036
.text C:\WINDOWS\Explorer.EXE[2252] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 012D0F2D
.text C:\WINDOWS\Explorer.EXE[2252] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 012D0F48
.text C:\WINDOWS\Explorer.EXE[2252] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 012D0F08
.text C:\WINDOWS\Explorer.EXE[2252] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 012D00AB
.text C:\WINDOWS\Explorer.EXE[2252] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 012D00BC
.text C:\WINDOWS\Explorer.EXE[2252] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 012D0051
.text C:\WINDOWS\Explorer.EXE[2252] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 012D0FDB
.text C:\WINDOWS\Explorer.EXE[2252] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 012D0F63
.text C:\WINDOWS\Explorer.EXE[2252] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 012D0FCA
.text C:\WINDOWS\Explorer.EXE[2252] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 012D0011
.text C:\WINDOWS\Explorer.EXE[2252] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 012D0090
.text C:\WINDOWS\Explorer.EXE[2252] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 012C0014
.text C:\WINDOWS\Explorer.EXE[2252] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 012C0F79
.text C:\WINDOWS\Explorer.EXE[2252] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 012C0FC3
.text C:\WINDOWS\Explorer.EXE[2252] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 012C0FD4
.text C:\WINDOWS\Explorer.EXE[2252] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 012C0F8A
.text C:\WINDOWS\Explorer.EXE[2252] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 012C0036
.text C:\WINDOWS\Explorer.EXE[2252] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 012C0FEF
.text C:\WINDOWS\Explorer.EXE[2252] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 012C0025
.text C:\WINDOWS\Explorer.EXE[2252] WININET.dll!InternetOpenA 42C2C851 5 Bytes JMP 00D60000
.text C:\WINDOWS\Explorer.EXE[2252] WININET.dll!InternetOpenW 42C2CE81 5 Bytes JMP 00D6001B
.text C:\WINDOWS\Explorer.EXE[2252] WININET.dll!InternetOpenUrlA 42C30BAA 5 Bytes JMP 00D60036
.text C:\WINDOWS\Explorer.EXE[2252] WININET.dll!InternetOpenUrlW 42C7AE09 5 Bytes JMP 00D60051
.text C:\WINDOWS\Explorer.EXE[2252] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 012A000A
.text C:\Program Files\Messenger\msmsgs.exe[2776] kernel32.dll!
heres the rest of it, sorry, the site said the original post was too long, so I couldnt get it all in.
.text C:\Program Files\Messenger\msmsgs.exe[2776] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00F80FEF
.text C:\Program Files\Messenger\msmsgs.exe[2776] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00F80073
.text C:\Program Files\Messenger\msmsgs.exe[2776] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00F80F7E
.text C:\Program Files\Messenger\msmsgs.exe[2776] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00F80F99
.text C:\Program Files\Messenger\msmsgs.exe[2776] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00F80062
.text C:\Program Files\Messenger\msmsgs.exe[2776] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00F80036
.text C:\Program Files\Messenger\msmsgs.exe[2776] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00F800BA
.text C:\Program Files\Messenger\msmsgs.exe[2776] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00F8009F
.text C:\Program Files\Messenger\msmsgs.exe[2776] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00F800F7
.text C:\Program Files\Messenger\msmsgs.exe[2776] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00F800E6
.text C:\Program Files\Messenger\msmsgs.exe[2776] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00F80112
.text C:\Program Files\Messenger\msmsgs.exe[2776] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00F80047
.text C:\Program Files\Messenger\msmsgs.exe[2776] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00F80000
.text C:\Program Files\Messenger\msmsgs.exe[2776] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00F8008E
.text C:\Program Files\Messenger\msmsgs.exe[2776] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00F80FD4
.text C:\Program Files\Messenger\msmsgs.exe[2776] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00F8001B
.text C:\Program Files\Messenger\msmsgs.exe[2776] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00F800CB
.text C:\Program Files\Messenger\msmsgs.exe[2776] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00F70FCA
.text C:\Program Files\Messenger\msmsgs.exe[2776] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00F70F9B
.text C:\Program Files\Messenger\msmsgs.exe[2776] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00F70FE5
.text C:\Program Files\Messenger\msmsgs.exe[2776] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00F7001B
.text C:\Program Files\Messenger\msmsgs.exe[2776] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00F70058
.text C:\Program Files\Messenger\msmsgs.exe[2776] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00F70047
.text C:\Program Files\Messenger\msmsgs.exe[2776] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00F7000A
.text C:\Program Files\Messenger\msmsgs.exe[2776] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00F70036
.text C:\Program Files\Messenger\msmsgs.exe[2776] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00F50000
.text C:\Program Files\Messenger\msmsgs.exe[2776] WININET.dll!InternetOpenA 42C2C851 5 Bytes JMP 00ED000A
.text C:\Program Files\Messenger\msmsgs.exe[2776] WININET.dll!InternetOpenW 42C2CE81 5 Bytes JMP 00ED0FEF
.text C:\Program Files\Messenger\msmsgs.exe[2776] WININET.dll!InternetOpenUrlA 42C30BAA 5 Bytes JMP 00ED0FD4
.text C:\Program Files\Messenger\msmsgs.exe[2776] WININET.dll!InternetOpenUrlW 42C7AE09 5 Bytes JMP 00ED0025
.text C:\Program Files\MySpace\IM\MySpaceIM.exe[2816] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes [ 33, C0, C2, 04, 00 ]
.text C:\Program Files\internet explorer\iexplore.exe[3336] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00250FEF
.text C:\Program Files\internet explorer\iexplore.exe[3336] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00250F6D
.text C:\Program Files\internet explorer\iexplore.exe[3336] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0025006C
.text C:\Program Files\internet explorer\iexplore.exe[3336] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00250051
.text C:\Program Files\internet explorer\iexplore.exe[3336] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00250F9E
.text C:\Program Files\internet explorer\iexplore.exe[3336] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00250036
.text C:\Program Files\internet explorer\iexplore.exe[3336] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 002500B5
.text C:\Program Files\internet explorer\iexplore.exe[3336] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00250098
.text C:\Program Files\internet explorer\iexplore.exe[3336] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 002500EB
.text C:\Program Files\internet explorer\iexplore.exe[3336] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00250F48
.text C:\Program Files\internet explorer\iexplore.exe[3336] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00250F2D
.text C:\Program Files\internet explorer\iexplore.exe[3336] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00250FAF
.text C:\Program Files\internet explorer\iexplore.exe[3336] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 0025000A
.text C:\Program Files\internet explorer\iexplore.exe[3336] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00250087
.text C:\Program Files\internet explorer\iexplore.exe[3336] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 0025001B
.text C:\Program Files\internet explorer\iexplore.exe[3336] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00250FD4
.text C:\Program Files\internet explorer\iexplore.exe[3336] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 002500C6
.text C:\Program Files\internet explorer\iexplore.exe[3336] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00330051
.text C:\Program Files\internet explorer\iexplore.exe[3336] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00330FD4
.text C:\Program Files\internet explorer\iexplore.exe[3336] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00330036
.text C:\Program Files\internet explorer\iexplore.exe[3336] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00330025
.text C:\Program Files\internet explorer\iexplore.exe[3336] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00330FE5
.text C:\Program Files\internet explorer\iexplore.exe[3336] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 0033007D
.text C:\Program Files\internet explorer\iexplore.exe[3336] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00330000
.text C:\Program Files\internet explorer\iexplore.exe[3336] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 0033006C
.text C:\Program Files\internet explorer\iexplore.exe[3336] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3336] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A1712 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3336] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A1693 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3336] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A16D7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3336] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A161F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3336] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A1659 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3336] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 430A174D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3336] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3336] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00390000
.text C:\Program Files\internet explorer\iexplore.exe[3336] WININET.dll!InternetOpenA 42C2C851 5 Bytes JMP 01B90000
.text C:\Program Files\internet explorer\iexplore.exe[3336] WININET.dll!InternetOpenW 42C2CE81 5 Bytes JMP 01B90FE5
.text C:\Program Files\internet explorer\iexplore.exe[3336] WININET.dll!InternetOpenUrlA 42C30BAA 5 Bytes JMP 01B9001B
.text C:\Program Files\internet explorer\iexplore.exe[3336] WININET.dll!InternetOpenUrlW 42C7AE09 5 Bytes JMP 01B90FCA
.text C:\WINDOWS\system32\dllhost.exe[3540] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00620000
.text C:\WINDOWS\system32\dllhost.exe[3540] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00620075
.text C:\WINDOWS\system32\dllhost.exe[3540] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00620064
.text C:\WINDOWS\system32\dllhost.exe[3540] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00620F8A
.text C:\WINDOWS\system32\dllhost.exe[3540] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00620F9B
.text C:\WINDOWS\system32\dllhost.exe[3540] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00620FD1
.text C:\WINDOWS\system32\dllhost.exe[3540] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 006200A3
.text C:\WINDOWS\system32\dllhost.exe[3540] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00620F5B
.text C:\WINDOWS\system32\dllhost.exe[3540] kernel32.dll!CreateProcessW 7C802332 1 Byte [ E9 ]
.text C:\WINDOWS\system32\dllhost.exe[3540] kernel32.dll!CreateProcessW + 2 7C802334 3 Bytes [ EB, E1, 83 ]
.text C:\WINDOWS\system32\dllhost.exe[3540] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 006200D9
.text C:\WINDOWS\system32\dllhost.exe[3540] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00620F25
.text C:\WINDOWS\system32\dllhost.exe[3540] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00620FB6
.text C:\WINDOWS\system32\dllhost.exe[3540] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00620011
.text C:\WINDOWS\system32\dllhost.exe[3540] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00620086
.text C:\WINDOWS\system32\dllhost.exe[3540] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 0062003D
.text C:\WINDOWS\system32\dllhost.exe[3540] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00620022
.text C:\WINDOWS\system32\dllhost.exe[3540] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 006200BE
.text C:\WINDOWS\system32\dllhost.exe[3540] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00390025
.text C:\WINDOWS\system32\dllhost.exe[3540] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 0039005B
.text C:\WINDOWS\system32\dllhost.exe[3540] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00390FD4
.text C:\WINDOWS\system32\dllhost.exe[3540] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00390000
.text C:\WINDOWS\system32\dllhost.exe[3540] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00390FA8
.text C:\WINDOWS\system32\dllhost.exe[3540] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00390040
.text C:\WINDOWS\system32\dllhost.exe[3540] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00390FEF
.text C:\WINDOWS\system32\dllhost.exe[3540] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00390FB9
.text C:\WINDOWS\system32\dllhost.exe[3540] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 006D0FE5
---- User IAT/EAT - GMER 1.0.14 ----
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\psapi.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\psapi.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\userenv.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[320] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1208824074\ee\AOLSoftware.exe[2752] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1208824074\ee\AOLSoftware.exe[2752] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1208824074\ee\AOLSoftware.exe[2752] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1208824074\ee\AOLSoftware.exe[2752] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1208824074\ee\AOLSoftware.exe[2752] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1208824074\ee\AOLSoftware.exe[2752] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1208824074\ee\AOLSoftware.exe[2752] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1208824074\ee\AOLSoftware.exe[2752] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1208824074\ee\AOLSoftware.exe[2752] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1208824074\ee\AOLSoftware.exe[2752] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1208824074\ee\AOLSoftware.exe[2752] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1208824074\ee\AOLSoftware.exe[2752] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1208824074\ee\AOLSoftware.exe[2752] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1208824074\ee\AOLSoftware.exe[2752] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1208824074\ee\AOLSoftware.exe[2752] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1208824074\ee\AOLSoftware.exe[2752] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1208824074\ee\AOLSoftware.exe[2752] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1208824074\ee\AOLSoftware.exe[2752] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9BE7] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1208824074\ee\AOLSoftware.exe[2752] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9B5A] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1208824074\ee\AOLSoftware.exe[2752] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1208824074\ee\AOLSoftware.exe[2752] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9C74] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1208824074\ee\AOLSoftware.exe[2752] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9A4C] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\AOL\1208824074\ee\AOLSoftware.exe[2752] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9AD3] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2804] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2804] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2804] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2804] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2804] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2804] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2804] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2804] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2804] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2804] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2804] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2804] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2804] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2804] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2804] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2804] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2804] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2804] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2804] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2804] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2804] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2804] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2804] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2804] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [63601740] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2804] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2804] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2804] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2804] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2804] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2804] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[2804] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
---- Devices - GMER 1.0.14 ----
Device \FileSystem\Ntfs \Ntfs widuxngq.sys
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
---- Services - GMER 1.0.14 ----
Service C:\WINDOWS\widuxngq.sys (*** hidden *** ) [SYSTEM] widuxngq <-- ROOTKIT !!!
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\widuxngq@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\widuxngq@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\widuxngq@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\widuxngq@ImagePath \??\C:\WINDOWS\widuxngq.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\widuxngq\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\widuxngq\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet002\Services\widuxngq@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\widuxngq@Start 1
Reg HKLM\SYSTEM\ControlSet002\Services\widuxngq@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\widuxngq@ImagePath \??\C:\WINDOWS\widuxngq.sys
Reg HKLM\SYSTEM\ControlSet002\Services\widuxngq\Security
Reg HKLM\SYSTEM\ControlSet002\Services\widuxngq\Security@Security 0x01 0x00 0x14 0x80 ...
---- EOF - GMER 1.0.14 ----
Hi
Disable Spybot's TeaTimer
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu
select
Advanced Mode
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck
Resident TeaTimer
and OK any prompts.
Restart your computer
Run FixWareout again in safe mode and post back its report. Then continue with following instructions.
Open notepad and copy/paste the text in the quotebox below into it:
KILLALL::
Driver::
widuxngq
File::
C:\ergmoed.exe
C:\WINDOWS\widuxngq.sys
C:\wnntbsi.exe
C:\75411178
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bhsqceek"=-
Save this as
CFScript
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, click Yes.
The program will launch and start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings and select the following:
Scan using the following Anti-Virus database:
Extended (If available, otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK.
Under
select a target to scan
, select My Computer.
The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.Once the scan is complete:
Click on the Save as Text button.
Save the file to your desktop.
Copy and paste that information into your next post if the AV content will fit into one post only. Post also a fresh hjt log and ComboFix resultant log (c:\combofix\combofix.txt file contents).
Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.
If having a problme doing the above
Make sure that your Internet security settings are set to default values.
To set default security settings for Internet Explorer:
* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four item (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.
Due to inactivity, this thread will now be closed.
Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.