bad spyware infection, maybe more
electriccrayon, Jun 17 2009, 05:24 PM (Post #1)
Authentic Member (Posts: 72, Joined: 9-January 07, Member No.: 66,184), Operating System: windows XP



I have a friend whose desktop is saying there's a Windows security threat, and it keeps showing spyware pop-ups. I don't think the PC has any sort of protection, so I'm certain it's full of all sorts of malware, spyware and viruses.
I believe he said the browser has been hijacked several times; also it shuts down on its own sometimes. He's active military and doesn't have the time to do all this, so I am doing it for him.
Replies (1 - 7)
CatByte, Jun 17 2009, 05:32 PM (Post #2)
Classroom Administrator Assistant, Group: Classroom Teacher (Posts: 6,929, Joined: 18-November 04, From: Canada, Member No.: 18,614), Operating System: xp sp3



Hi,


I take it you are in possession of the computer.

We will need more information from this computer in order to assist.

Is the computer still able to access the internet?

If so, download the following programs. If not, you will need to download them to another computer and transfer them to the infected PC via USB.

Please do the following:

STEP #1

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.pif to run the tool.
  • When done, two DDS .txt reports will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.



STEP #2


Download the GMER Rootkit Scanner. Unzip it to your Desktop.
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
Double-click gmer.exe. The program will begin to run.
**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!
If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.


Post the contents of GMER.txt in your next reply.
electriccrayon, Jun 17 2009, 06:48 PM (Post #3)
Authentic Member (Posts: 72, Joined: 9-January 07, Member No.: 66,184), Operating System: windows XP



The computer is in his possession at home, and it's still able to get online, so we will be working from the infected PC. Here are the scan results you requested.


DDS (Ver_09-05-14.01) - NTFSx86
Run by toni poling at 19:47:43.95 on Wed 06/17/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1278.796 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\DLL\RUNDLL32.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k podmena
C:\WINDOWS\system32\sopidkc.exe
C:\Program Files\Manson\liser.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\sysguard.exe
C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe
C:\program Files\Manson\liser.exe
C:\WINDOWS\9129837.exe
C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe
C:\WINDOWS\system32\SYSDLL.exe
C:\Program Files\America Online 9.0\aoltray.exe
svchost
C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe
C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\notepad.exe
C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\winamp.exe
C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\win.exe
C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\system.exe
C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\toni poling\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
uDefault_Page_URL = hxxp://www.dell4me.com/myway
mDefault_Page_URL = hxxp://www.dell4me.com/myway
mStart Page = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uURLSearchHooks: N/A: {4d25f926-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\deSrcAs.dll
BHO: c:\windows\system32\gsf83iujid.dll: {b2c7b2a1-00f3-42bd-f434-00aaba2c8952} - c:\windows\system32\gsf83iujid.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [system tool] c:\windows\sysguard.exe
uRun: [<NO NAME>] c:\docume~1\tonipo~1\locals~1\temp\ghaf3wz.exe
uRun: [kell] c:\program files\manson\liser.exe
uRun: [Windows System Recover!] c:\docume~1\tonipo~1\locals~1\temp\notepad.exe
uRun: [ttool] c:\windows\9129837.exe
uRun: [hsf7husjnfg98gi498aejhiugjkdg4] c:\docume~1\tonipo~1\locals~1\temp\ghaf3wz.exe
uRun: [SYSDLL] SYSDLL
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [QBReminderFlash] "c:\program files\intuit\quickbooks 2005\atom\QBReminder.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [sysldtray] c:\windows\ld09.exe
dRun: [Windows System Recover!] c:\windows\temp\winamp.exe
dRun: [kell] c:\program files\manson\liser.exe
StartupFolder: c:\documents and settings\toni poling\start menu\programs\startup\fmnupd32.exe
StartupFolder: c:\documents and settings\toni poling\start menu\programs\startup\zqosys32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: EnableProfileQuota = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\windows\system32\lsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {d27cdb6e-ae6d-11cf-96b8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\progra~1\manson\liser.dll
STS: c:\windows\system32\gsf83iujid.dll: {b2c7b2a1-00f3-42bd-f434-00aaba2c8952} - c:\windows\system32\gsf83iujid.dll

============= SERVICES / DRIVERS ===============

R1 podmenadrv;podmenadrv;c:\program files\podmena\podmena.sys [2009-6-14 9472]
R2 dhcpsrv;Dhcp server;c:\windows\dll\RUNDLL32.exe [2009-6-14 235520]
R2 msncache;msncache;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
R2 podmena;podmena;c:\windows\system32\svchost.exe -k podmena [2004-8-10 14336]
R2 sopidkc;sopidkc Service;c:\windows\system32\sopidkc.exe [2004-8-4 121856]
S2 zgtkg3jrsyzdb6wtgw3rh3wahhrjkae80;zgtkg3jrsyzdb6wtgw3rh3wahhrjkae80;c:\windows\zgtkg3jrsyzdb6wtgw3rh3wahhrjkae81.exe [2009-6-14 5632]

=============== Created Last 30 ================

2009-06-16 11:08 2 ----h--- c:\windows\zaponce52621.dat
2009-06-16 11:08 1 ----h--- c:\windows\jmmark2.dat
2009-06-16 11:08 2 ----h--- c:\windows\zaponce52689.dat
2009-06-15 13:46 183,296 a------- c:\windows\system32\lsp.dll
2009-06-15 13:46 96,768 a------- c:\windows\syssvc.exe
2009-06-15 13:39 <DIR> --d----- c:\program files\common files\SWF Studio
2009-06-15 13:32 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-06-15 12:45 2 ----h--- c:\windows\zaponce53173.dat
2009-06-14 17:28 10,752 a------- c:\windows\system32\iehelper.dll
2009-06-14 17:19 142 a------- C:\x345.bat
2009-06-14 17:19 <DIR> --d----- c:\windows\DLL
2009-06-14 17:19 <DIR> --d----- c:\windows\system32\3361
2009-06-14 17:19 103,358 a------- c:\windows\system32\drivers\731543e7.sys
2009-06-14 17:19 108,336 a------- c:\windows\system32\MSWINSCK.OCX
2009-06-14 17:19 <DIR> --d----- c:\program files\podmena
2009-06-14 17:19 155,136 a------- c:\windows\system32\tpsaxyd.exe
2009-06-14 17:19 56,833 a------- c:\windows\9129837.exe
2009-06-14 17:19 8 a------- c:\windows\system32\comsa32.sys
2009-06-14 17:19 1 ----h--- c:\windows\msmark2.dat
2009-06-14 17:19 31,744 ----h--- c:\windows\mstre19.exe
2009-06-14 17:19 2 ----h--- c:\windows\zaponce53222.dat
2009-06-14 17:19 2 ----h--- c:\windows\zaponce53290.dat
2009-06-14 17:18 5,632 a------- c:\windows\zgtkg3jrsyzdb6wtgw3rh3wahhrjkae81.exe
2009-06-14 17:18 <DIR> --dshr-- c:\program files\Manson
2009-06-14 17:18 15,872 ----h--- c:\windows\ld09.exe
2009-06-14 17:18 32,768 a------- C:\giyghshu.exe
2009-06-14 17:18 0 a------- C:\mupwjiav.exe
2009-06-14 17:18 2 a------- C:\1210782974
2009-06-14 17:18 17,408 a------- c:\windows\system32\SYSDLL.exe
2009-06-14 17:18 308,240 a------- c:\windows\sysguard.exe
2009-06-14 17:18 15,000 a------- c:\windows\system32\gsf83iujid.dll
2009-06-14 17:18 <DIR> --d----- c:\windows\system32\796525
2009-06-14 17:18 25,088 ----h--- c:\windows\ld08.exe
2009-06-14 17:18 384,000 a------- C:\vqX.exe
2009-06-14 11:40 <DIR> --d----- c:\docume~1\tonipo~1\applic~1\Symantec
2009-06-14 11:40 <DIR> --d----- c:\docume~1\tonipo~1\applic~1\AOL
2009-06-14 11:40 <DIR> --d----- c:\documents and settings\toni poling
2009-06-14 11:37 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-06-14 11:34 8,192 a------- c:\windows\REGLOCS.OLD
2009-06-14 11:34 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-06-14 11:34 21,504 a------- c:\windows\system32\hidserv.dll
2009-06-14 11:34 9,600 a------- c:\windows\system32\drivers\hidusb.sys
2009-06-14 10:46 <DIR> --d----- c:\program files\DellSupport
2009-06-14 10:44 <DIR> --ds---- c:\documents and settings\toni poling\UserData

==================== Find3M ====================


============= FINISH: 19:48:14.48 ===============




UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 6/14/2009 11:39:42 AM
System Uptime: 6/17/2009 6:47:24 PM (1 hours ago)

Motherboard: Dell Computer Corp. | | 0F5949
Processor: Intel® Celeron® CPU 2.40GHz | Microprocessor | 2392/400mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 71 GiB total, 63.513 GiB free.
D: is CDROM (CDFS)

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 6/14/2009 11:39:47 AM - System Checkpoint
RP2: 6/14/2009 10:45:39 AM - Removed Dell Support 3.1
RP3: 6/14/2009 5:44:14 PM - Removed Norton Security Center
RP4: 6/15/2009 1:31:01 PM - Restore Operation
RP5: 6/15/2009 1:51:32 PM - Removed Norton Security Center

==== Installed Programs ======================

Adobe Acrobat - Reader 6.0.2 Update
Adobe Reader 6.0.1
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
AOLIcon
Broadcom Management Programs
Dell Driver Reset Tool
Dell Media Experience
Dell Picture Studio v3.0
Dell System Restore
DellSupport
EarthLink setup files
Get High Speed Internet!
Intel® 537EP V9x DF PCI Modem
Intel® Extreme Graphics Driver
Internet Explorer Default Page
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro Studio, Dell Editon
Java 2 Runtime Environment, SE v1.4.2_03
Learn2 Player (Uninstall Only)
Macromedia Flash Player
Microsoft .NET Framework 1.1
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Modem Event Monitor
Modem Helper
Modem On Hold
Musicmatch® Jukebox
MyWay Search Assistant
NetZeroInstallers
Photo Click
QuickBooks Simple Start Special Edition
QuickTime
RealPlayer Basic
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB901214)
Sonic DLA
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Viewpoint Media Player
WebCyberCoach 3.2 Dell
WebFldrs XP
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888310
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB891781
WordPerfect Office 12

==== Event Viewer Messages From Past Week ========

6/15/2009 12:49:53 PM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
6/15/2009 1:57:20 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
6/15/2009 1:57:20 PM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
6/15/2009 1:39:30 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the zgtkg3jrsyzdb6wtgw3rh3wahhrjkae80 service to connect.
6/15/2009 1:39:30 PM, error: Service Control Manager [7000] - The Automatic Updates service failed to start due to the following error: The system cannot find the file specified.
6/15/2009 1:34:40 PM, error: Service Control Manager [7000] - The Background Intelligent Transfer Service service failed to start due to the following error: The system cannot find the file specified.
6/15/2009 1:34:40 PM, error: DCOM [10005] - DCOM got error "%2" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
6/14/2009 7:44:49 PM, error: DCOM [10005] - DCOM got error "%2" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
6/14/2009 5:51:39 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file wowfaxui.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 0.2.0.0, the version of the system file is 0.2.0.0.
6/14/2009 5:51:39 PM, information: Windows File Protection [64001] - File replacement was attempted on the protected system file wowfax.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 0.2.0.0, the version of the system file is 0.2.0.0.
6/14/2009 5:44:48 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.

==== End Of File ===========================



GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-17 20:43:59
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\drivers\731543e7.sys ZwCreateEvent [0xF76B18AD]
SSDT \SystemRoot\System32\drivers\731543e7.sys ZwCreateKey [0xF76AF985]
SSDT \SystemRoot\System32\drivers\731543e7.sys ZwOpenKey [0xF76AFA45]

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\System32\drivers\731543e7.sys The system cannot find the file specified.

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[172] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00952F34
.text C:\WINDOWS\system32\svchost.exe[172] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00952EFF
.text C:\WINDOWS\system32\svchost.exe[172] wininet.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 00951C54
.text C:\WINDOWS\system32\svchost.exe[172] wininet.dll!HttpSendRequestA 771C6279 5 Bytes JMP 00951B46
.text C:\WINDOWS\system32\svchost.exe[172] wininet.dll!InternetReadFile 771C8124 5 Bytes JMP 00952C42
.text C:\WINDOWS\system32\svchost.exe[172] wininet.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 00952B78
.text C:\WINDOWS\system32\svchost.exe[172] wininet.dll!InternetReadFileExA 771F803E 5 Bytes JMP 00952D9A
.text C:\WINDOWS\system32\svchost.exe[172] wininet.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 00952DB4
.text C:\WINDOWS\system32\svchost.exe[172] wininet.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 00951BCD
.text C:\WINDOWS\system32\svchost.exe[196] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00B02F34
.text C:\WINDOWS\system32\svchost.exe[196] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00B02EFF
.text C:\WINDOWS\system32\svchost.exe[196] WININET.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 00B01C54
.text C:\WINDOWS\system32\svchost.exe[196] WININET.dll!HttpSendRequestA 771C6279 5 Bytes JMP 00B01B46
.text C:\WINDOWS\system32\svchost.exe[196] WININET.dll!InternetReadFile 771C8124 5 Bytes JMP 00B02C42
.text C:\WINDOWS\system32\svchost.exe[196] WININET.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 00B02B78
.text C:\WINDOWS\system32\svchost.exe[196] WININET.dll!InternetReadFileExA 771F803E 5 Bytes JMP 00B02D9A
.text C:\WINDOWS\system32\svchost.exe[196] WININET.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 00B02DB4
.text C:\WINDOWS\system32\svchost.exe[196] WININET.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 00B01BCD
.text C:\WINDOWS\system32\sopidkc.exe[316] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00F02F34
.text C:\WINDOWS\system32\sopidkc.exe[316] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00F02EFF
.text C:\WINDOWS\system32\sopidkc.exe[316] wininet.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 00F01C54
.text C:\WINDOWS\system32\sopidkc.exe[316] wininet.dll!HttpSendRequestA 771C6279 5 Bytes JMP 00F01B46
.text C:\WINDOWS\system32\sopidkc.exe[316] wininet.dll!InternetReadFile 771C8124 5 Bytes JMP 00F02C42
.text C:\WINDOWS\system32\sopidkc.exe[316] wininet.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 00F02B78
.text C:\WINDOWS\system32\sopidkc.exe[316] wininet.dll!InternetReadFileExA 771F803E 5 Bytes JMP 00F02D9A
.text C:\WINDOWS\system32\sopidkc.exe[316] wininet.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 00F02DB4
.text C:\WINDOWS\system32\sopidkc.exe[316] wininet.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 00F01BCD
.text C:\WINDOWS\system32\wdfmgr.exe[464] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00642F34
.text C:\WINDOWS\system32\wdfmgr.exe[464] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00642EFF
.text C:\WINDOWS\system32\wdfmgr.exe[464] wininet.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 00641C54
.text C:\WINDOWS\system32\wdfmgr.exe[464] wininet.dll!HttpSendRequestA 771C6279 5 Bytes JMP 00641B46
.text C:\WINDOWS\system32\wdfmgr.exe[464] wininet.dll!InternetReadFile 771C8124 5 Bytes JMP 00642C42
.text C:\WINDOWS\system32\wdfmgr.exe[464] wininet.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 00642B78
.text C:\WINDOWS\system32\wdfmgr.exe[464] wininet.dll!InternetReadFileExA 771F803E 5 Bytes JMP 00642D9A
.text C:\WINDOWS\system32\wdfmgr.exe[464] wininet.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 00642DB4
.text C:\WINDOWS\system32\wdfmgr.exe[464] wininet.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 00641BCD
.text C:\Program Files\Manson\liser.exe[524] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00F12F34
.text C:\Program Files\Manson\liser.exe[524] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00F12EFF
.text C:\Program Files\Manson\liser.exe[524] WININET.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 00F11C54
.text C:\Program Files\Manson\liser.exe[524] WININET.dll!HttpSendRequestA 771C6279 5 Bytes JMP 00F11B46
.text C:\Program Files\Manson\liser.exe[524] WININET.dll!InternetReadFile 771C8124 5 Bytes JMP 00F12C42
.text C:\Program Files\Manson\liser.exe[524] WININET.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 00F12B78
.text C:\Program Files\Manson\liser.exe[524] WININET.dll!InternetReadFileExA 771F803E 5 Bytes JMP 00F12D9A
.text C:\Program Files\Manson\liser.exe[524] WININET.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 00F12DB4
.text C:\Program Files\Manson\liser.exe[524] WININET.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 00F11BCD
.text C:\WINDOWS\system32\winlogon.exe[656] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00BF2F34
.text C:\WINDOWS\system32\winlogon.exe[656] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00BF2EFF
.text C:\WINDOWS\system32\winlogon.exe[656] wininet.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 00BF1C54
.text C:\WINDOWS\system32\winlogon.exe[656] wininet.dll!HttpSendRequestA 771C6279 5 Bytes JMP 00BF1B46
.text C:\WINDOWS\system32\winlogon.exe[656] wininet.dll!InternetReadFile 771C8124 5 Bytes JMP 00BF2C42
.text C:\WINDOWS\system32\winlogon.exe[656] wininet.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 00BF2B78
.text C:\WINDOWS\system32\winlogon.exe[656] wininet.dll!InternetReadFileExA 771F803E 5 Bytes JMP 00BF2D9A
.text C:\WINDOWS\system32\winlogon.exe[656] wininet.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 00BF2DB4
.text C:\WINDOWS\system32\winlogon.exe[656] wininet.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 00BF1BCD
.text C:\Documents and Settings\toni poling\Desktop\gmer.exe[676] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00152F34
.text C:\Documents and Settings\toni poling\Desktop\gmer.exe[676] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00152EFF
.text C:\Documents and Settings\toni poling\Desktop\gmer.exe[676] wininet.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 00151C54
.text C:\Documents and Settings\toni poling\Desktop\gmer.exe[676] wininet.dll!HttpSendRequestA 771C6279 5 Bytes JMP 00151B46
.text C:\Documents and Settings\toni poling\Desktop\gmer.exe[676] wininet.dll!InternetReadFile 771C8124 5 Bytes JMP 00152C42
.text C:\Documents and Settings\toni poling\Desktop\gmer.exe[676] wininet.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 00152B78
.text C:\Documents and Settings\toni poling\Desktop\gmer.exe[676] wininet.dll!InternetReadFileExA 771F803E 5 Bytes JMP 00152D9A
.text C:\Documents and Settings\toni poling\Desktop\gmer.exe[676] wininet.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 00152DB4
.text C:\Documents and Settings\toni poling\Desktop\gmer.exe[676] wininet.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 00151BCD
.text C:\WINDOWS\system32\services.exe[700] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00042F34
.text C:\WINDOWS\system32\services.exe[700] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00042EFF
.text C:\WINDOWS\system32\services.exe[700] wininet.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 00041C54
.text C:\WINDOWS\system32\services.exe[700] wininet.dll!HttpSendRequestA 771C6279 5 Bytes JMP 00041B46
.text C:\WINDOWS\system32\services.exe[700] wininet.dll!InternetReadFile 771C8124 5 Bytes JMP 00042C42
.text C:\WINDOWS\system32\services.exe[700] wininet.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 00042B78
.text C:\WINDOWS\system32\services.exe[700] wininet.dll!InternetReadFileExA 771F803E 5 Bytes JMP 00042D9A
.text C:\WINDOWS\system32\services.exe[700] wininet.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 00042DB4
.text C:\WINDOWS\system32\services.exe[700] wininet.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 00041BCD
.text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00C82F34
.text C:\WINDOWS\system32\lsass.exe[712] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00C82EFF
.text C:\WINDOWS\system32\lsass.exe[712] wininet.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 00C81C54
.text C:\WINDOWS\system32\lsass.exe[712] wininet.dll!HttpSendRequestA 771C6279 5 Bytes JMP 00C81B46
.text C:\WINDOWS\system32\lsass.exe[712] wininet.dll!InternetReadFile 771C8124 5 Bytes JMP 00C82C42
.text C:\WINDOWS\system32\lsass.exe[712] wininet.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 00C82B78
.text C:\WINDOWS\system32\lsass.exe[712] wininet.dll!InternetReadFileExA 771F803E 5 Bytes JMP 00C82D9A
.text C:\WINDOWS\system32\lsass.exe[712] wininet.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 00C82DB4
.text C:\WINDOWS\system32\lsass.exe[712] wininet.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 00C81BCD
.text C:\WINDOWS\system32\hkcmd.exe[748] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 009F2F34
.text C:\WINDOWS\system32\hkcmd.exe[748] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 009F2EFF
.text C:\WINDOWS\system32\hkcmd.exe[748] wininet.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 009F1C54
.text C:\WINDOWS\system32\hkcmd.exe[748] wininet.dll!HttpSendRequestA 771C6279 5 Bytes JMP 009F1B46
.text C:\WINDOWS\system32\hkcmd.exe[748] wininet.dll!InternetReadFile 771C8124 5 Bytes JMP 009F2C42
.text C:\WINDOWS\system32\hkcmd.exe[748] wininet.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 009F2B78
.text C:\WINDOWS\system32\hkcmd.exe[748] wininet.dll!InternetReadFileExA 771F803E 5 Bytes JMP 009F2D9A
.text C:\WINDOWS\system32\hkcmd.exe[748] wininet.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 009F2DB4
.text C:\WINDOWS\system32\hkcmd.exe[748] wininet.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 009F1BCD
.text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00D72F34
.text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00D72EFF
.text C:\WINDOWS\system32\svchost.exe[880] wininet.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 00D71C54
.text C:\WINDOWS\system32\svchost.exe[880] wininet.dll!HttpSendRequestA 771C6279 5 Bytes JMP 00D71B46
.text C:\WINDOWS\system32\svchost.exe[880] wininet.dll!InternetReadFile 771C8124 5 Bytes JMP 00D72C42
.text C:\WINDOWS\system32\svchost.exe[880] wininet.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 00D72B78
.text C:\WINDOWS\system32\svchost.exe[880] wininet.dll!InternetReadFileExA 771F803E 5 Bytes JMP 00D72D9A
.text C:\WINDOWS\system32\svchost.exe[880] wininet.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 00D72DB4
.text C:\WINDOWS\system32\svchost.exe[880] wininet.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 00D71BCD
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00BE2F34
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00BE2EFF
.text C:\WINDOWS\system32\svchost.exe[940] wininet.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 00BE1C54
.text C:\WINDOWS\system32\svchost.exe[940] wininet.dll!HttpSendRequestA 771C6279 5 Bytes JMP 00BE1B46
.text C:\WINDOWS\system32\svchost.exe[940] wininet.dll!InternetReadFile 771C8124 5 Bytes JMP 00BE2C42
.text C:\WINDOWS\system32\svchost.exe[940] wininet.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 00BE2B78
.text C:\WINDOWS\system32\svchost.exe[940] wininet.dll!InternetReadFileExA 771F803E 5 Bytes JMP 00BE2D9A
.text C:\WINDOWS\system32\svchost.exe[940] wininet.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 00BE2DB4
.text C:\WINDOWS\system32\svchost.exe[940] wininet.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 00BE1BCD
.text C:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 02702F34
.text C:\WINDOWS\System32\svchost.exe[1032] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 02702EFF
.text C:\WINDOWS\System32\svchost.exe[1032] WININET.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 02701C54
.text C:\WINDOWS\System32\svchost.exe[1032] WININET.dll!HttpSendRequestA 771C6279 5 Bytes JMP 02701B46
.text C:\WINDOWS\System32\svchost.exe[1032] WININET.dll!InternetReadFile 771C8124 5 Bytes JMP 02702C42
.text C:\WINDOWS\System32\svchost.exe[1032] WININET.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 02702B78
.text C:\WINDOWS\System32\svchost.exe[1032] WININET.dll!InternetReadFileExA 771F803E 5 Bytes JMP 02702D9A
.text C:\WINDOWS\System32\svchost.exe[1032] WININET.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 02702DB4
.text C:\WINDOWS\System32\svchost.exe[1032] WININET.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 02701BCD
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00832F34
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00832EFF
.text C:\WINDOWS\system32\svchost.exe[1104] wininet.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 00831C54
.text C:\WINDOWS\system32\svchost.exe[1104] wininet.dll!HttpSendRequestA 771C6279 5 Bytes JMP 00831B46
.text C:\WINDOWS\system32\svchost.exe[1104] wininet.dll!InternetReadFile 771C8124 5 Bytes JMP 00832C42
.text C:\WINDOWS\system32\svchost.exe[1104] wininet.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 00832B78
.text C:\WINDOWS\system32\svchost.exe[1104] wininet.dll!InternetReadFileExA 771F803E 5 Bytes JMP 00832D9A
.text C:\WINDOWS\system32\svchost.exe[1104] wininet.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 00832DB4
.text C:\WINDOWS\system32\svchost.exe[1104] wininet.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 00831BCD
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00B02F34
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00B02EFF
.text C:\WINDOWS\system32\svchost.exe[1184] WININET.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 00B01C54
.text C:\WINDOWS\system32\svchost.exe[1184] WININET.dll!HttpSendRequestA 771C6279 5 Bytes JMP 00B01B46
.text C:\WINDOWS\system32\svchost.exe[1184] WININET.dll!InternetReadFile 771C8124 5 Bytes JMP 00B02C42
.text C:\WINDOWS\system32\svchost.exe[1184] WININET.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 00B02B78
.text C:\WINDOWS\system32\svchost.exe[1184] WININET.dll!InternetReadFileExA 771F803E 5 Bytes JMP 00B02D9A
.text C:\WINDOWS\system32\svchost.exe[1184] WININET.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 00B02DB4
.text C:\WINDOWS\system32\svchost.exe[1184] WININET.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 00B01BCD
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1264] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00D82F34
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1264] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00D82EFF
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1264] wininet.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 00D81C54
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1264] wininet.dll!HttpSendRequestA 771C6279 5 Bytes JMP 00D81B46
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1264] wininet.dll!InternetReadFile 771C8124 5 Bytes JMP 00D82C42
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1264] wininet.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 00D82B78
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1264] wininet.dll!InternetReadFileExA 771F803E 5 Bytes JMP 00D82D9A
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1264] wininet.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 00D82DB4
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1264] wininet.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 00D81BCD
.text C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe[1280] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00372F34
.text C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe[1280] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00372EFF
.text C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe[1280] WININET.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 00371C54
.text C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe[1280] WININET.dll!HttpSendRequestA 771C6279 5 Bytes JMP 00371B46
.text C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe[1280] WININET.dll!InternetReadFile 771C8124 5 Bytes JMP 00372C42
.text C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe[1280] WININET.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 00372B78
.text C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe[1280] WININET.dll!InternetReadFileExA 771F803E 5 Bytes JMP 00372D9A
.text C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe[1280] WININET.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 00372DB4
.text C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe[1280] WININET.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 00371BCD
.text C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[1356] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00BA2F34
.text C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[1356] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00BA2EFF
.text C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[1356] wininet.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 00BA1C54
.text C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[1356] wininet.dll!HttpSendRequestA 771C6279 5 Bytes JMP 00BA1B46
.text C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[1356] wininet.dll!InternetReadFile 771C8124 5 Bytes JMP 00BA2C42
.text C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[1356] wininet.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 00BA2B78
.text C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[1356] wininet.dll!InternetReadFileExA 771F803E 5 Bytes JMP 00BA2D9A
.text C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[1356] wininet.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 00BA2DB4
.text C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe[1356] wininet.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 00BA1BCD
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe[1392] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00BF2F34
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe[1392] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00BF2EFF
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe[1392] wininet.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 00BF1C54
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe[1392] wininet.dll!HttpSendRequestA 771C6279 5 Bytes JMP 00BF1B46
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe[1392] wininet.dll!InternetReadFile 771C8124 5 Bytes JMP 00BF2C42
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe[1392] wininet.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 00BF2B78
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe[1392] wininet.dll!InternetReadFileExA 771F803E 5 Bytes JMP 00BF2D9A
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe[1392] wininet.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 00BF2DB4
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe[1392] wininet.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 00BF1BCD
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe[1396] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00CD2F34
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe[1396] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00CD2EFF
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe[1396] wininet.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 00CD1C54
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe[1396] wininet.dll!HttpSendRequestA 771C6279 5 Bytes JMP 00CD1B46
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe[1396] wininet.dll!InternetReadFile 771C8124 5 Bytes JMP 00CD2C42
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe[1396] wininet.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 00CD2B78
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe[1396] wininet.dll!InternetReadFileExA 771F803E 5 Bytes JMP 00CD2D9A
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe[1396] wininet.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 00CD2DB4
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe[1396] wininet.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 00CD1BCD
.text C:\Program Files\DellSupport\DSAgnt.exe[1400] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 012C2F34
.text C:\Program Files\DellSupport\DSAgnt.exe[1400] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 012C2EFF
.text C:\Program Files\DellSupport\DSAgnt.exe[1400] GDI32.dll!GetHFONT + 51 77F17CE3 7 Bytes CALL 35672B62 \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
.text C:\Program Files\DellSupport\DSAgnt.exe[1400] GDI32.dll!TextOutW + 1D9 77F17EC1 7 Bytes CALL 35672B7E \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
.text C:\Program Files\DellSupport\DSAgnt.exe[1400] USER32.dll!SystemParametersInfoA + 79 77D505CD 7 Bytes CALL 35672B36 \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
.text C:\Program Files\DellSupport\DSAgnt.exe[1400] WININET.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 012C1C54
.text C:\Program Files\DellSupport\DSAgnt.exe[1400] WININET.dll!HttpSendRequestA 771C6279 5 Bytes JMP 012C1B46
.text C:\Program Files\DellSupport\DSAgnt.exe[1400] WININET.dll!InternetReadFile 771C8124 5 Bytes JMP 012C2C42
.text C:\Program Files\DellSupport\DSAgnt.exe[1400] WININET.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 012C2B78
.text C:\Program Files\DellSupport\DSAgnt.exe[1400] WININET.dll!InternetReadFileExA 771F803E 5 Bytes JMP 012C2D9A
.text C:\Program Files\DellSupport\DSAgnt.exe[1400] WININET.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 012C2DB4
.text C:\Program Files\DellSupport\DSAgnt.exe[1400] WININET.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 012C1BCD
.text C:\Program Files\Real\RealPlayer\RealPlay.exe[1408] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 013C2F34
.text C:\Program Files\Real\RealPlayer\RealPlay.exe[1408] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 013C2EFF
.text C:\Program Files\Real\RealPlayer\RealPlay.exe[1408] USER32.dll!SystemParametersInfoA + 79 77D505CD 7 Bytes CALL 35672B36 \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
.text C:\Program Files\Real\RealPlayer\RealPlay.exe[1408] GDI32.dll!GetHFONT + 51 77F17CE3 7 Bytes CALL 35672B62 \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
.text C:\Program Files\Real\RealPlayer\RealPlay.exe[1408] GDI32.dll!TextOutW + 1D9 77F17EC1 7 Bytes CALL 35672B7E \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
.text C:\Program Files\Real\RealPlayer\RealPlay.exe[1408] wininet.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 013C1C54
.text C:\Program Files\Real\RealPlayer\RealPlay.exe[1408] wininet.dll!HttpSendRequestA 771C6279 5 Bytes JMP 013C1B46
.text C:\Program Files\Real\RealPlayer\RealPlay.exe[1408] wininet.dll!InternetReadFile 771C8124 5 Bytes JMP 013C2C42
.text C:\Program Files\Real\RealPlayer\RealPlay.exe[1408] wininet.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 013C2B78
.text C:\Program Files\Real\RealPlayer\RealPlay.exe[1408] wininet.dll!InternetReadFileExA 771F803E 5 Bytes JMP 013C2D9A
.text C:\Program Files\Real\RealPlayer\RealPlay.exe[1408] wininet.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 013C2DB4
.text C:\Program Files\Real\RealPlayer\RealPlay.exe[1408] wininet.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 013C1BCD
.text C:\WINDOWS\system32\dla\tfswctrl.exe[1456] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00DA2F34
.text C:\WINDOWS\system32\dla\tfswctrl.exe[1456] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00DA2EFF
.text C:\WINDOWS\system32\dla\tfswctrl.exe[1456] wininet.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 00DA1C54
.text C:\WINDOWS\system32\dla\tfswctrl.exe[1456] wininet.dll!HttpSendRequestA 771C6279 5 Bytes JMP 00DA1B46
.text C:\WINDOWS\system32\dla\tfswctrl.exe[1456] wininet.dll!InternetReadFile 771C8124 5 Bytes JMP 00DA2C42
.text C:\WINDOWS\system32\dla\tfswctrl.exe[1456] wininet.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 00DA2B78
.text C:\WINDOWS\system32\dla\tfswctrl.exe[1456] wininet.dll!InternetReadFileExA 771F803E 5 Bytes JMP 00DA2D9A
.text C:\WINDOWS\system32\dla\tfswctrl.exe[1456] wininet.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 00DA2DB4
.text C:\WINDOWS\system32\dla\tfswctrl.exe[1456] wininet.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 00DA1BCD
.text C:\WINDOWS\Explorer.EXE[1468] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01392F34
.text C:\WINDOWS\Explorer.EXE[1468] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01392EFF
.text C:\WINDOWS\Explorer.EXE[1468] GDI32.dll!GetHFONT + 51 77F17CE3 7 Bytes CALL 35672B62 \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
.text C:\WINDOWS\Explorer.EXE[1468] GDI32.dll!TextOutW + 1D9 77F17EC1 7 Bytes CALL 35672B7E \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
.text C:\WINDOWS\Explorer.EXE[1468] USER32.dll!SystemParametersInfoA + 79 77D505CD 7 Bytes CALL 35672B36 \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
.text C:\WINDOWS\Explorer.EXE[1468] WININET.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 01391C54
.text C:\WINDOWS\Explorer.EXE[1468] WININET.dll!HttpSendRequestA 771C6279 5 Bytes JMP 01391B46
.text C:\WINDOWS\Explorer.EXE[1468] WININET.dll!InternetReadFile 771C8124 5 Bytes JMP 01392C42
.text C:\WINDOWS\Explorer.EXE[1468] WININET.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 01392B78
.text C:\WINDOWS\Explorer.EXE[1468] WININET.dll!InternetReadFileExA 771F803E 5 Bytes JMP 01392D9A
.text C:\WINDOWS\Explorer.EXE[1468] WININET.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 01392DB4
.text C:\WINDOWS\Explorer.EXE[1468] WININET.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 01391BCD
.text C:\WINDOWS\system32\spoolsv.exe[1564] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00E22F34
.text C:\WINDOWS\system32\spoolsv.exe[1564] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00E22EFF
.text C:\WINDOWS\system32\spoolsv.exe[1564] wininet.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 00E21C54
.text C:\WINDOWS\system32\spoolsv.exe[1564] wininet.dll!HttpSendRequestA 771C6279 5 Bytes JMP 00E21B46
.text C:\WINDOWS\system32\spoolsv.exe[1564] wininet.dll!InternetReadFile 771C8124 5 Bytes JMP 00E22C42
.text C:\WINDOWS\system32\spoolsv.exe[1564] wininet.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 00E22B78
.text C:\WINDOWS\system32\spoolsv.exe[1564] wininet.dll!InternetReadFileExA 771F803E 5 Bytes JMP 00E22D9A
.text C:\WINDOWS\system32\spoolsv.exe[1564] wininet.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 00E22DB4
.text C:\WINDOWS\system32\spoolsv.exe[1564] wininet.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 00E21BCD
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe[1592] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00BA2F34
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe[1592] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00BA2EFF
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe[1592] wininet.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 00BA1C54
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe[1592] wininet.dll!HttpSendRequestA 771C6279 5 Bytes JMP 00BA1B46
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe[1592] wininet.dll!InternetReadFile 771C8124 5 Bytes JMP 00BA2C42
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe[1592] wininet.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 00BA2B78
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe[1592] wininet.dll!InternetReadFileExA 771F803E 5 Bytes JMP 00BA2D9A
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe[1592] wininet.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 00BA2DB4
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe[1592] wininet.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 00BA1BCD
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[1632] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00862F34
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[1632] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00862EFF
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[1632] wininet.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 00861C54
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[1632] wininet.dll!HttpSendRequestA 771C6279 5 Bytes JMP 00861B46
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[1632] wininet.dll!InternetReadFile 771C8124 5 Bytes JMP 00862C42
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[1632] wininet.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 00862B78
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[1632] wininet.dll!InternetReadFileExA 771F803E 5 Bytes JMP 00862D9A
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[1632] wininet.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 00862DB4
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[1632] wininet.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 00861BCD
.text C:\Program Files\Dell\Media Experience\DMXLauncher.exe[1648] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 009E2F34
.text C:\Program Files\Dell\Media Experience\DMXLauncher.exe[1648] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 009E2EFF
.text C:\Program Files\Dell\Media Experience\DMXLauncher.exe[1648] wininet.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 009E1C54
.text C:\Program Files\Dell\Media Experience\DMXLauncher.exe[1648] wininet.dll!HttpSendRequestA 771C6279 5 Bytes JMP 009E1B46
.text C:\Program Files\Dell\Media Experience\DMXLauncher.exe[1648] wininet.dll!InternetReadFile 771C8124 5 Bytes JMP 009E2C42
.text C:\Program Files\Dell\Media Experience\DMXLauncher.exe[1648] wininet.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 009E2B78
.text C:\Program Files\Dell\Media Experience\DMXLauncher.exe[1648] wininet.dll!InternetReadFileExA 771F803E 5 Bytes JMP 009E2D9A
.text C:\Program Files\Dell\Media Experience\DMXLauncher.exe[1648] wininet.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 009E2DB4
.text C:\Program Files\Dell\Media Experience\DMXLauncher.exe[1648] wininet.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 009E1BCD
.text C:\WINDOWS\sysguard.exe[1704] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 009E2F34
.text C:\WINDOWS\sysguard.exe[1704] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 009E2EFF
.text C:\WINDOWS\sysguard.exe[1704] USER32.DLL!SystemParametersInfoA + 79 77D505CD 7 Bytes CALL 35672B36 \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
.text C:\WINDOWS\sysguard.exe[1704] GDI32.dll!GetHFONT + 51 77F17CE3 7 Bytes CALL 35672B62 \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
.text C:\WINDOWS\sysguard.exe[1704] GDI32.dll!TextOutW + 1D9 77F17EC1 7 Bytes CALL 35672B7E \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
.text C:\WINDOWS\sysguard.exe[1704] WININET.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 009E1C54
.text C:\WINDOWS\sysguard.exe[1704] WININET.dll!HttpSendRequestA 771C6279 5 Bytes JMP 009E1B46
.text C:\WINDOWS\sysguard.exe[1704] WININET.dll!InternetReadFile 771C8124 5 Bytes JMP 009E2C42
.text C:\WINDOWS\sysguard.exe[1704] WININET.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 009E2B78
.text C:\WINDOWS\sysguard.exe[1704] WININET.dll!InternetReadFileExA 771F803E 5 Bytes JMP 009E2D9A
.text C:\WINDOWS\sysguard.exe[1704] WININET.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 009E2DB4
.text C:\WINDOWS\sysguard.exe[1704] WININET.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 009E1BCD
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe[1720] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00932F34
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe[1720] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00932EFF
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe[1720] USER32.DLL!SystemParametersInfoA + 79 77D505CD 7 Bytes CALL 35672B36 \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe[1720] GDI32.dll!GetHFONT + 51 77F17CE3 7 Bytes CALL 35672B62 \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe[1720] GDI32.dll!TextOutW + 1D9 77F17EC1 7 Bytes CALL 35672B7E \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe[1720] wininet.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 00931C54
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe[1720] wininet.dll!HttpSendRequestA 771C6279 5 Bytes JMP 00931B46
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe[1720] wininet.dll!InternetReadFile 771C8124 5 Bytes JMP 00932C42
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe[1720] wininet.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 00932B78
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe[1720] wininet.dll!InternetReadFileExA 771F803E 5 Bytes JMP 00932D9A
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe[1720] wininet.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 00932DB4
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe[1720] wininet.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 00931BCD
.text C:\program Files\Manson\liser.exe[1732] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00362F34
.text C:\program Files\Manson\liser.exe[1732] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00362EFF
.text C:\program Files\Manson\liser.exe[1732] wininet.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 00361C54
.text C:\program Files\Manson\liser.exe[1732] wininet.dll!HttpSendRequestA 771C6279 5 Bytes JMP 00361B46
.text C:\program Files\Manson\liser.exe[1732] wininet.dll!InternetReadFile 771C8124 5 Bytes JMP 00362C42
.text C:\program Files\Manson\liser.exe[1732] wininet.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 00362B78
.text C:\program Files\Manson\liser.exe[1732] wininet.dll!InternetReadFileExA 771F803E 5 Bytes JMP 00362D9A
.text C:\program Files\Manson\liser.exe[1732] wininet.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 00362DB4
.text C:\program Files\Manson\liser.exe[1732] wininet.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 00361BCD
.text C:\WINDOWS\system32\SYSDLL.exe[1812] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A12F34
.text C:\WINDOWS\system32\SYSDLL.exe[1812] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A12EFF
.text C:\WINDOWS\system32\SYSDLL.exe[1812] WININET.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 00A11C54
.text C:\WINDOWS\system32\SYSDLL.exe[1812] WININET.dll!HttpSendRequestA 771C6279 5 Bytes JMP 00A11B46
.text C:\WINDOWS\system32\SYSDLL.exe[1812] WININET.dll!InternetReadFile 771C8124 5 Bytes JMP 00A12C42
.text C:\WINDOWS\system32\SYSDLL.exe[1812] WININET.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 00A12B78
.text C:\WINDOWS\system32\SYSDLL.exe[1812] WININET.dll!InternetReadFileExA 771F803E 5 Bytes JMP 00A12D9A
.text C:\WINDOWS\system32\SYSDLL.exe[1812] WININET.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 00A12DB4
.text C:\WINDOWS\system32\SYSDLL.exe[1812] WININET.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 00A11BCD
.text C:\Program Files\America Online 9.0\aoltray.exe[1872] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 009A2F34
.text C:\Program Files\America Online 9.0\aoltray.exe[1872] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 009A2EFF
.text C:\Program Files\America Online 9.0\aoltray.exe[1872] wininet.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 009A1C54
.text C:\Program Files\America Online 9.0\aoltray.exe[1872] wininet.dll!HttpSendRequestA 771C6279 5 Bytes JMP 009A1B46
.text C:\Program Files\America Online 9.0\aoltray.exe[1872] wininet.dll!InternetReadFile 771C8124 5 Bytes JMP 009A2C42
.text C:\Program Files\America Online 9.0\aoltray.exe[1872] wininet.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 009A2B78
.text C:\Program Files\America Online 9.0\aoltray.exe[1872] wininet.dll!InternetReadFileExA 771F803E 5 Bytes JMP 009A2D9A
.text C:\Program Files\America Online 9.0\aoltray.exe[1872] wininet.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 009A2DB4
.text C:\Program Files\America Online 9.0\aoltray.exe[1872] wininet.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 009A1BCD
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00C02F34
.text C:\WINDOWS\system32\svchost.exe[1896] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00C02EFF
.text C:\WINDOWS\system32\svchost.exe[1896] wininet.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 00C01C54
.text C:\WINDOWS\system32\svchost.exe[1896] wininet.dll!HttpSendRequestA 771C6279 5 Bytes JMP 00C01B46
.text C:\WINDOWS\system32\svchost.exe[1896] wininet.dll!InternetReadFile 771C8124 5 Bytes JMP 00C02C42
.text C:\WINDOWS\system32\svchost.exe[1896] wininet.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 00C02B78
.text C:\WINDOWS\system32\svchost.exe[1896] wininet.dll!InternetReadFileExA 771F803E 5 Bytes JMP 00C02D9A
.text C:\WINDOWS\system32\svchost.exe[1896] wininet.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 00C02DB4
.text C:\WINDOWS\system32\svchost.exe[1896] wininet.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 00C01BCD
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1988] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 014F2F34
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1988] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 014F2EFF
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1988] wininet.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 014F1C54
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1988] wininet.dll!HttpSendRequestA 771C6279 5 Bytes JMP 014F1B46
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1988] wininet.dll!InternetReadFile 771C8124 5 Bytes JMP 014F2C42
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1988] wininet.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 014F2B78
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1988] wininet.dll!InternetReadFileExA 771F803E 5 Bytes JMP 014F2D9A
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1988] wininet.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 014F2DB4
.text C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe[1988] wininet.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 014F1BCD
.text C:\WINDOWS\DLL\RUNDLL32.exe[2008] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01472F34
.text C:\WINDOWS\DLL\RUNDLL32.exe[2008] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01472EFF
.text C:\WINDOWS\DLL\RUNDLL32.exe[2008] user32.dll!SystemParametersInfoA + 79 77D505CD 7 Bytes CALL 35672B36 \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
.text C:\WINDOWS\DLL\RUNDLL32.exe[2008] GDI32.dll!GetHFONT + 51 77F17CE3 7 Bytes CALL 35672B62 \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
.text C:\WINDOWS\DLL\RUNDLL32.exe[2008] GDI32.dll!TextOutW + 1D9 77F17EC1 7 Bytes CALL 35672B7E \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
.text C:\WINDOWS\DLL\RUNDLL32.exe[2008] WININET.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 01471C54
.text C:\WINDOWS\DLL\RUNDLL32.exe[2008] WININET.dll!HttpSendRequestA 771C6279 5 Bytes JMP 01471B46
.text C:\WINDOWS\DLL\RUNDLL32.exe[2008] WININET.dll!InternetReadFile 771C8124 5 Bytes JMP 01472C42
.text C:\WINDOWS\DLL\RUNDLL32.exe[2008] WININET.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 01472B78
.text C:\WINDOWS\DLL\RUNDLL32.exe[2008] WININET.dll!InternetReadFileExA 771F803E 5 Bytes JMP 01472D9A
.text C:\WINDOWS\DLL\RUNDLL32.exe[2008] WININET.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 01472DB4
.text C:\WINDOWS\DLL\RUNDLL32.exe[2008] WININET.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 01471BCD
? C:\WINDOWS\system32\svchost.exe[2444] image checksum mismatch; time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[2444] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00092F34
.text C:\WINDOWS\system32\svchost.exe[2444] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00092EFF
.text C:\WINDOWS\system32\svchost.exe[2444] GDI32.dll!GetHFONT + 51 77F17CE3 7 Bytes CALL 35672B62 \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
.text C:\WINDOWS\system32\svchost.exe[2444] GDI32.dll!TextOutW + 1D9 77F17EC1 7 Bytes CALL 35672B7E \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
.text C:\WINDOWS\system32\svchost.exe[2444] USER32.dll!SystemParametersInfoA + 79 77D505CD 7 Bytes CALL 35672B36 \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
.text C:\WINDOWS\system32\svchost.exe[2444] wininet.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 00091C54
.text C:\WINDOWS\system32\svchost.exe[2444] wininet.dll!HttpSendRequestA 771C6279 5 Bytes JMP 00091B46
.text C:\WINDOWS\system32\svchost.exe[2444] wininet.dll!InternetReadFile 771C8124 5 Bytes JMP 00092C42
.text C:\WINDOWS\system32\svchost.exe[2444] wininet.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 00092B78
.text C:\WINDOWS\system32\svchost.exe[2444] wininet.dll!InternetReadFileExA 771F803E 5 Bytes JMP 00092D9A
.text C:\WINDOWS\system32\svchost.exe[2444] wininet.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 00092DB4
.text C:\WINDOWS\system32\svchost.exe[2444] wininet.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 00091BCD
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe[3136] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00142F34
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe[3136] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00142EFF
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe[3136] USER32.DLL!SystemParametersInfoA + 79 77D505CD 7 Bytes CALL 35672B36 \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe[3136] GDI32.dll!GetHFONT + 51 77F17CE3 7 Bytes CALL 35672B62 \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe[3136] GDI32.dll!TextOutW + 1D9 77F17EC1 7 Bytes CALL 35672B7E \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe[3136] wininet.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 00141C54
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe[3136] wininet.dll!HttpSendRequestA 771C6279 5 Bytes JMP 00141B46
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe[3136] wininet.dll!InternetReadFile 771C8124 5 Bytes JMP 00142C42
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe[3136] wininet.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 00142B78
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe[3136] wininet.dll!InternetReadFileExA 771F803E 5 Bytes JMP 00142D9A
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe[3136] wininet.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 00142DB4
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe[3136] wininet.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 00141BCD
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\notepad.exe[3412] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00142F34
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\notepad.exe[3412] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00142EFF
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\notepad.exe[3412] GDI32.DLL!GetHFONT + 51 77F17CE3 7 Bytes CALL 35672B62 \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\notepad.exe[3412] GDI32.DLL!TextOutW + 1D9 77F17EC1 7 Bytes CALL 35672B7E \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\notepad.exe[3412] USER32.dll!SystemParametersInfoA + 79 77D505CD 7 Bytes CALL 35672B36 \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\notepad.exe[3412] wininet.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 00141C54
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\notepad.exe[3412] wininet.dll!HttpSendRequestA 771C6279 5 Bytes JMP 00141B46
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\notepad.exe[3412] wininet.dll!InternetReadFile 771C8124 5 Bytes JMP 00142C42
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\notepad.exe[3412] wininet.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 00142B78
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\notepad.exe[3412] wininet.dll!InternetReadFileExA 771F803E 5 Bytes JMP 00142D9A
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\notepad.exe[3412] wininet.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 00142DB4
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\notepad.exe[3412] wininet.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 00141BCD
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\winamp.exe[3428] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00142F34
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\winamp.exe[3428] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00142EFF
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\winamp.exe[3428] GDI32.DLL!GetHFONT + 51 77F17CE3 7 Bytes CALL 35672B62 \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\winamp.exe[3428] GDI32.DLL!TextOutW + 1D9 77F17EC1 7 Bytes CALL 35672B7E \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\winamp.exe[3428] USER32.dll!SystemParametersInfoA + 79 77D505CD 7 Bytes CALL 35672B36 \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\winamp.exe[3428] wininet.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 00141C54
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\winamp.exe[3428] wininet.dll!HttpSendRequestA 771C6279 5 Bytes JMP 00141B46
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\winamp.exe[3428] wininet.dll!InternetReadFile 771C8124 5 Bytes JMP 00142C42
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\winamp.exe[3428] wininet.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 00142B78
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\winamp.exe[3428] wininet.dll!InternetReadFileExA 771F803E 5 Bytes JMP 00142D9A
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\winamp.exe[3428] wininet.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 00142DB4
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\winamp.exe[3428] wininet.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 00141BCD
? C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\csrss.exe[3440] image checksum mismatch; time/date stamp mismatch; unknown module: urlmon.dllunknown module: oleaut32.dll
.code C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\csrss.exe[3440] C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\csrss.exe entry point in ".code" section [0x0040101A]
.idata C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\csrss.exe[3440] C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\csrss.exe unknown last section [0x00408000, 0x20000, 0xC0000040]
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\csrss.exe[3440] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00142F34
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\csrss.exe[3440] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00142EFF
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\csrss.exe[3440] wininet.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 00141C54
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\csrss.exe[3440] wininet.dll!HttpSendRequestA 771C6279 5 Bytes JMP 00141B46
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\csrss.exe[3440] wininet.dll!InternetReadFile 771C8124 5 Bytes JMP 00142C42
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\csrss.exe[3440] wininet.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 00142B78
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\csrss.exe[3440] wininet.dll!InternetReadFileExA 771F803E 5 Bytes JMP 00142D9A
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\csrss.exe[3440] wininet.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 00142DB4
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\csrss.exe[3440] wininet.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 00141BCD
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\win.exe[3452] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00142F34
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\win.exe[3452] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00142EFF
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\win.exe[3452] wininet.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 00141C54
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\win.exe[3452] wininet.dll!HttpSendRequestA 771C6279 5 Bytes JMP 00141B46
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\win.exe[3452] wininet.dll!InternetReadFile 771C8124 5 Bytes JMP 00142C42
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\win.exe[3452] wininet.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 00142B78
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\win.exe[3452] wininet.dll!InternetReadFileExA 771F803E 5 Bytes JMP 00142D9A
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\win.exe[3452] wininet.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 00142DB4
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\win.exe[3452] wininet.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 00141BCD
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\system.exe[3464] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00142F34
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\system.exe[3464] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00142EFF
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\system.exe[3464] wininet.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 00141C54
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\system.exe[3464] wininet.dll!HttpSendRequestA 771C6279 5 Bytes JMP 00141B46
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\system.exe[3464] wininet.dll!InternetReadFile 771C8124 5 Bytes JMP 00142C42
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\system.exe[3464] wininet.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 00142B78
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\system.exe[3464] wininet.dll!InternetReadFileExA 771F803E 5 Bytes JMP 00142D9A
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\system.exe[3464] wininet.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 00142DB4
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\system.exe[3464] wininet.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 00141BCD
? C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\svchost.exe[3476] image checksum mismatch; time/date stamp mismatch; unknown module: urlmon.dllunknown module: oleaut32.dll
.code C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\svchost.exe[3476] C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\svchost.exe entry point in ".code" section [0x0040101A]
.idata C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\svchost.exe[3476] C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\svchost.exe unknown last section [0x00408000, 0x20000, 0xC0000040]
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\svchost.exe[3476] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00142F34
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\svchost.exe[3476] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00142EFF
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\svchost.exe[3476] wininet.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 00141C54
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\svchost.exe[3476] wininet.dll!HttpSendRequestA 771C6279 5 Bytes JMP 00141B46
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\svchost.exe[3476] wininet.dll!InternetReadFile 771C8124 5 Bytes JMP 00142C42
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\svchost.exe[3476] wininet.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 00142B78
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\svchost.exe[3476] wininet.dll!InternetReadFileExA 771F803E 5 Bytes JMP 00142D9A
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\svchost.exe[3476] wininet.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 00142DB4
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\svchost.exe[3476] wininet.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 00141BCD
? C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\winlogon.exe[3488] image checksum mismatch; time/date stamp mismatch; unknown module: urlmon.dllunknown module: oleaut32.dll
.code C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\winlogon.exe[3488] C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\winlogon.exe entry point in ".code" section [0x0040101A]
.idata C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\winlogon.exe[3488] C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\winlogon.exe unknown last section [0x00408000, 0x20000, 0xC0000040]
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\winlogon.exe[3488] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00142F34
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\winlogon.exe[3488] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00142EFF
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\winlogon.exe[3488] wininet.dll!InternetCloseHandle 771C4D9C 5 Bytes JMP 00141C54
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\winlogon.exe[3488] wininet.dll!HttpSendRequestA 771C6279 5 Bytes JMP 00141B46
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\winlogon.exe[3488] wininet.dll!InternetReadFile 771C8124 5 Bytes JMP 00142C42
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\winlogon.exe[3488] wininet.dll!InternetQueryDataAvailable 771D8A4F 5 Bytes JMP 00142B78
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\winlogon.exe[3488] wininet.dll!InternetReadFileExA 771F803E 5 Bytes JMP 00142D9A
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\winlogon.exe[3488] wininet.dll!InternetReadFileExW 771F8A8E 8 Bytes JMP 00142DB4
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\winlogon.exe[3488] wininet.dll!HttpSendRequestW 77211BE4 5 Bytes JMP 00141BCD

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\DellSupport\DSAgnt.exe[1400] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [356729B9] \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
IAT C:\Program Files\Real\RealPlayer\RealPlay.exe[1408] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [356729B9] \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
IAT C:\WINDOWS\Explorer.EXE[1468] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [356729B9] \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
IAT C:\WINDOWS\sysguard.exe[1704] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [356729B9] \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
IAT C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe[1720] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [356729B9] \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
IAT C:\WINDOWS\DLL\RUNDLL32.exe[2008] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [356729B9] \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] 81EC8B55
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] 000208EC
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] 57565300
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] 01B1C033
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] 000100BE
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] D1B60F00
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!GetTokenInformation] F8158488
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!OpenProcessToken] 8AFFFFFE
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!OpenThreadToken] 80E280D1
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetServiceStatus] F8058C88
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] 40FFFFFD
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!RegCloseKey] D21ADAF6
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] E280D98A
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] 32DB021B
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] B60F0040
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!lstrlenW] 18E2C1D1
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LocalFree] D18A1089
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCurrentProcess] 8380E280
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCurrentThread] DAF604C0
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetProcAddress] E280D21A
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 32C9021B
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LCMapStringW] 6A000040
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!FreeLibrary] C9335B63
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!lstrcpyW] 94B81D89
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] 0F410040
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!lstrcmpiW] F80D84B6
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!ExitProcess] 8DFFFFFE
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCommandLineW] FFFEF795
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] 8AD02BFF
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetProcessHeap] D0C28A12
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!SetErrorMode] D0D032C0
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] D0D032C0
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] D0D032C0
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] 32C232C0
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] C0B60FC3
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] B88D0489
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetTickCount] 89004094
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] C4E0850C
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] 3B410040
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 33C47CCE
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!TerminateProcess] 00FFBFC9
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] 918A0000
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LocalAlloc] [004094B8] C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!lstrcmpW] 8024C28A
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] C01AD8F6
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtQuerySecurityObject] C332DB02
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlFreeHeap] 8AF0B60F
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] 40C4E099
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!wcscat] D2B60F00
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!wcscpy] E0C1C68B
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlAllocateHeap] C1C23308
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] C23308E0
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlInitUnicodeString] 3308E0C1
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlInitializeSid] 89C233C6
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] 40C0E081
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] 08C8C100
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] BCE08189
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] C8C10040
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] E0818908
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] C10040B8
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlGetAce] 818908C8
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlImageNtHeader] [0040B4E0] C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!wcslen] 2674DB84
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] 0395B60F
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlCopySid] 0FFFFFFF
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] FEF80584
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] C203FFFF
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] F7F78B99
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] 84B60FFE
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerListen] FFFDF815
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] FC4589FF
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] 658304EB
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] DB8400FC
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] B60F2674
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [356729B9] \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
IAT C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe[3136] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [356729B9] \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
IAT C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\notepad.exe[3412] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [356729B9] \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
IAT C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\winamp.exe[3428] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [356729B9] \\?\globalroot\Device\__max++>\B542AA1E.x86.dll

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 731543e7.sys

AttachedDevice \Driver\Tcpip \Device\Tcp podmena.sys (podmena/podmena)
AttachedDevice \Driver\Tcpip \Device\Tcp 731543e7.sys

Device \Driver\podmenadrv \Device\PodmenaFD 731543e7.sys
Device \Driver\podmenadrv \Device\Podmena 731543e7.sys
Device \FileSystem\Fastfat \Fat AFF7DC8A
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\B542AA1E.x86.dll (*** hidden *** ) @ C:\Program Files\DellSupport\DSAgnt.exe [1400] 0x35670000
Library \\?\globalroot\Device\__max++>\B542AA1E.x86.dll (*** hidden *** ) @ C:\Program Files\Real\RealPlayer\RealPlay.exe [1408] 0x35670000
Library \\?\globalroot\Device\__max++>\B542AA1E.x86.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1468] 0x35670000
Library \\?\globalroot\Device\__max++>\B542AA1E.x86.dll (*** hidden *** ) @ C:\WINDOWS\sysguard.exe [1704] 0x35670000
Library \\?\globalroot\Device\__max++>\B542AA1E.x86.dll (*** hidden *** ) @ C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe [1720] 0x35670000
Library \\?\globalroot\Device\__max++>\B542AA1E.x86.dll (*** hidden *** ) @ C:\WINDOWS\DLL\RUNDLL32.exe [2008] 0x35670000
Library \\?\globalroot\Device\__max++>\B542AA1E.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [2444] 0x35670000
Library \\?\globalroot\Device\__max++>\B542AA1E.x86.dll (*** hidden *** ) @ C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\ghaf3wz.exe [3136] 0x35670000
Library \\?\globalroot\Device\__max++>\B542AA1E.x86.dll (*** hidden *** ) @ C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\notepad.exe [3412] 0x35670000
Library \\?\globalroot\Device\__max++>\B542AA1E.x86.dll (*** hidden *** ) @ C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\winamp.exe [3428] 0x35670000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\System32\drivers\731543e7.sys (*** hidden *** ) [SYSTEM] 731543e7 <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\731543e7@ImagePath \SystemRoot\System32\drivers\731543e7.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\731543e7@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\731543e7@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\731543e7@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet003\Services\731543e7@ImagePath \SystemRoot\System32\drivers\731543e7.sys
Reg HKLM\SYSTEM\ControlSet003\Services\731543e7@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\731543e7@Start 1
Reg HKLM\SYSTEM\ControlSet003\Services\731543e7@ErrorControl 1

---- Files - GMER 1.0.15 ----

ADS C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000216.sys:1 5632 bytes executable
ADS C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000627.sys:1 5632 bytes executable
ADS C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000747.sys:1 5632 bytes executable
ADS C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000765.sys:1 5632 bytes executable
ADS C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000788.sys:1 5632 bytes executable
ADS C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0002259.sys:1 5632 bytes executable
ADS C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0002283.sys:1 5632 bytes executable
ADS C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0002298.sys:1 5632 bytes executable
ADS C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0002312.sys:1 5632 bytes executable
ADS C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0002326.sys:1 5632 bytes executable
ADS C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0002376.sys:1 5632 bytes executable
ADS C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0002392.sys:1 5632 bytes executable
ADS C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0002410.sys:1 5632 bytes executable
ADS C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0002433.sys:1 5632 bytes executable
ADS C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0002450.sys:1 5632 bytes executable
ADS C:\WINDOWS\system32\netcfgx.dll:Zone.Identifier 49152 bytes executable

---- EOF - GMER 1.0.15 ----
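The log above repeats one pattern in process after process: 5-byte JMP patches on kernel32 and wininet exports that all land at the same trampoline addresses, IAT entries for LdrGetProcedureAddress redirected into a module mapped from `\\?\globalroot\Device\__max++>`, system-binary names (csrss.exe, winlogon.exe, svchost.exe) running out of %Temp%, a hidden driver service, and two drivers attached to \Device\Tcp. The script below is an added example written for this thread, not code from the forum or from GMER. It parses those line shapes as printed in the log and pulls out exactly those groupings. EXPECTED_DIR, the function names and the Finding type are the example's own assumptions; SAMPLE_LOG is an abbreviated copy of lines from the post.

```python
"""GMER 1.0.15 log triage. Added example for this thread; not GMER's or the forum's code."""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumption: directory tail (lower case) where these Windows binaries legitimately
# live. A process with one of these names running from anywhere else (csrss.exe in
# %Temp%, rundll32.exe in C:\WINDOWS\DLL) is a masquerade candidate.
EXPECTED_DIR = {"csrss.exe": r"\windows\system32", "winlogon.exe": r"\windows\system32",
                "svchost.exe": r"\windows\system32", "rundll32.exe": r"\windows\system32",
                "explorer.exe": r"\windows"}

HEX = r"[0-9A-Fa-f]+"
HIDDEN = r"\(\*\*\* hidden \*\*\* ?\)"
# .text <proc>[pid] <dll>!<func> <addr> <n> Bytes JMP <target>
RE_INLINE = re.compile(rf"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<imp>[\w.]+!\w+)\s+{HEX}\s+\d+\s+Bytes\s+JMP\s+(?P<target>{HEX})")
# IAT <proc>[pid] @ <module> [<dll>!<func>] [<addr>] <resolved path>   (or only a raw hex value)
RE_IAT = re.compile(rf"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+\S+\s+\[(?P<imp>[^\]]+)\]\s+(?:\[{HEX}\]\s+(?P<target>.+)|{HEX})\s*$")
# Library <path> (*** hidden *** ) @ <proc> [pid] <base>
RE_LIB = re.compile(rf"^Library\s+(?P<target>.+?)\s+{HIDDEN}\s+@\s+(?P<proc>.+?)\s+\[(?P<pid>\d+)\]\s+(?P<base>0x{HEX})")
# Service <path> (*** hidden *** ) [<start>] <name> ...
RE_SVC = re.compile(rf"^Service\s+(?P<target>.+?)\s+{HIDDEN}\s+\[\w+\]\s+(?P<name>\S+)")
# AttachedDevice <driver object> <device> <driver.sys> (<description>)
RE_ATTACH = re.compile(r"^AttachedDevice\s+\S+\s+(?P<device>\S+)\s+(?P<target>\S+)")
# ? <proc>[pid] image checksum mismatch; ...
RE_PE = re.compile(r"^\?\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<detail>.+)$")


@dataclass(frozen=True)
class Finding:
    kind: str    # inline_hook | iat_hook | hidden_library | hidden_service | attached_device | pe_mismatch
    proc: str    # process image path; "" for kernel-level findings
    pid: int
    detail: str  # hooked import, device, service name or PE warning
    target: str  # trampoline address, or the module/driver the entry leads to


def parse_gmer(text: str) -> List[Finding]:
    out: List[Finding] = []
    for line in (ln.strip() for ln in text.splitlines()):
        if m := RE_INLINE.match(line):
            out.append(Finding("inline_hook", m["proc"], int(m["pid"]), m["imp"], m["target"].upper()))
        elif m := RE_IAT.match(line):
            target = (m["target"] or "").strip()
            # Entries resolved to a normal drive-letter path (the process's own image or a
            # system DLL) are dropped here; a \\?\globalroot\Device\... target means the import
            # was redirected into a module mapped from the object namespace, which a normal
            # LoadLibrary never produces.
            if target and not re.match(r"^[A-Za-z]:\\", target):
                out.append(Finding("iat_hook", m["proc"], int(m["pid"]), m["imp"], target))
        elif m := RE_LIB.match(line):
            out.append(Finding("hidden_library", m["proc"], int(m["pid"]), m["base"], m["target"]))
        elif m := RE_SVC.match(line):
            out.append(Finding("hidden_service", "", 0, m["name"], m["target"]))
        elif m := RE_ATTACH.match(line):
            out.append(Finding("attached_device", "", 0, m["device"], m["target"]))
        elif m := RE_PE.match(line):
            out.append(Finding("pe_mismatch", m["proc"], int(m["pid"]), m["detail"], ""))
    return out


def masquerading_processes(findings: List[Finding]) -> Set[str]:
    """Processes named like a system binary but running from the wrong directory."""
    flagged = set()
    for f in findings:
        expected = EXPECTED_DIR.get(ntpath.basename(f.proc).lower())
        if expected and not ntpath.dirname(f.proc).lower().endswith(expected):
            flagged.add(f.proc)
    return flagged


def shared_hook_targets(findings: List[Finding]) -> Dict[str, Set[int]]:
    """Trampoline addresses seen in more than one PID: one injected payload, same address everywhere."""
    by_target: Dict[str, Set[int]] = defaultdict(set)
    for f in findings:
        if f.kind == "inline_hook":
            by_target[f.target].add(f.pid)
    return {t: pids for t, pids in by_target.items() if len(pids) > 1}


def injected_modules(findings: List[Finding]) -> Dict[str, Set[int]]:
    """Hidden or object-namespace modules and the PIDs they were found in."""
    mods: Dict[str, Set[int]] = defaultdict(set)
    for f in findings:
        if f.kind in ("hidden_library", "iat_hook"):
            mods[f.target].add(f.pid)
    return dict(mods)


# Abbreviated copy of lines from the log in this thread.
SAMPLE_LOG = r"""
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\csrss.exe[3440] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00142F34
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\csrss.exe[3440] wininet.dll!HttpSendRequestA 771C6279 5 Bytes JMP 00141B46
.text C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\win.exe[3452] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00142F34
? C:\DOCUME~1\TONIPO~1\LOCALS~1\Temp\csrss.exe[3440] image checksum mismatch; time/date stamp mismatch; unknown module: urlmon.dll
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\WINDOWS\Explorer.EXE[1468] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [356729B9] \\?\globalroot\Device\__max++>\B542AA1E.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] 81EC8B55
IAT C:\WINDOWS\system32\svchost.exe[2444] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LocalAlloc] [004094B8] C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Tcp podmena.sys (podmena/podmena)
AttachedDevice \Driver\Tcpip \Device\Tcp 731543e7.sys
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\Device\__max++>\B542AA1E.x86.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1468] 0x35670000
Library \\?\globalroot\Device\__max++>\B542AA1E.x86.dll (*** hidden *** ) @ C:\WINDOWS\DLL\RUNDLL32.exe [2008] 0x35670000
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\System32\drivers\731543e7.sys (*** hidden *** ) [SYSTEM] 731543e7 <-- ROOTKIT !!!
"""

if __name__ == "__main__":
    fs = parse_gmer(SAMPLE_LOG)
    print("masquerading:", sorted(masquerading_processes(fs)))
    print("shared trampolines:", shared_hook_targets(fs))
    print("injected modules:", injected_modules(fs))
    print("kernel:", [(f.kind, f.detail, f.target) for f in fs if not f.proc])
```

Run the file directly to print the groupings for the embedded sample, or feed a saved GMER log to parse_gmer(). IAT entries the log resolved to a drive-letter path (for example svchost.exe's own import thunks) are deliberately dropped; the signal is the object-namespace target, which a module loaded through the normal loader path never has.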
CatByte
post Jun 17 2009, 07:09 PM
Post #4

Good grief... there is more slime on this computer than I've seen in a long time.

I can't make any promises, but I'll do what I can.

Once we've cleaned up this PC I can recommend an Antivirus and firewall and other programs to prevent this from happening again:

Please do the following:

Download ComboFix from one of these locations:
Link 1
Link 2
Link 3

VERY IMPORTANT !!!
Save ComboFix.exe to your Desktop


Double click on ComboFix.exe & follow the prompts.

Now open notepad and copy/paste the text inside the quotebox below into it:

QUOTE
DDS::
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>

Save this as CFScript.txt


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.


Then, as part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


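The two `uInternet Settings` lines in the CFScript are the current user's WinINet proxy values. `ProxyServer = http=localhost:7171` sends every plain-HTTP request from Internet Explorer, and from anything else that uses WinINet, through a listener on the machine itself, so whatever is bound to port 7171 sees and can alter that traffic. As an added example (not ComboFix, DDS or the thread author's code), the script below parses the ProxyServer value in both of its forms, flags loopback proxies, reports which schemes are actually covered, and lists the reg.exe equivalents of what the CFScript removes. It assumes the DDS prefix `uInternet Settings` denotes `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings` and that ProxyEnable was 1; SAMPLE_SETTINGS is constructed from the CFScript values.

```python
"""WinINet proxy-setting check. Added example for this thread; not ComboFix or DDS code."""
import re
from typing import Dict, List

# Assumption: the DDS "uInternet Settings" prefix maps to this per-user key.
INET_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
LOOPBACK = re.compile(r"^(localhost|127(\.\d{1,3}){3}|\[?::1\]?)$", re.I)


def parse_proxy_server(value: str) -> Dict[str, str]:
    """ProxyServer is either 'host:port' (applies to every scheme) or a ';'-separated
    'scheme=host:port' list (http, https, ftp, socks). Returns scheme -> host:port,
    using '*' for the catch-all form."""
    value = value.strip()
    if not value:
        return {}
    if "=" not in value:
        return {"*": value}
    out: Dict[str, str] = {}
    for part in value.split(";"):
        if "=" in part:
            scheme, hostport = part.split("=", 1)
            out[scheme.strip().lower()] = hostport.strip()
    return out


def host_of(hostport: str) -> str:
    """Strip the port: 'localhost:7171' -> 'localhost', '[::1]:8080' -> '[::1]'."""
    if hostport.startswith("["):
        return hostport.split("]")[0] + "]"
    return hostport.rsplit(":", 1)[0] if ":" in hostport else hostport


def assess_proxy(settings: Dict[str, str]) -> List[str]:
    """settings: values under the Internet Settings key, as strings. Returns findings."""
    findings: List[str] = []
    enabled = settings.get("ProxyEnable", "0") == "1"
    proxies = parse_proxy_server(settings.get("ProxyServer", ""))
    for scheme, hostport in proxies.items():
        where = "all schemes" if scheme == "*" else scheme
        if LOOPBACK.match(host_of(hostport)):
            findings.append(f"{where} traffic is routed through a local listener at {hostport}"
                            + ("" if enabled else " (ProxyEnable=0, currently inactive)"))
    # With the per-scheme form, anything not listed (here https) bypasses the proxy entirely.
    if proxies and "*" not in proxies and "https" not in proxies:
        findings.append("only the listed schemes are proxied; https goes direct")
    return findings


def cleanup_commands() -> List[str]:
    """reg.exe equivalents of removing the two CFScript entries, plus switching the
    proxy off (the ProxyEnable step is this example's addition, not in the CFScript).
    Run as the affected user; HKCU needs no elevation."""
    return [
        f'reg delete "{INET_KEY}" /v ProxyServer /f',
        f'reg delete "{INET_KEY}" /v ProxyOverride /f',
        f'reg add "{INET_KEY}" /v ProxyEnable /t REG_DWORD /d 0 /f',
    ]


# Constructed from the CFScript in this thread; ProxyEnable assumed to be 1.
# In ProxyOverride, "<local>" means "bypass the proxy for hostnames without a dot".
SAMPLE_SETTINGS = {"ProxyEnable": "1", "ProxyServer": "http=localhost:7171",
                   "ProxyOverride": "*.local;<local>"}

if __name__ == "__main__":
    for line in assess_proxy(SAMPLE_SETTINGS):
        print("finding:", line)
    for cmd in cleanup_commands():
        print("cleanup:", cmd)
```

The per-scheme detail matters for triage: with `http=` only, HTTPS sessions were never touched by the listener, so any tampering the user noticed was confined to plain-HTTP pages.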
CatByte
post Jun 24 2009, 06:20 PM
Post #5

Hi, do you still need help with your machine?

If the instructions are unclear or you are having other issues, please advise.
electriccrayon
post Jun 25 2009, 10:46 AM
Post #6

I haven't had the chance to get back to the infected computer since your last instructions were posted, but I will take care of that sometime this evening. Sorry for the delay.
electriccrayon
post Jul 1 2009, 01:11 AM
Post #7

The computer's owner decided to go with a new one. Sorry to waste some of your time, but thank you for your help!

this topic is closed
CatByte
post Jul 1 2009, 03:54 AM
Post #8

Thank you for letting us know.

CB