
Ameana Is Back


9 replies to this topic

#1 bellemov (Authentic Member, 28 posts)

Posted 11 April 2007 - 01:13 PM

Last November you helped me remove a file with VundoFix. Recently my computer has been running very slowly and today I got a familiar pop-up from ameana.com. Last Friday McAfee, during a routine scan, quarantined a known trojan. I can't find the log to find the name of it. Not sure if any of this is related. Here's my HJT log, thanks in advance for any help.

Logfile of HijackThis v1.99.1
Scan saved at 3:04:58 PM, on 4/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\AOL\1121872257\ee\AOLSoftware.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\America Online 9.0\waol.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\AOL\1121872257\ee\aolsoftware.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\TJH110606\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1121872257\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.learninglibrary.com
O15 - Trusted Zone: *.rapmls.com
O15 - Trusted Zone: http://*.rapmls.com
O15 - Trusted Zone: *.betaweb.suprakim.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} (PowerTeam HTML Printing Behavior) - file://C:\DOCUME~1\Windows\LOCALS~1\Temp\IXP000.TMP\setup.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1145217443890
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {7D30109B-DD2B-4339-BE80-1CD48723C2BC} (LiveX(v6.0.1.0)) - http://bowwow4.serve...om/cab/Live.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9EF34803-43A8-487A-BC9E-C23FACCDBDBE} (PDFConvert.Converter) - http://rapprinter.ra...Creator_001.exe
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60...geWell-ipix.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
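An added example, not from the thread or from HijackThis itself: a small Python triage script for logs in the HJT v1.99.1 format shown above. It parses the "<section code> - <body>" layout and flags the entry types a helper usually wants to look at first (IE Trusted Zone additions, ActiveX controls pulled from a local path or a raw-IP host, "(file missing)" references, Run entries that give only a bare filename), and it can compare two logs, since helpers ask for a fresh log after each step. The sample lines are constructed from entries in the log above; a flag means "review this", not "malicious".

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99.1 log format, modelled on entries
# from the log posted above (a handful of lines, not the full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O15 - Trusted Zone: *.rapmls.com
O16 - DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} (PowerTeam HTML Printing Behavior) - file://C:\DOCUME~1\Windows\LOCALS~1\Temp\IXP000.TMP\setup.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60...geWell-ipix.cab
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
"""

# Each HJT entry is "<section code> - <body>"; codes are R0/R1, F0/F1, O1..O23.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
IP_HOST_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}", re.IGNORECASE)


@dataclass
class Finding:
    code: str
    reason: str
    line: str


def o4_target(body: str) -> str:
    """Return the command after the [Name] label of an O4 Run entry ('' if none)."""
    m = re.search(r"\]\s*(.*)$", body)
    return m.group(1).strip() if m else ""


def o16_url(body: str) -> str:
    """Return the download URL at the end of an O16 DPF entry."""
    return body.rsplit(" - ", 1)[-1].strip()


def classify(line: str):
    """Return a Finding for an entry a helper would want to look at, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # header line, process list, or blank line
    code, body = m.group("code"), m.group("body")
    if "(file missing)" in body:
        return Finding(code, "HJT could not resolve the referenced file", line)
    if code == "O15":
        return Finding(code, "domain in IE Trusted Zone (relaxed security settings apply)", line)
    if code == "O16":
        url = o16_url(body)
        if url.lower().startswith("file://"):
            return Finding(code, "ActiveX control installed from a local file path", line)
        if IP_HOST_RE.match(url):
            return Finding(code, "ActiveX control downloaded from a raw IP address host", line)
    if code == "O4":
        target = o4_target(body).lstrip('"')
        # No drive letter, directory separator or %var%: the name is found via the search path.
        if target and "\\" not in target and not target.startswith("%"):
            return Finding(code, "startup entry uses a bare filename resolved via the search path", line)
    return None


def triage(log_text: str) -> list:
    """Run classify() over every line and keep the entries that were flagged."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


def diff_logs(old_text: str, new_text: str):
    """Compare two HJT logs by entry line: (entries only in new, entries only in old)."""
    def entries(text):
        return {l.strip() for l in text.splitlines() if ENTRY_RE.match(l.strip())}
    old, new = entries(old_text), entries(new_text)
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:>4}  {f.reason}\n      {f.line.strip()}")
```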


#2 Noviciate (Retired WTT Teacher, Visiting Fellow, 2,907 posts)

Posted 13 April 2007 - 03:36 PM

1) Download F-Secure's BlackLight from here and save it to your Desktop.

2) Log off from the internet and disconnect your modem cable.

3) Go to Start > Run, copy and paste the following into the text box and hit OK:
"%userprofile%\desktop\fsbl.exe" /expert

The F-Secure Blacklight Beta window should open.
  • Accept the agreement and click Next >.
  • Click the Scan button to begin.
  • Leave the PC idle while the scan takes place.
  • When it has completed, click the Close button.
  • A text file, fsbl-date/time, will be saved onto your Desktop - copy and paste this into your next reply.
Also, run HJT and click on Open the Misc Tools section.
  • Click Open Uninstall Manager...
  • Click Save list... and save it to your Desktop.
  • Copy and paste the file uninstall_list.txt into your next reply.
Finally, throw in a fresh HJT log and we'll see what we can see.
Death to the salad eaters!

#3 bellemov (Authentic Member, 28 posts)

Posted 14 April 2007 - 01:54 PM

F-Secure's Blacklight log
04/14/07 15:30:17 [Info]: BlackLight Engine 1.0.61 initialized
04/14/07 15:30:17 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/14/07 15:30:18 [Note]: 7019 4
04/14/07 15:30:18 [Note]: 7005 0
04/14/07 15:30:28 [Note]: 7006 0
04/14/07 15:30:28 [Note]: 7022 0
04/14/07 15:30:28 [Note]: 7011 508
04/14/07 15:30:28 [Note]: 7026 0
04/14/07 15:30:28 [Note]: 7026 0
04/14/07 15:30:38 [Note]: FSRAW library version 1.7.1021
04/14/07 15:40:36 [Note]: 7007 0

Uninstall List
Ad-Aware SE Personal
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat 6.0.1 Standard
Adobe Acrobat and Reader 6.0.3 Update
Adobe Acrobat and Reader 6.0.4 Update
Adobe Acrobat and Reader 6.0.5 Update
Adobe Acrobat and Reader 6.0.6 Update
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Shockwave Player
ALPS Touch Pad Driver
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Deskbar
AOL Registration
AOL Toolbar
AOL Uninstaller (Choose which Products to Remove)
Bluetooth® Wireless Technology Synchronization Plug-in
Broadcom Advanced Control Suite 2
Broadcom ASF Management Applications
BUM
Canon Camera Support Core Library
Canon Camera Window DS for ZoomBrowser EX
Canon Camera Window DVC for ZoomBrowser EX
Canon Camera Window for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX
Conexant D110 MDC V.9x Modem
Dell Wireless WLAN Card
Digital Line Detect
Easy CD Creator 5 Basic
eKEY
EPSON Printer Software
Form Viewer
HijackThis 1.99.1
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB909394)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP Photo and Imaging 2.2 - Scanjet 3970 Series
Intel® Graphics Media Accelerator Driver for Mobile
Internal Network Card Power Management
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
Java™ SE Runtime Environment 6 Update 1
KODAK EASYSHARE Gallery Upload ActiveX Control
Logitech SetPoint
Macromedia Flash Player 8
Mapopolis
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft ActiveSync
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Web Components
Microsoft Office Accounting 2007
Microsoft Office Accounting 2007
Microsoft Office Accounting ADP Payroll Addin
Microsoft Office Accounting Equifax Addin
Microsoft Office Accounting Fixed Asset Manager
Microsoft Office Accounting PayPal Addin
Microsoft Office Professional Edition 2003
Microsoft Office Small Business Connectivity Components
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Streets and Trips 2005
Microsoft User-Mode Driver Framework Feature Pack 1.0
Modem Helper
MSXML 6.0 Parser
NetWaiting
Picasa 2
PowerDVD 5.1
QuickSet
QuickTime
Rapattoni MLS PDF Creator
RealPlayer
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Spyware Doctor 4.0
Time Zone Data Update Tool for Microsoft Office Outlook
Treo 700wx User Guide
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB929338)
Update for Windows XP (KB931836)
URGE
Viewpoint Media Player
Virtual MLS
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Mobile Daylight Saving Time 2007 Updates
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086

Fresh HJT log
Logfile of HijackThis v1.99.1
Scan saved at 3:42:58 PM, on 4/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\AOL\1121872257\ee\AOLSoftware.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\AOL\1121872257\ee\aolsoftware.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\TJH110606\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1121872257\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.learninglibrary.com
O15 - Trusted Zone: *.rapmls.com
O15 - Trusted Zone: http://*.rapmls.com
O15 - Trusted Zone: *.betaweb.suprakim.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} (PowerTeam HTML Printing Behavior) - file://C:\DOCUME~1\Windows\LOCALS~1\Temp\IXP000.TMP\setup.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1145217443890
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {7D30109B-DD2B-4339-BE80-1CD48723C2BC} (LiveX(v6.0.1.0)) - http://bowwow4.serve...om/cab/Live.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9EF34803-43A8-487A-BC9E-C23FACCDBDBE} (PDFConvert.Converter) - http://rapprinter.ra...Creator_001.exe
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60...geWell-ipix.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

#4 Noviciate
    Retired WTT Teacher
  • Visiting Fellow
  • 2,907 posts

Posted 14 April 2007 - 02:22 PM

No coconut there then!

Run the following online scan: Panda ActiveScan.
  • Please note that IE is required to run this scan.
  • You will need to fill in the "Country, region, email address" information before you can download and install the ActiveX components necessary to run the scan.
  • Decide whether you want to click the radio button underneath this part that says -
    "I do not want to receive marketing information from Panda Software and/or its International Representatives where applicable." - it's your choice!
  • When you are asked to "Select a device to scan...", click on "My Computer".
When the scan has finished, click See Report > Save Report which by default will save the scan results as Activescan.txt in My Documents.
Let me have a copy of this and we'll see where that gets us.

Also, rename your copy of hijackthis.exe to seek.exe and post a fresh log run in Normal Mode. It's possible that a nasty is interfering with the normal working of HJT in order to hide itself and renaming the .exe will get around this.
Death to the salad eaters!

#5 bellemov
  • Authentic Member
  • 28 posts

Posted 16 April 2007 - 11:04 AM

Below are the Panda log and the new HJT log. I also forgot to mention that every time I shut down there is a program that is not responding that I have to manually end. It's "VR+mVSrHmNFcUputjBtsVg24+def..."

Logfile of HijackThis v1.99.1
Scan saved at 12:55:33 PM, on 4/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\AOL\1121872257\ee\AOLSoftware.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\AOL\1121872257\ee\aolsoftware.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\TJH110606\seek.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1121872257\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.learninglibrary.com
O15 - Trusted Zone: *.rapmls.com
O15 - Trusted Zone: http://*.rapmls.com
O15 - Trusted Zone: *.betaweb.suprakim.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} (PowerTeam HTML Printing Behavior) - file://C:\DOCUME~1\Windows\LOCALS~1\Temp\IXP000.TMP\setup.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1145217443890
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {7D30109B-DD2B-4339-BE80-1CD48723C2BC} (LiveX(v6.0.1.0)) - http://bowwow4.serve...om/cab/Live.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9EF34803-43A8-487A-BC9E-C23FACCDBDBE} (PDFConvert.Converter) - http://rapprinter.ra...Creator_001.exe
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60...geWell-ipix.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE


PANDA LOG:

Incident Status Location

Virus:Trj/ConHook.BK Disinfected C:\VundoFix Backups\IndASS.dll.bad
Thanks for your help.
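An added example, not from this thread and not part of HijackThis itself: a small Python triage script that reads entries in the HJT line format posted above and lists the ones an analyst would review first. The rules are the example's own heuristics (orphaned entries marked "(file missing)", sites added to IE's Trusted Zone, O16 ActiveX controls registered from local or Temp paths or fetched over plain HTTP, Winlogon Notify DLLs, autostarts running from Temp, and services with no publisher). A flag means "look at this", not "this is malicious"; the sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass

# Constructed sample in the HijackThis v1.99.1 line format used in this thread;
# the entries are copied from the log posted above.
SAMPLE_HJT_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O15 - Trusted Zone: *.rapmls.com
O16 - DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} (PowerTeam HTML Printing Behavior) - file://C:\DOCUME~1\Windows\LOCALS~1\Temp\IXP000.TMP\setup.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""


@dataclass
class Finding:
    section: str  # HJT section tag such as "O16"
    reason: str   # why a reviewer should look at the entry
    line: str     # the original log line


_ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - ")
_TEMP_RE = re.compile(r"[\\/](?:temp|tmp)[\\/]", re.IGNORECASE)


def parse_hjt_entries(text):
    """Yield (section, line) for every HJT entry; headers and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        m = _ENTRY_RE.match(line)
        if m:
            yield m.group(1), line


def triage_hjt(text):
    """Apply reviewer heuristics to an HJT log and return entries worth a second look.

    The rules are this example's own (assumption, not HJT's): they flag items
    that deserve manual review, not items known to be malicious."""
    findings = []
    for section, line in parse_hjt_entries(text):
        if "(file missing)" in line:
            findings.append(Finding(section, "orphaned entry: points at a file that no longer exists", line))
        if section == "O15":
            findings.append(Finding(section, "site in IE Trusted Zone runs with relaxed ActiveX/script rules", line))
        elif section == "O16":
            # The download URL is the text after the last " - " separator.
            url = line.rsplit(" - ", 1)[-1]
            if url.lower().startswith("file://") or _TEMP_RE.search(url):
                findings.append(Finding(section, "ActiveX control registered from a local or Temp path", line))
            elif url.lower().startswith("http://"):
                findings.append(Finding(section, "ActiveX control fetched over unencrypted HTTP", line))
        elif section == "O20":
            findings.append(Finding(section, "Winlogon Notify DLL loads inside winlogon.exe; verify the publisher", line))
        elif section == "O23" and "Unknown owner" in line:
            findings.append(Finding(section, "service reports no publisher information", line))
        elif section == "O4" and _TEMP_RE.search(line):
            findings.append(Finding(section, "autostart entry runs from a Temp directory", line))
    return findings


def findings_by_section(findings):
    """Group findings by HJT section tag so they can be read in log order."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.section, []).append(f)
    return grouped


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

On the sample above the script reports six entries: the orphaned xpnetdiag button, the rapmls.com Trusted Zone entry, both O16 controls, the WgaLogon notify DLL and the wltrysvc service. The two O4 lines pass, which is the point of a triage pass: it narrows the list rather than deciding it.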

#6 Noviciate
    Retired WTT Teacher
  • Visiting Fellow
  • 2,907 posts

Posted 16 April 2007 - 12:44 PM

I also forgot to mention that every time I shut down there is a program that is not responding that I have to manually end. It's "VR+mVSrHmNFcUputjBtsVg24+def..."

I'm assuming that VR+mVSrHmNFcUputjBtsVg24+def... is the exact name that appears in the pop-up window at shutdown - doesn't look like it belongs.
Neither the Panda scan nor your log shows any malware onboard - this may, or may not, mean that your PC is clean. I don't like the above, but without more to go on, there isn't a lot I can do about it.
Download gmer.zip from here and save it to your Desktop.
You will need to unzip it before you run it.

To do this: Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


Double click gmer.exe to begin:
  • If you get a message about "system modification", click Yes and work through the rest of the instructions.
  • Ensure that the Rootkit Tab at the top is selected.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click the Scan button on the right.
  • When the scan has completed, (you'll have time for a snack and a cuppa!), click the Copy button underneath - this will save the report to your Clipboard.
  • Paste it into Notepad (Start > All Programs > Accessories > Notepad) and save it somewhere convenient.
  • Click the >>> Tab at the top and select the Autostart Tab.
  • Click the Scan button on the right - this one should only take seconds to complete.
  • Save the log as before.
Copy and paste both reports into your next reply - you may need to post them separately.
The Preview option may show the whole logs being posted, but they sometimes get cut down when the actual post is made, so check the post once it is completed.
Death to the salad eaters!
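Reading the GMER report Noviciate asks for means separating hooks that GMER attributes to a named driver from detours into memory it cannot name and from raw byte patches. The Python script below is an added example, not part of this thread or of GMER: it parses the "Kernel code sections" and "User code sections" line formats (the constructed sample lines are copied from the report posted later in this thread) and summarizes them. The classification is the example's own assumption about how to read such output: detours that land in the driver of an installed security product (here mfehidk.sys, which belongs to the McAfee suite listed in the O23 services) are expected on that machine, while detours with no module name and byte patches at API entry points are the ones to check against the process's loaded modules before drawing any conclusion.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the GMER 1.0.12 report format used in this thread; the
# hook lines are copied from the report posted below (kernel and user-mode sections).
SAMPLE_GMER_LOG = r"""
---- Kernel code sections - GMER 1.0.12 ----

.text ntkrnlpa.exe!ZwYieldExecution 8050189C 7 Bytes JMP A95A35BD \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!NtCreateFile 8056D3CA 5 Bytes JMP A95A357F \SystemRoot\system32\drivers\mfehidk.sys
? C:\WINDOWS\system32\DRIVERS\update.sys

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\EXPLORER.EXE[576] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\EXPLORER.EXE[576] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\EXPLORER.EXE[576] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 02B40000
.text C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe[704] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
"""


@dataclass
class Hook:
    scope: str              # "kernel" or "<process path>[pid]"
    symbol: str             # hooked export, e.g. "ntdll.dll!NtTerminateProcess + 4"
    address: str            # address of the patched bytes
    kind: str               # "jmp" (detour) or "patch" (raw bytes overwritten)
    target: Optional[str]   # detour destination for "jmp" hooks
    module: Optional[str]   # module GMER attributed the destination to, if any


_HOOK_RE = re.compile(
    r"^(?P<section>\S+)\s+"                  # .text / PAGE / INIT ...
    r"(?:(?P<process>.+?\[\d+\])\s+)?"       # user-mode lines carry "path[pid]"
    r"(?P<symbol>\S+!\S+(?: \+ \d+)?)\s+"    # module!Export, optionally "+ offset"
    r"(?P<address>[0-9A-F]{8})\s+\d+ Bytes\s+"
    r"(?P<detail>.+)$"
)
_JMP_RE = re.compile(r"^JMP (?P<target>[0-9A-F]{8})(?:\s+(?P<module>.+))?$")
_UNVERIFIED_RE = re.compile(r"^\?\s+(?P<rest>.+)$")


def parse_gmer(text):
    """Return (hooks, unverified) for the code-section lines of a GMER report."""
    hooks, unverified = [], []
    for raw in text.splitlines():
        line = raw.strip()
        u = _UNVERIFIED_RE.match(line)
        if u:
            unverified.append(u.group("rest"))  # sections GMER could not read or verify
            continue
        m = _HOOK_RE.match(line)
        if not m:
            continue  # headers, blank lines and other sections
        j = _JMP_RE.match(m.group("detail"))
        module = None
        if j and j.group("module"):
            module = j.group("module").replace("/", "\\").rsplit("\\", 1)[-1]
        hooks.append(Hook(
            scope=m.group("process") or "kernel",
            symbol=m.group("symbol"),
            address=m.group("address"),
            kind="jmp" if j else "patch",
            target=j.group("target") if j else None,
            module=module,
        ))
    return hooks, unverified


def summarize(hooks):
    """Split hooks into detours attributed to a module (counted per module),
    detours whose destination GMER could not attribute, and raw byte patches."""
    by_module = Counter()
    unattributed, patches = [], []
    for h in hooks:
        if h.kind == "jmp" and h.module:
            by_module[h.module] += 1
        elif h.kind == "jmp":
            unattributed.append(h)
        else:
            patches.append(h)
    return by_module, unattributed, patches


if __name__ == "__main__":
    hooks, unverified = parse_gmer(SAMPLE_GMER_LOG)
    by_module, unattributed, patches = summarize(hooks)
    for mod, n in by_module.items():
        print(f"{n} detour(s) into {mod}")
    for h in unattributed:
        print(f"unattributed detour: {h.scope} {h.symbol} -> {h.target}")
    for h in patches:
        print(f"byte patch: {h.scope} {h.symbol} @ {h.address}")
    for path in unverified:
        print(f"unverified: {path}")
```

The two `[ FF, 25, 1E ]` / `[ 11, 5F ]` lines are one patch reported in two pieces: on x86, `FF 25` is the opcode of an indirect `jmp dword ptr [addr]`, and the following four bytes are the address GMER splits across the `+ 4` entry. The script keeps them as separate patch records because that is how the report presents them; a reviewer would then look up what sits at the unattributed `02B40000` and `5F070F5A` targets in the respective processes.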

#7 bellemov
  • Authentic Member
  • 28 posts

Posted 16 April 2007 - 01:14 PM

GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-04-16 15:03:15
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwDeleteKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwDeleteValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys ZwOpenKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwProtectVirtualMemory
Code \SystemRoot\system32\drivers\mfehidk.sys ZwRenameKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwSetValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwTerminateProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwUnmapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys ZwYieldExecution
Code \SystemRoot\system32\drivers\mfehidk.sys NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys NtMapViewOfSection

---- Kernel code sections - GMER 1.0.12 ----

.text ntkrnlpa.exe!ZwYieldExecution 8050189C 7 Bytes JMP A95A35BD \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!NtCreateFile 8056D3CA 5 Bytes JMP A95A357F \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A6206 7 Bytes JMP A95A35D3 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A701C 5 Bytes JMP A95A35E9 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805AC78E 7 Bytes JMP A95A3593 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwCreateProcess 805C5F8E 5 Bytes JMP A95A35A9 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C776C 5 Bytes JMP A95A356B \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwSetValueKey 80617546 7 Bytes JMP A95A3555 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwRenameKey 806188AC 7 Bytes JMP A95A3529 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwCreateKey 80618E86 5 Bytes JMP A95A34FF \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwDeleteKey 80619316 7 Bytes JMP A95A3513 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwDeleteValueKey 806194E6 7 Bytes JMP A95A353F \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwOpenKey 8061A21C 5 Bytes JMP A95A34EB \SystemRoot\system32\drivers\mfehidk.sys
? C:\WINDOWS\system32\DRIVERS\update.sys
? C:\WINDOWS\TEMP\mc25.tmp The system cannot find the file specified.

---- User code sections - GMER 1.0.12 ----

.text C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe[264] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe[264] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe[264] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe[264] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe[264] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe[264] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe[264] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F180F5A
.text C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe[264] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F140F5A
.text C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe[264] GDI32.dll!Escape 77F273B4 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\EXPLORER.EXE[576] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\EXPLORER.EXE[576] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\EXPLORER.EXE[576] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 02B40000
.text C:\WINDOWS\EXPLORER.EXE[576] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 02B400B3
.text C:\WINDOWS\EXPLORER.EXE[576] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 02B40098
.text C:\WINDOWS\EXPLORER.EXE[576] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 02B40087
.text C:\WINDOWS\EXPLORER.EXE[576] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 02B4006C
.text C:\WINDOWS\EXPLORER.EXE[576] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 02B4005B
.text C:\WINDOWS\EXPLORER.EXE[576] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 02B40F88
.text C:\WINDOWS\EXPLORER.EXE[576] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 02B40FA3
.text C:\WINDOWS\EXPLORER.EXE[576] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 02B40F55
.text C:\WINDOWS\EXPLORER.EXE[576] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 02B40F66
.text C:\WINDOWS\EXPLORER.EXE[576] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 02B40109
.text C:\WINDOWS\EXPLORER.EXE[576] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 02B40FCA
.text C:\WINDOWS\EXPLORER.EXE[576] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 02B4001B
.text C:\WINDOWS\EXPLORER.EXE[576] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 02B400C4
.text C:\WINDOWS\EXPLORER.EXE[576] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 02B40040
.text C:\WINDOWS\EXPLORER.EXE[576] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 02B40FE5
.text C:\WINDOWS\EXPLORER.EXE[576] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 02B40F77
.text C:\WINDOWS\EXPLORER.EXE[576] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 02B30011
.text C:\WINDOWS\EXPLORER.EXE[576] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 02B30F76
.text C:\WINDOWS\EXPLORER.EXE[576] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 02B30000
.text C:\WINDOWS\EXPLORER.EXE[576] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 02B30FCA
.text C:\WINDOWS\EXPLORER.EXE[576] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 02B30F91
.text C:\WINDOWS\EXPLORER.EXE[576] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 02B3003D
.text C:\WINDOWS\EXPLORER.EXE[576] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 02B30FEF
.text C:\WINDOWS\EXPLORER.EXE[576] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 02B30022
.text C:\WINDOWS\EXPLORER.EXE[576] GDI32.dll!Escape 77F273B4 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\EXPLORER.EXE[576] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F1B0F5A
.text C:\WINDOWS\EXPLORER.EXE[576] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F170F5A
.text C:\WINDOWS\EXPLORER.EXE[576] WININET.dll!InternetOpenA 771CC859 5 Bytes JMP 02A0000A
.text C:\WINDOWS\EXPLORER.EXE[576] WININET.dll!InternetOpenW 771CCE91 5 Bytes JMP 02A00025
.text C:\WINDOWS\EXPLORER.EXE[576] WININET.dll!InternetOpenUrlA 771D06CD 5 Bytes JMP 02A00036
.text C:\WINDOWS\EXPLORER.EXE[576] WININET.dll!InternetOpenUrlW 7721A881 5 Bytes JMP 02A00FE5
.text C:\WINDOWS\EXPLORER.EXE[576] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 02B90000
.text C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe[704] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe[704] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe[704] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe[704] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe[704] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe[704] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F180F5A
.text C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe[704] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F140F5A
.text C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe[704] GDI32.dll!Escape 77F273B4 6 Bytes JMP 5F100F5A
.text C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe[748] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe[748] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe[748] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe[748] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe[748] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe[748] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F180F5A
.text C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe[748] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F140F5A
.text C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe[748] GDI32.dll!Escape 77F273B4 6 Bytes JMP 5F100F5A
.text C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe[836] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe[836] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe[836] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe[836] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe[836] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe[836] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F180F5A
.text C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe[836] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F140F5A
.text C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe[836] GDI32.dll!Escape 77F273B4 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\SYSTEM32\CSRSS.EXE[852] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\SYSTEM32\CSRSS.EXE[852] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\SYSTEM32\CSRSS.EXE[852] GDI32.dll!Escape 77F273B4 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\SYSTEM32\CSRSS.EXE[852] KERNEL32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\SYSTEM32\CSRSS.EXE[852] KERNEL32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\SYSTEM32\CSRSS.EXE[852] KERNEL32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\SYSTEM32\CSRSS.EXE[852] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F180F5A
.text C:\WINDOWS\SYSTEM32\CSRSS.EXE[852] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F140F5A
.text C:\WINDOWS\SYSTEM32\WINLOGON.EXE[876] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\SYSTEM32\WINLOGON.EXE[876] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\SYSTEM32\WINLOGON.EXE[876] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\SYSTEM32\WINLOGON.EXE[876] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\SYSTEM32\WINLOGON.EXE[876] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\SYSTEM32\WINLOGON.EXE[876] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F180F5A
.text C:\WINDOWS\SYSTEM32\WINLOGON.EXE[876] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F140F5A
.text C:\WINDOWS\SYSTEM32\WINLOGON.EXE[876] GDI32.dll!Escape 77F273B4 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\SYSTEM32\SERVICES.EXE[920] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\SYSTEM32\SERVICES.EXE[920] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\SYSTEM32\SERVICES.EXE[920] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 010A0FE5
.text C:\WINDOWS\SYSTEM32\SERVICES.EXE[920] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 010A005B
.text C:\WINDOWS\SYSTEM32\SERVICES.EXE[920] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 010A0F66
.text C:\WINDOWS\SYSTEM32\SERVICES.EXE[920] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 010A004A
.text C:\WINDOWS\SYSTEM32\SERVICES.EXE[920] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 010A002F
.text C:\WINDOWS\SYSTEM32\SERVICES.EXE[920] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 010A0F97
.text C:\WINDOWS\SYSTEM32\SERVICES.EXE[920] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 010A0091
.text C:\WINDOWS\SYSTEM32\SERVICES.EXE[920] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 010A0080
.text C:\WINDOWS\SYSTEM32\SERVICES.EXE[920] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 010A0EF8
.text C:\WINDOWS\SYSTEM32\SERVICES.EXE[920] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 010A0F13
.text C:\WINDOWS\SYSTEM32\SERVICES.EXE[920] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 010A0EE7
.text C:\WINDOWS\SYSTEM32\SERVICES.EXE[920] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 010A001E
.text C:\WINDOWS\SYSTEM32\SERVICES.EXE[920] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 010A0FD4
.text C:\WINDOWS\SYSTEM32\SERVICES.EXE[920] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 010A0F55
.text C:\WINDOWS\SYSTEM32\SERVICES.EXE[920] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 010A0FB2
.text C:\WINDOWS\SYSTEM32\SERVICES.EXE[920] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 010A0FC3
.text C:\WINDOWS\SYSTEM32\SERVICES.EXE[920] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 010A0F2E
.text C:\WINDOWS\SYSTEM32\SERVICES.EXE[920] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 0096002F
.text C:\WINDOWS\SYSTEM32\SERVICES.EXE[920] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 0096006C
.text C:\WINDOWS\SYSTEM32\SERVICES.EXE[920] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00960FDE
.text C:\WINDOWS\SYSTEM32\SERVICES.EXE[920] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00960FEF
.text C:\WINDOWS\SYSTEM32\SERVICES.EXE[920] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 0096005B
.text C:\WINDOWS\SYSTEM32\SERVICES.EXE[920] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 0096004A
.text C:\WINDOWS\SYSTEM32\SERVICES.EXE[920] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 0096000A
.text C:\WINDOWS\SYSTEM32\SERVICES.EXE[920] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00960FC3
.text C:\WINDOWS\SYSTEM32\SERVICES.EXE[920] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F1B0F5A
.text C:\WINDOWS\SYSTEM32\SERVICES.EXE[920] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F170F5A
.text C:\WINDOWS\SYSTEM32\SERVICES.EXE[920] GDI32.dll!Escape 77F273B4 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\SYSTEM32\SERVICES.EXE[920] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00930FEF
.text C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe[1048] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe[1048] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe[1048] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe[1048] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe[1048] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe[1048] GDI32.dll!Escape 77F273B4 6 Bytes JMP 5F100F5A
.text C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe[1048] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F180F5A
.text C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe[1048] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F140F5A
.text C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe[1188] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe[1188] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe[1188] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe[1188] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe[1188] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe[1188] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F180F5A
.text C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe[1188] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F140F5A
.text C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe[1188] GDI32.dll!Escape 77F273B4 6 Bytes JMP 5F100F5A
.text C:\Program Files\Apoint\Apoint.exe[1264] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Apoint\Apoint.exe[1264] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Apoint\Apoint.exe[1264] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Apoint\Apoint.exe[1264] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Apoint\Apoint.exe[1264] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Apoint\Apoint.exe[1264] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F180F5A
.text C:\Program Files\Apoint\Apoint.exe[1264] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F140F5A
.text C:\Program Files\Apoint\Apoint.exe[1264] GDI32.dll!Escape 77F273B4 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1284] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1284] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1284] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01B40FEF
.text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1284] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01B40FA8
.text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1284] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01B40093
.text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1284] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01B40FB9
.text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1284] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01B40076
.text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1284] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01B40FD4
.text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1284] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 01B40F8D
.text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1284] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01B400D5
.text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1284] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01B40F3C
.text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1284] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01B40F57
.text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1284] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 01B40F21
.text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1284] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 01B4005B
.text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1284] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 01B40014
.text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1284] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 01B400B8
.text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1284] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 01B40040
.text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1284] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 01B40025
.text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1284] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 01B40F72
.text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1284] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 01B30F94
.text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1284] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 01B30025
.text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1284] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 01B30FAF
.text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1284] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 01B30FD4
.text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1284] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 01B3000A
.text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1284] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 01B30F68
.text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1284] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 01B30FEF
.text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1284] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 01B30F83
.text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1284] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F1B0F5A
.text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1284] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F170F5A
.text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1284] GDI32.dll!Escape 77F273B4 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1284] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01B0000A
.text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1284] WININET.dll!InternetOpenA 771CC859 5 Bytes JMP 01B10000
.text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1284] WININET.dll!InternetOpenW 771CCE91 5 Bytes JMP 01B10FDB
.text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1284] WININET.dll!InternetOpenUrlA 771D06CD 5 Bytes JMP 01B10011
.text C:\WINDOWS\SYSTEM32\SVCHOST.EXE[1284] WININET.dll!InternetOpenUrlW 7721A881 5 Bytes JMP 01B10FC0
.text C:\WINDOWS\SYSTEM32\WLTRAY.EXE[1316] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\SYSTEM32\WLTRAY.EXE[1316] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\SYSTEM32\WLTRAY.EXE[1316] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\SYSTEM32\WLTRAY.EXE[1316] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\SYSTEM32\WLTRAY.EXE[1316] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\SYSTEM32\WLTRAY.EXE[1316] GDI32.dll!Escape 77F273B4 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\SYSTEM32\WLTRAY.EXE[1316] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F180F5A
.text C:\WINDOWS\SYSTEM32\WLTRAY.EXE[1316] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F140F5A
.text C:\Program Files\Common Files\AOL\1121872257\EE\aolsoftware.exe[1364] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Common Files\AOL\1121872257\EE\aolsoftware.exe[1364] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Common Files\AOL\1121872257\EE\aolsoftware.exe[1364] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\AOL\1121872257\EE\aolsoftware.exe[1364] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\AOL\1121872257\EE\aolsoftware.exe[1364] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\AOL\1121872257\EE\aolsoftware.exe[1364] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F180F5A
.text C:\Program Files\Common Files\AOL\1121872257\EE\aolsoftware.exe[1364] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F140F5A
.text C:\Program Files\Common Files\AOL\1121872257\EE\aolsoftware.exe[1364] GDI32.dll!Escape 77F273B4 6 Bytes JMP 5F100F5A
.text C:\Program Files\QuickTime\qttask.exe[1516] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\QuickTime\qttask.exe[1516] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\QuickTime\qttask.exe[1516] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\QuickTime\qttask.exe[1516] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\QuickTime\qttask.exe[1516] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\QuickTime\qttask.exe[1516] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F180F5A
.text C:\Program Files\QuickTime\qttask.exe[1516] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F140F5A
.text C:\Program Files\QuickTime\qttask.exe[1516] GDI32.dll!Escape 77F273B4 6 Bytes JMP 5F100F5A
.text C:\Program Files\Spyware Doctor\swdoctor.exe[1596] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Spyware Doctor\swdoctor.exe[1596] USER32.dll!DispatchMessageA 7E4196B8 6 Bytes JMP 5F040F5A
.text C:\Program Files\Spyware Doctor\swdoctor.exe[1596] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F120F5A
.text C:\Program Files\Spyware Doctor\swdoctor.exe[1596] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F0E0F5A
.text C:\Program Files\Spyware Doctor\swdoctor.exe[1596] GDI32.dll!Escape 77F273B4 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Messenger\msmsgs.exe[1624] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Messenger\msmsgs.exe[1624] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 11, 5F ]
.text C:\Program Files\Messenger\msmsgs.exe[1624] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00EF0000
.text C:\Program Files\Messenger\msmsgs.exe[1624] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00EF0F57
.text C:\Program Files\Messenger\msmsgs.exe[1624] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00EF0F68
.text C:\Program Files\Messenger\msmsgs.exe[1624] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00EF0F83
.text C:\Program Files\Messenger\msmsgs.exe[1624] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00EF0F94
.text C:\Program Files\Messenger\msmsgs.exe[1624] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00EF0FB9
.text C:\Program Files\Messenger\msmsgs.exe[1624] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00EF008C
.text C:\Program Files\Messenger\msmsgs.exe[1624] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00EF0071
.text C:\Program Files\Messenger\msmsgs.exe[1624] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00EF00B8
.text C:\Program Files\Messenger\msmsgs.exe[1624] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00EF0F1F
.text C:\Program Files\Messenger\msmsgs.exe[1624] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00EF00D3
.text C:\Program Files\Messenger\msmsgs.exe[1624] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00EF0040
.text C:\Program Files\Messenger\msmsgs.exe[1624] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00EF0FE5
.text C:\Program Files\Messenger\msmsgs.exe[1624] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00EF0F46
.text C:\Program Files\Messenger\msmsgs.exe[1624] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00EF001B
.text C:\Program Files\Messenger\msmsgs.exe[1624] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00EF0FD4
.text C:\Program Files\Messenger\msmsgs.exe[1624] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00EF00A7
.text C:\Program Files\Messenger\msmsgs.exe[1624] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00EE0F9E
.text C:\Program Files\Messenger\msmsgs.exe[1624] ADVAPI32.dll!RegCreateKeyExW 77DD7535 1 Byte [ E9 ]
.text C:\Program Files\Messenger\msmsgs.exe[1624] ADVAPI32.dll!RegCreateKeyExW + 2 77DD7537 3 Bytes [ 8A, 10, 89 ]
.text C:\Program Files\Messenger\msmsgs.exe[1624] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00EE0FB9
.text C:\Program Files\Messenger\msmsgs.exe[1624] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00EE0FCA
.text C:\Program Files\Messenger\msmsgs.exe[1624] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00EE0F7C
.text C:\Program Files\Messenger\msmsgs.exe[1624] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00EE0F8D
.text C:\Program Files\Messenger\msmsgs.exe[1624] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00EE0FEF
.text C:\Program Files\Messenger\msmsgs.exe[1624] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00EE000A
.text C:\Program Files\Messenger\msmsgs.exe[1624] GDI32.dll!Escape 77F273B4 6 Bytes JMP 5F130F5A
.text C:\Program Files\Messenger\msmsgs.exe[1624] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F1B0F5A
.text C:\Program Files\Messenger\msmsgs.exe[1624] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F170F5A
.text C:\Program Files\Messenger\msmsgs.exe[1624] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00E6000A
.text C:\Program Files\Messenger\msmsgs.exe[1624] WININET.dll!InternetOpenA 771CC859 5 Bytes JMP 00EC0000
.text C:\Program Files\Messenger\msmsgs.exe[1624] WININET.dll!InternetOpenW 771CCE91 5 Bytes JMP 00EC001B
.text C:\Program Files\Messenger\msmsgs.exe[1624] WININET.dll!InternetOpenUrlA 771D06CD 5 Bytes JMP 00EC0FDB
.text C:\Program Files\Messenger\msmsgs.exe[1624] WININET.dll!InternetOpenUrlW 7721A881 5 Bytes JMP 00EC0FC0
.text C:\WINDOWS\SYSTEM32\BCMWLTRY.EXE[1812] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\SYSTEM32\BCMWLTRY.EXE[1812] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\SYSTEM32\BCMWLTRY.EXE[1812] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\SYSTEM32\BCMWLTRY.EXE[1812] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\SYSTEM32\BCMWLTRY.EXE[1812] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\SYSTEM32\BCMWLTRY.EXE[1812] GDI32.dll!Escape 77F273B4 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\SYSTEM32\BCMWLTRY.EXE[1812] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F180F5A
.text C:\WINDOWS\SYSTEM32\BCMWLTRY.EXE[1812] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F140F5A
.text C:\WINDOWS\SYSTEM32\spoolsv.exe[1876] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\SYSTEM32\spoolsv.exe[1876] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\SYSTEM32\spoolsv.exe[1876] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\SYSTEM32\spoolsv.exe[1876] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\SYSTEM32\spoolsv.exe[1876] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\SYSTEM32\spoolsv.exe[1876] GDI32.dll!Escape 77F273B4 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\SYSTEM32\spoolsv.exe[1876] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F180F5A
.text C:\WINDOWS\SYSTEM32\spoolsv.exe[1876] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F140F5A
.text C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe[2016] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe[2016] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe[2016] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe[2016] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe[2016] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe[2016] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F180F5A
.text C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe[2016] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F140F5A
.text C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe[2016] GDI32.dll!Escape 77F273B4 6 Bytes JMP 5F100F5A
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[2076] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[2076] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 11, 5F ]
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[2076] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00260FEF
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[2076] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00260F72
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[2076] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00260F97
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[2076] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00260FA8
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[2076] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00260FC3
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[2076] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00260FD4
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[2076] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 0026009D
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[2076] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00260082
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[2076] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 002600B8
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[2076] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00260F1F
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[2076] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[2076] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00260F04
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[2076] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 0026005B
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[2076] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 0026000A
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[2076] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00260F57
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[2076] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00260036
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[2076] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00260025
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[2076] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00260F30
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[2076] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00350FC0
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[2076] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00350062
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[2076] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 0035001B
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[2076] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 0035000A
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[2076] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00350FAF
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[2076] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00350047
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[2076] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00350FEF
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[2076] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00350036
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[2076] GDI32.dll!Escape 77F273B4 6 Bytes JMP 5F130F5A
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[2076] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F1B0F5A
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[2076] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F170F5A
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[2076] ws2_32.dll!socket 71AB3B91 5 Bytes JMP 052C0000
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[2276] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[2276] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[2276] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[2276] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[2276] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[2276] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F180F5A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[2276] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F140F5A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[2276] GDI32.dll!Escape 77F273B4 6 Bytes JMP 5F100F5A
.text C:\Program Files\McAfee\MPF\MpfSrv.exe[2388] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\McAfee\MPF\MpfSrv.exe[2388] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\McAfee\MPF\MpfSrv.exe[2388] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\McAfee\MPF\MpfSrv.exe[2388] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\McAfee\MPF\MpfSrv.exe[2388] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\McAfee\MPF\MpfSrv.exe[2388] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F180F5A
.text C:\Program Files\McAfee\MPF\MpfSrv.exe[2388] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F140F5A
.text C:\Program Files\McAfee\MPF\MpfSrv.exe[2388] GDI32.dll!Escape 77F273B4 6 Bytes JMP 5F100F5A
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2488] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2488] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 11, 5F ]
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2488] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 005C0000
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2488] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 005C0093
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2488] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 005C0082
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2488] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 005C0067
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2488] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 005C0F9E
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2488] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 005C0FB9
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2488] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 005C00AE
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2488] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 005C0F72
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2488] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 005C0F4B
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2488] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 005C00DA
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2488] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 005C00FF
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2488] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 005C0040
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2488] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 005C0FE5
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2488] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 005C0F83
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2488] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 005C0025
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2488] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 005C0FD4
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2488] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 005C00C9
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2488] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 005B002C
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2488] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 005B0F8A
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2488] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 005B0FDB
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2488] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 005B001B
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2488] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 005B0047
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2488] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 005B0FA5
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2488] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 005B000A
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2488] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 005B0FC0
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2488] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F1B0F5A
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2488] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F170F5A
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2488] GDI32.dll!Escape 77F273B4 6 Bytes JMP 5F130F5A
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2488] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00590FEF
.text C:\Program Files\Spyware Doctor\sdhelp.exe[3060] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Spyware Doctor\sdhelp.exe[3060] user32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0E0F5A
.text C:\Program Files\Spyware Doctor\sdhelp.exe[3060] user32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Spyware Doctor\sdhelp.exe[3060] GDI32.dll!Escape 77F273B4 6 Bytes JMP 5F040F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 11, 5F ]
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00260FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00260089
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00260078
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00260F9E
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 0026005B
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00260025
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 002600CB
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 002600B0
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00260F46
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00260F57
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00260F35
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00260040
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00260FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00260F79
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 0026000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00260FB9
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00260F68
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00340FB2
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00340047
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00340FC3
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00340FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00340036
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00340025
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00340FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00340014
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] GDI32.dll!Escape 77F273B4 6 Bytes JMP 5F130F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 00CCF205 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F1B0F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F170F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 00E5FEBF C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 00E5FE40 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 00E5FE84 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 00E5FDCC C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 00E5FE06 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 00E5FEFA C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 00CF15DA C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] WININET.dll!InternetOpenA 771CC859 5 Bytes JMP 02210FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] WININET.dll!InternetOpenW 771CCE91 5 Bytes JMP 0221000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] WININET.dll!InternetOpenUrlA 771D06CD 5 Bytes JMP 02210025
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] WININET.dll!InternetOpenUrlW 7721A881 5 Bytes JMP 02210FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] ws2_32.dll!socket 71AB3B91 5 Bytes JMP 02740FEF
.text C:\Program Files\Common Files\AOL\1121872257\EE\aolsoftware.exe[3676] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Common Files\AOL\1121872257\EE\aolsoftware.exe[3676] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Common Files\AOL\1121872257\EE\aolsoftware.exe[3676] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\AOL\1121872257\EE\aolsoftware.exe[3676] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\AOL\1121872257\EE\aolsoftware.exe[3676] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\AOL\1121872257\EE\aolsoftware.exe[3676] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\Program Files\Common Files\AOL\1121872257\EE\aolsoftware.exe[3676] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F180F5A
.text C:\Program Files\Common Files\AOL\1121872257\EE\aolsoftware.exe[3676] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F140F5A
.text C:\Program Files\Common Files\AOL\1121872257\EE\aolsoftware.exe[3676] GDI32.dll!Escape 77F273B4 6 Bytes JMP 5F100F5A
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[3900] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[3900] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 11, 5F ]
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[3900] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00260FEF
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[3900] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0026006F
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[3900] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00260F7A
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[3900] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00260F97
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[3900] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00260054
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[3900] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00260FC3
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[3900] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00260F42
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[3900] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00260F53
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[3900] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 002600C0
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[3900] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 0026009B
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[3900] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[3900] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 002600D1
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[3900] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00260FA8
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[3900] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00260014
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[3900] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00260080
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[3900] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00260FDE
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[3900] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 0026002F
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[3900] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00260F27
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[3900] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00370036
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[3900] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00370FAC
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[3900] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00370FE5
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[3900] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00370011
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[3900] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00370073
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[3900] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00370062
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[3900] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00370000
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[3900] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00370047
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[3900] GDI32.dll!Escape 77F273B4 6 Bytes JMP 5F130F5A
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[3900] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F1B0F5A
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[3900] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F170F5A
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[3900] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 08B80FE5
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[3900] WININET.dll!InternetOpenA 771CC859 5 Bytes JMP 069B0000
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[3900] WININET.dll!InternetOpenW 771CCE91 5 Bytes JMP 069B0025
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[3900] WININET.dll!InternetOpenUrlA 771D06CD 5 Bytes JMP 069B0FE5
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[3900] WININET.dll!InternetOpenUrlW 7721A881 5 Bytes JMP 069B0FD4
.text C:\Program Files\America Online 9.0\waol.exe[4124] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\America Online 9.0\waol.exe[4124] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\America Online 9.0\waol.exe[4124] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\America Online 9.0\waol.exe[4124] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\America Online 9.0\waol.exe[4124] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\America Online 9.0\waol.exe[4124] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\Program Files\America Online 9.0\waol.exe[4124] user32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F180F5A
.text C:\Program Files\America Online 9.0\waol.exe[4124] user32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F140F5A
.text C:\Program Files\America Online 9.0\waol.exe[4124] GDI32.dll!Escape 77F273B4 6 Bytes JMP 5F100F5A
.text C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe[5072] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe[5072] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe[5072] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe[5072] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe[5072] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe[5072] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe[5072] GDI32.dll!Escape 77F273B4 6 Bytes JMP 5F100F5A
.text C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe[5072] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F180F5A
.text C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe[5072] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F140F5A
.text C:\DOCUME~1\Windows\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[5752] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\DOCUME~1\Windows\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[5752] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\DOCUME~1\Windows\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[5752] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\DOCUME~1\Windows\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[5752] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\DOCUME~1\Windows\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[5752] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\DOCUME~1\Windows\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[5752] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, 7F, E2 ]
.text C:\DOCUME~1\Windows\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[5752] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F180F5A
.text C:\DOCUME~1\Windows\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[5752] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F140F5A
.text C:\DOCUME~1\Windows\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[5752] GDI32.dll!Escape 77F273B4 6 Bytes JMP 5F100F5A

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE A8573C8A
Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE A85707C8
Device \FileSystem\Fastfat \Fat IRP_MJ_READ A856C60A
Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE A856CAED
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION A8577958
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION A857A821
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA A858338A
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA A8582D49
Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS A857CBBE
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION A857D331
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION A858B4F4
Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL A8573B37
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL A856F948
Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL A857946B
Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN A858A79D
Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL A8589C4A
Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP A85702FD
Device \FileSystem\Fastfat \Fat IRP_MJ_PNP A858A1DB
Device \FileSystem\Fastfat \Fat FastIoCheckIfPossible A85851F9

---- Processes - GMER 1.0.12 ----

Process C:\Program Files\America Online 9.0\waol.exe (*** hidden *** ) 4124

---- EOF - GMER 1.0.12 ----



AUTOSTART


GMER 1.0.12.12244 - http://www.gmer.net
Autostart scan 2007-04-16 15:06:44
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
igfxcui@DLLName = igfxsrvc.dll
WgaLogon@DLLName = WgaLogon.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
AOL ACS /*AOL Connectivity Service*/@ = "C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe"
AOL TopSpeedMonitor /*AOL TopSpeed Monitor*/@ = C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
BAsfIpM /*Broadcom ASF IP monitoring service v6.0.4*/@ = C:\WINDOWS\system32\basfipm.exe
Fax /*Fax*/@ = %systemroot%\system32\fxssvc.exe
McAfee HackerWatch Service /*McAfee HackerWatch Service*/@ = "C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe"
mcmscsvc /*McAfee Services*/@ = C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
McNASvc /*McAfee Network Agent*/@ = "c:\program files\common files\mcafee\mna\mcnasvc.exe"
McODS /*McAfee Scanner*/@ = C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
mcpromgr /*McAfee Protection Manager*/@ = C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
McRedirector /*McAfee Redirector Service*/@ = c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
McShield /*McAfee Real-time Scanner*/@ = C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
McSysmon /*McAfee SystemGuards*/@ = C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
MDM /*Machine Debug Manager*/@ = "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"
MpfService /*McAfee Personal Firewall Service*/@ = "C:\Program Files\McAfee\MPF\MPFSrv.exe"
MSSQL$MSSMLBIZ /*SQL Server (MSSMLBIZ)*/@ = "c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ
NICCONFIGSVC /*NICCONFIGSVC*/@ = C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
SCardSvr /*Smart Card*/@ = %SystemRoot%\System32\SCardSvr.exe
SDhelper /*PC Tools Spyware Doctor*/@ = C:\Program Files\Spyware Doctor\sdhelp.exe
Spooler /*Print Spooler*/@ = %SystemRoot%\system32\spoolsv.exe
SQLBrowser /*SQL Server Browser*/@ = "c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe"
SQLWriter /*SQL Server VSS Writer*/@ = "c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
wltrysvc /*Dell Wireless WLAN Tray Service*/@ = %SystemRoot%\System32\WLTRYSVC.EXE %SystemRoot%\System32\bcmwltry.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@ApointC:\Program Files\Apoint\Apoint.exe = C:\Program Files\Apoint\Apoint.exe
@IgfxTrayC:\WINDOWS\system32\igfxtray.exe = C:\WINDOWS\system32\igfxtray.exe
@HotKeysCmdsC:\WINDOWS\system32\hkcmd.exe = C:\WINDOWS\system32\hkcmd.exe
@Dell QuickSetC:\Program Files\Dell\QuickSet\quickset.exe = C:\Program Files\Dell\QuickSet\quickset.exe
@Dell Wireless Manager UIC:\WINDOWS\system32\WLTRAY = C:\WINDOWS\system32\WLTRAY
@AdaptecDirectCD"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" = "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
@HostManagerC:\Program Files\Common Files\AOL\1121872257\ee\AOLSoftware.exe = C:\Program Files\Common Files\AOL\1121872257\ee\AOLSoftware.exe
@AOLDialerC:\Program Files\Common Files\AOL\ACS\AOLDial.exe = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
@KernelFaultCheck%systemroot%\system32\dumprep 0 -k = %systemroot%\system32\dumprep 0 -k
@Share-to-Web Namespace Daemonc:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe = c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
@QuickTime Task"C:\Program Files\QuickTime\qttask.exe" -atboottime = "C:\Program Files\QuickTime\qttask.exe" -atboottime
@Logitech Hardware Abstraction LayerKHALMNPR.EXE = KHALMNPR.EXE
@SunJavaUpdateSched"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" = "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@Spyware Doctor"C:\Program Files\Spyware Doctor\swdoctor.exe" /Q = "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
@MSMSGS"C:\Program Files\Messenger\msmsgs.exe" /background = "C:\Program Files\Messenger\msmsgs.exe" /background
@H/PC Connection Agent"C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" = "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
@AOL Fast Start"C:\Program Files\America Online 9.0\AOL.EXE" -b = "C:\Program Files\America Online 9.0\AOL.EXE" -b

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad@WPDShServiceObj = C:\WINDOWS\system32\WPDShServiceObj.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\system32\extmgr.dll = C:\WINDOWS\system32\extmgr.dll
@{5E44E225-A408-11CF-B581-008029601108} /*Adaptec DirectCD Shell Extension*/C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll = C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\OFFICE11\msohev.dll = C:\Program Files\Microsoft Office\OFFICE11\msohev.dll
@{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} /*Adobe.Acrobat.ContextMenu*/C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll = C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Program Files\Real\RealPlayer\rpshell.dll = C:\Program Files\Real\RealPlayer\rpshell.dll
@{A4DF5659-0801-4A60-9607-1C48695EFDA9} /*Share-to-Web Upload Folder*/c:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL = c:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{35786D3C-B075-49b9-88DD-029876E11C01} /*Portable Devices*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8} /*Portable Devices Menu*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{49BF5420-FA7F-11cf-8011-00A0C90A8F78} /*Mobile Device*/C:\PROGRA~1\MI3AA1~1\Wcesview.dll = C:\PROGRA~1\MI3AA1~1\Wcesview.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
Adobe.Acrobat.ContextMenu@{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll
MCVSRIGHTCLICKSCANNER@{162EFDC5-2957-465D-887B-590AF4A7E84D} = c:\PROGRA~1\mcafee\VIRUSS~1\mcodsax.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\MCVSRIGHTCLICKSCANNER@{162EFDC5-2957-465D-887B-590AF4A7E84D} = c:\PROGRA~1\mcafee\VIRUSS~1\mcodsax.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
@{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll = C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll = C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
@{7DB2D5A0-7241-4E79-B68D-6309F01C5231}c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll = c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
@{AE7CD045-E861-484f-8273-0445EE161910}C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
@{B56A7D7D-6927-48C8-A975-17DF180C71AC}C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll = C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\system32\LOGON.SCR

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft....k/?LinkId=69157
@Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft....k/?LinkId=69157
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.dell.com = http://www.dell.com
@Start Pagehttp://www.msn.com/ = http://www.msn.com/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
ms-itss@CLSID = C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
mso-offdap@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\system32\wiascr.dll

C:\Documents and Settings\Windows\Start Menu\Programs\Startup = DESKTOP.INI

C:\Documents and Settings\All Users\Start Menu\Programs\Startup >>>
Acrobat Assistant.lnk = Acrobat Assistant.lnk
DESKTOP.INI = DESKTOP.INI
Digital Line Detect.lnk = Digital Line Detect.lnk
Logitech SetPoint.lnk = Logitech SetPoint.lnk

---- EOF - GMER 1.0.12 ----
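Reading the user-mode hook lines above by hand across seven processes is slow, and the questions a helper wants answered are always the same: which processes are hooked, which JMP targets recur across processes (one hooking component rather than per-process tampering), which JMP targets GMER did not attribute to a loaded module, and which processes GMER reports as hidden. The script below is an added example for this thread, not part of GMER or of the original post; its regular expressions are this example's own reading of the line shapes in the log above, not a documented GMER grammar, and the sample input is a constructed string made from a few lines copied from that log so the script runs offline.

```python
"""Triage helper for the user-mode hook lines in a GMER 1.0.12 log.
Added example for this thread, not part of GMER or the original post: parses
".text <image>[pid] module!function addr N Bytes ..." and
"Process ... (*** hidden *** )" lines and summarises them per process."""
import re
import sys
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a few lines copied from the log above so this runs offline.
SAMPLE_LOG = r"""
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00260F68
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 00CCF205 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3588] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F1B0F5A
.text C:\Program Files\America Online 9.0\waol.exe[4124] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\America Online 9.0\waol.exe[4124] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\America Online 9.0\waol.exe[4124] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe[5072] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
Process C:\Program Files\America Online 9.0\waol.exe (*** hidden *** ) 4124
"""

# Assumed line shapes (this example's reading of the log, not a GMER spec).
HOOK_RE = re.compile(
    r"^\.text (?P<image>.+?)\[(?P<pid>\d+)\] "          # image path and PID
    r"(?P<module>[^!\s]+)!(?P<func>.+?) "                # module!function (+ offset)
    r"(?P<addr>[0-9A-Fa-f]{8}) (?P<size>\d+) Bytes (?P<detail>.*)$"
)
JMP_RE = re.compile(r"^JMP (?P<target>[0-9A-Fa-f]{8})(?: (?P<owner>.+))?$")
HIDDEN_RE = re.compile(r"^Process (?P<image>.+?) \(\*\*\* hidden \*\*\* \) (?P<pid>\d+)$")

@dataclass
class Hook:
    image: str
    pid: int
    api: str            # e.g. "kernel32.dll!LoadLibraryExW"
    addr: int           # address of the modified code
    size: int           # bytes GMER reports as modified
    kind: str           # "jmp" (detour), "patch" (raw bytes) or "other"
    target: str = ""    # JMP destination as printed (hex), "" if not a JMP
    owner: str = ""     # module GMER printed after the target, "" if none
    patch: bytes = b""  # raw bytes for "patch" entries

def parse_gmer(text):
    """Return (hooks, hidden_processes); lines of any other shape are ignored."""
    hooks, hidden = [], []
    for line in text.splitlines():
        line = line.rstrip()
        m = HOOK_RE.match(line)
        if m:
            detail = m["detail"]
            h = Hook(m["image"], int(m["pid"]), f'{m["module"]}!{m["func"]}',
                     int(m["addr"], 16), int(m["size"]), "other")
            j = JMP_RE.match(detail)
            if j:
                h.kind, h.target, h.owner = "jmp", j["target"].upper(), j["owner"] or ""
            elif detail.startswith("["):
                # "[ FF, 25, 1E ]": bytes now at the function entry. FF 25 is x86
                # "jmp dword ptr [addr]"; GMER lists it as two entries (offset 0, "+ 4").
                h.kind = "patch"
                h.patch = bytes(int(b, 16) for b in re.findall(r"[0-9A-Fa-f]{2}", detail))
            hooks.append(h)
            continue
        m = HIDDEN_RE.match(line)
        if m:
            hidden.append((m["image"], int(m["pid"])))
    return hooks, hidden

def hooks_by_process(hooks):
    """(image, pid) -> sorted hooked APIs, to see who is hooked and how widely."""
    out = defaultdict(list)
    for h in hooks:
        out[(h.image, h.pid)].append(h.api)
    return {k: sorted(v) for k, v in out.items()}

def shared_targets(hooks):
    """JMP targets reached from more than one process: one hooking component
    loaded into all of them (a security product's DLL or a user-mode rootkit),
    so identifying that module comes before reviewing each process."""
    seen = defaultdict(set)
    for h in hooks:
        if h.kind == "jmp":
            seen[h.target].add((h.image, h.pid))
    return {t: sorted(p) for t, p in seen.items() if len(p) > 1}

def unattributed_jmps(hooks):
    """JMP hooks with no module path after the target. Assumption: GMER names the
    owning module when it can map the target to a loaded image, so entries
    without one cannot be vouched for by file name from the log alone."""
    return [h for h in hooks if h.kind == "jmp" and not h.owner]

def report(text):
    hooks, hidden = parse_gmer(text)
    lines = [f"{img}[{pid}]: {len(apis)} hooked API(s)"
             for (img, pid), apis in sorted(hooks_by_process(hooks).items())]
    lines += [f"target {t} shared by {len(p)} processes" for t, p in sorted(shared_targets(hooks).items())]
    lines.append(f"{len(unattributed_jmps(hooks))} JMP hook(s) without an owning module")
    lines += [f"HIDDEN process: {img} (pid {pid})" for img, pid in hidden]
    return lines

if __name__ == "__main__":
    # Pass a saved GMER log as the first argument; otherwise the sample is used.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(report(text)))
```

Run against the full saved log, the same functions show the pattern visible above: the `5F..0F5A` targets recur in every listed process while the `0026....`/`0034....` targets are per-process, and waol.exe is the one process flagged hidden, which is the item a helper would ask about first.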

#8 Noviciate


    Retired WTT Teacher

  • Visiting Fellow
  • 2,907 posts

Posted 16 April 2007 - 03:16 PM

You will need to make a copy of these instructions because you have to disconnect from the internet to complete the fix. Either print them out or copy and paste them into Notepad.

Preparation

1) Download the trial version of AVG Anti-Spyware from here and save it to your Desktop.
If you already have this program installed, skip to Updating AVG Anti-Spyware: below.

* Please note that this program was formerly known as Ewido anti-spyware 4.0. Taken from the Ewido website:

ewido anti-spyware 4.0 will now continue under the new product name AVG Anti-Spyware 7.5. AVG Anti-Spyware 7.5 contains the same ewido technology, but with some further enhanced features:

Highly improved cleaning
Lower resource usage
Additional languages supported

All current licenses for ewido anti-spyware 4.0 will continue to be valid, and users can change over to the new AVG Anti-Spyware 7.5 for free.

Double click the avgas-setup file to begin installation and follow the prompts.
When the program has been installed, and you click the Finish button, AVG A-S will open.
  • Updating AVG Anti-Spyware:

    By default AVG A-S is configured to update automatically so, if you have an active internet connection, it should do so following installation. If you are unsure whether or not it has done so, do the following:
  • Click the Update icon at the top and under "Manual Update" - click the Start update button.
  • Either AVG A-S will update or inform you that no update was available.
  • If you cannot access the internet with the infected PC, or you are having problems updating, you can download the signatures file from here.
    Once you have installed AVG A-S, double click avgas-signatures-full-current.exe to update it.

    Disabling the Resident Shield:
  • By default the Resident Shield is active but as it may interfere with the process of cleaning your PC, it will need to be disabled.
    (When the PC has been cleaned you can activate the shield again, if you wish.)
  • Click the Shield icon at the top and under "Resident shield is..." - click active.
  • This should now change to inactive.

    Changing Recommended Actions
  • Click the Scanner icon at the top and then click the Settings Tab.
  • Under "How to act?" click Recommended actions and select "Quarantine" from the menu.
You can now close AVG A-S.

AVG A-S is designed to be used to both scan for and remove malicious files and also to run in real-time alongside, but not replace, your existing anti-virus program to give an added layer of protection.
Both the Resident Shield and Automatic Updates will only be available for the thirty-day trial period; after that, AVG A-S will revert to a stand-alone scanner which you can keep, manually update for free and use in a similar way to Ad-Aware SE Personal, Spybot S&D etc.
Should you wish to benefit from the real-time protection, you will need to upgrade the program. To do this, simply open it and click on the Buy now button.


2) You will need to set Windows to show All Hidden Files and Folders.
Instructions can be found here.
** These files are hidden to stop you accidentally removing something important.
It is advisable to hide them again after fixing your computer. **

3) Log off from the internet and disconnect your modem cable for the duration of the fix.

Removal

1) Boot into Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Log in on your usual account.
2) Navigate to the C:\Windows\Temp folder and delete all the files that you find there.
Do this for all Usernames.

3) Navigate to C:\Documents and Settings\Username\Local Settings\Temp and delete all the files that you find there.
Do this for all Usernames.

4) Go to Start > Control Panel > Internet Options.

For I.E. 6 - under Temporary Internet files, click on Delete Files...
Check the box to the left of 'Delete all offline content' and then click on OK.

For I.E. 7 - under Browsing History, click Delete...
Under Temporary Internet Files, click Delete files...

5) Ensure that ALL open Windows / Programs / Folders are closed and then run AVG A-S.
  • If it is not already selected, click the Scanner icon at the top and then select the Scan Tab.
  • Click "Complete System Scan"
  • While the scan is in progress the PC should be left otherwise idle - so if you fancy a cuppa, now's the time to put the kettle on!
  • When the scan has completed, any threats that AVG A-S has detected will be displayed.
  • Click the Apply all actions button at the bottom.
  • When AVG A-S has finished, it will display the message "All actions have been applied".

    Saving a report:
  • Click the Save Report button at the bottom left and the "Reports" window will open.
  • The content of the scan report will be displayed in the right hand pane and a copy will be automatically saved as Report-Scan-date-time.txt into the C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports folder.
  • You will need to post a copy of this report into your next reply, so if it is more convenient, you can save another copy of this report elsewhere:
    Click the Save report as button and select a destination by clicking the down arrow to the right of the Save in: text box and then click Save.
Close AVG A-S.

6) Boot into Normal Mode.

Post a new HJT log (run in Normal Mode), the AVG A-S log AND a description of how your PC is running.
I'd also like to know when the pop-ups occur - online, offline, how often, anything that might help.
Death to the salad eaters!

#9 bellemov (Authentic Member, 28 posts)

Posted 17 April 2007 - 06:10 PM

I haven't seen an ameana pop-up since my initial post. But I have seen many, many hourglasses. Things are running so slowly it can take 10-15 seconds to close a file or open one. I'm wondering if it isn't AOL related. Some of my AOL windows are in Spanish even after repeatedly changing it to English.


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:37:50 PM 4/17/2007

+ Scan result:



C:\Documents and Settings\Windows\Cookies\windows@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Windows\Cookies\windows@revsci[1].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Windows\Cookies\windows@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.


::Report end

Logfile of HijackThis v1.99.1
Scan saved at 7:49:36 PM, on 4/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\AOL\1121872257\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Apoint\Apntex.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\AOL\1121872257\ee\aolsoftware.exe
C:\TJH110606\seek.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1121872257\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.learninglibrary.com
O15 - Trusted Zone: *.rapmls.com
O15 - Trusted Zone: http://*.rapmls.com
O15 - Trusted Zone: *.betaweb.suprakim.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} (PowerTeam HTML Printing Behavior) - file://C:\DOCUME~1\Windows\LOCALS~1\Temp\IXP000.TMP\setup.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1145217443890
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {7D30109B-DD2B-4339-BE80-1CD48723C2BC} (LiveX(v6.0.1.0)) - http://bowwow4.serve...om/cab/Live.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9EF34803-43A8-487A-BC9E-C23FACCDBDBE} (PDFConvert.Converter) - http://rapprinter.ra...Creator_001.exe
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60...geWell-ipix.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
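
As an added example (not part of this thread, and not HijackThis code), here is a small Python triage pass over a log in the v1.99.1 layout posted above. The sample log is constructed, the paths containing EXAMPLE are placeholders, and the flags are review hints of the kind a helper checks first, not malware verdicts.

```python
import re
from dataclasses import dataclass
# Constructed HijackThis-style excerpt mirroring the v1.99.1 layout posted in this
# thread. Paths containing EXAMPLE are placeholders, not real programs.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\EXAMPLE\unknown.exe

O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\EXAMPLE\helper.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Updater] C:\DOCUME~1\User\LOCALS~1\Temp\upd.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: Example Guard - Example Vendor - C:\Program Files\EXAMPLE\guard.exe
"""
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
# Where installed software normally lives on an XP machine (lower-cased for comparison).
STANDARD_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
@dataclass
class Finding:
    where: str   # "process" or the HJT section code (O4, O9, O23, ...)
    item: str    # the raw log line
    reason: str  # why a helper would look twice; a review hint, not a verdict

def parse_log(text):
    """Split a HijackThis log into its running-process list and its Rx/Oxx entries."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_procs = True
        elif not line:
            in_procs = False
        elif in_procs:
            processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append((m.group("code"), m.group("body")))
    return processes, entries

def triage(text):
    """Flag processes outside the usual install roots, orphaned entries, and Temp-folder launches."""
    processes, entries = parse_log(text)
    findings = []
    for proc in processes:
        if not proc.lower().startswith(STANDARD_ROOTS):
            findings.append(Finding("process", proc, "runs from outside Windows/Program Files"))
    for code, body in entries:
        low = body.lower()
        if "(file missing)" in low:
            findings.append(Finding(code, body, "points at a file that no longer exists"))
        if "\\temp\\" in low:
            findings.append(Finding(code, body, "launches or loads from a Temp folder"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.where}] {f.reason}: {f.item}")
```

Run against the sample it reports the unknown process, the Temp-folder O4 entry and the orphaned O9 entry; everything else is left for the helper's own judgement.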

#10 Noviciate (Retired WTT Teacher, Visiting Fellow, 2,907 posts)

Posted 18 April 2007 - 01:24 PM

Things look OK, so I'd be inclined to work on the principle that it isn't a malware issue at the moment.

Run HijackThis as you did to generate a log, but this time click on 'Do a system scan only'.
Place a checkmark in the boxes to the left of the following entries, by clicking on them:

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HJT and click on Fix checked


The following steps will serve as a spring clean for your PC. Not all of them will be of benefit to your PC as this is a general post, but the overall effect should be positive.

1) Go to Start > Control Panel > Add/Remove Programs and remove any programs that you no longer use and then reboot your PC.

2) Download ATF Cleaner by Atribune from here and save it to your Desktop.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:
  • Windows Temp
  • Current User Temp
  • All Users Temp
  • Temporary Internet Files
  • Java Cache

The rest are optional - if you want to remove the lot, check "Select All".
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

When you have finished, click on the Exit button in the Main menu.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please Note: This program is for Windows XP and Windows 2000 only.

3) Double click My Computer.
Right click the disc drive you wish to check.
Click Properties.
In the Properties dialog box, click the Tools Tab.
Under Error-checking, click the Check Now button.
In the "Check Disc Local Disk (C:)" dialog box, check both Automatically fix file system errors and Scan for and attempt recovery of bad sectors, and then click Start.

This will look for and attempt to repair any errors that your hard drive has.

4) Go to Start > Run, enter sfc /scannow ( note the space between the "c" and "/" ) and click on OK.

This will look for and attempt to replace any corrupt system files that can be found. There are backups of some of these files on your PC and Windows will check for a copy here first. If you are prompted to insert your Windows XP disc, do so. If you don't have this disc and are asked for it, you will have to cancel at this point.

For details on the System File Checker, click here.

5) Defragment your hard drive. A tutorial for disc defragmentation is available here.

6) Download and run StartUp Inspector.
This program will help you to decide exactly what programs you disable from running at startup.
The Readme.txt file included has instructions on how to use it.

If you don't intend to use the AVG A-S Resident Guard, do the following:
  • Go to Start > Run, enter services.msc and hit OK.
  • Locate and right click AVG Anti-Spyware Guard
  • Select Properties from the menu.
  • Under the General Tab, change the Service status: to Stopped and then the Startup type: to Disabled.
You don't need to have this service running if you aren't using the guard.
Once the trial period has expired, you will need to do this unless you upgrade as well.

Let me know if this helps.
Death to the salad eaters!
