
Solved Is my laptop malware/spyware free? Running extremely slow.

Discussion in 'Malware and Virus Removal Archive' started by damavand00, 2010/01/05.

  1. 2010/01/05
    damavand00 Inactive Thread Starter
    [Resolved] Is my laptop malware/spyware free? Running extremely slow.

    Hi and thank you in advance for your support.
    I have two laptops. One of them was infected with malware/spyware a while back, which was fixed here. The second laptop is extremely slow and showing the same signs.
    Can somebody check the logs and see if it is infected? The requested log files are as follows:



    DDS (Ver_09-12-01.01) - NTFSx86
    Run by ray at 9:55:12.71 on Tue 01/05/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.133 [GMT -5:00]

    AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    svchost.exe
    svchost.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\dlcccoms.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\CyberDefender\Registry Cleaner\CDregclean.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
    C:\WINDOWS\ehome\ehshell.exe
    C:\Documents and Settings\ray\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://yahoo.com/
    uInternet Settings,ProxyOverride = *.local
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
    uRun: [CyberDefender Registry Cleaner] c:\program files\cyberdefender\registry cleaner\CDregclean.exe
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [IntelZeroConfig] c:\program files\intel\wireless\bin\ZCfgSvc.exe
    mRun: [<NO NAME>]
    mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
    mRun: [ShowLOMControl] 1 (0x1)
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRun: [CyberDefender Registry Cleaner]
    IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1251310152406
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    Notify: igfxcui - igfxdev.dll
    Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\ray\applic~1\mozilla\firefox\profiles\0lkcvkqu.default\
    FF - prefs.js: browser.startup.homepage - yahoo.com
    FF - plugin: c:\documents and settings\ray\local settings\application data\yahoo!\browserplus\2.4.17\plugins\npybrowserplus_2.4.17.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPUploader.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl3.rsa_seed_sha ", true);

    ============= SERVICES / DRIVERS ===============

    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-8 214664]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-15 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 74480]
    R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-10-3 359952]
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-10-3 144704]
    R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-10-3 606736]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-10-3 79816]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-10-3 35272]
    R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-10-3 34248]
    R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-10-3 40552]
    R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 7408]

    =============== Created Last 30 ================


    ==================== Find3M ====================

    2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
    2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
    2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
    2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
    2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
    2006-05-29 17:59:50 251 -c--a-w- c:\program files\wt3d.ini
    2004-04-14 14:36:00 35564644 -c--a-w- c:\program files\SAV CE Americas Home Client 8.11.323.exe

    ============= FINISH: 9:57:10.42 ===============

    *******************************************************


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-12-01.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 8/26/2009 11:07:34 AM
    System Uptime: 1/5/2010 6:51:51 AM (3 hours ago)

    Motherboard: Dell Inc. | | 0HC416
    Processor: Intel(R) Pentium(R) M processor 1.73GHz | Microprocessor | 1729/133mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 68 GiB total, 40.407 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Ethernet Controller
    Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01B51028&REV_02\4&2FA23535&0&00F0
    Manufacturer:
    Name: Ethernet Controller
    PNP Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01B51028&REV_02\4&2FA23535&0&00F0
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Base System Device
    Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_01B51028&REV_01\4&2FA23535&0&0AF0
    Manufacturer:
    Name: Base System Device
    PNP Device ID: PCI\VEN_1180&DEV_0843&SUBSYS_01B51028&REV_01\4&2FA23535&0&0AF0
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Base System Device
    Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_01B51028&REV_0A\4&2FA23535&0&0BF0
    Manufacturer:
    Name: Base System Device
    PNP Device ID: PCI\VEN_1180&DEV_0592&SUBSYS_01B51028&REV_0A\4&2FA23535&0&0BF0
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Base System Device
    Device ID: PCI\VEN_1180&DEV_0852&SUBSYS_01B51028&REV_05\4&2FA23535&0&0CF0
    Manufacturer:
    Name: Base System Device
    PNP Device ID: PCI\VEN_1180&DEV_0852&SUBSYS_01B51028&REV_05\4&2FA23535&0&0CF0
    Service:

    ==== System Restore Points ===================

    RP37: 10/8/2009 8:42:33 AM - System Checkpoint
    RP38: 10/10/2009 1:11:13 PM - System Checkpoint
    RP39: 10/11/2009 10:06:17 AM - Installed SUPERAntiSpyware Free Edition
    RP40: 10/11/2009 1:00:18 PM - Software Distribution Service 3.0
    RP41: 10/14/2009 7:55:22 AM - System Checkpoint
    RP42: 10/14/2009 8:45:06 AM - Software Distribution Service 3.0
    RP43: 10/14/2009 9:36:51 AM - Installed Windows XP KB958644.
    RP44: 10/14/2009 9:49:19 AM - Software Distribution Service 3.0
    RP45: 10/15/2009 11:34:25 AM - System Checkpoint
    RP46: 10/18/2009 4:58:12 PM - Software Distribution Service 3.0
    RP47: 10/27/2009 11:15:39 AM - System Checkpoint
    RP48: 11/1/2009 2:13:46 PM - Software Distribution Service 3.0
    RP49: 11/12/2009 11:35:43 AM - Software Distribution Service 3.0
    RP50: 11/16/2009 11:53:47 AM - Software Distribution Service 3.0
    RP51: 11/20/2009 12:13:23 PM - System Checkpoint
    RP52: 11/23/2009 3:22:50 PM - System Checkpoint
    RP53: 12/13/2009 9:13:32 AM - System Checkpoint
    RP54: 12/14/2009 2:36:02 PM - Software Distribution Service 3.0
    RP55: 12/22/2009 5:30:27 PM - System Checkpoint
    RP56: 12/23/2009 5:45:41 PM - System Checkpoint
    RP57: 12/28/2009 6:50:17 PM - System Checkpoint
    RP58: 1/4/2010 1:19:34 PM - System Checkpoint

    ==== Installed Programs ======================

    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Bonjour
    CyberDefender Registry Cleaner
    Dell ResourceCD
    GemMaster Mystic
    High Definition Audio Driver Package - KB835221
    Hotfix for Windows Media Player 10 (KB903157)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Intel(R) Graphics Media Accelerator Driver for Mobile
    Intel(R) PROSet/Wireless Software
    Internal Network Card Power Management
    iTunes
    Malwarebytes' Anti-Malware
    McAfee SecurityCenter
    mCore
    mDriver
    mDrWiFi
    mHlpDell
    Microsoft .NET Framework 1.0 Hotfix (KB953295)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    mIWA
    mIWCA
    mLogView
    mMHouse
    Mozilla Firefox (3.5.6)
    mPfMgr
    mPfWiz
    mProSafe
    mSSO
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    mToolkit
    mWlsSafe
    mXML
    mZConfig
    Nero OEM
    NeroVision Express 2
    Otto
    PokerStars
    QuickSet
    QuickTime
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    SigmaTel Audio
    Sonic Encoders
    Spybot - Search & Destroy
    SUPERAntiSpyware Free Edition
    Update for Windows Internet Explorer 8 (KB973874)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Media Player 10 (KB913800)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update Rollup 2 for Windows XP Media Center Edition 2005
    WebFldrs XP
    WinAVI Video Converter
    Windows Internet Explorer 8
    Windows Media Format Runtime
    Windows XP Media Center Edition 2005 KB908250
    Windows XP Media Center Edition 2005 KB973768
    Windows XP Service Pack 3
    Yahoo! BrowserPlus
    Yahoo! Messenger
    Yahoo! Software Update
    Yahoo! Toolbar

    ==== End Of File ===========================
     
  2. 2010/01/05
    broni Moderator Malware Analyst
    How much RAM do you have?

    I strongly recommend you uninstall CyberDefender Registry Cleaner. Using any registry cleaner is asking for trouble.

    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure you update SUPERAntiSpyware and Malwarebytes before running the scans.***

    STEP 1. Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

    PHYSICALLY DISCONNECT FROM THE INTERNET

    Restart computer in Safe Mode.
    To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen.

    * Open SUPERAntiSpyware.
    * Click Scan your Computer... button.
    * Click Scanning Preferences/Control Center... button.
    * Under the General and Startup tab, make sure the Start SUPERAntiSpyware when Windows starts option is UN-checked.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Terminate memory threats before quarantining.
    * Click the Close button to leave the control center screen.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
    * Make sure everything has a checkmark next to it and click Next.
    * A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
    * If asked if you want to reboot, click Yes.
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
    * Click Close to exit the program.
    Post SUPERAntiSpyware log.

    RECONNECT TO THE INTERNET

    RESTART COMPUTER!

    STEP 2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 3. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double-click on the downloaded .exe file, select the Rootkit tab and click the Scan button.
    When the scan is complete, click the Save button and save the results as gmer.log
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log in your next reply.

    RESTART COMPUTER

    STEP 4. Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Installer under Version 2.0.2
    [DO NOT download version 2.0.3 (beta)]
    Install, and run it.
    Post HijackThis log.
    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     


  4. 2010/01/08
    damavand00 Inactive Thread Starter
    Hi Broni and thanks again for your help.
    Sorry about the delay; it took me a while to collect all the logs.

    Laptop has 500MB of RAM

    I have collected all logs. However, I had a problem with SUPERAntiSpyware. It ran and found 8 items, which I deleted, but it did not create a log file for that scan. There was only one log file, dating back to 10/11/2009, which I am posting here. Not sure if it is useful:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 10/11/2009 at 11:14 AM

    Application Version : 4.29.1002

    Core Rules Database Version : 4158
    Trace Rules Database Version: 2085

    Scan type : Complete Scan
    Total Scan Time : 01:04:41

    Memory items scanned : 499
    Memory threats detected : 0
    Registry items scanned : 4258
    Registry threats detected : 0
    File items scanned : 20615
    File threats detected : 333

    Adware.Tracking Cookie
    .insightexpressai.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .insightexpressai.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .insightexpressai.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .insightexpressai.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .insightexpressai.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .insightexpressai.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .insightexpressai.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .insightexpressai.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .insightexpressai.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .insightexpressai.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .insightexpressai.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .insightexpressai.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .insightexpressai.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .insightexpressai.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .indexstats.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .tribalfusion.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .advertising.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .advertising.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .advertising.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .advertising.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .advertising.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .advertising.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .247realmedia.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .247realmedia.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .247realmedia.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .247realmedia.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .247realmedia.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .247realmedia.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .c7.zedo.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .zedo.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .zedo.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .zedo.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .zedo.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .zedo.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .zedo.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .oasn04.247realmedia.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .richmedia.yahoo.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .content.yieldmanager.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .media6degrees.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .trafficmp.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .media6degrees.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .media6degrees.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .media6degrees.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .trafficmp.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .trafficmp.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .trafficmp.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .trafficmp.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .ads.pointroll.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .ads.pointroll.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .ads.pointroll.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .ads.pointroll.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .ads.pointroll.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .ads.pointroll.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .ads.pointroll.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .ads.pointroll.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .ads.pointroll.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .collective-media.net [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .realmedia.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .realmedia.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .realmedia.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .realmedia.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .realmedia.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .tacoda.net [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .tacoda.net [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .tacoda.net [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .serving-sys.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .serving-sys.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .bs.serving-sys.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .serving-sys.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .serving-sys.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .serving-sys.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .serving-sys.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .2o7.net [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .2o7.net [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .2o7.net [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .interclick.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .interclick.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .a1.interclick.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .a1.interclick.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .a1.interclick.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .a1.interclick.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    stats.townnews.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    stats.townnews.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    stats.townnews.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    ads2.weblogssl.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .tns-counter.ru [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .vortexmediagroup.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .adopt.euroclick.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .adserver.adtechus.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .adinterax.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .adinterax.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .burstnet.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .revsci.net [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .revsci.net [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .revsci.net [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .revsci.net [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .kelleybluebook.112.2o7.net [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .atwola.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .at.atwola.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .adopt.specificclick.net [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .msnportal.112.2o7.net [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    rotator.adjuggler.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    rotator.adjuggler.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .overture.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .overture.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .tracking.realtor.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .homestore.122.2o7.net [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .maxis.112.2o7.net [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .edge.ru4.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .apmebf.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .adtech.de [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    data.coremetrics.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .petfinder.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .petfinder.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .petfinder.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .petfinder.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    sales.liveperson.net [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    sales.liveperson.net [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .socialmedia.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .iacas.adbureau.net [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .iacas.adbureau.net [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .iacas.adbureau.net [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .iacas.adbureau.net [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .iacas.adbureau.net [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .kontera.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .kontera.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    .bluestreak.com [ C:\Documents and Settings\Reza\Application Data\Mozilla\Firefox\Profiles\w3a7dpun.default\cookies.txt ]
    C:\Documents and Settings\Reza\Cookies\reza@sales.liveperson[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@content.yieldmanager[1].txt
    C:\Documents and Settings\Reza\Cookies\reza@sales.liveperson[3].txt
    C:\Documents and Settings\Reza\Cookies\reza@atdmt[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@atdmt[3].txt
    C:\Documents and Settings\Reza\Cookies\reza@2o7[5].txt
    C:\Documents and Settings\Reza\Cookies\reza@atdmt[5].txt
    C:\Documents and Settings\Reza\Cookies\reza@atdmt[4].txt
    C:\Documents and Settings\Reza\Cookies\reza@a1.interclick[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@apmebf[3].txt
    C:\Documents and Settings\Reza\Cookies\reza@apmebf[4].txt
    C:\Documents and Settings\Reza\Cookies\reza@mediaplex[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@questionmarket[3].txt
    C:\Documents and Settings\Reza\Cookies\reza@atwola[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@bluestreak[4].txt
    C:\Documents and Settings\Reza\Cookies\reza@insightexpressai[1].txt
    C:\Documents and Settings\Reza\Cookies\reza@bluestreak[1].txt
    C:\Documents and Settings\Reza\Cookies\reza@insightexpressai[3].txt
    C:\Documents and Settings\Reza\Cookies\reza@ad.yieldmanager[1].txt
    C:\Documents and Settings\Reza\Cookies\reza@specificclick[3].txt
    C:\Documents and Settings\Reza\Cookies\reza@specificclick[1].txt
    C:\Documents and Settings\Reza\Cookies\reza@adopt.specificclick[3].txt
    C:\Documents and Settings\Reza\Cookies\reza@adopt.specificclick[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@anad.tacoda[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@ads.bridgetrack[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@realmedia[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@dynamic.media.adrevolver[1].txt
    C:\Documents and Settings\Reza\Cookies\reza@ad.yieldmanager[5].txt
    C:\Documents and Settings\Reza\Cookies\reza@ad.yieldmanager[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@ad.yieldmanager[3].txt
    C:\Documents and Settings\Reza\Cookies\reza@statse.webtrendslive[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@adserver.adtechus[1].txt
    C:\Documents and Settings\Reza\Cookies\reza@dynamic.media.adrevolver[4].txt
    C:\Documents and Settings\Reza\Cookies\reza@ads.as4x.tmcs[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@trafficmp[1].txt
    C:\Documents and Settings\Reza\Cookies\reza@msnportal.112.2o7[1].txt
    C:\Documents and Settings\Reza\Cookies\reza@msnportal.112.2o7[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@stat.youku[1].txt
    C:\Documents and Settings\Reza\Cookies\reza@dynamic.media.adrevolver[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@dynamic.media.adrevolver[3].txt
    C:\Documents and Settings\Reza\Cookies\reza@casalemedia[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@fastclick[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@edge.ru4[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@ads.pointroll[3].txt
    C:\Documents and Settings\Reza\Cookies\reza@ads.pointroll[1].txt
    C:\Documents and Settings\Reza\Cookies\reza@media.adrevolver[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@trafficmp[3].txt
    C:\Documents and Settings\Reza\Cookies\reza@trafficmp[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@media.adrevolver[3].txt
    C:\Documents and Settings\Reza\Cookies\reza@ads.pointroll[4].txt
    C:\Documents and Settings\Reza\Cookies\reza@media.adrevolver[1].txt
    C:\Documents and Settings\Reza\Cookies\reza@overture[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@adrevolver[1].txt
    C:\Documents and Settings\Reza\Cookies\reza@tribalfusion[1].txt
    C:\Documents and Settings\Reza\Cookies\reza@collective-media[1].txt
    C:\Documents and Settings\Reza\Cookies\reza@tacoda[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@specificmedia[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@adrevolver[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@richmedia.yahoo[3].txt
    C:\Documents and Settings\Reza\Cookies\reza@richmedia.yahoo[1].txt
    C:\Documents and Settings\Reza\Cookies\reza@adopt.euroclick[3].txt
    C:\Documents and Settings\Reza\Cookies\reza@adrevolver[3].txt
    C:\Documents and Settings\Reza\Cookies\reza@revsci[1].txt
    C:\Documents and Settings\Reza\Cookies\reza@burstnet[3].txt
    C:\Documents and Settings\Reza\Cookies\reza@advertising[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@data.coremetrics[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@burstnet[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@ads.shutterfly[1].txt
    C:\Documents and Settings\Reza\Cookies\reza@imrworldwide[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@adinterax[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@ads.cnn[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@ads.cnn[1].txt
    C:\Documents and Settings\Reza\Cookies\reza@advertising[4].txt
    C:\Documents and Settings\Reza\Cookies\reza@2o7[1].txt
    C:\Documents and Settings\Reza\Cookies\reza@advertising[1].txt
    C:\Documents and Settings\Reza\Cookies\reza@lstat.youku[1].txt
    C:\Documents and Settings\Reza\Cookies\reza@doubleclick[3].txt
    C:\Documents and Settings\Reza\Cookies\reza@doubleclick[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@ads.revsci[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@ad1.king[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@interclick[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@interclick[3].txt
    C:\Documents and Settings\Reza\Cookies\reza@ads.revsci[1].txt
    C:\Documents and Settings\Reza\Cookies\reza@2o7[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@2o7[4].txt
    C:\Documents and Settings\Reza\Cookies\reza@adopt.euroclick[1].txt
    C:\Documents and Settings\Reza\Cookies\reza@apmebf[1].txt
    C:\Documents and Settings\Reza\Cookies\reza@bluestreak[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@data.coremetrics[1].txt
    C:\Documents and Settings\Reza\Cookies\reza@fastclick[1].txt
    C:\Documents and Settings\Reza\Cookies\reza@interclick[1].txt
    C:\Documents and Settings\Reza\Cookies\reza@kontera[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@mediaplex[1].txt
    C:\Documents and Settings\Reza\Cookies\reza@partner2profit[1].txt
    C:\Documents and Settings\Reza\Cookies\reza@questionmarket[1].txt
    C:\Documents and Settings\Reza\Cookies\reza@questionmarket[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@realmedia[1].txt
    C:\Documents and Settings\Reza\Cookies\reza@specificclick[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@tribalfusion[2].txt
    C:\Documents and Settings\Reza\Cookies\reza@zedo[1].txt
    C:\Documents and Settings\reza.CAZA\Cookies\reza@interclick[1].txt
    C:\Documents and Settings\reza.CAZA\Cookies\reza@a1.interclick[1].txt
    C:\Documents and Settings\reza.CAZA\Cookies\reza@ads.pointroll[2].txt
    C:\Documents and Settings\reza.CAZA\Cookies\reza@advertising[1].txt
    C:\Documents and Settings\reza.CAZA\Cookies\reza@ad.yieldmanager[2].txt
    C:\Documents and Settings\reza.CAZA\Cookies\reza@adserver.adtechus[1].txt
    C:\Documents and Settings\reza.CAZA\Cookies\reza@atdmt[1].txt
    C:\Documents and Settings\reza.CAZA\Cookies\reza@bs.serving-sys[2].txt
    C:\Documents and Settings\reza.CAZA\Cookies\reza@doubleclick[1].txt
    C:\Documents and Settings\reza.CAZA\Cookies\reza@msnportal.112.2o7[1].txt
    C:\Documents and Settings\reza.CAZA\Cookies\reza@serving-sys[2].txt
    *****************************************

    Malwarebytes' Anti-Malware 1.43
    Database version: 3508
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    1/7/2010 1:54:40 PM
    mbam-log-2010-01-07 (13-54-40).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 325327
    Time elapsed: 1 hour(s), 40 minute(s), 25 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\Reza\Desktop\install_flash_player.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    ***********************************
     
  5. 2010/01/08
    damavand00

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-01-07 16:17:48
    Windows 5.1.2600 Service Pack 3
    Running: b0tpzgl1.exe; Driver: C:\DOCUME~1\ray\LOCALS~1\Temp\pxtdqpow.sys


    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAABCE0B0]

    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xAAAE878A]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xAAAE8821]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xAAAE8738]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xAAAE874C]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xAAAE8835]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xAAAE8861]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xAAAE88CF]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xAAAE88B9]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xAAAE87CA]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xAAAE88FB]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xAAAE880D]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xAAAE8710]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xAAAE8724]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xAAAE879E]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xAAAE8937]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xAAAE88A3]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xAAAE888D]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xAAAE884B]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xAAAE8923]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xAAAE890F]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xAAAE8776]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xAAAE8762]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xAAAE8877]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xAAAE87F9]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xAAAE88E5]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xAAAE87E0]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xAAAE87B4]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwYieldExecution 8082B23C 7 Bytes JMP AAAE87B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtCreateFile 808972FC 5 Bytes JMP AAAE878E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtMapViewOfSection 808D04FE 7 Bytes JMP AAAE87CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 808D1314 5 Bytes JMP AAAE87E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 808D6A96 7 Bytes JMP AAAE87A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtOpenProcess 808EA324 5 Bytes JMP AAAE8714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtOpenThread 808EA5B0 5 Bytes JMP AAAE8728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!NtSetInformationProcess 808ECDE2 5 Bytes JMP AAAE8766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateProcessEx 808F03F8 7 Bytes JMP AAAE8750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateProcess 808F04AE 5 Bytes JMP AAAE873C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwSetContextThread 808F09B8 5 Bytes JMP AAAE877A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwTerminateProcess 808F1CB8 5 Bytes JMP AAAE87FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwQueryValueKey 8094156A 7 Bytes JMP AAAE8891 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwSetValueKey 809418B8 7 Bytes JMP AAAE887B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwUnloadKey 80941BE2 7 Bytes JMP AAAE88E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80942480 7 Bytes JMP AAAE88A7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwRenameKey 80942D54 7 Bytes JMP AAAE884F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwCreateKey 80943332 5 Bytes JMP AAAE8825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwDeleteKey 809437C2 7 Bytes JMP AAAE8839 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwDeleteValueKey 80943992 7 Bytes JMP AAAE8865 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwEnumerateKey 80943B72 7 Bytes JMP AAAE88D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwEnumerateValueKey 80943DDC 7 Bytes JMP AAAE88BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwOpenKey 80944704 5 Bytes JMP AAAE8811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwQueryKey 80944A2A 7 Bytes JMP AAAE893B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwRestoreKey 80944CEA 5 Bytes JMP AAAE8913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwReplaceKey 809453DE 5 Bytes JMP AAAE8927 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwNotifyChangeKey 809454F8 5 Bytes JMP AAAE88FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    ? yxpofu.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Messenger\msmsgs.exe[664] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F30FEF
    .text C:\Program Files\Messenger\msmsgs.exe[664] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F3007D
    .text C:\Program Files\Messenger\msmsgs.exe[664] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F30062
    .text C:\Program Files\Messenger\msmsgs.exe[664] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F30051
    .text C:\Program Files\Messenger\msmsgs.exe[664] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F30F94
    .text C:\Program Files\Messenger\msmsgs.exe[664] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F30036
    .text C:\Program Files\Messenger\msmsgs.exe[664] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F300B3
    .text C:\Program Files\Messenger\msmsgs.exe[664] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F30F77
    .text C:\Program Files\Messenger\msmsgs.exe[664] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F300DF
    .text C:\Program Files\Messenger\msmsgs.exe[664] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F30F46
    .text C:\Program Files\Messenger\msmsgs.exe[664] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F30104
    .text C:\Program Files\Messenger\msmsgs.exe[664] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F30FA5
    .text C:\Program Files\Messenger\msmsgs.exe[664] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F3000A
    .text C:\Program Files\Messenger\msmsgs.exe[664] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F300A2
    .text C:\Program Files\Messenger\msmsgs.exe[664] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F30025
    .text C:\Program Files\Messenger\msmsgs.exe[664] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F30FCA
    .text C:\Program Files\Messenger\msmsgs.exe[664] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F300CE
    .text C:\Program Files\Messenger\msmsgs.exe[664] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F10062
    .text C:\Program Files\Messenger\msmsgs.exe[664] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F1003D
    .text C:\Program Files\Messenger\msmsgs.exe[664] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F10018
    .text C:\Program Files\Messenger\msmsgs.exe[664] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F10FEF
    .text C:\Program Files\Messenger\msmsgs.exe[664] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F10FCD
    .text C:\Program Files\Messenger\msmsgs.exe[664] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F10FDE
    .text C:\Program Files\Messenger\msmsgs.exe[664] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F20036
    .text C:\Program Files\Messenger\msmsgs.exe[664] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F20FA5
    .text C:\Program Files\Messenger\msmsgs.exe[664] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F20FE5
    .text C:\Program Files\Messenger\msmsgs.exe[664] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F2001B
    .text C:\Program Files\Messenger\msmsgs.exe[664] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F20FC0
    .text C:\Program Files\Messenger\msmsgs.exe[664] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F2000A
    .text C:\Program Files\Messenger\msmsgs.exe[664] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F2006C
    .text C:\Program Files\Messenger\msmsgs.exe[664] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F20051
    .text C:\Program Files\Messenger\msmsgs.exe[664] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F00FEF
    .text C:\Program Files\Messenger\msmsgs.exe[664] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00EA0FEF
    .text C:\Program Files\Messenger\msmsgs.exe[664] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00EA0FD4
    .text C:\Program Files\Messenger\msmsgs.exe[664] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00EA0FC3
    .text C:\Program Files\Messenger\msmsgs.exe[664] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00EA0FB2
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0FEF
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA0067
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0F72
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0F83
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0040
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0025
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA009F
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA0F57
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA00C1
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA0F28
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA0F03
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA0F9E
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA0FD4
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA0082
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA0014
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA0FC3
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA00B0
    .text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930FB9
    .text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00930F83
    .text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00930FCA
    .text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930000
    .text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0093004A
    .text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930FE5
    .text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00930FA8
    .text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B3, 88] {MOV BL, 0x88}
    .text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930025
    .text C:\WINDOWS\system32\svchost.exe[776] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920062
    .text C:\WINDOWS\system32\svchost.exe[776] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920FCD
    .text C:\WINDOWS\system32\svchost.exe[776] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0092002C
    .text C:\WINDOWS\system32\svchost.exe[776] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920000
    .text C:\WINDOWS\system32\svchost.exe[776] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0092003D
    .text C:\WINDOWS\system32\svchost.exe[776] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920011
    .text C:\WINDOWS\system32\svchost.exe[776] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00900000
    .text C:\WINDOWS\system32\svchost.exe[776] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00900011
    .text C:\WINDOWS\system32\svchost.exe[776] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00900036
    .text C:\WINDOWS\system32\svchost.exe[776] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00900047
    .text C:\WINDOWS\system32\svchost.exe[776] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910FEF
    .text C:\WINDOWS\system32\services.exe[876] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00740000
    .text C:\WINDOWS\system32\services.exe[876] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0074009A
    .text C:\WINDOWS\system32\services.exe[876] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0074007F
    .text C:\WINDOWS\system32\services.exe[876] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00740062
    .text C:\WINDOWS\system32\services.exe[876] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00740051
    .text C:\WINDOWS\system32\services.exe[876] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00740FC0
    .text C:\WINDOWS\system32\services.exe[876] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007400D9
    .text C:\WINDOWS\system32\services.exe[876] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007400C8
    .text C:\WINDOWS\system32\services.exe[876] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00740F65
    .text C:\WINDOWS\system32\services.exe[876] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007400FE
    .text C:\WINDOWS\system32\services.exe[876] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00740119
    .text C:\WINDOWS\system32\services.exe[876] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00740FAF
    .text C:\WINDOWS\system32\services.exe[876] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00740011
    .text C:\WINDOWS\system32\services.exe[876] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007400AB
    .text C:\WINDOWS\system32\services.exe[876] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00740FD1
    .text C:\WINDOWS\system32\services.exe[876] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00740022
    .text C:\WINDOWS\system32\services.exe[876] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00740F76
    .text C:\WINDOWS\system32\services.exe[876] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00070014
    .text C:\WINDOWS\system32\services.exe[876] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00070F7C
    .text C:\WINDOWS\system32\services.exe[876] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00070FCD
    .text C:\WINDOWS\system32\services.exe[876] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00070FDE
    .text C:\WINDOWS\system32\services.exe[876] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00070F8D
    .text C:\WINDOWS\system32\services.exe[876] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00070FEF
    .text C:\WINDOWS\system32\services.exe[876] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0007002F
    .text C:\WINDOWS\system32\services.exe[876] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00070FA8
    .text C:\WINDOWS\system32\services.exe[876] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060FC6
    .text C:\WINDOWS\system32\services.exe[876] msvcrt.dll!system 77C293C7 5 Bytes JMP 00060047
    .text C:\WINDOWS\system32\services.exe[876] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060011
    .text C:\WINDOWS\system32\services.exe[876] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00060FE3
    .text C:\WINDOWS\system32\services.exe[876] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00060036
    .text C:\WINDOWS\system32\services.exe[876] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00060000
    .text C:\WINDOWS\system32\services.exe[876] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00050000
    .text C:\WINDOWS\system32\lsass.exe[888] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0FEF
    .text C:\WINDOWS\system32\lsass.exe[888] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA00A7
    .text C:\WINDOWS\system32\lsass.exe[888] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0FB2
    .text C:\WINDOWS\system32\lsass.exe[888] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0FC3
    .text C:\WINDOWS\system32\lsass.exe[888] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0080
    .text C:\WINDOWS\system32\lsass.exe[888] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0040
    .text C:\WINDOWS\system32\lsass.exe[888] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA0F7A
    .text C:\WINDOWS\system32\lsass.exe[888] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA00C2
    .text C:\WINDOWS\system32\lsass.exe[888] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA0F4E
    .text C:\WINDOWS\system32\lsass.exe[888] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA0F5F
    .text C:\WINDOWS\system32\lsass.exe[888] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA0F3D
    .text C:\WINDOWS\system32\lsass.exe[888] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA0065
    .text C:\WINDOWS\system32\lsass.exe[888] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA000A
    .text C:\WINDOWS\system32\lsass.exe[888] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA0F97
    .text C:\WINDOWS\system32\lsass.exe[888] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA002F
    .text C:\WINDOWS\system32\lsass.exe[888] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA0FD4
    .text C:\WINDOWS\system32\lsass.exe[888] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA00DD
    .text C:\WINDOWS\system32\lsass.exe[888] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B90FD4
    .text C:\WINDOWS\system32\lsass.exe[888] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B9004A
    .text C:\WINDOWS\system32\lsass.exe[888] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B90025
    .text C:\WINDOWS\system32\lsass.exe[888] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B90014
    .text C:\WINDOWS\system32\lsass.exe[888] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B90F97
    .text C:\WINDOWS\system32\lsass.exe[888] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B90FEF
    .text C:\WINDOWS\system32\lsass.exe[888] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B90FB2
    .text C:\WINDOWS\system32\lsass.exe[888] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D9, 88]
    .text C:\WINDOWS\system32\lsass.exe[888] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B90FC3
    .text C:\WINDOWS\system32\lsass.exe[888] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B80038
    .text C:\WINDOWS\system32\lsass.exe[888] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B80FAD
    .text C:\WINDOWS\system32\lsass.exe[888] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B80027
    .text C:\WINDOWS\system32\lsass.exe[888] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B80000
    .text C:\WINDOWS\system32\lsass.exe[888] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B80FD2
    .text C:\WINDOWS\system32\lsass.exe[888] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B80FE3
    .text C:\WINDOWS\system32\lsass.exe[888] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B70000
    .text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F90000
    .text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F900BC
    .text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F900AB
    .text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F90FD1
    .text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F9008E
    .text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F90062
    .text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F90F88
    .text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F90FA5
    .text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F90F52
    .text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F90F63
    .text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F90F37
    .text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F90073
    .text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F90011
    .text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F90FB6
    .text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F90047
    .text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F9002C
    .text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F900EB
    .text C:\WINDOWS\system32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F80022
    .text C:\WINDOWS\system32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F80F80
    .text C:\WINDOWS\system32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F80011
    .text C:\WINDOWS\system32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F80000
    .text C:\WINDOWS\system32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F80F9B
    .text C:\WINDOWS\system32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F80FE5
    .text C:\WINDOWS\system32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F80FAC
    .text C:\WINDOWS\system32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [18, 89]
    .text C:\WINDOWS\system32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F80033
    .text C:\WINDOWS\system32\svchost.exe[1040] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F70F84
    .text C:\WINDOWS\system32\svchost.exe[1040] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F70F95
    .text C:\WINDOWS\system32\svchost.exe[1040] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F70FC1
    .text C:\WINDOWS\system32\svchost.exe[1040] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F70FEF
    .text C:\WINDOWS\system32\svchost.exe[1040] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F70FB0
    .text C:\WINDOWS\system32\svchost.exe[1040] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F70FD2
    .text C:\WINDOWS\system32\svchost.exe[1040] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F60000
    .text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A30000
    .text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A3008E
    .text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A30FA3
    .text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A3007D
    .text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A3006C
    .text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A30040
    .text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A30F74
    .text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A300B0
    .text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A300F9
    .text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A300E8
    .text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A30114
    .text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A30051
    .text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A30011
    .text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A3009F
    .text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A30FCA
    .text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A30FE5
    .text C:\WINDOWS\system32\svchost.exe[1124] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A300CD
    .text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A20FD1
    .text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A20047
    .text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A2002C
    .text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A20011
    .text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A20F94
    .text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A20000
    .text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A20FA5
    .text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C2, 88]
    .text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A20FC0
    .text C:\WINDOWS\system32\svchost.exe[1124] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A10053
    .text C:\WINDOWS\system32\svchost.exe[1124] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A10FC8
    .text C:\WINDOWS\system32\svchost.exe[1124] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A10038
    .text C:\WINDOWS\system32\svchost.exe[1124] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A10000
    .text C:\WINDOWS\system32\svchost.exe[1124] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A10FE3
    .text C:\WINDOWS\system32\svchost.exe[1124] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A10011
    .text C:\WINDOWS\system32\svchost.exe[1124] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A00FEF
    .text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02D3000A
    .text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02D30F72
    .text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02D30067
    .text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02D30F8D
    .text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02D30F9E
    .text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02D30FD4
    .text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02D300BA
    .text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02D3009D
    .text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02D300D5
    .text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02D30F3C
    .text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02D300E6
    .text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02D30FB9
    .text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02D30025
    .text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02D30082
    .text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02D30FEF
    .text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02D30036
    .text C:\WINDOWS\System32\svchost.exe[1160] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02D30F57
    .text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02D2003D
    .text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02D20FAC
    .text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02D2002C
    .text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02D20011
    .text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02D20FBD
    .text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02D20000
    .text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02D20069
    .text C:\WINDOWS\System32\svchost.exe[1160] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02D20058
    .text C:\WINDOWS\System32\svchost.exe[1160] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02D10053
    .text C:\WINDOWS\System32\svchost.exe[1160] msvcrt.dll!system 77C293C7 5 Bytes JMP 02D10042
    .text C:\WINDOWS\System32\svchost.exe[1160] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02D1001D
    .text C:\WINDOWS\System32\svchost.exe[1160] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02D10000
    .text C:\WINDOWS\System32\svchost.exe[1160] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02D10FC8
    .text C:\WINDOWS\System32\svchost.exe[1160] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02D10FE3
    .text C:\WINDOWS\System32\svchost.exe[1160] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02C30FEF
    .text C:\WINDOWS\System32\svchost.exe[1160] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FB0000
    .text C:\WINDOWS\System32\svchost.exe[1160] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FB0011
    .text C:\WINDOWS\System32\svchost.exe[1160] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FB0022
    .text C:\WINDOWS\System32\svchost.exe[1160] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00FB0FC7
    .text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00780000
    .text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007800AB
    .text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00780FB6
    *********
     
  6. 2010/01/08
    damavand00

    damavand00 Inactive Thread Starter

    GMER continued

    .text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00780090
    .text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00780073
    .text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0078003D
    .text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007800D7
    .text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007800C6
    .text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00780F4F
    .text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00780F6A
    .text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00780F3E
    .text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0078004E
    .text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0078001B
    .text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00780F9B
    .text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0078002C
    .text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00780FE5
    .text C:\WINDOWS\system32\svchost.exe[1560] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007800E8
    .text C:\WINDOWS\system32\svchost.exe[1560] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00770025
    .text C:\WINDOWS\system32\svchost.exe[1560] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00770F94
    .text C:\WINDOWS\system32\svchost.exe[1560] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00770FD4
    .text C:\WINDOWS\system32\svchost.exe[1560] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0077000A
    .text C:\WINDOWS\system32\svchost.exe[1560] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00770051
    .text C:\WINDOWS\system32\svchost.exe[1560] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00770FEF
    .text C:\WINDOWS\system32\svchost.exe[1560] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00770FAF
    .text C:\WINDOWS\system32\svchost.exe[1560] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [97, 88]
    .text C:\WINDOWS\system32\svchost.exe[1560] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00770036
    .text C:\WINDOWS\system32\svchost.exe[1560] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00760070
    .text C:\WINDOWS\system32\svchost.exe[1560] msvcrt.dll!system 77C293C7 5 Bytes JMP 00760055
    .text C:\WINDOWS\system32\svchost.exe[1560] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00760FE5
    .text C:\WINDOWS\system32\svchost.exe[1560] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00760000
    .text C:\WINDOWS\system32\svchost.exe[1560] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00760044
    .text C:\WINDOWS\system32\svchost.exe[1560] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00760029
    .text C:\WINDOWS\system32\svchost.exe[1560] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00750000
    .text C:\WINDOWS\Explorer.EXE[1568] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02260FEF
    .text C:\WINDOWS\Explorer.EXE[1568] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02260F61
    .text C:\WINDOWS\Explorer.EXE[1568] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02260056
    .text C:\WINDOWS\Explorer.EXE[1568] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02260F7C
    .text C:\WINDOWS\Explorer.EXE[1568] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0226002F
    .text C:\WINDOWS\Explorer.EXE[1568] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02260FA8
    .text C:\WINDOWS\Explorer.EXE[1568] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02260073
    .text C:\WINDOWS\Explorer.EXE[1568] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02260F2B
    .text C:\WINDOWS\Explorer.EXE[1568] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02260F06
    .text C:\WINDOWS\Explorer.EXE[1568] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 022600A9
    .text C:\WINDOWS\Explorer.EXE[1568] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 022600BA
    .text C:\WINDOWS\Explorer.EXE[1568] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02260F97
    .text C:\WINDOWS\Explorer.EXE[1568] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02260FDE
    .text C:\WINDOWS\Explorer.EXE[1568] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02260F3C
    .text C:\WINDOWS\Explorer.EXE[1568] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0226001E
    .text C:\WINDOWS\Explorer.EXE[1568] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02260FCD
    .text C:\WINDOWS\Explorer.EXE[1568] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0226008E
    .text C:\WINDOWS\Explorer.EXE[1568] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02250FAF
    .text C:\WINDOWS\Explorer.EXE[1568] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02250F6F
    .text C:\WINDOWS\Explorer.EXE[1568] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0225000A
    .text C:\WINDOWS\Explorer.EXE[1568] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02250FD4
    .text C:\WINDOWS\Explorer.EXE[1568] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02250F8A
    .text C:\WINDOWS\Explorer.EXE[1568] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02250FEF
    .text C:\WINDOWS\Explorer.EXE[1568] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0225002C
    .text C:\WINDOWS\Explorer.EXE[1568] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0225001B
    .text C:\WINDOWS\Explorer.EXE[1568] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0222001D
    .text C:\WINDOWS\Explorer.EXE[1568] msvcrt.dll!system 77C293C7 5 Bytes JMP 02220F9C
    .text C:\WINDOWS\Explorer.EXE[1568] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0222000C
    .text C:\WINDOWS\Explorer.EXE[1568] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02220FEF
    .text C:\WINDOWS\Explorer.EXE[1568] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02220FAD
    .text C:\WINDOWS\Explorer.EXE[1568] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02220FD2
    .text C:\WINDOWS\Explorer.EXE[1568] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01990FEF
    .text C:\WINDOWS\Explorer.EXE[1568] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0199000A
    .text C:\WINDOWS\Explorer.EXE[1568] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0199001B
    .text C:\WINDOWS\Explorer.EXE[1568] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 0199002C
    .text C:\WINDOWS\Explorer.EXE[1568] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01A50000
    .text C:\WINDOWS\system32\svchost.exe[1636] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009C0FEF
    .text C:\WINDOWS\system32\svchost.exe[1636] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009C0F88
    .text C:\WINDOWS\system32\svchost.exe[1636] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009C0F99
    .text C:\WINDOWS\system32\svchost.exe[1636] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009C0FB6
    .text C:\WINDOWS\system32\svchost.exe[1636] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009C0073
    .text C:\WINDOWS\system32\svchost.exe[1636] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009C0051
    .text C:\WINDOWS\system32\svchost.exe[1636] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009C0F57
    .text C:\WINDOWS\system32\svchost.exe[1636] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009C009F
    .text C:\WINDOWS\system32\svchost.exe[1636] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009C00E6
    .text C:\WINDOWS\system32\svchost.exe[1636] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009C00C1
    .text C:\WINDOWS\system32\svchost.exe[1636] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009C00F7
    .text C:\WINDOWS\system32\svchost.exe[1636] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009C0062
    .text C:\WINDOWS\system32\svchost.exe[1636] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009C0000
    .text C:\WINDOWS\system32\svchost.exe[1636] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009C008E
    .text C:\WINDOWS\system32\svchost.exe[1636] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009C0036
    .text C:\WINDOWS\system32\svchost.exe[1636] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009C0025
    .text C:\WINDOWS\system32\svchost.exe[1636] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009C00B0
    .text C:\WINDOWS\system32\svchost.exe[1636] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009B001B
    .text C:\WINDOWS\system32\svchost.exe[1636] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009B0047
    .text C:\WINDOWS\system32\svchost.exe[1636] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009B0FD4
    .text C:\WINDOWS\system32\svchost.exe[1636] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009B000A
    .text C:\WINDOWS\system32\svchost.exe[1636] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009B0036
    .text C:\WINDOWS\system32\svchost.exe[1636] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009B0FEF
    .text C:\WINDOWS\system32\svchost.exe[1636] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 009B0F94
    .text C:\WINDOWS\system32\svchost.exe[1636] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [BB, 88]
    .text C:\WINDOWS\system32\svchost.exe[1636] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009B0FA5
    .text C:\WINDOWS\system32\svchost.exe[1636] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009A0031
    .text C:\WINDOWS\system32\svchost.exe[1636] msvcrt.dll!system 77C293C7 5 Bytes JMP 009A0FA6
    .text C:\WINDOWS\system32\svchost.exe[1636] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009A0016
    .text C:\WINDOWS\system32\svchost.exe[1636] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009A0FE3
    .text C:\WINDOWS\system32\svchost.exe[1636] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009A0FC1
    .text C:\WINDOWS\system32\svchost.exe[1636] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009A0FD2
    .text C:\WINDOWS\system32\svchost.exe[1636] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00990FEF
    .text C:\WINDOWS\System32\svchost.exe[2264] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
    .text C:\WINDOWS\System32\svchost.exe[2264] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0051
    .text C:\WINDOWS\System32\svchost.exe[2264] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F5C
    .text C:\WINDOWS\System32\svchost.exe[2264] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F83
    .text C:\WINDOWS\System32\svchost.exe[2264] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0F94
    .text C:\WINDOWS\System32\svchost.exe[2264] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0036
    .text C:\WINDOWS\System32\svchost.exe[2264] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0073
    .text C:\WINDOWS\System32\svchost.exe[2264] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F37
    .text C:\WINDOWS\System32\svchost.exe[2264] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F06
    .text C:\WINDOWS\System32\svchost.exe[2264] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A009F
    .text C:\WINDOWS\System32\svchost.exe[2264] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A00B0
    .text C:\WINDOWS\System32\svchost.exe[2264] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0FA5
    .text C:\WINDOWS\System32\svchost.exe[2264] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FE5
    .text C:\WINDOWS\System32\svchost.exe[2264] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0062
    .text C:\WINDOWS\System32\svchost.exe[2264] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0FD4
    .text C:\WINDOWS\System32\svchost.exe[2264] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0025
    .text C:\WINDOWS\System32\svchost.exe[2264] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A008E
    .text C:\WINDOWS\System32\svchost.exe[2264] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0029002C
    .text C:\WINDOWS\System32\svchost.exe[2264] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290FA5
    .text C:\WINDOWS\System32\svchost.exe[2264] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0029001B
    .text C:\WINDOWS\System32\svchost.exe[2264] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290FE5
    .text C:\WINDOWS\System32\svchost.exe[2264] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290062
    .text C:\WINDOWS\System32\svchost.exe[2264] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290000
    .text C:\WINDOWS\System32\svchost.exe[2264] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00290047
    .text C:\WINDOWS\System32\svchost.exe[2264] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290FB6
    .text C:\WINDOWS\System32\svchost.exe[2264] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003E0F8B
    .text C:\WINDOWS\System32\svchost.exe[2264] msvcrt.dll!system 77C293C7 5 Bytes JMP 003E000C
    .text C:\WINDOWS\System32\svchost.exe[2264] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003E0FC1
    .text C:\WINDOWS\System32\svchost.exe[2264] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003E0FE3
    .text C:\WINDOWS\System32\svchost.exe[2264] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003E0FA6
    .text C:\WINDOWS\System32\svchost.exe[2264] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003E0FD2
    .text C:\WINDOWS\System32\svchost.exe[2264] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009B0000
    .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2312] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
    .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2312] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
    .text C:\WINDOWS\system32\dllhost.exe[2520] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E80FEF
    .text C:\WINDOWS\system32\dllhost.exe[2520] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E80091
    .text C:\WINDOWS\system32\dllhost.exe[2520] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E80F9C
    .text C:\WINDOWS\system32\dllhost.exe[2520] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E80FAD
    .text C:\WINDOWS\system32\dllhost.exe[2520] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E80FCA
    .text C:\WINDOWS\system32\dllhost.exe[2520] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E8005B
    .text C:\WINDOWS\system32\dllhost.exe[2520] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E80F64
    .text C:\WINDOWS\system32\dllhost.exe[2520] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E80F75
    .text C:\WINDOWS\system32\dllhost.exe[2520] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E800DF
    .text C:\WINDOWS\system32\dllhost.exe[2520] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E800CE
    .text C:\WINDOWS\system32\dllhost.exe[2520] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E80F2B
    .text C:\WINDOWS\system32\dllhost.exe[2520] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E8006C
    .text C:\WINDOWS\system32\dllhost.exe[2520] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E8000A
    .text C:\WINDOWS\system32\dllhost.exe[2520] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E800A2
    .text C:\WINDOWS\system32\dllhost.exe[2520] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E80040
    .text C:\WINDOWS\system32\dllhost.exe[2520] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E8001B
    .text C:\WINDOWS\system32\dllhost.exe[2520] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E800BD
    .text C:\WINDOWS\system32\dllhost.exe[2520] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E60064
    .text C:\WINDOWS\system32\dllhost.exe[2520] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E60053
    .text C:\WINDOWS\system32\dllhost.exe[2520] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E6001D
    .text C:\WINDOWS\system32\dllhost.exe[2520] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E60FEF
    .text C:\WINDOWS\system32\dllhost.exe[2520] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E60042
    .text C:\WINDOWS\system32\dllhost.exe[2520] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E6000C
    .text C:\WINDOWS\system32\dllhost.exe[2520] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E70FD1
    .text C:\WINDOWS\system32\dllhost.exe[2520] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E70FA2
    .text C:\WINDOWS\system32\dllhost.exe[2520] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E7002C
    .text C:\WINDOWS\system32\dllhost.exe[2520] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E7001B
    .text C:\WINDOWS\system32\dllhost.exe[2520] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E7005F
    .text C:\WINDOWS\system32\dllhost.exe[2520] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E7000A
    .text C:\WINDOWS\system32\dllhost.exe[2520] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E7004E
    .text C:\WINDOWS\system32\dllhost.exe[2520] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E7003D
    .text C:\WINDOWS\system32\dllhost.exe[2520] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E50000
    .text C:\WINDOWS\system32\svchost.exe[2864] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B9000A
    .text C:\WINDOWS\system32\svchost.exe[2864] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B90F5C
    .text C:\WINDOWS\system32\svchost.exe[2864] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B90F6D
    .text C:\WINDOWS\system32\svchost.exe[2864] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B90051
    .text C:\WINDOWS\system32\svchost.exe[2864] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B90F94
    .text C:\WINDOWS\system32\svchost.exe[2864] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B9002C
    .text C:\WINDOWS\system32\svchost.exe[2864] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B90089
    .text C:\WINDOWS\system32\svchost.exe[2864] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B90F41
    .text C:\WINDOWS\system32\svchost.exe[2864] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B90F01
    .text C:\WINDOWS\system32\svchost.exe[2864] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B90F1C
    .text C:\WINDOWS\system32\svchost.exe[2864] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B90EF0
    .text C:\WINDOWS\system32\svchost.exe[2864] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B90FA5
    .text C:\WINDOWS\system32\svchost.exe[2864] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B90FE5
    .text C:\WINDOWS\system32\svchost.exe[2864] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B9006C
    .text C:\WINDOWS\system32\svchost.exe[2864] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B90FC0
    .text C:\WINDOWS\system32\svchost.exe[2864] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B9001B
    .text C:\WINDOWS\system32\svchost.exe[2864] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B9009A
    .text C:\WINDOWS\system32\svchost.exe[2864] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B80FAF
    .text C:\WINDOWS\system32\svchost.exe[2864] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B80F72
    .text C:\WINDOWS\system32\svchost.exe[2864] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B8000A
    .text C:\WINDOWS\system32\svchost.exe[2864] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B80FD4
    .text C:\WINDOWS\system32\svchost.exe[2864] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B8002F
    .text C:\WINDOWS\system32\svchost.exe[2864] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B80FEF
    .text C:\WINDOWS\system32\svchost.exe[2864] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B80F83
    .text C:\WINDOWS\system32\svchost.exe[2864] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D8, 88]
    .text C:\WINDOWS\system32\svchost.exe[2864] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B80F94
    .text C:\WINDOWS\system32\svchost.exe[2864] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B70FD9
    .text C:\WINDOWS\system32\svchost.exe[2864] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B70064
    .text C:\WINDOWS\system32\svchost.exe[2864] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B7002E
    .text C:\WINDOWS\system32\svchost.exe[2864] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B7000C
    .text C:\WINDOWS\system32\svchost.exe[2864] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B70049
    .text C:\WINDOWS\system32\svchost.exe[2864] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B7001D
    .text C:\WINDOWS\system32\svchost.exe[2864] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B60FEF
    .text C:\WINDOWS\system32\svchost.exe[3112] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BC0000
    .text C:\WINDOWS\system32\svchost.exe[3112] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BC008E
    .text C:\WINDOWS\system32\svchost.exe[3112] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BC0FA3
    .text C:\WINDOWS\system32\svchost.exe[3112] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BC007D
    .text C:\WINDOWS\system32\svchost.exe[3112] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BC0FC0
    .text C:\WINDOWS\system32\svchost.exe[3112] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BC0047
    .text C:\WINDOWS\system32\svchost.exe[3112] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BC0F6D
    .text C:\WINDOWS\system32\svchost.exe[3112] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BC0F7E
    .text C:\WINDOWS\system32\svchost.exe[3112] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BC00E1
    .text C:\WINDOWS\system32\svchost.exe[3112] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BC0F48
    .text C:\WINDOWS\system32\svchost.exe[3112] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BC0F37
    .text C:\WINDOWS\system32\svchost.exe[3112] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BC0058
    .text C:\WINDOWS\system32\svchost.exe[3112] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BC0FEF
    .text C:\WINDOWS\system32\svchost.exe[3112] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BC00A9
    .text C:\WINDOWS\system32\svchost.exe[3112] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BC0036
    .text C:\WINDOWS\system32\svchost.exe[3112] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BC0025
    .text C:\WINDOWS\system32\svchost.exe[3112] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BC00D0
    .text C:\WINDOWS\system32\svchost.exe[3112] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BB0FB9
    .text C:\WINDOWS\system32\svchost.exe[3112] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BB0051
    .text C:\WINDOWS\system32\svchost.exe[3112] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BB0FCA
    .text C:\WINDOWS\system32\svchost.exe[3112] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BB0000
    .text C:\WINDOWS\system32\svchost.exe[3112] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BB0040
    .text C:\WINDOWS\system32\svchost.exe[3112] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BB0FE5
    .text C:\WINDOWS\system32\svchost.exe[3112] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BB0F9E
    .text C:\WINDOWS\system32\svchost.exe[3112] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DB, 88]
    .text C:\WINDOWS\system32\svchost.exe[3112] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BB0025
    .text C:\WINDOWS\system32\svchost.exe[3112] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BA003D
    .text C:\WINDOWS\system32\svchost.exe[3112] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BA0FBC
    .text C:\WINDOWS\system32\svchost.exe[3112] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BA0011
    .text C:\WINDOWS\system32\svchost.exe[3112] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BA0000
    .text C:\WINDOWS\system32\svchost.exe[3112] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BA002C
    .text C:\WINDOWS\system32\svchost.exe[3112] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BA0FD7
    .text C:\WINDOWS\system32\wuauclt.exe[3164] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0000
    .text C:\WINDOWS\system32\wuauclt.exe[3164] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0F55
    .text C:\WINDOWS\system32\wuauclt.exe[3164] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0F66
    .text C:\WINDOWS\system32\wuauclt.exe[3164] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0040
    .text C:\WINDOWS\system32\wuauclt.exe[3164] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0F8D
    .text C:\WINDOWS\system32\wuauclt.exe[3164] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B002F
    .text C:\WINDOWS\system32\wuauclt.exe[3164] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B0F1D
    .text C:\WINDOWS\system32\wuauclt.exe[3164] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0065
    .text C:\WINDOWS\system32\wuauclt.exe[3164] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B008A
    .text C:\WINDOWS\system32\wuauclt.exe[3164] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B0EF1
    .text C:\WINDOWS\system32\wuauclt.exe[3164] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B0ED6
    .text C:\WINDOWS\system32\wuauclt.exe[3164] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B0FA8
    .text C:\WINDOWS\system32\wuauclt.exe[3164] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B0FEF
    .text C:\WINDOWS\system32\wuauclt.exe[3164] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B0F3A
    .text C:\WINDOWS\system32\wuauclt.exe[3164] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B0FC3
    .text C:\WINDOWS\system32\wuauclt.exe[3164] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B0FD4
    .text C:\WINDOWS\system32\wuauclt.exe[3164] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B0F02
    .text C:\WINDOWS\system32\wuauclt.exe[3164] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0F97
    .text C:\WINDOWS\system32\wuauclt.exe[3164] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0FB2
    .text C:\WINDOWS\system32\wuauclt.exe[3164] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0011
    .text C:\WINDOWS\system32\wuauclt.exe[3164] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0FEF
    .text C:\WINDOWS\system32\wuauclt.exe[3164] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0022
    .text C:\WINDOWS\system32\wuauclt.exe[3164] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0000
    .text C:\WINDOWS\system32\wuauclt.exe[3164] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002B0025
    .text C:\WINDOWS\system32\wuauclt.exe[3164] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002B0F83
    .text C:\WINDOWS\system32\wuauclt.exe[3164] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002B0FD4
    .text C:\WINDOWS\system32\wuauclt.exe[3164] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002B000A
    .text C:\WINDOWS\system32\wuauclt.exe[3164] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002B0040
    .text C:\WINDOWS\system32\wuauclt.exe[3164] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002B0FEF
    .text C:\WINDOWS\system32\wuauclt.exe[3164] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002B0F9E
    .text C:\WINDOWS\system32\wuauclt.exe[3164] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4B, 88]
    .text C:\WINDOWS\system32\wuauclt.exe[3164] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002B0FB9

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[3020] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[3020] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[3020] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[3020] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[3020] @ C:\WINDOWS\system32\USER32.dll [GDI32.dll!GetStockObject] [61449CEC] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[3020] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[3020] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[3020] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[3020] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[3020] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [61449CEC] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[3020] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6144AE29] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[3020] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[3020] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[3020] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[3020] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[3020] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [6144A3BA] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[3020] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [6144A3BA] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[3020] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [61449C27] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[3020] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [61449B56] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[3020] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [61449B94] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[3020] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetStockObject] [61449CEC] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[3020] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[3020] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[3020] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[3020] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[3020] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6144AE29] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[3020] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [61449D87] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[3020] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [61449B94] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[3020] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [6144A3BA] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[3020] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [61449C27] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[3020] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [6144A3BA] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[3020] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [61449CF2] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
    IAT C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe[3020] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [61449B56] C:\PROGRA~1\Yahoo!\Messenger\yui.dll

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

    Device \FileSystem\Fastfat \Fat A91FAD20
    Device \FileSystem\Fastfat \Fat A92018C1

    AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

    ---- EOF - GMER 1.0.15 ----
    *******************
     
  7. 2010/01/08
    damavand00
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:12:11 AM, on 1/8/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\dlcccoms.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\ray\Application Data\U3\0000160EF173B4BA\LaunchPad.exe
    F:\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [ShowLOMControl] 
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1251310152406
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

    --
    End of file - 8144 bytes
     
  8. 2010/01/08
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    So far, not much here.
    Surely, another 512MB of RAM would help.

    Please download ComboFix from Here or Here to your Desktop.


    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Please, never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE. If Combofix asks you to install Recovery Console, please allow it.

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  9. 2010/01/09
    damavand00

    damavand00 Inactive Thread Starter

    Joined:
    2009/09/09
    Messages:
    23
    Likes Received:
    0
    ComboFix log and second HijackThis log:

    ComboFix 10-01-04.01 - ray 01/09/2010 9:43.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.176 [GMT -5:00]
    Running from: c:\documents and settings\ray\My Documents\Downloads\ComboFix.exe
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\CyberDefender
    c:\program files\CyberDefender\Registry Cleaner\CDRC.dll
    c:\program files\CyberDefender\Registry Cleaner\CDregclean.exe
    c:\recycler\S-1-5-21-421331025-2012027420-4002958943-1005
    c:\recycler\S-1-5-21-421331025-2012027420-4002958943-500
    c:\recycler\S-1-5-21-421331025-2012027420-4002958943-501
    c:\windows\kb913800.exe
    c:\windows\system32\Cache

    .
    ((((((((((((((((((((((((( Files Created from 2009-12-09 to 2010-01-09 )))))))))))))))))))))))))))))))
    .

    2010-01-08 15:35 . 2006-12-07 15:45 110592 ----a-w- c:\documents and settings\ray\Application Data\U3\temp\cleanup.exe
    2010-01-08 15:10 . 2006-12-07 15:45 3096576 ---ha-w- c:\documents and settings\ray\Application Data\U3\temp\Launchpad Removal.exe
    2010-01-07 17:04 . 2010-01-07 17:04 5061520 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-01-07 13:53 . 2010-01-07 13:53 117760 ----a-w- c:\documents and settings\Administrator.CAZA\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-01-07 13:51 . 2010-01-07 13:52 -------- d-----w- c:\documents and settings\Administrator.CAZA
    2010-01-07 13:44 . 2010-01-07 13:44 52224 ----a-w- c:\documents and settings\ray\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-08 15:35 . 2009-08-26 18:37 -------- d-----w- c:\documents and settings\ray\Application Data\U3
    2010-01-07 17:05 . 2009-10-11 00:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-07 13:52 . 2010-01-07 13:52 -------- d-----w- c:\documents and settings\Administrator.CAZA\Application Data\SUPERAntiSpyware.com
    2010-01-07 13:52 . 2010-01-07 13:52 -------- d-----w- c:\documents and settings\Administrator.CAZA\Application Data\Intel
    2010-01-07 13:44 . 2009-10-11 14:08 117760 ----a-w- c:\documents and settings\ray\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-12-30 19:55 . 2009-10-11 00:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-12-30 19:54 . 2009-10-11 00:43 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-23 00:10 . 2009-10-03 16:46 -------- d-----w- c:\program files\McAfee
    2009-12-21 22:17 . 2008-11-11 16:38 -------- d-----w- c:\program files\PokerStars
    2009-12-14 20:02 . 2006-06-25 22:02 -------- d-----w- c:\program files\Dl_cats
    2009-11-20 15:26 . 2009-10-01 14:59 15224 ----a-w- c:\documents and settings\ray\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-11-14 22:02 . 2009-11-14 15:01 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo! Companion
    2009-11-14 15:04 . 2009-11-14 15:01 -------- d-----w- c:\documents and settings\ray\Application Data\Yahoo!
    2009-11-14 15:01 . 2009-11-14 15:00 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo!
    2009-11-14 15:01 . 2006-05-21 12:21 -------- d-----w- c:\program files\Yahoo!
    2009-11-10 19:39 . 2009-11-14 15:00 607472 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo!\YUpdater\yupdater.exe
    2009-10-29 07:45 . 2004-08-10 11:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-10-21 05:38 . 2004-08-10 11:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
    2009-10-21 05:38 . 2004-08-10 11:00 25088 ----a-w- c:\windows\system32\httpapi.dll
    2009-10-20 16:20 . 2004-08-10 11:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
    2009-10-14 14:27 . 2009-08-26 14:59 87747 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2009-10-13 10:30 . 2004-08-10 11:00 270336 ----a-w- c:\windows\system32\oakley.dll
    2009-10-12 13:38 . 2004-08-10 11:00 149504 ----a-w- c:\windows\system32\rastls.dll
    2009-10-12 13:38 . 2004-08-10 11:00 79872 ----a-w- c:\windows\system32\raschap.dll
    2006-05-29 17:59 . 2006-05-29 17:59 251 -c--a-w- c:\program files\wt3d.ini
    2004-04-14 14:36 . 2006-06-23 21:30 35564644 -c--a-w- c:\program files\SAV CE Americas Home Client 8.11.323.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-18 2000112]
    "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ShowLOMControl"="1 (0x1)" [X]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-07-23 401408]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-07-23 385024]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
    "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-12-15 839680]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2006-02-24 73728]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-09-09 393216]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
    2005-07-23 02:46 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\WINDOWS\\system32\\dlcccoms.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 10:42 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 10:42 AM 74480]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 10:42 AM 7408]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-10-01 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2009-10-03 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-03 16:22]

    2009-10-03 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-03 16:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://yahoo.com/
    uInternet Settings,ProxyOverride = *.local
    FF - ProfilePath - c:\documents and settings\ray\Application Data\Mozilla\Firefox\Profiles\0lkcvkqu.default\
    FF - prefs.js: browser.startup.homepage - yahoo.com
    FF - plugin: c:\documents and settings\ray\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserplus_2.4.17.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true.
    - - - - ORPHANS REMOVED - - - -

    AddRemove-HijackThis - F:\HijackThis.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-01-09 09:52
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(828)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll
    c:\program files\Intel\Wireless\Bin\LgNotify.dll
    .
    Completion time: 2010-01-09 09:55:54
    ComboFix-quarantined-files.txt 2010-01-09 14:55

    Pre-Run: 44,640,870,400 bytes free
    Post-Run: 46,989,471,744 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS= "Windows XP Media Center Edition" /noexecute=optin /fastdetect

    - - End Of File - - 729B0B4AA68A92F471DA65360BEF3B1E


    **********************

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:06:27 AM, on 1/9/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\dlcccoms.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\system32\wscntfy.exe
    c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    F:\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [ShowLOMControl] 
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1251310152406
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

    --
    End of file - 7949 bytes
     
  10. 2010/01/09
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Uninstall Combofix:
    Go Start > Run [Vista users, go Start> "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between "Combofix" and "/Uninstall".
    Restart computer.

    ===========================================================

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  11. 2010/01/10
    damavand00

    damavand00 Inactive Thread Starter

    Joined:
    2009/09/09
    Messages:
    23
    Likes Received:
    0
    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Sunday, January 10, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Saturday, January 09, 2010 19:59:55
    Records in database: 3302043
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\
    F:\

    Scan statistics:
    Objects scanned: 83797
    Threats found: 1
    Infected objects found: 2
    Suspicious objects found: 0
    Scan duration: 04:10:43


    File name / Threat / Threats count
    F:\tftpd32.303.zip Infected: not-a-virus:Server-FTP.Win32.SFH.g 1
    F:\SSH-TFTP\tftpd32.303.zip Infected: not-a-virus:Server-FTP.Win32.SFH.g 1

    Selected area has been scanned.
     
  12. 2010/01/10
    damavand00

    damavand00 Inactive Thread Starter

    Joined:
    2009/09/09
    Messages:
    23
    Likes Received:
    0
    just a side note:
    There is a usb flash drive connected while running kaspersky, which i think is drive F.
     
  13. 2010/01/10
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Make sure you remove those two infected files from the USB stick. Better yet, format it.

    Please download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Open JavaRa.exe again and select Search For Updates.
    • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    ================================================================

    Disable TeaTimer, as it'll interfere with the cleaning process:
    Right click Spybot's TeaTimer System Tray Icon.
    Click Exit Spybot-S&D Resident.
    TeaTimer closes.
    NOTE. If on re-boot, Spybot inquires about registry change(s), allow it.

    ==============================================================

    Print this post out, since you won't have access to it at some point.

    1. Open HijackThis.

    2. Close all windows, except for HijackThis.

    3. Put checkmarks next to the following HijackThis entries:

    nothing malicious to remove

    4. You should also checkmark following entries (these are unnecessary startups; no actual programs will be removed):

    - O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    - O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    - O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    - O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    - O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
    - O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    - O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    - O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    - O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [unless you have paid version]
    - O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    - O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [unless you have paid version]



    5. Click on Fix checked button.

    6. Restart computer.


    When done.....


    Your computer is clean :)

    1. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please let me know how your computer is doing.
     
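    The O4 and O20 entries broni lists above are just registry autostart locations (the Run/RunOnce keys under HKLM and HKCU, and the Winlogon Notify subkeys). The following script is an added example, not part of the thread or of HijackThis; it enumerates those same locations read-only so the entries can be reviewed against a list of names before anything is removed. The list of names is an assumption copied from the post above, and nothing is deleted.

```powershell
# Added example (not from the thread): read-only listing of the autostart
# locations HijackThis reports as O4 (Run keys) and O20 (Winlogon Notify).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumption: value names taken from the O4 entries listed in the post above.
$reviewList = @('igfxtray', 'igfxpers', 'Dell QuickSet', 'NeroFilterCheck', 'DLCCCATS',
                'SigmatelSysTrayApp', 'iTunesHelper', 'MSMSGS', 'SUPERAntiSpyware',
                'Messenger (Yahoo!)')

function Get-AutostartEntries {
    # O4: each value under a Run/RunOnce key is one command started at logon.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/PSChildName/PSDrive/PSProvider
            # properties that PowerShell attaches to the object.
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{
                Location = $key
                Name     = $p.Name
                Command  = $p.Value
                Flagged  = ($reviewList -contains $p.Name)
            }
        }
    }

    # O20: each Winlogon\Notify subkey names a DLL that winlogon.exe loads.
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notify) {
        foreach ($sub in Get-ChildItem -Path $notify) {
            $dll = (Get-ItemProperty -Path $sub.PSPath).DllName
            [pscustomobject]@{
                Location = $notify
                Name     = $sub.PSChildName
                Command  = $dll
                Flagged  = $false
            }
        }
    }
}

# Flagged entries first, so the ones matching the review list stand out.
Get-AutostartEntries | Sort-Object Flagged -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so HKLM is readable; it prints the same information HijackThis shows for those sections, with the review-list matches on top, and makes no changes to the registry.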
  14. 2010/01/11
    damavand00

    damavand00 Inactive Thread Starter

    Joined:
    2009/09/09
    Messages:
    23
    Likes Received:
    0
    Thank you broni.
    Things are a lot better now. The laptop is actually behaving normally now.
    I appreciate all your help and support. I may upgrade the RAM later as you suggested.
    Great job and hope you have a great year.....
    Regards,
    Ray
     
  15. 2010/01/11
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Same to you :)
    Happy surfing :)
     
