Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Board index Malware Removal ForumsInfected? Virus, malware, adware, ransomware, oh my!

Please help me! Need malware removed!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.
Topic locked

Please help me! Need malware removed!

Unread postby francis89 » November 18th, 2009, 4:02 pm

Hello helpers, I have recently gotten some kind of malware virus on my laptop, and my virus removal program does not seem to detect it. As of right now, I've found some kind of loophole so that it doesnt really bother me, but it still makes my laptop run slower than normally. The loophole I've found is that if i sign onto my fathers account, and then log in to my own account, the virus seems to ignore me and just hang out in my dads account. Pretty weird, I know, I dont even know how I figured that out. But if someone could help me get rid of the virus completely, itd be very helpful, thank you!

Here is my HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:01:42 PM, on 11/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscript.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080303
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080303
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080303
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://partnerpage.google.com/smallbiz. ... bd=6080303
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.227 aviraplatinum2009.microsoft.com
O1 - Hosts: 91.212.127.227 aviraplatinum2009.com
O1 - Hosts: 91.212.127.227 http://www.aviraplatinum2009.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [rsotjtxm] C:\Documents and Settings\frankee\Local Settings\Application Data\ktktek\pbsysysguard.exe
O4 - HKCU\..\Run: [DellAutomatedPCTuneUp] "C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [rsotjtxm] C:\Documents and Settings\frankee\Local Settings\Application Data\ktktek\pbsysysguard.exe
O4 - HKUS\S-1-5-21-3707664285-3799962952-1332791384-1007\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User 'frankie')
O4 - Global Startup: Dell Network Assistant.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DellAMBrokerService - Unknown owner - C:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9512 bytes
francis89
Active Member
 
Posts: 12
Joined: February 25th, 2009, 9:19 pm
Top
Advertisement
Register to Remove

Re: Please help me! Need malware removed!

Unread postby MWR 3 day Mod » November 22nd, 2009, 10:55 pm

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am
Top

Re: Please help me! Need malware removed!

Unread postby deltalima » November 23rd, 2009, 8:05 am

Hi francis89,

Welcome to the forum.

My nickname is deltalima and I will be helping you with your computer problems.

HijackThis logs can take some time to research, so please be patient with me.

Please note the following:
  • I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • All of my posts need to be checked by a teacher, so please be patient while I attempt to remove your malware.

Uninstall List
  • Open HijackThis.
  • Look under System tools.
  • Click on the Open Uninstall Manager... button.
  • Click on the Save list... button.
  • It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
  • Notepad will open. Please copy and paste the contents of this log in your next reply.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
Top

Re: Please help me! Need malware removed!

Unread postby francis89 » November 23rd, 2009, 3:20 pm

Thanks deltalima!


Here is my uninstall log:

Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2
AIM 7
AIM Search
Apple Software Update
ATI Catalyst Control Center
ATI Display Driver
Broadcom Management Programs
Browser Address Error Redirector
Conexant HDA D330 MDC V.92 Modem
Dell Automated PC TuneUp
Dell Network Assistant
Dell Support Center (Support Software)
Dell Touchpad
Dell Wireless WLAN Card
Digital Line Detect
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Plus Web Player
Download Updater (AOL LLC)
Google Desktop
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
J2SE Runtime Environment 5.0 Update 6
McAfee Security Scan
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 Redistributable
Modem Diagnostic Tool
Mozilla Firefox (3.0.15)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
NetWaiting
PowerDVD
QuickSet
QuickTime
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler
Roxio Update Manager
SearchAssist
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Sonic Activation Module
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
VC80CRTRedist - 8.0.50727.4053
Viewpoint Media Player
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
WinRAR archiver
Yahoo! Install Manager
Yahoo! Toolbar
francis89
Active Member
 
Posts: 12
Joined: February 25th, 2009, 9:19 pm
Top

Re: Please help me! Need malware removed!

Unread postby deltalima » November 25th, 2009, 8:07 am

Hi francis89,

HostXpert
Download HostXpert from here & save it to your desktop
  • Right click on HostsXpert.zip and select Extract All...
  • Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard
  • Click on the Browse button. Click on Desktop. Then click OK
  • Once done, check (tick) the Show extracted files box and click Finish
  • Once extracted, HostsXpert folder will open
  • Double click on HostsXpert.exe to start it
  • On your left hand side, click on Restore MS Hosts File
  • Exit HostsXpert

Rkill
Note: If your security software warns about Rkill, please ignore and allow the download to continue.
Please download Rkill.com ... by Grinler. Save it to your Desktop.
  1. Double click on the Rkill Desktop icon.
  2. A command window will open then disappear upon completion, this is normal.
Please leave Rkill on the Desktop unless instructed otherwise.

DO NOT REBOOT until completing the next stage.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Check all items except items in the C:\System Volume Information folder... then click on Remove Selected.
    We will take care of the System Volume Information items later.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE"
Important! Please do not select the "Show all" checkbox during the scan..

Now please post the log from Malwarebytes Anti-Malware, the log from GMER and a new HijackThis log.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
Top

Re: Please help me! Need malware removed!

Unread postby francis89 » November 25th, 2009, 9:24 pm

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

11/25/2009 4:13:11 PM
mbam-log-2009-11-25 (16-13-11).txt

Scan type: Full Scan (C:\|)
Objects scanned: 162034
Time elapsed: 36 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


gmer:

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-25 17:40:45
Windows 5.1.2600 Service Pack 2
Running: b2m0osis.exe; Driver: C:\DOCUME~1\frankee\LOCALS~1\Temp\kxtdypow.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB0A4178A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xB0A41821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB0A41738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB0A4174C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB0A41835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB0A41861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB0A418CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB0A418B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB0A417CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB0A418FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB0A4180D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB0A41710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB0A41724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB0A4179E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB0A41937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB0A418A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB0A4188D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB0A4184B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB0A41923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB0A4190F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB0A41776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB0A41762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xB0A41877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB0A417F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB0A418E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB0A417E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB0A417B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AB0 7 Bytes JMP B0A417B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80577F8E 5 Bytes JMP B0A4178E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B0E34 7 Bytes JMP B0A417CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B1C42 5 Bytes JMP B0A417E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B7218 7 Bytes JMP B0A417A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CA156 5 Bytes JMP B0A41714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CA3E2 5 Bytes JMP B0A41728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CCBA0 5 Bytes JMP B0A41766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805CFE76 7 Bytes JMP B0A41750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805CFF2C 5 Bytes JMP B0A4173C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D0436 5 Bytes JMP B0A4177A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D1680 5 Bytes JMP B0A417FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 8062065C 7 Bytes JMP B0A41891 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 806209AA 5 Bytes JMP B0A41913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80620C62 7 Bytes JMP B0A4187B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80620F2A 7 Bytes JMP B0A418E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80621770 7 Bytes JMP B0A418A7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80621FC8 7 Bytes JMP B0A4184F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806225A2 5 Bytes JMP B0A41825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80622A32 7 Bytes JMP B0A41839 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80622C02 7 Bytes JMP B0A41865 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80622DE2 7 Bytes JMP B0A418D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062304C 7 Bytes JMP B0A418BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80623938 5 Bytes JMP B0A41811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80623C5C 7 Bytes JMP B0A4193B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 80624182 5 Bytes JMP B0A41927 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 8062429C 5 Bytes JMP B0A418FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\explorer.exe[180] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001A000A
.text C:\WINDOWS\explorer.exe[180] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001A0F83
.text C:\WINDOWS\explorer.exe[180] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001A0078
.text C:\WINDOWS\explorer.exe[180] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001A0067
.text C:\WINDOWS\explorer.exe[180] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001A0F9E
.text C:\WINDOWS\explorer.exe[180] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001A0025
.text C:\WINDOWS\explorer.exe[180] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001A00C4
.text C:\WINDOWS\explorer.exe[180] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001A0F72
.text C:\WINDOWS\explorer.exe[180] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001A00F0
.text C:\WINDOWS\explorer.exe[180] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001A00D5
.text C:\WINDOWS\explorer.exe[180] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 001A0F46
.text C:\WINDOWS\explorer.exe[180] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 001A0040
.text C:\WINDOWS\explorer.exe[180] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\explorer.exe[180] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 001A0093
.text C:\WINDOWS\explorer.exe[180] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 001A0FC3
.text C:\WINDOWS\explorer.exe[180] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 001A0FDE
.text C:\WINDOWS\explorer.exe[180] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 001A0F57
.text C:\WINDOWS\explorer.exe[180] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00280036
.text C:\WINDOWS\explorer.exe[180] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00280069
.text C:\WINDOWS\explorer.exe[180] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0028001B
.text C:\WINDOWS\explorer.exe[180] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0028000A
.text C:\WINDOWS\explorer.exe[180] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00280058
.text C:\WINDOWS\explorer.exe[180] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00280FE5
.text C:\WINDOWS\explorer.exe[180] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00280FB6
.text C:\WINDOWS\explorer.exe[180] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [48, 88]
.text C:\WINDOWS\explorer.exe[180] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00280047
.text C:\WINDOWS\explorer.exe[180] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00290FB7
.text C:\WINDOWS\explorer.exe[180] msvcrt.dll!system 77C293C7 5 Bytes JMP 00290FC8
.text C:\WINDOWS\explorer.exe[180] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0029002E
.text C:\WINDOWS\explorer.exe[180] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00290000
.text C:\WINDOWS\explorer.exe[180] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00290FD9
.text C:\WINDOWS\explorer.exe[180] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00290011
.text C:\WINDOWS\explorer.exe[180] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 002B0000
.text C:\WINDOWS\explorer.exe[180] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\explorer.exe[180] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 002B001B
.text C:\WINDOWS\explorer.exe[180] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 002B002C
.text C:\WINDOWS\explorer.exe[180] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00F20FEF
.text C:\WINDOWS\system32\wuauclt.exe[396] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001B0000
.text C:\WINDOWS\system32\wuauclt.exe[396] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001B00B8
.text C:\WINDOWS\system32\wuauclt.exe[396] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001B00A7
.text C:\WINDOWS\system32\wuauclt.exe[396] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001B0080
.text C:\WINDOWS\system32\wuauclt.exe[396] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001B0FC3
.text C:\WINDOWS\system32\wuauclt.exe[396] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001B0FD4
.text C:\WINDOWS\system32\wuauclt.exe[396] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001B00DF
.text C:\WINDOWS\system32\wuauclt.exe[396] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001B0F8D
.text C:\WINDOWS\system32\wuauclt.exe[396] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001B0112
.text C:\WINDOWS\system32\wuauclt.exe[396] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001B0101
.text C:\WINDOWS\system32\wuauclt.exe[396] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 001B0123
.text C:\WINDOWS\system32\wuauclt.exe[396] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 001B005B
.text C:\WINDOWS\system32\wuauclt.exe[396] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 001B001B
.text C:\WINDOWS\system32\wuauclt.exe[396] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 001B0F9E
.text C:\WINDOWS\system32\wuauclt.exe[396] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 001B004A
.text C:\WINDOWS\system32\wuauclt.exe[396] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[396] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 001B00F0
.text C:\WINDOWS\system32\wuauclt.exe[396] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00290F8B
.text C:\WINDOWS\system32\wuauclt.exe[396] msvcrt.dll!system 77C293C7 5 Bytes JMP 00290F9C
.text C:\WINDOWS\system32\wuauclt.exe[396] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00290FB7
.text C:\WINDOWS\system32\wuauclt.exe[396] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00290FEF
.text C:\WINDOWS\system32\wuauclt.exe[396] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0029000C
.text C:\WINDOWS\system32\wuauclt.exe[396] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00290FDE
.text C:\WINDOWS\system32\wuauclt.exe[396] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A001B
.text C:\WINDOWS\system32\wuauclt.exe[396] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A0F79
.text C:\WINDOWS\system32\wuauclt.exe[396] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A0000
.text C:\WINDOWS\system32\wuauclt.exe[396] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A0FCA
.text C:\WINDOWS\system32\wuauclt.exe[396] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 002A0036
.text C:\WINDOWS\system32\wuauclt.exe[396] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 002A0FE5
.text C:\WINDOWS\system32\wuauclt.exe[396] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 002A0F94
.text C:\WINDOWS\system32\wuauclt.exe[396] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [4A, 88]
.text C:\WINDOWS\system32\wuauclt.exe[396] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 002A0FAF
.text C:\WINDOWS\system32\services.exe[844] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[844] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00070F72
.text C:\WINDOWS\system32\services.exe[844] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00070067
.text C:\WINDOWS\system32\services.exe[844] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00070F8D
.text C:\WINDOWS\system32\services.exe[844] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00070F9E
.text C:\WINDOWS\system32\services.exe[844] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\services.exe[844] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00070F3C
.text C:\WINDOWS\system32\services.exe[844] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00070F4D
.text C:\WINDOWS\system32\services.exe[844] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00070F17
.text C:\WINDOWS\system32\services.exe[844] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 000700BA
.text C:\WINDOWS\system32\services.exe[844] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00070EFC
.text C:\WINDOWS\system32\services.exe[844] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00070040
.text C:\WINDOWS\system32\services.exe[844] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[844] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00070078
.text C:\WINDOWS\system32\services.exe[844] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00070FAF
.text C:\WINDOWS\system32\services.exe[844] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[844] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 0007009F
.text C:\WINDOWS\system32\services.exe[844] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0006002F
.text C:\WINDOWS\system32\services.exe[844] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060FA8
.text C:\WINDOWS\system32\services.exe[844] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060FDE
.text C:\WINDOWS\system32\services.exe[844] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[844] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 0006006F
.text C:\WINDOWS\system32\services.exe[844] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 0006000A
.text C:\WINDOWS\system32\services.exe[844] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00060FC3
.text C:\WINDOWS\system32\services.exe[844] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [26, 88]
.text C:\WINDOWS\system32\services.exe[844] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 0006004A
.text C:\WINDOWS\system32\services.exe[844] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050042
.text C:\WINDOWS\system32\services.exe[844] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050FC1
.text C:\WINDOWS\system32\services.exe[844] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050027
.text C:\WINDOWS\system32\services.exe[844] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[844] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050FD2
.text C:\WINDOWS\system32\services.exe[844] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050FE3
.text C:\WINDOWS\system32\services.exe[844] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00F30000
.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00F30089
.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00F3006E
.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00F30F94
.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00F30FA5
.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00F3003D
.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00F30F52
.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00F300A4
.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00F300D0
.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00F300B5
.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00F300EB
.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00F30FB6
.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00F3001B
.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00F30F79
.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00F3002C
.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00F30FE5
.text C:\WINDOWS\system32\lsass.exe[856] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00F30F37
.text C:\WINDOWS\system32\lsass.exe[856] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F20014
.text C:\WINDOWS\system32\lsass.exe[856] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F20F7C
.text C:\WINDOWS\system32\lsass.exe[856] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F20FC3
.text C:\WINDOWS\system32\lsass.exe[856] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F20FDE
.text C:\WINDOWS\system32\lsass.exe[856] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00F20039
.text C:\WINDOWS\system32\lsass.exe[856] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00F20FEF
.text C:\WINDOWS\system32\lsass.exe[856] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00F20F97
.text C:\WINDOWS\system32\lsass.exe[856] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [12, 89]
.text C:\WINDOWS\system32\lsass.exe[856] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00F20FA8
.text C:\WINDOWS\system32\lsass.exe[856] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F10049
.text C:\WINDOWS\system32\lsass.exe[856] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F10FBE
.text C:\WINDOWS\system32\lsass.exe[856] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F1001D
.text C:\WINDOWS\system32\lsass.exe[856] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F1000C
.text C:\WINDOWS\system32\lsass.exe[856] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F1002E
.text C:\WINDOWS\system32\lsass.exe[856] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F10FEF
.text C:\WINDOWS\system32\lsass.exe[856] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00E30FE5
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00CF0000
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00CF007D
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00CF0F88
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00CF0F99
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00CF0062
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00CF0FD1
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00CF0F52
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00CF0F63
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00CF00DA
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00CF00BF
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 00CF0F26
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 00CF0FC0
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00CF001B
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 00CF008E
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 00CF0047
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 00CF002C
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 00CF0F41
.text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CE0FCA
.text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CE006C
.text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CE001B
.text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CE0000
.text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00CE0051
.text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00CE0FEF
.text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00CE0FAF
.text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [EE, 88]
.text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00CE0036
.text C:\WINDOWS\system32\svchost.exe[1060] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CD0064
.text C:\WINDOWS\system32\svchost.exe[1060] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CD0053
.text C:\WINDOWS\system32\svchost.exe[1060] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CD0027
.text C:\WINDOWS\system32\svchost.exe[1060] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CD0FEF
.text C:\WINDOWS\system32\svchost.exe[1060] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CD0042
.text C:\WINDOWS\system32\svchost.exe[1060] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CD000C
.text C:\WINDOWS\system32\svchost.exe[1060] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00C60FE5
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 009C0000
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 009C0F6B
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 009C0F86
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 009C0F97
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 009C0FB2
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 009C002F
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 009C0F22
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 009C0F3F
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 009C0EEF
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 009C0F00
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 009C0EDE
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 009C004A
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 009C0FEF
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 009C0F50
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 009C0FC3
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 009C0FDE
.text C:\WINDOWS\system32\svchost.exe[1140] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 009C0F11
.text C:\WINDOWS\system32\svchost.exe[1140] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009B0FCA
.text C:\WINDOWS\system32\svchost.exe[1140] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009B0F79
.text C:\WINDOWS\system32\svchost.exe[1140] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009B001B
.text C:\WINDOWS\system32\svchost.exe[1140] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009B0FE5
.text C:\WINDOWS\system32\svchost.exe[1140] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 009B0F8A
.text C:\WINDOWS\system32\svchost.exe[1140] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 009B0000
.text C:\WINDOWS\system32\svchost.exe[1140] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 009B0F9B
.text C:\WINDOWS\system32\svchost.exe[1140] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [BB, 88]
.text C:\WINDOWS\system32\svchost.exe[1140] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 009B002C
.text C:\WINDOWS\system32\svchost.exe[1140] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009A0FD2
.text C:\WINDOWS\system32\svchost.exe[1140] msvcrt.dll!system 77C293C7 5 Bytes JMP 009A0FE3
.text C:\WINDOWS\system32\svchost.exe[1140] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009A0038
.text C:\WINDOWS\system32\svchost.exe[1140] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009A0000
.text C:\WINDOWS\system32\svchost.exe[1140] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009A0049
.text C:\WINDOWS\system32\svchost.exe[1140] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009A001D
.text C:\WINDOWS\system32\svchost.exe[1140] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00990000
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 03220FEF
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 03220F46
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 03220F61
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 03220F72
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 03220025
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 03220FA8
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 03220082
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 03220067
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 03220EFD
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 03220F0E
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 03220EEC
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 03220F8D
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 0322000A
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 03220056
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 03220FB9
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 03220FD4
.text C:\WINDOWS\System32\svchost.exe[1180] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 03220F1F
.text C:\WINDOWS\System32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03050FC0
.text C:\WINDOWS\System32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03050F94
.text C:\WINDOWS\System32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03050FDB
.text C:\WINDOWS\System32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03050011
.text C:\WINDOWS\System32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 03050047
.text C:\WINDOWS\System32\svchost.exe[1180] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 03050000
.text C:\WINDOWS\System32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 03050FA5
.text C:\WINDOWS\System32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [25, 8B]
.text C:\WINDOWS\System32\svchost.exe[1180] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 0305002C
.text C:\WINDOWS\System32\svchost.exe[1180] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03040047
.text C:\WINDOWS\System32\svchost.exe[1180] msvcrt.dll!system 77C293C7 5 Bytes JMP 03040FBC
.text C:\WINDOWS\System32\svchost.exe[1180] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03040011
.text C:\WINDOWS\System32\svchost.exe[1180] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03040FE3
.text C:\WINDOWS\System32\svchost.exe[1180] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0304002C
.text C:\WINDOWS\System32\svchost.exe[1180] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03040000
.text C:\WINDOWS\System32\svchost.exe[1180] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 03020FEF
.text C:\WINDOWS\System32\svchost.exe[1180] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 03030FE5
.text C:\WINDOWS\System32\svchost.exe[1180] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 03030000
.text C:\WINDOWS\System32\svchost.exe[1180] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 03030FD4
.text C:\WINDOWS\System32\svchost.exe[1180] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 03030FC3
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 007E0000
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!VirtualProtectEx 7C801A5D 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 007E0F61
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 007E0F7C
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 007E0F97
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 007E0FB2
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 007E0FD4
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 007E0F1F
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 007E0071
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 007E0F04
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 007E009D
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 007E0EDF
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 007E0FC3
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 007E001B
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 007E0F50
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 007E0FE5
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 007E002C
.text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 007E0082
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007D0FC3
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007D0054
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007D0014
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007D0FD4
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 007D0F97
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 007D0FEF
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 5 Bytes JMP 007D0039
.text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 007D0FB2
.text C:\WINDOWS\system32\svchost.exe[1304] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007C0036
.text C:\WINDOWS\system32\svchost.exe[1304] msvcrt.dll!system 77C293C7 5 Bytes JMP 007C0025
.text C:\WINDOWS\system32\svchost.exe[1304] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007C0FB5
.text C:\WINDOWS\system32\svchost.exe[1304] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007C0FE3
.text C:\WINDOWS\system32\svchost.exe[1304] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007C000A
.text C:\WINDOWS\system32\svchost.exe[1304] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007C0FC6
.text C:\WINDOWS\system32\svchost.exe[1304] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 007B0FEF
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 008F0000
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 008F0F79
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 008F006E
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 008F0051
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 008F0F94
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 008F0FAF
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 008F0F4B
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 008F0093
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008F00C6
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008F00B5
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 008F0F12
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 008F0036
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 008F0FE5
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 008F0F68
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 008F0FC0
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 008F0011
.text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 008F00A4
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 008E0022
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 008E0062
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 008E0FD1
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 008E0011
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 008E0047
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 008E0000
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 008E0FA5
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [AE, 88]
.text C:\WINDOWS\system32\svchost.exe[1332] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 008E0FB6
.text C:\WINDOWS\system32\svchost.exe[1332] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008D0049
.text C:\WINDOWS\system32\svchost.exe[1332] msvcrt.dll!system 77C293C7 5 Bytes JMP 008D0FB4
.text C:\WINDOWS\system32\svchost.exe[1332] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008D0FE3
.text C:\WINDOWS\system32\svchost.exe[1332] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008D0000
.text C:\WINDOWS\system32\svchost.exe[1332] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008D002E
.text C:\WINDOWS\system32\svchost.exe[1332] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008D0011
.text C:\WINDOWS\system32\svchost.exe[1332] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 008C0FEF
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 007A0000
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 007A00A0
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 007A007B
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 007A0FA1
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 007A0FB2
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 007A0040
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 007A0F62
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 007A0F73
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 007A0F47
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 007A00E0
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 007A0F2C
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 007A0FC3
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 007A001B
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 007A0F90
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 007A0FD4
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 007A0FE5
.text C:\WINDOWS\system32\svchost.exe[1760] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 007A00C5
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00650025
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0065005B
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00650FD4
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00650FEF
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 0065004A
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 0065000A
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00650FA8
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [85, 88]
.text C:\WINDOWS\system32\svchost.exe[1760] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00650FB9
.text C:\WINDOWS\system32\svchost.exe[1760] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00640FAD
.text C:\WINDOWS\system32\svchost.exe[1760] msvcrt.dll!system 77C293C7 5 Bytes JMP 00640038
.text C:\WINDOWS\system32\svchost.exe[1760] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00640FC8
.text C:\WINDOWS\system32\svchost.exe[1760] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00640000
.text C:\WINDOWS\system32\svchost.exe[1760] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00640027
.text C:\WINDOWS\system32\svchost.exe[1760] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00640FE3
.text C:\WINDOWS\system32\svchost.exe[1760] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 00630FEF
.text C:\WINDOWS\system32\svchost.exe[1760] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 0063000A
.text C:\WINDOWS\system32\svchost.exe[1760] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 00630027
.text C:\WINDOWS\system32\svchost.exe[1760] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 00630FD4
.text C:\WINDOWS\system32\svchost.exe[1760] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 0062000A
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2008] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2008] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\System32\svchost.exe[4404] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001A000A
.text C:\WINDOWS\System32\svchost.exe[4404] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001A00A4
.text C:\WINDOWS\System32\svchost.exe[4404] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001A0FAF
.text C:\WINDOWS\System32\svchost.exe[4404] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001A0093
.text C:\WINDOWS\System32\svchost.exe[4404] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001A006C
.text C:\WINDOWS\System32\svchost.exe[4404] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\System32\svchost.exe[4404] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001A0F6D
.text C:\WINDOWS\System32\svchost.exe[4404] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001A00B5
.text C:\WINDOWS\System32\svchost.exe[4404] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001A0106
.text C:\WINDOWS\System32\svchost.exe[4404] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001A00EB
.text C:\WINDOWS\System32\svchost.exe[4404] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 001A0117
.text C:\WINDOWS\System32\svchost.exe[4404] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 001A0FCA
.text C:\WINDOWS\System32\svchost.exe[4404] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 001A001B
.text C:\WINDOWS\System32\svchost.exe[4404] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 001A0F8A
.text C:\WINDOWS\System32\svchost.exe[4404] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 001A0051
.text C:\WINDOWS\System32\svchost.exe[4404] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 001A0036
.text C:\WINDOWS\System32\svchost.exe[4404] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 001A00D0
.text C:\WINDOWS\System32\svchost.exe[4404] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00280FCA
.text C:\WINDOWS\System32\svchost.exe[4404] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0028005B
.text C:\WINDOWS\System32\svchost.exe[4404] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00280025
.text C:\WINDOWS\System32\svchost.exe[4404] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00280FEF
.text C:\WINDOWS\System32\svchost.exe[4404] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00280F9E
.text C:\WINDOWS\System32\svchost.exe[4404] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00280000
.text C:\WINDOWS\System32\svchost.exe[4404] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00280FAF
.text C:\WINDOWS\System32\svchost.exe[4404] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [48, 88]
.text C:\WINDOWS\System32\svchost.exe[4404] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00280036
.text C:\WINDOWS\System32\svchost.exe[4404] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003D0038
.text C:\WINDOWS\System32\svchost.exe[4404] msvcrt.dll!system 77C293C7 5 Bytes JMP 003D0FAD
.text C:\WINDOWS\System32\svchost.exe[4404] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003D0FD2
.text C:\WINDOWS\System32\svchost.exe[4404] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003D000C
.text C:\WINDOWS\System32\svchost.exe[4404] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003D001D
.text C:\WINDOWS\System32\svchost.exe[4404] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003D0FEF
.text C:\WINDOWS\System32\svchost.exe[4404] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00650FE5
.text C:\WINDOWS\explorer.exe[5940] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\explorer.exe[5940] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001A0080
.text C:\WINDOWS\explorer.exe[5940] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001A006F
.text C:\WINDOWS\explorer.exe[5940] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001A0054
.text C:\WINDOWS\explorer.exe[5940] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001A0039
.text C:\WINDOWS\explorer.exe[5940] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001A0F97
.text C:\WINDOWS\explorer.exe[5940] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001A0F53
.text C:\WINDOWS\explorer.exe[5940] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001A009B
.text C:\WINDOWS\explorer.exe[5940] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001A0F24
.text C:\WINDOWS\explorer.exe[5940] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001A00C7
.text C:\WINDOWS\explorer.exe[5940] kernel32.dll!GetProcAddress 7C80ADB0 5 Bytes JMP 001A0F09
.text C:\WINDOWS\explorer.exe[5940] kernel32.dll!LoadLibraryW 7C80AE5B 5 Bytes JMP 001A001E
.text C:\WINDOWS\explorer.exe[5940] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 001A0FDE
.text C:\WINDOWS\explorer.exe[5940] kernel32.dll!CreatePipe 7C81E0D7 5 Bytes JMP 001A0F70
.text C:\WINDOWS\explorer.exe[5940] kernel32.dll!CreateNamedPipeW 7C82F0EF 5 Bytes JMP 001A0FA8
.text C:\WINDOWS\explorer.exe[5940] kernel32.dll!CreateNamedPipeA 7C85FE94 5 Bytes JMP 001A0FC3
.text C:\WINDOWS\explorer.exe[5940] kernel32.dll!WinExec 7C86158D 5 Bytes JMP 001A00AC
.text C:\WINDOWS\explorer.exe[5940] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0028002C
.text C:\WINDOWS\explorer.exe[5940] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00280F94
.text C:\WINDOWS\explorer.exe[5940] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0028001B
.text C:\WINDOWS\explorer.exe[5940] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00280000
.text C:\WINDOWS\explorer.exe[5940] ADVAPI32.dll!RegCreateKeyExA 77DDE9D4 5 Bytes JMP 00280051
.text C:\WINDOWS\explorer.exe[5940] ADVAPI32.dll!RegOpenKeyA 77DDEFA8 5 Bytes JMP 00280FE5
.text C:\WINDOWS\explorer.exe[5940] ADVAPI32.dll!RegCreateKeyW 77DFBA3D 2 Bytes JMP 00280FAF
.text C:\WINDOWS\explorer.exe[5940] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA40 2 Bytes [48, 88]
.text C:\WINDOWS\explorer.exe[5940] ADVAPI32.dll!RegCreateKeyA 77DFBCDB 5 Bytes JMP 00280FC0
.text C:\WINDOWS\explorer.exe[5940] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00290055
.text C:\WINDOWS\explorer.exe[5940] msvcrt.dll!system 77C293C7 5 Bytes JMP 00290044
.text C:\WINDOWS\explorer.exe[5940] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00290FDE
.text C:\WINDOWS\explorer.exe[5940] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0029000C
.text C:\WINDOWS\explorer.exe[5940] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00290029
.text C:\WINDOWS\explorer.exe[5940] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00290FEF
.text C:\WINDOWS\explorer.exe[5940] WININET.dll!InternetOpenW 771BAF6D 5 Bytes JMP 002B0014
.text C:\WINDOWS\explorer.exe[5940] WININET.dll!InternetOpenA 771C57BE 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\explorer.exe[5940] WININET.dll!InternetOpenUrlA 771C5A8A 5 Bytes JMP 002B0031
.text C:\WINDOWS\explorer.exe[5940] WININET.dll!InternetOpenUrlW 771D5C0F 5 Bytes JMP 002B0042
.text C:\WINDOWS\explorer.exe[5940] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00FA0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat AA3ADC8A

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\frankee\Application Data\Move Networks\QMCache00\540E2E2FCA1E8B42B4D14F6EEF4D931E0000018A0095DA6707A6B.qss 0 bytes
File C:\Documents and Settings\frankee\Application Data\Move Networks\QMCache00\540E2E2FCA1E8B42B4D14F6EEF4D931E0000018B0095B4A103EE9.qss 0 bytes
File C:\Documents and Settings\frankee\Application Data\Move Networks\QMCache00\540E2E2FCA1E8B42B4D14F6EEF4D931E0000018C0095D7900809A.qss 382864 bytes
File C:\Documents and Settings\frankee\Application Data\Move Networks\QMCache00\540E2E2FCA1E8B42B4D14F6EEF4D931E0000018D009594D3089BE.qss 365779 bytes
File C:\Documents and Settings\frankee\Application Data\Move Networks\QMCache00\540E2E2FCA1E8B42B4D14F6EEF4D931E0000018E00958D1C07F30.qss 363804 bytes
File C:\Documents and Settings\frankee\Application Data\Move Networks\QMCache00\540E2E2FCA1E8B42B4D14F6EEF4D931E0000018F00955BF607275.qss 351222 bytes
File C:\Documents and Settings\frankee\Application Data\Move Networks\QMCache00\540E2E2FCA1E8B42B4D14F6EEF4D931E000001900095868204A62.qss 362114 bytes
File C:\Documents and Settings\frankee\Application Data\Move Networks\QMCache00\540E2E2FCA1E8B42B4D14F6EEF4D931E000001910095A21506E63.qss 0 bytes
File C:\Documents and Settings\frankee\Application Data\Move Networks\QMCache00\540E2E2FCA1E8B42B4D14F6EEF4D931E00000188009601EF059C9.qss 0 bytes
File C:\Documents and Settings\frankee\Application Data\Move Networks\QMCache00\540E2E2FCA1E8B42B4D14F6EEF4D931E000001890095CE67034B8.qss 0 bytes

---- EOF - GMER 1.0.15 ----
francis89
Active Member
 
Posts: 12
Joined: February 25th, 2009, 9:19 pm
Top

Re: Please help me! Need malware removed!

Unread postby francis89 » November 25th, 2009, 9:25 pm

hijackthis:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:42:18 PM, on 11/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\frankee\Desktop\b2m0osis.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080303
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080303
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080303
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://partnerpage.google.com/smallbiz. ... bd=6080303
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [DellAutomatedPCTuneUp] "C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [rsotjtxm] C:\Documents and Settings\frankee\Local Settings\Application Data\ktktek\pbsysysguard.exe
O4 - HKUS\S-1-5-21-3707664285-3799962952-1332791384-1007\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User 'frankie')
O4 - Global Startup: Dell Network Assistant.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: McAfee Security Scan.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DellAMBrokerService - Unknown owner - C:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9563 bytes
francis89
Active Member
 
Posts: 12
Joined: February 25th, 2009, 9:19 pm
Top

Re: Please help me! Need malware removed!

Unread postby deltalima » November 26th, 2009, 8:32 am

Hi francis89,

Please re-open HijackThis and select Scan. Check the boxes next to all the entries listed below (if present):

O4 - HKCU\..\Run: [rsotjtxm] C:\Documents and Settings\frankee\Local Settings\Application Data\ktktek\pbsysysguard.exe
O4 - HKLM\..\Run: [rsotjtxm] C:\Documents and Settings\frankee\Local Settings\Application Data\ktktek\pbsysysguard.exe

Now close all other open windows and then click on Fix Checked. Close HijackThis.

Now you need to show all files and folders

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck Hide file extensions for known file types* Uncheck the Hide protected operating system files (recommended) option.
  • Click Apply to confirm.
  • Click OK

Using Windows Explorer (to get there right-click your Start button and go to Explore), please delete this folder (if present):
C:\Documents and Settings\frankee\Local Settings\Application Data\ktktek

Now please reboot the computer.

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log and also let me know how your computer is runnig now.
.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
Top

Re: Please help me! Need malware removed!

Unread postby Carolyn » November 30th, 2009, 4:39 pm

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
User avatar
Carolyn
MRU Emeritus
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine
Top
Advertisement
Register to Remove
Topic locked
  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 542 guests

The teamDelete all board cookiesAll times are UTC - 5 hours [ DST ]

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware

Board index