Computer running sluggishly

Postby tomvilfroy » Sat Apr 18, 2009 4:08 pm

Seems there are times when the computer is very sluggish. More so when the browsers are open, and there are times that when the Task Manager is open, you can see the browser is in a state of "Not Running" (or whatever it says there)... and this is for LONG periods of time (minutes). Yes, I know there are times when it needs to clear out the cache... but it is pretty excessive.

Also noticed when I boot up, it looks like the computer is trying to open up a browser session to some site. I do run Spybot every day and it doesn't seem to find the problem.

To give you how bad the computer lag is, I'm a touch typist and I'm waiting on the words to appear on the screen...plus 2 times while typing this message, the cursor went to a wait state.

Thanks for the help Patrik (or whomever)

Here is the log file :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:15 AM, on 4/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe
C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
C:\WINDOWS\system32\ctfmon.exe
C:\program files\ncsoft\launcher\NCLauncher.exe
C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoFXM08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html ... TP&M=T3524
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [MegaPanel] C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Nitro PDF Printer Monitor] "C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NielsenOnline] C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PlayNC Launcher] C:\program files\ncsoft\launcher\NCLauncher.exe /Minimized
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: hp officejet 4100 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 8447324500
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BCL easyPDF SDK 5 Loader (bepldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\NitroPDF5\bepldr.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 10496 bytes
tomvilfroy
Posts: 61
Joined: Sun Dec 14, 2008 2:56 am
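
The HijackThis log posted above is a flat list of tagged entries: R0/R1 for Internet Explorer start and search settings, O2 for browser helper objects, O3 for toolbars, O4 for autorun keys and startup shortcuts, O23 for services. Reviewers such as the helpers on this forum scan it for a handful of patterns: registrations that point at "(no file)", services whose publisher is "Unknown owner", autoruns that name a bare executable with no path, and Global Startup shortcuts whose target shows as "?". The script below is an added example written for this page, not part of the thread and not code from HijackThis; it parses that line format and flags those patterns. Every sample line, file name and GUID in it is constructed for the example, and the flag heuristics are this example's own choice, not an official HijackThis rule set.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this page (not part of the forum thread and not
HijackThis code).  It parses the R*/O* entries that make up an HJT log
and flags the ones a reviewer looks at first.
"""
import re
from collections import Counter

# One HijackThis entry: a section tag (R0, O2, O4, O23 ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")

# Matches the body of an O4 Run-key entry and captures the command line.
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Sample lines constructed for this example in the format HijackThis uses.
# Paths, names and GUIDs are invented; they are not from the log above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/start
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - (no file)
O3 - Toolbar: (no name) - {00000000-0000-0000-0000-000000000003} - (no file)
O4 - HKLM\..\Run: [Sound] SNDCTL.EXE
O4 - HKLM\..\Run: [Updater] "C:\Program Files\Example\updater.exe" /quiet
O4 - Global Startup: printer monitor.lnk = ?
O23 - Service: Example Service (ExampleSvc) - Example Corp. - C:\Program Files\Example\svc.exe
O23 - Service: Mystery Service (MystSvc) - Unknown owner - C:\WINDOWS\system32\myst.exe
--
End of file - 1 bytes
"""


def first_executable(cmd):
    """Return the program named by a Run-key command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def classify(section, body):
    """Return the list of review flags for one entry (empty if nothing stands out)."""
    flags = []
    if body.endswith("(no file)"):
        flags.append("orphaned registration (file missing)")
    if section == "O23" and " - Unknown owner - " in body:
        flags.append("service with unknown publisher")
    if section == "O4":
        if body.startswith("Global Startup:") and body.endswith("= ?"):
            flags.append("startup shortcut with unresolved target")
        m = RUN_RE.match(body)
        if m:
            exe = first_executable(m.group("cmd"))
            # A bare file name is located by PATH search at logon, so the
            # reviewer cannot tell from the log which file actually runs.
            if "\\" not in exe and exe.lower().endswith(".exe"):
                flags.append("autorun names a bare executable (resolved via PATH search)")
    return flags


def parse_log(text):
    """Parse an HJT log into a list of {section, body, flags} dicts."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, footer and blank lines are not entries
        section, body = m.group("section"), m.group("body")
        entries.append({"section": section, "body": body, "flags": classify(section, body)})
    return entries


def section_counts(entries):
    """How many entries of each section tag the log contains."""
    return Counter(e["section"] for e in entries)


def flagged(entries):
    """Only the entries that carry at least one review flag."""
    return [e for e in entries if e["flags"]]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("entries per section:", dict(section_counts(parsed)))
    for e in flagged(parsed):
        print(f"{e['section']}: {e['body']}")
        for f in e["flags"]:
            print(f"    -> {f}")
```

Run against the log above, the same heuristics would pick out the two "(no file)" entries (an O2 BHO and an O3 toolbar), the two services listed with "Unknown owner", the two ".lnk = ?" Global Startup items and the Run-key entries that name only RTHDCPL.EXE, nwiz.exe or RUNDLL32.EXE without a path. A flag means "look at this entry", not "this is malware": orphaned registrations are common leftovers of uninstalls, and the bare-name autoruns here belong to sound and display drivers, which is consistent with the moderator's reading that the log looks fine.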

Re: Computer running sluggishly

Postby patrik » Sun Apr 19, 2009 3:06 pm

Hello tomvilfroy.

HijackThis log looks ok.
Download Avenger from here and unzip to your desktop.
Run Avenger, make sure that the box next to "Scan for rootkits" has a tick in it and that the box next to "Automatically disable any rootkits found" does not have a tick in it, then click on ‘Execute’.
Afterwards, Windows restarts, and opens the log generated by The Avenger so you can see the results. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).

Download RSIT by random/random from here and save it to your desktop.
* Double click on RSIT.exe to run RSIT.
* Click Continue at the disclaimer screen.
* Once it has finished, two logs will open.

Post back with the Avenger log + both RSIT logs. Post each log in a separate post.
patrik
Site Admin
Posts: 7026
Joined: Sun Jan 08, 2006 1:11 pm

Re: Computer running sluggishly

Postby tomvilfroy » Sun Apr 19, 2009 4:44 pm

Patrik

A few things to add:

1) Took forever this morning to open browser windows. Plus, during the reboot for Avenger, I still saw a prompt that said something to the effect of "You are opening something over an unsecure" something. Wish I had written down the whole text. Said Cancel to that window.

2) RSIT only had one log file.

Log files to follow in respective posts.
tomvilfroy
Posts: 61
Joined: Sun Dec 14, 2008 2:56 am

Re: Computer running sluggishly

Postby tomvilfroy » Sun Apr 19, 2009 4:44 pm

Avenger log :

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.
tomvilfroy
Posts: 61
Joined: Sun Dec 14, 2008 2:56 am

Re: Computer running sluggishly

Postby tomvilfroy » Sun Apr 19, 2009 4:45 pm

RSIT log file :

Logfile of random's system information tool 1.06 (written by random/random)
Run by Owner at 2009-04-19 10:38:59
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 91 GB (61%) free of 148 GB
Total RAM: 1022 MB (41% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:39:20 AM, on 4/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe
C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
C:\WINDOWS\system32\ctfmon.exe
C:\program files\ncsoft\launcher\NCLauncher.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoFXM08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Owner\Desktop\RSIT(2).exe
C:\Program Files\Trend Micro\HijackThis\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html ... TP&M=T3524
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [MegaPanel] C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Nitro PDF Printer Monitor] "C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NielsenOnline] C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PlayNC Launcher] C:\program files\ncsoft\launcher\NCLauncher.exe /Minimized
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: hp officejet 4100 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 8447324500
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BCL easyPDF SDK 5 Loader (bepldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\NitroPDF5\bepldr.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 10564 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp officejet 4100 series#1175808469.job
C:\WINDOWS\tasks\ISP signup reminder 1.job
C:\WINDOWS\tasks\ISP signup reminder 2.job
C:\WINDOWS\tasks\ISP signup reminder 3.job
C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job
C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job
C:\WINDOWS\tasks\Spybot - Search & Destroy Updater - Scheduled Task.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll [2008-05-15 817936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan\scriptsn.dll [2007-11-09 58688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
CBrowserHelperObject Object - c:\windows\system32\BAE.dll [2006-01-31 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-09 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-09 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0BF43445-2F28-4351-9252-17FE6E806AA0}
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll [2008-05-15 817936]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2005-01-12 32768]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2006-04-17 16143872]
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE [2002-09-14 212992]
"Reminder"=C:\WINDOWS\Creator\Remind_XP.exe [2005-02-25 966656]
"MegaPanel"=C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe [2006-05-11 2064384]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"Nitro PDF Printer Monitor"=C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe [2008-01-29 210208]
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2007-11-01 582992]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-09-17 13574144]
"nwiz"=nwiz.exe /install []
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-09-06 413696]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-09-17 86016]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]
"REGSHAVE"=C:\Program Files\REGSHAVE\REGSHAVE.EXE [2002-02-04 53248]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]
"NielsenOnline"=C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe [2008-10-31 45056]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"=NA []
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"PlayNC Launcher"=C:\program files\ncsoft\launcher\NCLauncher.exe [2009-04-16 38136]
"Messenger (Yahoo!)"=C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [2008-11-05 4347120]
"MsnMsgr"=C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe [2009-02-06 3885408]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
hp officejet 4100 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2006-01-15 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe"="C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main"
"C:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe"="C:\Program Files\Atari\Neverwinter Nights 2\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD"
"C:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe"="C:\Program Files\Atari\Neverwinter Nights 2\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater"
"C:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe"="C:\Program Files\Atari\Neverwinter Nights 2\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server"
"C:\Program Files\2K Games\Firaxis Games\Sid Meier's Railroads!\RailRoads.exe"="C:\Program Files\2K Games\Firaxis Games\Sid Meier's Railroads!\RailRoads.exe:*:Enabled:Sid Meier's Railroads!"
"C:\Program Files\DNA\btdna.exe"="C:\Program Files\DNA\btdna.exe:*:Enabled:DNA"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\Program Files\Reality Pump\Two Worlds\TwoWorlds.exe"="C:\Program Files\Reality Pump\Two Worlds\TwoWorlds.exe:*:Enabled:Two Worlds"
"C:\Program Files\Reality Pump\Two Worlds\TwoWorlds_RADEON.exe"="C:\Program Files\Reality Pump\Two Worlds\TwoWorlds_RADEON.exe:*:Enabled:Two Worlds"
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78f1cde1-4d8a-11db-9115-806d6172696f}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480


======List of files/folders created in the last 1 months======

2009-04-19 10:31:03 ----D---- C:\Avenger
2009-04-19 10:31:02 ----A---- C:\avenger.txt
2009-04-17 19:31:14 ----D---- C:\Documents and Settings\All Users\Application Data\PopCap
2009-04-17 19:28:20 ----D---- C:\Program Files\PopCap Games
2009-04-16 18:49:23 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-04-16 18:49:04 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-04-16 18:36:48 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-04-16 18:36:08 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-04-16 18:35:40 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-04-16 18:34:14 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2009-04-16 10:22:01 ----N---- C:\WINDOWS\system32\xpsp4res.dll
2009-04-07 11:27:50 ----D---- C:\Documents and Settings\Owner\Application Data\Days of Wonder, Inc
2009-04-07 11:13:08 ----D---- C:\Program Files\Memoir 44 Editor
2009-04-06 12:43:59 ----A---- C:\WINDOWS\nswatchdog.exe
2009-04-01 07:56:38 ----A---- C:\WINDOWS\system32\javaws.exe
2009-04-01 07:56:38 ----A---- C:\WINDOWS\system32\javaw.exe
2009-04-01 07:56:38 ----A---- C:\WINDOWS\system32\java.exe
2009-03-27 08:57:55 ----D---- C:\Program Files\VASSAL

======List of files/folders modified in the last 1 months======

2009-04-19 10:39:07 ----D---- C:\WINDOWS\Temp
2009-04-19 10:39:05 ----D---- C:\WINDOWS\Prefetch
2009-04-19 10:38:44 ----D---- C:\download
2009-04-19 10:31:03 ----D---- C:\WINDOWS\system32\drivers
2009-04-19 10:31:03 ----D---- C:\WINDOWS
2009-04-19 10:30:02 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-04-19 10:16:27 ----D---- C:\Program Files\Mozilla Firefox
2009-04-17 19:28:20 ----D---- C:\Program Files
2009-04-17 13:28:12 ----D---- C:\WINDOWS\system32
2009-04-16 20:43:11 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-04-16 20:38:48 ----D---- C:\Program Files\McAfee
2009-04-16 20:38:24 ----D---- C:\WINDOWS\system32\wbem
2009-04-16 20:38:24 ----D---- C:\WINDOWS\AppPatch
2009-04-16 18:49:31 ----HD---- C:\WINDOWS\inf
2009-04-16 18:49:26 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-04-16 18:49:11 ----A---- C:\WINDOWS\imsins.BAK
2009-04-16 18:48:52 ----SHD---- C:\WINDOWS\Installer
2009-04-16 18:47:49 ----D---- C:\WINDOWS\system32\CatRoot2
2009-04-16 18:47:21 ----D---- C:\WINDOWS\system32\en-US
2009-04-16 18:47:20 ----D---- C:\Program Files\Internet Explorer
2009-04-16 18:36:30 ----HD---- C:\WINDOWS\$hf_mig$
2009-04-16 18:35:37 ----D---- C:\email correspondance
2009-04-12 09:32:56 ----SD---- C:\Documents and Settings\Owner\Application Data\Microsoft
2009-04-06 08:57:24 ----A---- C:\WINDOWS\system32\MRT.exe
2009-04-01 07:56:20 ----D---- C:\Program Files\Java
2009-03-21 08:31:20 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-03-21 08:06:58 ----A---- C:\WINDOWS\system32\kernel32.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2007-11-22 201320]
R1 MPFP;MPFP; C:\WINDOWS\System32\Drivers\Mpfp.sys [2007-07-13 113952]
R1 nnrnstdi;nnrnstdi; C:\WINDOWS\system32\drivers\nnrnstdi.sys [2008-08-22 14336]
R2 atksgt;atksgt; C:\WINDOWS\system32\DRIVERS\atksgt.sys [2007-03-24 271360]
R2 lirsgt;lirsgt; C:\WINDOWS\system32\DRIVERS\lirsgt.sys [2007-03-24 18048]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2005-09-22 1094751]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-04-17 4262912]
R3 km_filter;km_filter; C:\WINDOWS\system32\drivers\km_filter.sys [2008-08-22 8832]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\WINDOWS\system32\drivers\mfeavfk.sys [2007-11-22 79304]
R3 mfebopk;McAfee Inc. mfebopk; C:\WINDOWS\system32\drivers\mfebopk.sys [2007-11-22 35240]
R3 mfesmfk;McAfee Inc. mfesmfk; C:\WINDOWS\system32\drivers\mfesmfk.sys [2007-12-02 40488]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-09-17 6132576]
R3 RTL8023xp;Realtek 10/100/1000 NIC Family all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2006-01-18 80512]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2006-01-15 1477632]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver; C:\WINDOWS\system32\DRIVERS\el575nd5.sys [2001-08-17 69692]
S3 FINEPIX_PCC;FinePix Digital Camera 030616; C:\WINDOWS\System32\Drivers\V4CB012D.SYS [2002-05-07 81700]
S3 FTDIBUS;USB Serial Converter Driver; C:\WINDOWS\system32\drivers\ftdibus.sys [2005-12-19 28449]
S3 FTSER2K;USB Serial Port Driver; C:\WINDOWS\system32\drivers\ftser2k.sys [2005-12-19 60572]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2003-03-09 51024]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2003-03-09 16080]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2003-03-09 21456]
S3 mferkdk;McAfee Inc. mferkdk; C:\WINDOWS\system32\drivers\mferkdk.sys [2007-11-22 33832]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2008-04-13 79232]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-09 152984]
R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2008-01-09 767976]
R2 McNASvc;McAfee Network Agent; c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2008-01-25 2458128]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2007-08-15 359248]
R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2007-07-24 144704]
R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2007-07-18 856864]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-09-17 163908]
R2 PrismXL;PrismXL; C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS [2006-09-26 172032]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
R3 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2007-12-05 695624]
S2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2006-01-15 405504]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2006-01-26 520192]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 bepldr;BCL easyPDF SDK 5 Loader; C:\Program Files\Common Files\BCL Technologies\NitroPDF5\bepldr.exe [2007-11-15 151552]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 36864]
S3 GameConsoleService;GameConsoleService; C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe [2008-05-05 165416]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376]
S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2007-11-07 378184]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2003-03-09 65795]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880]

-----------------EOF-----------------
tomvilfroy
 
Posts: 61
Joined: Sun Dec 14, 2008 2:56 am

Re: Computer running sluggishly

Postby patrik » Mon Apr 20, 2009 4:32 pm

I would check a few more.
Please scan your computer with Kaspersky Online Scanner. Save a report to your desktop.

If you have previously downloaded ComboFix, please delete that version now.
Download Combofix from here. Close any open browsers. Double click on combofix.exe and follow the prompts.

Post back with combofix log + Kaspersky online scan report.
patrik
Site Admin
 
Posts: 7026
Joined: Sun Jan 08, 2006 1:11 pm

Re: Computer running sluggishly

Postby tomvilfroy » Mon Apr 20, 2009 8:51 pm

Sorry, can't download Combofix. Every time I do, McAfee reports it as a trojan and deletes it.
tomvilfroy
 
Posts: 61
Joined: Sun Dec 14, 2008 2:56 am

Re: Computer running sluggishly

Postby patrik » Tue Apr 21, 2009 8:26 am

Sorry, can't download Combofix. Every time I do, McAfee reports it as a trojan and deletes it.

It's a false alert. Please disable your antivirus before using Combofix.

Also post here a Kaspersky scan report.
patrik
Site Admin
 
Posts: 7026
Joined: Sun Jan 08, 2006 1:11 pm

Re: Computer running sluggishly

Postby tomvilfroy » Tue Apr 21, 2009 11:23 am

Sadly, can't give you an online scanner log - it stops at 88% both times and thus there is no scan log to provide - this after running for 5 hr and 30 minutes.
tomvilfroy
 
Posts: 61
Joined: Sun Dec 14, 2008 2:56 am

Re: Computer running sluggishly

Postby patrik » Wed Apr 22, 2009 3:31 pm

Sadly, can't give you an online scanner log - it stops at 88% both times and thus there is no scan log to provide - this after running for 5 hr and 30 minutes.

Have you tried to download and run Combofix again?
patrik
Site Admin
 
Posts: 7026
Joined: Sun Jan 08, 2006 1:11 pm

Re: Computer running sluggishly

Postby tomvilfroy » Sun Apr 26, 2009 2:52 am

Yes and like I said, I can't seem to download it - it gets deleted every time it gets downloaded.
tomvilfroy
 
Posts: 61
Joined: Sun Dec 14, 2008 2:56 am

Re: Computer running sluggishly

Postby patrik » Mon Apr 27, 2009 11:46 am

Download GMER Antirootkit from here and unzip it to a folder that you create, such as C:\Gmer\.

Disconnect from the internet and disable all active protection so your security program drivers will not conflict with GMER's driver.
Double-click Gmer.exe to run the program.
When the program opens, click the ">>>" tab.
Click the "Rootkit/Malware" tab.
Select all drives that are connected to your system to be scanned.
Click the Scan button.
When the scan is finished, click Copy to save the scan log to the Windows clipboard.
Open Notepad or a similar text editor.
Paste the clipboard contents into a text file by clicking Edit -> Paste or pressing Ctrl + V.
Save the GMER scan log to your desktop.
Close GMER.

Post back with GMER log.
patrik
Site Admin
 
Posts: 7026
Joined: Sun Jan 08, 2006 1:11 pm
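An added example, not part of this thread, of GMER, or of the forum's own tooling: a small Python reader for the "User code sections" part of the log the steps above produce. It groups the inline hooks per process and DLL and rounds each JMP destination down to its 64 KiB region, so a reviewer can see at a glance whether all the detours in a process lead into the same few allocations instead of reading the log line by line. The sample lines are copied from the log posted later in this thread; the `Hook` class and the function names are the example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# One inline hook as GMER prints it under "---- User code sections ----", e.g.
#   .text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB0000
#   .text C:\WINDOWS\system32\svchost.exe[220] WININET.dll!InternetOpenUrlA + 4 78070BCE 1 Byte [88]
HOOK_RE = re.compile(
    r"^(?P<section>\.\w+|PAGE)\s+"
    r"(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<function>\S+)"
    r"(?:\s+\+\s+(?P<offset>\d+))?\s+"
    r"(?P<address>[0-9A-Fa-f]+)\s+"
    r"(?P<size>\d+)\s+Bytes?\s+"
    r"(?P<patch>.+)$"
)
JMP_RE = re.compile(r"^JMP\s+([0-9A-Fa-f]+)$")


@dataclass(frozen=True)
class Hook:                 # example's own type, not a GMER structure
    process: str            # image path of the hooked process
    pid: int
    module: str             # DLL whose export was patched, e.g. kernel32.dll
    function: str           # patched export, e.g. CreateFileA
    offset: int             # byte offset into the function (0 unless GMER printed "+ n")
    address: int            # virtual address of the patched bytes
    size: int               # number of bytes overwritten
    patch: str              # what is there now: "JMP <addr>" or a raw byte such as "[88]"

    def jmp_target(self) -> Optional[int]:
        """Destination of the detour, or None when the patch is not a JMP."""
        m = JMP_RE.match(self.patch)
        return int(m.group(1), 16) if m else None


def parse_user_hooks(log_text: str) -> List[Hook]:
    """Return every user-mode hook line in a GMER log, in log order.

    Kernel lines ("PAGE ntkrnlpa.exe!..." carry no [pid]) do not match the
    pattern and are skipped, as are section headers and blank lines.
    """
    hooks: List[Hook] = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        hooks.append(Hook(
            process=m["process"], pid=int(m["pid"]),
            module=m["module"], function=m["function"],
            offset=int(m["offset"] or 0),
            address=int(m["address"], 16), size=int(m["size"]),
            patch=m["patch"].strip(),
        ))
    return hooks


# (process, pid) -> module -> (hook count, set of 64 KiB regions the JMPs land in)
Summary = Dict[Tuple[str, int], Dict[str, Tuple[int, Set[int]]]]


def summarize(hooks: List[Hook]) -> Summary:
    """Group hooks per process and DLL, recording where their JMPs go.

    One injected component normally produces one or two target regions per
    process; detours scattered over many regions deserve a closer look.
    """
    counts: Dict[Tuple[str, int], Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    regions: Dict[Tuple[str, int], Dict[str, Set[int]]] = defaultdict(lambda: defaultdict(set))
    for h in hooks:
        key = (h.process, h.pid)
        counts[key][h.module] += 1
        target = h.jmp_target()
        if target is not None:                 # the "[88]" follow-up byte has no target
            regions[key][h.module].add(target & ~0xFFFF)
    return {key: {mod: (n, set(regions[key][mod])) for mod, n in mods.items()}
            for key, mods in counts.items()}


def format_summary(summary: Summary) -> List[str]:
    """One readable line per process and DLL, ordered by pid then DLL name."""
    lines: List[str] = []
    for (process, pid), mods in sorted(summary.items(), key=lambda kv: kv[0][1]):
        for mod, (n, regs) in sorted(mods.items()):
            where = ", ".join(f"{r:08X}" for r in sorted(regs)) or "-"
            lines.append(f"{process}[{pid}] {mod}: {n} hook(s) -> region(s) {where}")
    return lines


# Constructed sample: a few lines copied from the GMER log posted in this thread.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB0000
.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BB00D5
.text C:\WINDOWS\system32\svchost.exe[220] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00920FD1
.text C:\WINDOWS\system32\svchost.exe[220] WININET.dll!InternetOpenUrlA 78070BCA 3 Bytes JMP 0093001B
.text C:\WINDOWS\system32\svchost.exe[220] WININET.dll!InternetOpenUrlA + 4 78070BCE 1 Byte [88]
.text C:\WINDOWS\system32\services.exe[564] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FEF
PAGE ntkrnlpa.exe!NtCreateFile 8056E2FC 5 Bytes JMP F42399AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
"""

if __name__ == "__main__":
    for line in format_summary(summarize(parse_user_hooks(SAMPLE_LOG))):
        print(line)
```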

Re: Computer running sluggishly

Postby tomvilfroy » Mon Apr 27, 2009 10:19 pm

Here is the GMER log - had to do it in 2 parts since the forum only allows X amount of characters.

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-27 16:15:31
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF42399AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xF4239A41]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF4239958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF423996C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xF4239A55]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF4239A81]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xF4239AEF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xF4239AD9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF42399EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF4239B1B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xF4239A2D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF4239930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF4239944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF42399BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xF4239B57]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF4239AC3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xF4239AAD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xF4239A6B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xF4239B43]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xF4239B2F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF4239996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF4239982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xF4239A97]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF4239A19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xF4239B05]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF4239A00]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF42399D4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 8050223C 7 Bytes JMP F42399D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8056E2FC 5 Bytes JMP F42399AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A7500 7 Bytes JMP F42399EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8316 5 Bytes JMP F4239A04 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805ADA94 7 Bytes JMP F42399C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C1322 5 Bytes JMP F4239934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805C15AE 5 Bytes JMP F4239948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805C3DE0 5 Bytes JMP F4239986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73F6 7 Bytes JMP F4239970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805C74AC 5 Bytes JMP F423995C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805C79B6 5 Bytes JMP F423999A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CB6 5 Bytes JMP F4239A1D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 80618568 7 Bytes JMP F4239AB1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 806188B6 7 Bytes JMP F4239A9B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80618BE0 7 Bytes JMP F4239B09 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 8061947E 7 Bytes JMP F4239AC7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80619D52 7 Bytes JMP F4239A6F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 8061A330 5 Bytes JMP F4239A45 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8061A7C0 7 Bytes JMP F4239A59 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061A990 7 Bytes JMP F4239A85 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB70 7 Bytes JMP F4239AF3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8061ADDA 7 Bytes JMP F4239ADD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 8061B702 5 Bytes JMP F4239A31 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 8061BA28 7 Bytes JMP F4239B5B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8061BCE8 5 Bytes JMP F4239B33 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8061C3DC 5 Bytes JMP F4239B47 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 8061C4F6 5 Bytes JMP F4239B1F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? jamr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB0000
.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BB007D
.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BB006C
.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BB005B
.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BB0F9E
.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BB0FB9
.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BB0F61
.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BB00A9
.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BB00D5
.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BB0F3C
.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BB0F2B
.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BB0040
.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BB001B
.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BB008E
.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BB0FCA
.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BB0FE5
.text C:\WINDOWS\system32\svchost.exe[220] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BB00BA
.text C:\WINDOWS\system32\svchost.exe[220] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00920FD1
.text C:\WINDOWS\system32\svchost.exe[220] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00920F91
.text C:\WINDOWS\system32\svchost.exe[220] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00920022
.text C:\WINDOWS\system32\svchost.exe[220] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00920011
.text C:\WINDOWS\system32\svchost.exe[220] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0092004E
.text C:\WINDOWS\system32\svchost.exe[220] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00920000
.text C:\WINDOWS\system32\svchost.exe[220] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00920033
.text C:\WINDOWS\system32\svchost.exe[220] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00920FAC
.text C:\WINDOWS\system32\svchost.exe[220] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0091005A
.text C:\WINDOWS\system32\svchost.exe[220] msvcrt.dll!system 77C293C7 5 Bytes JMP 00910049
.text C:\WINDOWS\system32\svchost.exe[220] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0091002E
.text C:\WINDOWS\system32\svchost.exe[220] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0091000C
.text C:\WINDOWS\system32\svchost.exe[220] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00910FD9
.text C:\WINDOWS\system32\svchost.exe[220] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0091001D
.text C:\WINDOWS\system32\svchost.exe[220] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00930FEF
.text C:\WINDOWS\system32\svchost.exe[220] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 0093000A
.text C:\WINDOWS\system32\svchost.exe[220] WININET.dll!InternetOpenUrlA 78070BCA 3 Bytes JMP 0093001B
.text C:\WINDOWS\system32\svchost.exe[220] WININET.dll!InternetOpenUrlA + 4 78070BCE 1 Byte [88]
.text C:\WINDOWS\system32\svchost.exe[220] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 00930036
.text C:\WINDOWS\system32\svchost.exe[220] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00900FEF
.text C:\WINDOWS\system32\services.exe[564] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[564] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070F61
.text C:\WINDOWS\system32\services.exe[564] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070F72
.text C:\WINDOWS\system32\services.exe[564] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070F8D
.text C:\WINDOWS\system32\services.exe[564] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0007004A
.text C:\WINDOWS\system32\services.exe[564] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0007002F
.text C:\WINDOWS\system32\services.exe[564] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F2B
.text C:\WINDOWS\system32\services.exe[564] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070F46
.text C:\WINDOWS\system32\services.exe[564] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0007009F
.text C:\WINDOWS\system32\services.exe[564] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0007008E
.text C:\WINDOWS\system32\services.exe[564] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 000700B0
.text C:\WINDOWS\system32\services.exe[564] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070FA8
.text C:\WINDOWS\system32\services.exe[564] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00070FDE
.text C:\WINDOWS\system32\services.exe[564] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00070071
.text C:\WINDOWS\system32\services.exe[564] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070014
.text C:\WINDOWS\system32\services.exe[564] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00070FC3
.text C:\WINDOWS\system32\services.exe[564] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00070F10
.text C:\WINDOWS\system32\services.exe[564] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00060036
.text C:\WINDOWS\system32\services.exe[564] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00060FA8
.text C:\WINDOWS\system32\services.exe[564] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060025
.text C:\WINDOWS\system32\services.exe[564] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060FE5
.text C:\WINDOWS\system32\services.exe[564] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00060FB9
.text C:\WINDOWS\system32\services.exe[564] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[564] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0006005B
.text C:\WINDOWS\system32\services.exe[564] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060FD4
.text C:\WINDOWS\system32\services.exe[564] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050FBE
.text C:\WINDOWS\system32\services.exe[564] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050FD9
.text C:\WINDOWS\system32\services.exe[564] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0005002E
.text C:\WINDOWS\system32\services.exe[564] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[564] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050049
.text C:\WINDOWS\system32\services.exe[564] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0005001D
.text C:\WINDOWS\system32\services.exe[564] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\lsass.exe[576] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EB0000
.text C:\WINDOWS\system32\lsass.exe[576] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EB0F88
.text C:\WINDOWS\system32\lsass.exe[576] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EB007D
.text C:\WINDOWS\system32\lsass.exe[576] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EB006C
.text C:\WINDOWS\system32\lsass.exe[576] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EB0FAF
.text C:\WINDOWS\system32\lsass.exe[576] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EB0036
.text C:\WINDOWS\system32\lsass.exe[576] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EB009F
.text C:\WINDOWS\system32\lsass.exe[576] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EB008E
.text C:\WINDOWS\system32\lsass.exe[576] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EB00CB
.text C:\WINDOWS\system32\lsass.exe[576] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EB0F3C
.text C:\WINDOWS\system32\lsass.exe[576] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EB00E6
.text C:\WINDOWS\system32\lsass.exe[576] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EB0047
.text C:\WINDOWS\system32\lsass.exe[576] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EB0FE5
.text C:\WINDOWS\system32\lsass.exe[576] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EB0F6D
.text C:\WINDOWS\system32\lsass.exe[576] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EB0FCA
.text C:\WINDOWS\system32\lsass.exe[576] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EB001B
.text C:\WINDOWS\system32\lsass.exe[576] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EB00B0
.text C:\WINDOWS\system32\lsass.exe[576] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EA0036
.text C:\WINDOWS\system32\lsass.exe[576] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EA0FA5
.text C:\WINDOWS\system32\lsass.exe[576] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EA001B
.text C:\WINDOWS\system32\lsass.exe[576] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EA0FE5
.text C:\WINDOWS\system32\lsass.exe[576] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EA0062
.text C:\WINDOWS\system32\lsass.exe[576] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EA0000
.text C:\WINDOWS\system32\lsass.exe[576] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00EA0051
.text C:\WINDOWS\system32\lsass.exe[576] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EA0FCA
.text C:\WINDOWS\system32\lsass.exe[576] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E90F7F
.text C:\WINDOWS\system32\lsass.exe[576] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E90F90
.text C:\WINDOWS\system32\lsass.exe[576] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E90FB5
.text C:\WINDOWS\system32\lsass.exe[576] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E90FE3
.text C:\WINDOWS\system32\lsass.exe[576] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E90000
.text C:\WINDOWS\system32\lsass.exe[576] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E90FC6
.text C:\WINDOWS\system32\lsass.exe[576] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E8000A
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D90000
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D9008A
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D90F95
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D9006F
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D90FB2
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D90039
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D90F5D
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D90F7A
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D900D1
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D90F38
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D90F1D
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D90054
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D90FEF
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D900A5
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D90FCD
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D90FDE
.text C:\WINDOWS\system32\svchost.exe[760] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D900B6
.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D80036
.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D80F8D
.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D80025
.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D80FEF
.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D80F9E
.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D8000A
.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D80FB9
.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F8, 88]
.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D80FCA
.text C:\WINDOWS\system32\svchost.exe[760] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D7004E
.text C:\WINDOWS\system32\svchost.exe[760] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D70FC3
.text C:\WINDOWS\system32\svchost.exe[760] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D70FDE
.text C:\WINDOWS\system32\svchost.exe[760] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D70000
.text C:\WINDOWS\system32\svchost.exe[760] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D70033
.text C:\WINDOWS\system32\svchost.exe[760] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D70FEF
.text C:\WINDOWS\system32\svchost.exe[760] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D60000
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D10000
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D1007F
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D10064
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D10F8A
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D1003D
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D10FAF
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D10F52
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D1009A
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D10F1C
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D10F2D
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D10F01
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D1002C
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D10FDB
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D10F6F
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D1001B
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D10FCA
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D100B5
.text C:\WINDOWS\system32\svchost.exe[808] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D00F94
.text C:\WINDOWS\system32\svchost.exe[808] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D00F5E
.text C:\WINDOWS\system32\svchost.exe[808] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D00FB9
.text C:\WINDOWS\system32\svchost.exe[808] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D00FCA
.text C:\WINDOWS\system32\svchost.exe[808] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D00011
.text C:\WINDOWS\system32\svchost.exe[808] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D00FEF
.text C:\WINDOWS\system32\svchost.exe[808] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D00000
.text C:\WINDOWS\system32\svchost.exe[808] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D00F83
.text C:\WINDOWS\system32\svchost.exe[808] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CF0027
.text C:\WINDOWS\system32\svchost.exe[808] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CF0FA6
.text C:\WINDOWS\system32\svchost.exe[808] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CF0FB7
.text C:\WINDOWS\system32\svchost.exe[808] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CF0FEF
.text C:\WINDOWS\system32\svchost.exe[808] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CF000C
.text C:\WINDOWS\system32\svchost.exe[808] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CF0FD2
.text C:\WINDOWS\system32\svchost.exe[808] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CE000A
.text C:\WINDOWS\System32\svchost.exe[872] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02B10FE5
.text C:\WINDOWS\System32\svchost.exe[872] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02B10F5C
.text C:\WINDOWS\System32\svchost.exe[872] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02B10F6D
.text C:\WINDOWS\System32\svchost.exe[872] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02B10F94
.text C:\WINDOWS\System32\svchost.exe[872] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02B10FA5
.text C:\WINDOWS\System32\svchost.exe[872] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02B1002C
.text C:\WINDOWS\System32\svchost.exe[872] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02B10F2E
.text C:\WINDOWS\System32\svchost.exe[872] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02B10F4B
.text C:\WINDOWS\System32\svchost.exe[872] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02B10EF1
.text C:\WINDOWS\System32\svchost.exe[872] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02B10F02
.text C:\WINDOWS\System32\svchost.exe[872] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02B10ED6
.text C:\WINDOWS\System32\svchost.exe[872] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02B1003D
.text C:\WINDOWS\System32\svchost.exe[872] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02B10000
.text C:\WINDOWS\System32\svchost.exe[872] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02B10076
.text C:\WINDOWS\System32\svchost.exe[872] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02B10FC0
.text C:\WINDOWS\System32\svchost.exe[872] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02B10011
.text C:\WINDOWS\System32\svchost.exe[872] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02B10F1D
.text C:\WINDOWS\System32\svchost.exe[872] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 029A002C
.text C:\WINDOWS\System32\svchost.exe[872] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 029A0069
.text C:\WINDOWS\System32\svchost.exe[872] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 029A0FE5
.text C:\WINDOWS\System32\svchost.exe[872] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 029A001B
.text C:\WINDOWS\System32\svchost.exe[872] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 029A0058
.text C:\WINDOWS\System32\svchost.exe[872] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 029A000A
.text C:\WINDOWS\System32\svchost.exe[872] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 029A0FB6
.text C:\WINDOWS\System32\svchost.exe[872] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [BA, 8A]
.text C:\WINDOWS\System32\svchost.exe[872] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 029A003D
.text C:\WINDOWS\System32\svchost.exe[872] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02990F92
.text C:\WINDOWS\System32\svchost.exe[872] msvcrt.dll!system 77C293C7 5 Bytes JMP 02990FAD
.text C:\WINDOWS\System32\svchost.exe[872] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02990FE3
.text C:\WINDOWS\System32\svchost.exe[872] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02990000
.text C:\WINDOWS\System32\svchost.exe[872] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02990FC8
.text C:\WINDOWS\System32\svchost.exe[872] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0299001D
.text C:\WINDOWS\System32\svchost.exe[872] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01EA0000
.text C:\WINDOWS\System32\svchost.exe[872] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 029B0FEF
.text C:\WINDOWS\System32\svchost.exe[872] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 029B0FD4
.text C:\WINDOWS\System32\svchost.exe[872] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 029B000A
.text C:\WINDOWS\System32\svchost.exe[872] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 029B0FC3
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00770FEF
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0077006B
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00770F80
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0077004E
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0077003D
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0077001B
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007700AD
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00770F5B
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007700EA
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007700D9
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00770F36
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0077002C
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00770FD4
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0077007C
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00770FAF
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0077000A
.text C:\WINDOWS\system32\svchost.exe[920] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007700BE
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00760FC3
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00760051
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00760FD4
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00760014
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00760036
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00760FEF
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00760F94
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [96, 88]
.text C:\WINDOWS\system32\svchost.exe[920] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00760025
.text C:\WINDOWS\system32\svchost.exe[920] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00750FA3
.text C:\WINDOWS\system32\svchost.exe[920] msvcrt.dll!system 77C293C7 5 Bytes JMP 00750038
.text C:\WINDOWS\system32\svchost.exe[920] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0075000C
.text C:\WINDOWS\system32\svchost.exe[920] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00750FE3
.text C:\WINDOWS\system32\svchost.exe[920] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0075001D
.text C:\WINDOWS\system32\svchost.exe[920] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00750FD2
tomvilfroy
 
Posts: 61
Joined: Sun Dec 14, 2008 2:56 am

Re: Computer running sluggishly

Postby tomvilfroy » Mon Apr 27, 2009 10:20 pm

.text C:\WINDOWS\system32\svchost.exe[920] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00740000
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009C000A
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009C0FA5
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009C009A
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009C0089
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009C0062
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009C002C
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009C0F83
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009C0F94
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009C0F5E
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009C00ED
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009C0112
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009C0047
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009C0FE5
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009C00BF
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009C0FC0
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009C001B
.text C:\WINDOWS\system32\svchost.exe[1016] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009C00DC
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009B001E
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009B0051
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009B0FC3
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009B0FD4
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009B0040
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009B0FEF
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 009B002F
.text C:\WINDOWS\system32\svchost.exe[1016] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009B0FA8
.text C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009A0F90
.text C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!system 77C293C7 5 Bytes JMP 009A0FA1
.text C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009A0000
.text C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009A0FE3
.text C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009A0011
.text C:\WINDOWS\system32\svchost.exe[1016] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009A0FC6
.text C:\WINDOWS\system32\svchost.exe[1016] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00990FEF
.text C:\WINDOWS\Explorer.EXE[1320] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0129000A
.text C:\WINDOWS\Explorer.EXE[1320] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01290F5C
.text C:\WINDOWS\Explorer.EXE[1320] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01290051
.text C:\WINDOWS\Explorer.EXE[1320] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01290040
.text C:\WINDOWS\Explorer.EXE[1320] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01290F83
.text C:\WINDOWS\Explorer.EXE[1320] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01290FAF
.text C:\WINDOWS\Explorer.EXE[1320] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01290093
.text C:\WINDOWS\Explorer.EXE[1320] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01290F4B
.text C:\WINDOWS\Explorer.EXE[1320] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 012900B8
.text C:\WINDOWS\Explorer.EXE[1320] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01290F1F
.text C:\WINDOWS\Explorer.EXE[1320] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01290F0E
.text C:\WINDOWS\Explorer.EXE[1320] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01290F94
.text C:\WINDOWS\Explorer.EXE[1320] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0129001B
.text C:\WINDOWS\Explorer.EXE[1320] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0129006C
.text C:\WINDOWS\Explorer.EXE[1320] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01290FD4
.text C:\WINDOWS\Explorer.EXE[1320] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01290FEF
.text C:\WINDOWS\Explorer.EXE[1320] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01290F30
.text C:\WINDOWS\Explorer.EXE[1320] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 011C0FB9
.text C:\WINDOWS\Explorer.EXE[1320] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 011C0F6F
.text C:\WINDOWS\Explorer.EXE[1320] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 011C0FD4
.text C:\WINDOWS\Explorer.EXE[1320] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 011C000A
.text C:\WINDOWS\Explorer.EXE[1320] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 011C0036
.text C:\WINDOWS\Explorer.EXE[1320] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 011C0FEF
.text C:\WINDOWS\Explorer.EXE[1320] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 011C0025
.text C:\WINDOWS\Explorer.EXE[1320] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 011C0F9E
.text C:\WINDOWS\Explorer.EXE[1320] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 011B0F9C
.text C:\WINDOWS\Explorer.EXE[1320] msvcrt.dll!system 77C293C7 5 Bytes JMP 011B0FB7
.text C:\WINDOWS\Explorer.EXE[1320] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 011B0FE3
.text C:\WINDOWS\Explorer.EXE[1320] msvcrt.dll!_open 77C2F566 5 Bytes JMP 011B000C
.text C:\WINDOWS\Explorer.EXE[1320] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 011B0FD2
.text C:\WINDOWS\Explorer.EXE[1320] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 011B001D
.text C:\WINDOWS\Explorer.EXE[1320] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 01250000
.text C:\WINDOWS\Explorer.EXE[1320] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 01250FDB
.text C:\WINDOWS\Explorer.EXE[1320] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 01250FCA
.text C:\WINDOWS\Explorer.EXE[1320] WININET.dll!InternetOpenUrlW 780BAF69 5 Bytes JMP 01250025
.text C:\WINDOWS\Explorer.EXE[1320] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CF0FE5
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1604] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1604] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[2340] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\svchost.exe[2340] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BC0064
.text C:\WINDOWS\system32\svchost.exe[2340] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BC0F79
.text C:\WINDOWS\system32\svchost.exe[2340] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BC0F8A
.text C:\WINDOWS\system32\svchost.exe[2340] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BC0047
.text C:\WINDOWS\system32\svchost.exe[2340] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BC001B
.text C:\WINDOWS\system32\svchost.exe[2340] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BC0F3C
.text C:\WINDOWS\system32\svchost.exe[2340] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BC0F4D
.text C:\WINDOWS\system32\svchost.exe[2340] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BC0F10
.text C:\WINDOWS\system32\svchost.exe[2340] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BC0F21
.text C:\WINDOWS\system32\svchost.exe[2340] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BC0EF5
.text C:\WINDOWS\system32\svchost.exe[2340] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BC002C
.text C:\WINDOWS\system32\svchost.exe[2340] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[2340] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BC0F5E
.text C:\WINDOWS\system32\svchost.exe[2340] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BC0FB9
.text C:\WINDOWS\system32\svchost.exe[2340] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BC0FCA
.text C:\WINDOWS\system32\svchost.exe[2340] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BC009F
.text C:\WINDOWS\system32\svchost.exe[2340] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BB0011
.text C:\WINDOWS\system32\svchost.exe[2340] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BB0F87
.text C:\WINDOWS\system32\svchost.exe[2340] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BB0FCA
.text C:\WINDOWS\system32\svchost.exe[2340] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BB0FDB
.text C:\WINDOWS\system32\svchost.exe[2340] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BB0044
.text C:\WINDOWS\system32\svchost.exe[2340] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BB0000
.text C:\WINDOWS\system32\svchost.exe[2340] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BB0033
.text C:\WINDOWS\system32\svchost.exe[2340] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BB0022
.text C:\WINDOWS\system32\svchost.exe[2340] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BA003D
.text C:\WINDOWS\system32\svchost.exe[2340] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BA002C
.text C:\WINDOWS\system32\svchost.exe[2340] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BA0FC6
.text C:\WINDOWS\system32\svchost.exe[2340] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BA0000
.text C:\WINDOWS\system32\svchost.exe[2340] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BA001B
.text C:\WINDOWS\system32\svchost.exe[2340] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BA0FD7

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1976] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6113A21C] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1976] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6113A14E] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1976] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [61139B0C] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1976] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6113A18E] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1976] @ C:\WINDOWS\system32\USER32.dll [GDI32.dll!GetStockObject] [61138F3A] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1976] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6113A21C] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1976] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6113A14E] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1976] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [61139B0C] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1976] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6113A18E] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1976] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [61138F3A] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1976] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6113A1CE] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1976] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6113A21C] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1976] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6113A18E] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1976] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6113A14E] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1976] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [61139B0C] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1976] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [61139723] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1976] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [61139723] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1976] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [61138E7D] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1976] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [61138E01] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1976] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [61138E3F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1976] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetStockObject] [61138F3A] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1976] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6113A14E] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1976] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6113A18E] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1976] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [61139B0C] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1976] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6113A21C] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1976] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6113A1CE] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1976] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [61138F78] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1976] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [61138E3F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1976] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [61139723] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1976] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [61138E7D] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1976] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [61139723] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1976] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [61138F40] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1976] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [61138E01] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1976] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] [6113A14E] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1976] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [61139B0C] C:\Program Files\Yahoo!\Messenger\yui.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----
tomvilfroy
 
Posts: 61
Joined: Sun Dec 14, 2008 2:56 am
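
Added example, not part of this thread and not GMER's own code: a small Python parser for the user-mode ".text" inline-hook lines that GMER 1.0.15 prints, run over a few lines copied from the log above plus the McAfee mcproxy.exe line. It groups the hooks by process and counts how many JMP destinations GMER could attribute to a loaded module versus how many are bare addresses (GMER appends a module path and description only when it can map the target into an image, as on the mcproxy.exe lines). The sample text, the regexes and the Hook/summarize names are mine; treat the counts as a triage aid, since legitimate HIPS and AV products hook these same APIs.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: user-mode hook lines in the format GMER 1.0.15 prints,
# copied from the log in this thread. The last line is the one entry whose JMP
# target GMER attributed to a module (McAfee's proxy service).
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\lsass.exe[576] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EB00CB
.text C:\WINDOWS\system32\lsass.exe[576] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E8000A
.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D80FB9
.text C:\WINDOWS\system32\svchost.exe[760] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F8, 88]
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1604] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
"""

# One ".text" line: process[pid] dll!function [+ offset] address N Bytes <patch>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<dll>[^!\s]+)!(?P<func>\S+)(?:\s+\+\s+(?P<off>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes\s+(?P<patch>.+?)\s*$"
)
# <patch> is either "JMP target [module (description)]" or raw bytes like "[F8, 88]"
JMP_RE = re.compile(
    r"^JMP\s+(?P<target>[0-9A-Fa-f]{8})(?:\s+(?P<module>.+?)\s+\((?P<desc>[^)]*)\))?$"
)


@dataclass
class Hook:
    process: str
    pid: int
    api: str                        # e.g. "kernel32.dll!CreateProcessW"
    address: int                    # patched address inside the system DLL
    size: int                       # bytes GMER reports as overwritten
    target: Optional[int] = None    # JMP destination; None for a raw-bytes fragment
    module: Optional[str] = None    # module GMER attributed the target to, if any
    raw_bytes: Optional[str] = None # the "[F8, 88]" tail of a split 2+2 byte patch
    offset: int = 0                 # "+ 3" continuation lines carry an offset


def parse_gmer_hooks(text):
    """Return one Hook per '.text' line; lines in any other section are ignored."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if not m:
            continue
        hook = Hook(process=m["proc"], pid=int(m["pid"]),
                    api=f"{m['dll']}!{m['func']}", address=int(m["addr"], 16),
                    size=int(m["n"]), offset=int(m["off"] or 0))
        j = JMP_RE.match(m["patch"])
        if j:
            hook.target = int(j["target"], 16)
            hook.module = j["module"]   # None when GMER printed a bare address
        else:
            hook.raw_bytes = m["patch"]
        hooks.append(hook)
    return hooks


def summarize(hooks):
    """Per (process, pid): the APIs hooked and how many JMP targets were (un)attributed."""
    summary = defaultdict(lambda: {"apis": [], "attributed": 0, "unattributed": 0})
    for h in hooks:
        entry = summary[(h.process, h.pid)]
        if h.api not in entry["apis"]:
            entry["apis"].append(h.api)
        if h.target is None:
            continue  # raw-byte fragment of a split JMP; the first line already counted it
        if h.module:
            entry["attributed"] += 1
        else:
            entry["unattributed"] += 1
    return dict(summary)


if __name__ == "__main__":
    for (proc, pid), info in summarize(parse_gmer_hooks(SAMPLE_LOG)).items():
        print(f"{proc}[{pid}]: {len(info['apis'])} API(s) hooked, "
              f"{info['attributed']} attributed, {info['unattributed']} unattributed")
```

Run it as a script to get one line per process, or feed a whole GMER log to parse_gmer_hooks: sections other than the user-mode hook list (SSDT, IAT/EAT, Devices) fall through the regex and are ignored.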

Re: Computer running sluggishly

Postby patrik » Tue Apr 28, 2009 3:25 pm

GMER log looks ok.

tomvilfroy wrote:
Yes and like I said, I can't seem to download it - it gets deleted every time it gets downloaded.

Probably your antivirus has removed Combofix.
Try disabling your antivirus before downloading Combofix.

Click Start -> Run.
Type notepad and press Enter.
Copy all the text below into Notepad.

Code: Select all
rem list every jamr.sys on this drive, hidden and system files included (/a with no attribute letters = all attributes)
dir \jamr.sys /a /s > File.txt

Save this as find_file.bat to your Desktop (remember to select Save as type: All Files in Notepad).
Double-click find_file.bat and wait for the DOS window to close; File.txt will appear on the Desktop.

Post the contents of File.txt with your answer.
patrik
Site Admin
 
Posts: 7026
Joined: Sun Jan 08, 2006 1:11 pm
