Odd computer happenings



jvanosda
2009-02-03, 14:27
OK, I thought I got rid of my problems when I did the Virtumonde removal a short time ago, but after not being on my computer since then, it appears there are some new things. When I try to open explorer after the computer is up and going, it crashes on me. I cannot update my malware program, and Spybot won't open to the main menu for me, even though it shows up in my system tray, so I can't run it for anything. I can't find viruses or trojans using the normal means, but when I log in to safe mode, my McAfee finds something. It gives me a message about an "NTOSKRNL-HOOK" trojan. I then have tried to have it fix it, and nothing happens. It also will not catch it in normal mode. To get IE to work, I have to open it while it is still loading processes, and then cannot shut it down or it will just crash. Even the Spybot homepage won't load up for me now. Like an idiot, I deleted the NTOSKRNL file, and it still boots my computer up. I have tried restoring it like it says using my Windows disk, but can't seem to find the file now. Here is my HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:10:07 PM, on 2/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\winamp toolbar\WinampTbServer.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Spybot - Search & Destroy\SDFiles.exe
C:\Program Files\SolidWorks\sldworks.exe
C:\DOCUME~1\user\LOCALS~1\Temp\SolidWorksLicTemp.0001
C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
C:\Program Files\SolidWorks\swscheduler\swBOEngine.exe
C:\DOCUME~1\user\LOCALS~1\Temp\SolidWorksLicTemp.0001
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google IME Autoupdater] "C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\user\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SolidWorks Task Scheduler Engine.lnk = C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: e&xport to microsoft excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780b25-18cc-41c8-b9be-3c9c571a8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230435719625
O16 - DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?AuthParam=1231470670_081cb8023912a2a375f10ef7097d378b&GroupName=JSC&FilePath=/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab&File=jinstall-6u11-windows-i586-jc.cab&BHost=javadl.sun.com
O16 - DPF: {cf40acc5-e1bb-4aff-ac72-04c2f616bca7} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{06D3657C-3AB2-4B4B-9116-79D53A357EEF}: NameServer = 168.95.192.1 168.95.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF14D017-0F81-4B95-B955-84546BAB7B3F}: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: getPlus(R) Helper (getplus(r) helper) - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: getPlus(R) Helper (getplus(r) helper) - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (incdsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (lightscribeservice) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service (mcafee siteadvisor service) - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 10088 bytes

Shaba
2009-02-05, 20:17
Hi jvanosda

Please download Malwarebytes Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) and save it to your desktop.
alternate download link 1 (http://malwarebytes.gt500.org/mbam-setup.exe)
alternate download link 2 (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware

Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here (http://www.malwarebytes.org/mbam/database/mbam-rules.exe) and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Full Scan" option is selected.
Then click on the Scan button.

If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Post:

- mbam log
- rsit logs (taken after mbam run)

jvanosda
2009-02-08, 16:14
Sorry for the slow reply; my time is very limited currently. I ran ComboFix and it caught some stuff and might have helped to clear it up, but just in case there are more problems, I will continue doing as requested to make sure everything is clean. I am actually able to open explorer and Spybot now, in case they are needed. Here are the text logs.

Malwarebytes' Anti-Malware 1.33
Database version: 1738
Windows 5.1.2600 Service Pack 3

2/8/2009 9:58:30 PM
mbam-log-2009-02-08 (21-58-30).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 178837
Time elapsed: 46 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of random's system information tool 1.05 (written by random/random)
Run by user at 2009-02-08 22:00:39
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 73 GB (76%) free of 95 GB
Total RAM: 3327 MB (77% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:48 PM, on 2/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe
C:\DOCUME~1\user\LOCALS~1\Temp\SolidWorksLicTemp.0001
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\internet explorer\iexplore.exe
c:\program files\winamp toolbar\WinampTbServer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\user\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\user.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: McAfee SiteAdvisor BHO - {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google IME Autoupdater] "C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RegKillTray] "C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\user\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SolidWorks Task Scheduler Engine.lnk = C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: e&xport to microsoft excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780b25-18cc-41c8-b9be-3c9c571a8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230435719625
O16 - DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?AuthParam=1231470670_081cb8023912a2a375f10ef7097d378b&GroupName=JSC&FilePath=/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab&File=jinstall-6u11-windows-i586-jc.cab&BHost=javadl.sun.com
O16 - DPF: {cf40acc5-e1bb-4aff-ac72-04c2f616bca7} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{06D3657C-3AB2-4B4B-9116-79D53A357EEF}: NameServer = 168.95.192.1 168.95.1.1
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: getPlus(R) Helper (getplus(r) helper) - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (incdsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (lightscribeservice) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service (mcafee siteadvisor service) - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 9794 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18df081c-e8ad-4283-a596-fa578c2ebdc3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
Winamp Toolbar Loader - C:\Program Files\Winamp Toolbar\winamptb.dll [2008-07-17 1266992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-16 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497bb-d6f0-462c-b6eb-d4daf1d92d43}]
Java(tm) Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2009-01-09 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll [2008-06-20 58688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b164e929-a1b6-4a06-b104-2cd0e90a88ff}]
McAfee SiteAdvisor BHO - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2008-11-15 150032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dbc80044-a445-435b-bc74-9c25c1c588a9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-01-09 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e7e6f031-17ce-4c07-bc86-eabfe594f69c}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-01-09 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - Winamp Toolbar - C:\Program Files\Winamp Toolbar\winamptb.dll [2008-07-17 1266992]
{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - McAfee SiteAdvisor Toolbar - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2008-11-15 150032]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-11-13 86016]
"Launch LGDCore"=C:\Program Files\Logitech\G-series Software\LGDCore.exe [2006-03-06 1122304]
"Launch LCDMon"=C:\Program Files\Logitech\G-series Software\LCDMon.exe [2006-03-06 497152]
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2008-07-12 641208]
"WinampAgent"=C:\Program Files\Winamp\winampa.exe [2008-08-04 36352]
"RemoteControl"=C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe [2004-11-03 32768]
"InCD"=C:\Program Files\Ahead\InCD\InCD.exe [2005-07-08 1397760]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-10 155648]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-01-09 136600]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"Google IME Autoupdater"=C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe [2008-10-17 308720]
"nwiz"=nwiz.exe /install []
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-11-13 13672448]
"RegKillElbyCheck"=C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe [2002-11-02 45056]
"RegKillTray"=C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe [2002-11-28 49152]
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"cdloader"=C:\Documents and Settings\user\Application Data\mjusbsp\cdloader2.exe [2008-12-18 50520]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-17 1833296]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\alcmtr]
C:\WINDOWS\ALCMTR.EXE [2008-06-19 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
C:\WINDOWS\system32\NvCpl.dll [2008-11-13 13672448]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE [2008-03-15 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rthdcpl]
C:\WINDOWS\RTHDCPL.EXE [2008-12-30 18082304]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SolidWorks_CheckForUpdates]
C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe [2007-09-10 6460696]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Documents and Settings\user\Start Menu\Programs\Startup
SolidWorks Task Scheduler Engine.lnk - C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Winamp Remote\bin\Orb.exe"="C:\Program Files\Winamp Remote\bin\Orb.exe:*:Enabled:Orb"
"C:\Program Files\Winamp Remote\bin\OrbTray.exe"="C:\Program Files\Winamp Remote\bin\OrbTray.exe:*:Enabled:OrbTray"
"C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe"="C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Documents and Settings\user\Application Data\mjusbsp\magicJack.exe"="C:\Documents and Settings\user\Application Data\mjusbsp\magicJack.exe:*:Enabled:magicJack"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-02-08 22:00:39 ----D---- C:\rsit
2009-02-08 21:10:36 ----D---- C:\WINDOWS\Minidump
2009-02-08 20:26:54 ----SHD---- C:\RECYCLER
2009-02-08 20:07:23 ----D---- C:\Program Files\Elaborate Bytes
2009-02-08 19:51:17 ----D---- C:\Program Files\MSXML 4.0
2009-02-03 22:36:11 ----A---- C:\ComboFix.txt
2009-02-03 22:31:40 ----D---- C:\ComboFix
2009-02-03 22:17:44 ----A---- C:\WINDOWS\zip.exe
2009-02-03 22:17:44 ----A---- C:\WINDOWS\VFIND.exe
2009-02-03 22:17:44 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-02-03 22:17:44 ----A---- C:\WINDOWS\SWSC.exe
2009-02-03 22:17:44 ----A---- C:\WINDOWS\SWREG.exe
2009-02-03 22:17:44 ----A---- C:\WINDOWS\sed.exe
2009-02-03 22:17:44 ----A---- C:\WINDOWS\NIRCMD.exe
2009-02-03 22:17:44 ----A---- C:\WINDOWS\grep.exe
2009-02-03 22:17:44 ----A---- C:\WINDOWS\fdsv.exe
2009-02-03 22:17:38 ----AD---- C:\Qoobox
2009-02-03 20:08:39 ----D---- C:\Documents and Settings\user\Application Data\SolidWorks 2008
2009-02-03 20:00:58 ----D---- C:\Documents and Settings\user\Application Data\SolidWorks
2009-02-03 17:47:23 ----A---- C:\WINDOWS\ntbtlog.txt
2009-02-03 17:22:28 ----D---- C:\WINDOWS\system32\GroupPolicy
2009-02-03 17:22:27 ----D---- C:\Documents and Settings\All Users\Application Data\SolidWorks
2009-02-03 17:19:14 ----D---- C:\Program Files\SolidWorks Viewer
2009-02-03 17:16:50 ----D---- C:\Program Files\Windows Desktop Search
2009-02-03 17:16:37 ----HDC---- C:\WINDOWS\$NtUninstallKB917013$
2009-02-03 17:15:54 ----D---- C:\Program Files\SolidWorks
2009-02-03 17:15:53 ----SHD---- C:\Config.Msi
2009-02-03 17:14:38 ----D---- C:\Program Files\Document Manager
2009-02-03 17:12:27 ----D---- C:\Program Files\Common Files\SolidWorks Shared
2009-02-03 17:12:27 ----A---- C:\WINDOWS\eDrawingOfficeAutomator.INI
2009-02-03 17:12:09 ----D---- C:\Program Files\Common Files\eDrawings2008
2009-02-03 17:11:33 ----D---- C:\Documents and Settings\user\Application Data\DWGeditor
2009-02-03 17:11:04 ----D---- C:\Program Files\DWGeditor
2009-02-03 16:08:24 ----D---- C:\SolidWorks Data
2009-02-03 16:04:16 ----D---- C:\Program Files\Common Files\SolidWorks Installation Manager
2009-02-03 16:03:09 ----D---- C:\WINDOWS\SolidWorks
2009-02-03 16:03:07 ----D---- C:\Documents and Settings\user\Application Data\IM
2009-02-03 15:53:39 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-02-03 15:53:36 ----D---- C:\Program Files\Classic Menu for Office
2009-02-03 15:31:14 ----D---- C:\WINDOWS\SxsCaPendDel
2009-02-03 15:25:57 ----D---- C:\Program Files\eclipse
2009-01-20 20:33:12 ----D---- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2009-01-20 20:32:22 ----A---- C:\WINDOWS\vncutil.exe
2009-01-20 20:32:21 ----A---- C:\WINDOWS\system32\RtkCoInstXP.dll
2009-01-20 20:32:21 ----A---- C:\WINDOWS\RtkAudioService.exe
2009-01-20 20:27:35 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-01-20 20:19:25 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2009-01-20 18:21:08 ----D---- C:\Program Files\Avanquest update
2009-01-20 18:21:08 ----D---- C:\Documents and Settings\All Users\Application Data\BVRP Software
2009-01-20 18:20:48 ----D---- C:\Program Files\Sony Ericsson
2009-01-20 18:20:48 ----D---- C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2009-01-20 18:20:26 ----D---- C:\Documents and Settings\user\Application Data\InstallShield
2009-01-20 17:50:33 ----D---- C:\WINDOWS\Downloaded Installations
2009-01-20 13:14:32 ----D---- C:\Documents and Settings\user\Application Data\Malwarebytes
2009-01-20 13:14:29 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-01-20 13:14:29 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-01-18 22:23:08 ----A---- C:\Boot.bak
2009-01-18 22:23:04 ----RASHD---- C:\cmdcons
2009-01-18 22:18:27 ----A---- C:\WINDOWS\LCDMedia.INI
2009-01-18 22:14:22 ----D---- C:\WINDOWS\ERDNT
2009-01-18 22:13:37 ----D---- C:\Program Files\ERUNT
2009-01-16 10:05:23 ----A---- C:\WINDOWS\system32\4bc5bf3b-.txt
2009-01-14 21:26:45 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-01-14 01:23:11 ----D---- C:\Program Files\Trend Micro
2009-01-13 15:00:23 ----D---- C:\Program Files\Notepad++
2009-01-13 15:00:23 ----D---- C:\Documents and Settings\user\Application Data\Notepad++
2009-01-13 00:44:05 ----D---- C:\Documents and Settings\user\Application Data\Google
2009-01-13 00:43:45 ----D---- C:\Program Files\Google
2009-01-13 00:43:45 ----D---- C:\Documents and Settings\All Users\Application Data\Google
2009-01-12 23:25:01 ----D---- C:\WINDOWS\system32\XPSViewer
2009-01-12 23:24:21 ----D---- C:\Program Files\Reference Assemblies
2009-01-12 23:23:52 ----N---- C:\WINDOWS\system32\spmsg2.dll
2009-01-12 23:21:58 ----RSD---- C:\WINDOWS\assembly
2009-01-12 23:20:42 ----D---- C:\WINDOWS\Microsoft.NET
2009-01-12 23:19:30 ----D---- C:\Program Files\MSECache
2009-01-12 22:20:34 ----A---- C:\WINDOWS\wininit.ini
2009-01-12 22:19:35 ----D---- C:\Program Files\PowerISO
2009-01-12 21:46:50 ----A---- C:\WINDOWS\mdm.ini
2009-01-12 21:46:18 ----A---- C:\WINDOWS\ODBC.INI
2009-01-12 21:43:45 ----A---- C:\WINDOWS\wplog.txt
2009-01-12 21:43:44 ----D---- C:\Program Files\Web Publish
2009-01-12 10:49:07 ----A---- C:\WINDOWS\system32\jit.dll
2009-01-12 10:49:07 ----A---- C:\WINDOWS\setdebug.exe
2009-01-12 10:49:06 ----A---- C:\WINDOWS\system32\javaee.dll
2009-01-12 10:49:06 ----A---- C:\WINDOWS\system32\dx3j.dll
2009-01-12 10:48:56 ----A---- C:\WINDOWS\wjview.exe
2009-01-12 10:48:56 ----A---- C:\WINDOWS\system32\vmhelper.dll
2009-01-12 10:48:56 ----A---- C:\WINDOWS\system32\msjdbc10.dll
2009-01-12 10:48:56 ----A---- C:\WINDOWS\system32\msjava.dll
2009-01-12 10:48:56 ----A---- C:\WINDOWS\system32\msawt.dll
2009-01-12 10:48:56 ----A---- C:\WINDOWS\system32\jdbgmgr.exe
2009-01-12 10:48:56 ----A---- C:\WINDOWS\jview.exe
2009-01-12 10:48:55 ----A---- C:\WINDOWS\system32\javart.dll
2009-01-12 10:48:55 ----A---- C:\WINDOWS\system32\javaprxy.dll
2009-01-12 10:48:55 ----A---- C:\WINDOWS\system32\javacypt.dll
2009-01-12 10:48:54 ----A---- C:\WINDOWS\extrac32.exe
2009-01-12 10:48:54 ----A---- C:\WINDOWS\clspack.exe
2009-01-12 02:17:27 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-01-12 02:16:51 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-01-12 02:16:35 ----D---- C:\Program Files\Common Files\Adobe
2009-01-12 02:16:35 ----D---- C:\Program Files\Adobe
2009-01-12 02:06:17 ----D---- C:\Documents and Settings\All Users\Application Data\NOS
2009-01-12 02:06:16 ----D---- C:\Program Files\NOS
2009-01-09 22:17:02 ----D---- C:\Program Files\CDisplay
2009-01-09 21:58:11 ----D---- C:\WINDOWS\pss
2009-01-09 21:48:57 ----D---- C:\WINDOWS\system32\m3V02
2009-01-09 11:08:18 ----D---- C:\WINDOWS\Sun
2009-01-09 11:07:46 ----A---- C:\WINDOWS\system32\javaws.exe
2009-01-09 11:07:46 ----A---- C:\WINDOWS\system32\javaw.exe
2009-01-09 11:07:46 ----A---- C:\WINDOWS\system32\java.exe
2009-01-09 11:07:46 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-01-09 11:07:31 ----D---- C:\Program Files\Java
2009-01-09 11:02:03 ----D---- C:\Documents and Settings\user\Application Data\Sun

======List of files/folders modified in the last 1 months======

2009-02-08 22:00:41 ----D---- C:\WINDOWS\Temp
2009-02-08 22:00:22 ----D---- C:\WINDOWS\Prefetch
2009-02-08 21:16:26 ----D---- C:\WINDOWS\system32
2009-02-08 21:16:26 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-02-08 21:13:30 ----D---- C:\WINDOWS\system32\CatRoot2
2009-02-08 21:10:36 ----D---- C:\WINDOWS
2009-02-08 20:58:42 ----A---- C:\WINDOWS\NeroDigital.ini
2009-02-08 20:24:09 ----HD---- C:\WINDOWS\inf
2009-02-08 20:07:24 ----D---- C:\WINDOWS\system32\drivers
2009-02-08 20:07:23 ----RD---- C:\Program Files
2009-02-08 19:51:22 ----SHD---- C:\WINDOWS\Installer
2009-02-08 19:51:21 ----D---- C:\WINDOWS\WinSxS
2009-02-04 03:46:04 ----RASH---- C:\boot.ini
2009-02-03 23:32:59 ----D---- C:\temp
2009-02-03 22:35:07 ----A---- C:\WINDOWS\system.ini
2009-02-03 22:34:30 ----D---- C:\WINDOWS\AppPatch
2009-02-03 22:34:30 ----D---- C:\Program Files\Common Files
2009-02-03 19:52:23 ----D---- C:\WINDOWS\network diagnostic
2009-02-03 18:15:23 ----A---- C:\WINDOWS\win.ini
2009-02-03 17:47:53 ----D---- C:\Documents and Settings
2009-02-03 17:35:56 ----SHD---- C:\System Volume Information
2009-02-03 17:35:56 ----D---- C:\WINDOWS\system32\Restore
2009-02-03 17:25:12 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-02-03 17:23:34 ----RSD---- C:\WINDOWS\Fonts
2009-02-03 17:22:28 ----D---- C:\Program Files\AGEIA Technologies
2009-02-03 17:18:14 ----SD---- C:\Documents and Settings\user\Application Data\Microsoft
2009-02-03 17:16:51 ----D---- C:\WINDOWS\system32\en-us
2009-02-03 17:16:49 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-02-03 17:11:14 ----D---- C:\Program Files\Microsoft Office
2009-02-03 17:11:14 ----D---- C:\Program Files\Common Files\DESIGNER
2009-02-03 16:31:42 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-02-03 15:30:03 ----D---- C:\Program Files\Internet Explorer
2009-01-20 20:35:10 ----D---- C:\WINDOWS\system32\RTCOM
2009-01-20 20:34:59 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-01-20 20:32:51 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-01-20 20:28:55 ----D---- C:\WINDOWS\system32\CatRoot
2009-01-20 20:27:53 ----A---- C:\WINDOWS\imsins.BAK
2009-01-20 20:27:34 ----HD---- C:\WINDOWS\$hf_mig$
2009-01-20 18:21:08 ----HD---- C:\Program Files\InstallShield Installation Information
2009-01-20 18:06:54 ----A---- C:\WINDOWS\vbaddin.ini
2009-01-18 22:24:55 ----D---- C:\WINDOWS\system32\config
2009-01-18 22:24:04 ----SD---- C:\WINDOWS\Tasks
2009-01-12 23:28:15 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-01-12 23:20:51 ----D---- C:\WINDOWS\system32\mui
2009-01-12 21:51:59 ----D---- C:\WINDOWS\Registration
2009-01-12 21:51:29 ----D---- C:\Program Files\ComPlus Applications
2009-01-12 21:46:18 ----A---- C:\WINDOWS\ODBCINST.INI
2009-01-12 21:43:57 ----A---- C:\WINDOWS\vb.ini
2009-01-12 21:43:44 ----D---- C:\WINDOWS\Help
2009-01-12 21:43:42 ----D---- C:\Program Files\Microsoft Visual Studio
2009-01-12 21:42:04 ----D---- C:\WINDOWS\msapps
2009-01-12 21:41:56 ----D---- C:\WINDOWS\system
2009-01-12 10:49:10 ----D---- C:\WINDOWS\java
2009-01-12 00:13:32 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-01-10 09:35:28 ----A---- C:\WINDOWS\system32\MRT.exe
2009-01-09 10:54:34 ----D---- C:\Documents and Settings\user\Application Data\CyberLink
2009-01-09 10:54:31 ----D---- C:\Documents and Settings\All Users\Application Data\CyberLink

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 aspi32;aspi32; C:\WINDOWS\system32\drivers\aspi32.sys [1999-09-10 25244]
R1 incdpass;InCDPass; C:\WINDOWS\System32\DRIVERS\InCDPass.sys [2005-07-09 29696]
R1 incdrm;InCD Reader; C:\WINDOWS\system32\drivers\incdrm.sys [2005-07-08 28672]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]
R1 mfehidk;McAfee Inc. mfehidk; C:\WINDOWS\system32\drivers\mfehidk.sys [2008-06-27 207656]
R1 MPFP;MPFP; C:\WINDOWS\System32\Drivers\Mpfp.sys [2008-06-03 120136]
R1 scdemu;scdemu; C:\WINDOWS\system32\drivers\scdemu.sys [2008-03-14 46652]
R2 ElbyCDIO;ElbyCDIO Driver; C:\WINDOWS\System32\Drivers\ElbyCDIO.sys [2002-11-29 16320]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-14 60800]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2009-01-06 4968448]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller; C:\WINDOWS\system32\DRIVERS\l1e51x86.sys [2008-06-26 36864]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\WINDOWS\system32\drivers\mfeavfk.sys [2008-06-27 79240]
R3 mfebopk;McAfee Inc. mfebopk; C:\WINDOWS\system32\drivers\mfebopk.sys [2008-06-27 35240]
R3 mfesmfk;McAfee Inc. mfesmfk; C:\WINDOWS\system32\drivers\mfesmfk.sys [2008-06-27 40488]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\WINDOWS\system32\DRIVERS\ASACPI.sys [2004-08-13 5810]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-14 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-11-13 6188320]
R3 RegKill;RegKill; C:\WINDOWS\System32\Drivers\RegKill.sys [2002-11-28 6400]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
R4 incdfs;InCD File System; C:\WINDOWS\system32\drivers\incdfs.sys [2005-07-09 99584]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 mferkdk;McAfee Inc. mferkdk; C:\WINDOWS\system32\drivers\mferkdk.sys [2008-06-20 34152]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM); C:\WINDOWS\system32\DRIVERS\s0016bus.sys [2008-05-16 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter; C:\WINDOWS\system32\DRIVERS\s0016mdfl.sys [2008-05-16 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver; C:\WINDOWS\system32\DRIVERS\s0016mdm.sys [2008-05-16 120744]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-14 60032]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 incdsrv;InCD Helper; C:\Program Files\Ahead\InCD\InCDsrv.exe [2005-07-09 871424]
R2 javaquickstarterservice;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-01-09 152984]
R2 lightscribeservice;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2006-02-18 73728]
R2 mcafee siteadvisor service;McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2008-12-06 206096]
R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2008-10-11 792696]
R2 McNASvc;McAfee Network Agent; c:\program files\common files\mcafee\mna\mcnasvc.exe [2008-07-19 2482848]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2008-07-10 358736]
R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2008-06-20 144704]
R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2008-07-10 884360]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-11-13 163908]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-29 38912]
R2 WSearch;Windows Search; C:\WINDOWS\system32\SearchIndexer.exe [2007-02-05 300032]
R3 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2008-09-17 605512]
R3 SolidWorks Licensing Service;SolidWorks Licensing Service; C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe [2009-02-03 79360]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 fontcache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 getplus(r) helper;getPlus(R) Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe []
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2008-06-21 361800]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-27 145184]
S3 visual studio analyzer rpc bridge;Visual Studio Analyzer RPC bridge; C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe [1998-06-06 34036]
S4 nettcpportsharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------


info.txt logfile of random's system information tool 1.05 2009-02-08 22:00:50

======Uninstall list======

-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
-->MsiExec /X{AC54E544-3E42-443C-A91D-A00A6974C592}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
Atheros Communications Inc.(R) AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver-->"C:\Program Files\InstallShield Installation Information\{3108C217-BE83-42E4-AE9E-A56A2A92E549}\Setup.exe" -runfromtemp -l0x0009 -removeonly
Avanquest update-->C:\Program Files\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\setup.exe -runfromtemp -l0x0009 -removeonly
CDisplay 1.8-->"C:\Program Files\CDisplay\unins000.exe"
Classic Menu 3.x for Office 2007-->"C:\Program Files\Classic Menu for Office\unins000.exe"
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD Region Killer-->"C:\Program Files\Elaborate Bytes\DVD Region Killer\regkill-uninst.exe" /D="C:\Program Files\Elaborate Bytes\DVD Region Killer"
DVD Solution-->"C:\Program Files\Uninstall_CDS.exe"
DVD to VCD AVI DivX Converter v3.2 (build 069)-->C:\PROGRA~1\MAGICD~1\UNWISE.EXE C:\PROGRA~1\MAGICD~1\INSTALL.LOG
DWGeditor-->MsiExec.exe /X{C8DE0FC9-5BD0-4D26-B5AD-D38146F2083C}
Easy MPEG/AVI/DIVX/WMV/RM to DVD 1.6.10-->"C:\Program Files\Easy MPEG AVI DIVX WMV RM to DVD\unins000.exe"
eDrawings 2008 API SDK-->MsiExec.exe /X{E5DA5C32-9223-45CF-A7F0-5593AB05098E}
eDrawings 2008-->MsiExec.exe /I{40345A8F-3B72-44DE-814F-72E8A52B1161}
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
FINAL FANTASY XI for Windows - Official Benchmark Program 3-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{E4D0E11A-CF32-4F7A-8C06-8EC3E2DB2E92} /l1033
FINAL FANTASY XI: Chains of Promathia-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{3C0619B4-4A2C-4244-8077-488E420DF907}
FINAL FANTASY XI: Rise of the Zilart-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{6FC76C41-8C1D-4B43-85E7-0BAA2002F1BE}
FINAL FANTASY XI: Treasures of Aht Urhgan-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{A606C6FF-12E7-40BE-B777-D8F360FF00CD}
FINAL FANTASY XI: Wings of the Goddess-->C:\Program Files\InstallShield Installation Information\{5B037ED7-0755-48D4-9554-808E5AF50F17}\setup.exe -runfromtemp -l0x0409
FINAL FANTASY XI-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{678F6475-D227-432A-94FF-806178A34520}
Google Pinyin IME-->"C:\Program Files\Google\Google Pinyin\Uninstall.exe"
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
InCD-->C:\WINDOWS\NuNInst.exe /UNINSTALL
Java(TM) 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Karen's Alarm Clock-->C:\Program Files\Karen's Power Tools\Alarm Clock\uninst.exe
Logitech G-series Keyboard Software-->MsiExec.exe /X{5A080213-5AEC-4BF2-BB32-796EB0E421EC}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
McAfee SecurityCenter-->C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office 2003 Web Components-->MsiExec.exe /I{90120000-00A4-0409-0000-0000000FF1CE}
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional Plus 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROPLUS /dll OSETUP.DLL
Microsoft Office Professional Plus 2007-->MsiExec.exe /X{90120000-0011-0000-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual Studio 6.0 Enterprise Edition-->"C:\Program Files\Microsoft Visual Studio\Common\Setup\1033\Setup.exe"
Microsoft VM for Java-->RunDll32 advpack.dll,LaunchINFSection java.inf,UnInstall
Microsoft Web Publishing Wizard 1.53-->RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie3x86.inf,WebPostUninstall
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 6.0 Parser (KB925673)-->MsiExec.exe /I{FE9126DB-5F84-495A-BB46-3C724F1C2D08}
Multimedia Launcher-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
Nero OEM-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Nidesoft DVD to AVI Converter Platinum v5.0-->"C:\Program Files\Nidesoft Studio\Nidesoft DVD to AVI Converter Platinum 5\unins000.exe"
Notepad++-->C:\Program Files\Notepad++\uninstall.exe
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
NVIDIA PhysX v8.10.13-->MsiExec.exe /X{AC54E544-3E42-443C-A91D-A00A6974C592}
PlayOnline Viewer and Tetra Master-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{47004155-7376-403E-89E9-4C9F44AAF0D0}
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PowerISO-->"C:\Program Files\PowerISO\uninstall.exe"
PowerProducer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\setup.exe" -uninstall
Project64 1.6-->MsiExec.exe /X{9559F7CA-5E34-4237-A2D9-D856464AD727}
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
SolidWorks 2008 API SDK-->MsiExec.exe /X{F02651E6-BFB4-4CF2-ADE0-DA44D90B573F}
SolidWorks 2008 Document Manager API-->MsiExec.exe /X{46457B11-67CD-4889-A15B-A4D2C4DFBDE4}
SolidWorks 2008 SP0-->MsiExec.exe /I{0FFC026D-9906-441B-9EDA-5C0668927407}
SolidWorks Explorer 2008 sp0-->MsiExec.exe /I{A8567E18-9E80-4EA3-A5C1-A6186C86F2CC}
SolidWorks viewer-->MsiExec.exe /X{CCBFCA70-D1B3-48A7-9504-8D149DD39658}
Sony Ericsson PC Suite 4.006.00-->C:\Program Files\InstallShield Installation Information\{2FFE93F0-BB72-4E52-8761-354D1AAA9387}\ISAdmin.exe -runfromtemp -l0x0009 -removeonly
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Winamp Remote-->"C:\Program Files\Winamp Remote\uninstall.exe"
Winamp Toolbar for Firefox-->"\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\uninstall.exe"
Winamp Toolbar for Internet Explorer-->"C:\Program Files\Winamp Toolbar\uninstall.exe"
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Desktop Search 3.01-->"C:\WINDOWS\$NtUninstallKB917013$\spuninst\spuninst.exe"
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AV: McAfee VirusScan
FW: McAfee Personal Firewall

System event log

Computer Name: USER-2F46DAC948
Event Code: 51
Message: An error was detected on device \Device\CdRom0 during a paging operation.

Record Number: 32096
Source Name: Cdrom
Time Written: 20090107221510.000000+480
Event Type: warning
User:

Computer Name: USER-2F46DAC948
Event Code: 51
Message: An error was detected on device \Device\CdRom0 during a paging operation.

Record Number: 32095
Source Name: Cdrom
Time Written: 20090107221510.000000+480
Event Type: warning
User:

Computer Name: USER-2F46DAC948
Event Code: 51
Message: An error was detected on device \Device\CdRom0 during a paging operation.

Record Number: 32094
Source Name: Cdrom
Time Written: 20090107221510.000000+480
Event Type: warning
User:

Computer Name: USER-2F46DAC948
Event Code: 51
Message: An error was detected on device \Device\CdRom0 during a paging operation.

Record Number: 32093
Source Name: Cdrom
Time Written: 20090107221509.000000+480
Event Type: warning
User:

Computer Name: USER-2F46DAC948
Event Code: 51
Message: An error was detected on device \Device\CdRom0 during a paging operation.

Record Number: 32092
Source Name: Cdrom
Time Written: 20090107221509.000000+480
Event Type: warning
User:

Application event log

Computer Name: USER-2F46DAC948
Event Code: 1000
Message: Faulting application iexplore.exe, version 7.0.6000.16762, faulting module unknown, version 0.0.0.0, fault address 0x006e006e.

Record Number: 209
Source Name: Application Error
Time Written: 20090112024323.000000+480
Event Type: error
User:

Computer Name: USER-2F46DAC948
Event Code: 11707
Message: Product: Acrobat.com -- Installation completed successfully.

Record Number: 208
Source Name: MsiInstaller
Time Written: 20090112021755.000000+480
Event Type: information
User: USER-2F46DAC948\user

Computer Name: USER-2F46DAC948
Event Code: 11707
Message: Product: Adobe AIR -- Installation completed successfully.

Record Number: 207
Source Name: MsiInstaller
Time Written: 20090112021732.000000+480
Event Type: information
User: USER-2F46DAC948\user

Computer Name: USER-2F46DAC948
Event Code: 11707
Message: Product: Adobe Reader 9 -- Installation operation completed successfully.

Record Number: 206
Source Name: MsiInstaller
Time Written: 20090112021720.000000+480
Event Type: information
User: USER-2F46DAC948\user

Computer Name: USER-2F46DAC948
Event Code: 11728
Message: Product: Microsoft Office Professional Plus 2007 -- Configuration completed successfully.

Record Number: 205
Source Name: MsiInstaller
Time Written: 20090112001336.000000+480
Event Type: information
User: USER-2F46DAC948\user

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 23 Stepping 10, GenuineIntel
"PROCESSOR_REVISION"=170a
"NUMBER_OF_PROCESSORS"=4
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

Shaba
2009-02-08, 20:18
ComboFix shouldn't ever be run without supervision.

But as you have already run it, please post the contents of C:\ComboFix.txt next.

jvanosda
2009-02-09, 17:02
Here is the ComboFix txt from my last run.

ComboFix 09-02-02.04 - user 2009-02-03 22:33:39.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2850 [GMT 8:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2009-01-03 to 2009-02-03 )))))))))))))))))))))))))))))))
.

2009-02-03 20:08 . 2009-02-03 20:08 <DIR> d-------- c:\documents and settings\user\Application Data\SolidWorks 2008
2009-02-03 20:00 . 2009-02-03 20:01 <DIR> d-------- c:\documents and settings\user\Application Data\SolidWorks
2009-02-03 18:19 . 2009-02-03 18:34 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Winamp
2009-02-03 17:52 . 2009-02-03 17:52 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-03 17:47 . 2009-02-03 17:48 <DIR> d-------- c:\documents and settings\Administrator
2009-02-03 17:25 . 2009-02-03 17:25 23 --ah----- c:\windows\yacht.xws
2009-02-03 17:22 . 2009-02-03 17:22 <DIR> d-------- c:\windows\system32\GroupPolicy
2009-02-03 17:22 . 2009-02-03 20:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\SolidWorks
2009-02-03 17:19 . 2009-02-03 17:19 <DIR> d-------- c:\program files\SolidWorks Viewer
2009-02-03 17:16 . 2009-02-03 17:16 <DIR> d-------- c:\program files\Windows Desktop Search
2009-02-03 17:15 . 2009-02-03 20:00 <DIR> d-------- c:\program files\SolidWorks
2009-02-03 17:14 . 2009-02-03 17:14 <DIR> d-------- c:\program files\Document Manager
2009-02-03 17:12 . 2009-02-03 17:23 <DIR> d-------- c:\program files\Common Files\SolidWorks Shared
2009-02-03 17:12 . 2009-02-03 17:22 <DIR> d-------- c:\program files\Common Files\eDrawings2008
2009-02-03 17:12 . 2009-02-03 17:12 0 --a------ c:\windows\eDrawingOfficeAutomator.INI
2009-02-03 17:11 . 2009-02-03 20:06 <DIR> d-------- c:\program files\DWGeditor
2009-02-03 17:11 . 2009-02-03 17:11 <DIR> d-------- c:\documents and settings\user\Application Data\DWGeditor
2009-02-03 16:25 . 2009-02-03 19:46 4 --a------ c:\windows\system32\gaopdxcounter
2009-02-03 16:08 . 2009-02-03 17:22 <DIR> d-------- C:\SolidWorks Data
2009-02-03 16:04 . 2009-02-03 16:05 <DIR> d-------- c:\program files\Common Files\SolidWorks Installation Manager
2009-02-03 16:03 . 2009-02-03 16:09 <DIR> d-------- c:\windows\SolidWorks
2009-02-03 16:03 . 2009-02-03 20:02 <DIR> d-------- c:\documents and settings\user\Application Data\IM
2009-02-03 15:53 . 2009-02-03 15:53 <DIR> d-------- c:\program files\Classic Menu for Office
2009-02-03 15:53 . 2009-02-03 20:13 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-02-03 15:35 . 2009-02-03 15:35 <DIR> d-------- c:\documents and settings\user\workspace
2009-02-03 15:31 . 2009-02-03 16:31 <DIR> d-------- c:\windows\SxsCaPendDel
2009-02-03 15:25 . 2009-02-03 16:54 <DIR> d-------- c:\program files\eclipse
2009-01-20 20:33 . 2009-01-20 20:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-01-20 20:32 . 2008-08-05 20:10 1,684,736 --a------ c:\windows\system32\drivers\Ambfilt.sys
2009-01-20 20:32 . 2006-01-04 15:41 1,389,056 --a------ c:\windows\system32\drivers\Monfilt.sys
2009-01-20 20:32 . 2008-10-23 17:42 290,816 --a------ c:\windows\vncutil.exe
2009-01-20 20:32 . 2008-06-24 14:46 104,992 --a------ c:\windows\RtkAudioService.exe
2009-01-20 20:32 . 2009-01-05 16:16 34,816 --a------ c:\windows\system32\RtkCoInstXP.dll
2009-01-20 18:21 . 2009-01-20 18:21 <DIR> d-------- c:\program files\Avanquest update
2009-01-20 18:21 . 2009-01-20 18:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\BVRP Software
2009-01-20 18:20 . 2009-01-20 18:20 <DIR> d-------- c:\program files\Sony Ericsson
2009-01-20 18:20 . 2009-01-20 18:20 <DIR> d-------- c:\documents and settings\user\Application Data\InstallShield
2009-01-20 18:20 . 2009-01-20 18:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sony Ericsson
2009-01-20 18:20 . 2008-05-16 12:33 120,744 --a------ c:\windows\system32\drivers\s0016mdm.sys
2009-01-20 18:20 . 2008-05-16 12:33 89,256 --a------ c:\windows\system32\drivers\s0016bus.sys
2009-01-20 18:20 . 2008-05-16 12:33 15,016 --a------ c:\windows\system32\drivers\s0016mdfl.sys
2009-01-20 18:20 . 2008-05-16 12:33 12,200 --a------ c:\windows\system32\drivers\s0016whnt.sys
2009-01-20 18:20 . 2008-05-16 12:33 12,200 --a------ c:\windows\system32\drivers\s0016wh.sys
2009-01-20 18:20 . 2008-05-16 12:33 12,200 --a------ c:\windows\system32\drivers\s0016cmnt.sys
2009-01-20 18:20 . 2008-05-16 12:33 12,200 --a------ c:\windows\system32\drivers\s0016cm.sys
2009-01-20 17:50 . 2009-01-20 17:50 <DIR> d-------- c:\windows\Downloaded Installations
2009-01-20 17:49 . 2009-01-20 17:49 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-20 17:49 . 2009-01-20 17:49 1,409 --a------ c:\windows\QTFont.for
2009-01-20 13:14 . 2009-01-20 13:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-20 13:14 . 2009-01-20 13:14 <DIR> d-------- c:\documents and settings\user\Application Data\Malwarebytes
2009-01-20 13:14 . 2009-01-20 13:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-20 13:14 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-20 13:14 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-18 22:18 . 2009-01-18 22:18 0 --a------ c:\windows\LCDMedia.INI
2009-01-18 22:13 . 2009-01-18 22:13 <DIR> d-------- c:\program files\ERUNT
2009-01-14 01:23 . 2009-01-14 01:23 <DIR> d-------- c:\program files\Trend Micro
2009-01-13 15:00 . 2009-01-13 15:00 <DIR> d-------- c:\program files\Notepad++
2009-01-13 15:00 . 2009-01-13 15:00 <DIR> d-------- c:\documents and settings\user\Application Data\Notepad++
2009-01-13 00:43 . 2009-01-13 00:43 <DIR> d-------- c:\program files\Google
2009-01-12 23:25 . 2009-02-03 15:32 <DIR> d-------- c:\windows\system32\XPSViewer
2009-01-12 23:24 . 2009-01-12 23:24 <DIR> d-------- c:\program files\Reference Assemblies
2009-01-12 23:23 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2009-01-12 23:19 . 2009-01-12 23:19 <DIR> d-------- c:\program files\MSECache
2009-01-12 22:20 . 2009-01-18 22:48 185 --a------ c:\windows\wininit.ini
2009-01-12 22:19 . 2009-01-12 22:19 <DIR> d-------- c:\program files\PowerISO
2009-01-12 21:53 . 2009-01-12 21:53 <DIR> d-------- c:\documents and settings\user\WINDOWS
2009-01-12 21:46 . 2009-01-12 21:46 288 --a------ c:\windows\ODBC.INI
2009-01-12 21:46 . 2009-01-12 21:46 126 --a------ c:\windows\mdm.ini
2009-01-12 21:43 . 2009-01-12 21:43 <DIR> d-------- c:\program files\Web Publish
2009-01-12 10:49 . 1998-06-02 11:56 313,856 --a------ c:\windows\system32\dx3j.dll
2009-01-12 10:49 . 1998-06-02 14:45 140,048 --a------ c:\windows\system32\jit.dll
2009-01-12 10:49 . 1998-06-02 12:29 135,168 --a------ c:\windows\system32\javaee.dll
2009-01-12 10:49 . 1998-06-02 12:41 42,496 --a------ c:\windows\setdebug.exe
2009-01-12 10:49 . 1998-06-02 12:28 7,356 --a------ c:\windows\system32\javasup.vxd
2009-01-12 10:49 . 1998-06-02 11:57 6,550 --a------ c:\windows\jautoexp.dat
2009-01-12 02:17 . 2009-01-12 02:17 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-12 02:16 . 2009-01-12 02:17 <DIR> d-------- c:\program files\Common Files\Adobe
2009-01-12 02:06 . 2009-01-12 11:20 <DIR> d-------- c:\program files\NOS
2009-01-12 02:06 . 2009-01-12 11:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2009-01-09 22:17 . 2009-01-09 22:17 <DIR> d-------- c:\program files\CDisplay
2009-01-09 21:48 . 2009-01-09 21:58 <DIR> d-------- c:\windows\system32\m3V02
2009-01-09 21:48 . 2009-01-09 21:48 <DIR> d-------- c:\temp\tmp90
2009-01-09 11:08 . 2009-01-09 11:08 <DIR> d-------- c:\windows\Sun
2009-01-09 11:07 . 2009-01-09 11:07 <DIR> d-------- c:\program files\Java
2009-01-09 11:07 . 2009-01-09 11:07 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-09 11:07 . 2009-01-09 11:07 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-08 01:32 . 2009-01-08 01:35 <DIR> d-------- c:\program files\Project64 1.6
2009-01-08 00:55 . 2009-01-08 01:03 <DIR> d-------- c:\program files\MagicDVDRipper
2009-01-07 23:14 . 2009-01-07 23:14 <DIR> d-------- c:\program files\Karen's Power Tools
2009-01-07 23:14 . 2009-01-07 23:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Karen's Power Tools
2009-01-07 22:15 . 2009-02-03 20:38 <DIR> d-------- C:\temp
2009-01-07 22:12 . 2009-01-07 22:12 <DIR> d-------- c:\program files\Nidesoft Studio
2009-01-07 22:12 . 1999-09-10 12:06 45,056 --a------ c:\windows\system32\WNASPI32.DLL
2009-01-07 22:12 . 1999-09-10 12:06 25,244 --a------ c:\windows\system32\drivers\ASPI32.SYS
2009-01-07 22:12 . 1999-09-10 12:06 5,600 --a------ c:\windows\system\WINASPI.DLL
2009-01-07 22:12 . 1999-09-10 12:06 4,672 --a------ c:\windows\system\WOWPOST.EXE
2009-01-07 21:56 . 2009-01-07 21:56 <DIR> d-------- C:\Output
2009-01-07 21:54 . 2009-01-07 21:54 34 --ah----- c:\windows\system32\DVDRipperDiamond_sysquict.dat
2009-01-07 10:40 . 2009-01-07 21:58 <DIR> d-------- c:\program files\Aglare DVD to AVI WMV MP4 MPEG Converter
2009-01-07 10:12 . 2009-01-07 10:12 <DIR> d-------- c:\program files\Easy MPEG AVI DIVX WMV RM to DVD
2009-01-07 10:12 . 2009-01-07 10:12 67 --a------ c:\windows\Easy Video to DVD.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-03 09:22 --------- d-----w c:\program files\AGEIA Technologies
2009-01-20 10:21 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-11 16:13 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-09 02:54 --------- d-----w c:\documents and settings\user\Application Data\CyberLink
2009-01-09 02:54 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2009-01-06 11:00 4,968,448 ----a-w c:\windows\system32\drivers\RtkHDAud.sys
2009-01-01 08:23 --------- d-----w c:\program files\McAfee
2009-01-01 08:19 --------- d-----w c:\program files\FFXiBench3
2009-01-01 07:54 --------- d-----w c:\documents and settings\user\Application Data\mjusbsp
2008-12-30 23:10 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-12-30 06:58 18,082,304 ----a-w c:\windows\RTHDCPL.EXE
2008-12-30 06:47 --------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-12-30 06:47 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-29 06:00 --------- d-----w c:\program files\Transparent
2008-12-29 05:47 --------- d-----w c:\documents and settings\user\Application Data\Winamp
2008-12-29 04:36 --------- d-----w c:\documents and settings\user\Application Data\DivX
2008-12-29 03:53 --------- d-----w c:\program files\Common Files\LightScribe
2008-12-29 03:51 --------- d-----w c:\program files\Common Files\Ahead
2008-12-29 03:51 --------- d-----w c:\program files\Ahead
2008-12-29 03:50 --------- d-----w c:\program files\CyberLink DVD Solution
2008-12-29 03:49 --------- d-----w c:\program files\CyberLink
2008-12-29 03:48 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-29 03:18 --------- d-----w c:\program files\MSBuild
2008-12-29 03:18 --------- d-----w c:\program files\Microsoft Works
2008-12-29 03:08 --------- d-----w c:\program files\Alcohol Soft
2008-12-29 02:49 --------- d-----w c:\program files\PlayOnline
2008-12-28 06:57 --------- d-----w c:\program files\Common Files\McAfee
2008-12-28 06:57 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-28 06:57 --------- d-----w c:\documents and settings\All Users\Application Data\OrbNetworks
2008-12-28 06:56 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-28 06:47 --------- d-----w c:\program files\Winamp Toolbar
2008-12-28 06:47 --------- d-----w c:\program files\Winamp Remote
2008-12-28 06:47 --------- d-----w c:\program files\Winamp
2008-12-28 06:47 --------- d-----w c:\documents and settings\All Users\Application Data\Winamp Toolbar
2008-12-28 06:42 --------- d-----w c:\program files\DivX
2008-12-28 06:32 --------- d-----w c:\program files\McAfee.com
2008-12-28 05:54 --------- d-----w c:\program files\Logitech
2008-12-28 05:54 --------- d-----w c:\documents and settings\All Users\Application Data\Logitech
2008-12-28 03:36 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-28 03:31 --------- d-----w c:\program files\Intel
2008-12-28 03:30 --------- d-----w c:\program files\Realtek
2008-12-28 03:24 --------- d-----w c:\program files\microsoft frontpage
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-21 21:47 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-11-21 21:47 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-11-21 21:47 129,784 ------w c:\windows\system32\pxafs.dll
2008-11-21 21:47 120,056 ------w c:\windows\system32\pxcpyi64.exe
2008-11-21 21:47 118,520 ------w c:\windows\system32\pxinsi64.exe
2008-11-21 21:46 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-11-21 21:46 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-11-21 21:44 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 21:44 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-11-12 21:45 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2006-06-24 06:48 32,768 ----a-r c:\windows\inf\UpdateUSB.exe
2004-10-01 23:00 40,960 ----a-w c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( snapshot@2009-02-03_22.24.00.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-03 11:52:42 74,570 ----a-w c:\windows\system32\perfc009.dat
+ 2009-02-03 14:34:26 74,570 ----a-w c:\windows\system32\perfc009.dat
- 2009-02-03 11:52:42 453,730 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-03 14:34:26 453,730 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-03 14:29:50 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_100.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\user\Application Data\mjusbsp\cdloader2.exe" [2008-12-18 50520]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-13 86016]
"Launch LGDCore"="c:\program files\Logitech\G-series Software\LGDCore.exe" [2006-03-06 1122304]
"Launch LCDMon"="c:\program files\Logitech\G-series Software\LCDMon.exe" [2006-03-06 497152]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-12 641208]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-04 36352]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-07-08 1397760]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-10 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-09 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Google IME Autoupdater"="c:\program files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2008-10-17 308720]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-13 13672448]
"nwiz"="nwiz.exe" [2008-11-13 c:\windows\system32\nwiz.exe]

c:\documents and settings\user\Start Menu\Programs\Startup\
SolidWorks Task Scheduler Engine.lnk - c:\program files\SolidWorks\swScheduler\swBOEngine.exe [2007-09-09 488728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 21:42 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-11-13 06:54 13672448 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-03-15 07:50 233472 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SolidWorks_CheckForUpdates]
-ra------ 2007-09-10 14:15 6460696 c:\program files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\alcmtr]
--a------ 2008-06-19 16:20 57344 c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-11-13 06:54 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rthdcpl]
--a------ 2008-12-30 14:58 18082304 c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\user\\Application Data\\mjusbsp\\magicJack.exe"=

R2 mcafee siteadvisor service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-12-30 206096]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2008-12-28 36864]
S3 getplus(r) helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe --> c:\program files\NOS\bin\getPlus_HelperSvc.exe [?]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2009-01-20 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2009-01-20 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2009-01-20 120744]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - f:\.\swwi\data\swsetup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-28 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-10 10:10]

2008-12-31 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-10 10:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: e&xport to microsoft excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-03 22:35:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-03 22:36:10
ComboFix-quarantined-files.txt 2009-02-03 14:36:08
ComboFix2.txt 2009-02-03 14:24:45
ComboFix3.txt 2009-01-20 05:05:40

Pre-Run: 76,306,960,384 bytes free
Post-Run: 76,285,444,096 bytes free

276 --- E O F --- 2009-01-18 14:37:13

Shaba
2009-02-09, 18:22
Download gmer.zip (http://gmer.net/gmer.zip) and save to your desktop.
alternate download site 1 (http://hype.free.googlepages.com/gmer.zip)
alternate download site 2 (http://www.castlecops.com/downloads-file-546.html)

Unzip/extract the file to its own folder. (Click here (http://www.bleepingcomputer.com/tutorials/tutorial105.html) for information on how to do this if not sure. Win 2000 users click here (http://www.bleepingcomputer.com/tutorials/tutorial106.html).)
When you have done this, disconnect from the Internet and close all running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double-click on Gmer.exe to start the program.
Allow the gmer.sys driver to load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
Click on "Settings", then check the first five settings:
*System Protection and Tracing
*Processes
*Save created processes to the log
*Drivers
*Save loaded drivers to the log
You will be prompted to restart your computer. Please do so.

Run Gmer again and click on the Rootkit tab.
Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
Click on the "Scan" and wait for the scan to finish.
Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information into your next reply.
Note: If you have any problems, try running GMER in SAFE MODE (http://www.bleepingcomputer.com/forums/tutorial61.html)
Important! Please do not select the "Show all" checkbox during the scan.
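
To make the gmer.txt produced by these steps easier to review, here is an added helper (my own example, not GMER's code and not from this thread) that groups the hooks GMER reports by the driver that owns them and lists any module whose hooks carry no known-vendor description. The mfehidk.sys lines follow the shape GMER prints; the example_unknown.sys line and its addresses are constructed to show an unattributed hook.

```python
"""Triage helper for gmer.txt: group kernel hooks by the module that owns them.

Added example, not part of GMER or of this thread. GMER prints two line
shapes of interest:
  "System" block:  Code <module> (<description>) <function> [<address>]
  "Kernel code sections" block:
      <section> <image>!<function> <addr> <n> Bytes JMP <target> <module> (<description>)
Hooks from a known vendor's driver (McAfee's mfehidk.sys in this thread) are
expected; the same system calls hooked by a module with no description and an
odd path are what a helper would look at first.
"""
import re

# Module paths may contain spaces ("Program Files"), so they are matched lazily
# and the description / address groups are optional: GMER omits the description
# when it cannot attribute the module to a file it knows.
SYSTEM_RE = re.compile(
    r"^Code\s+(?P<module>.+?)(?:\s+\((?P<desc>[^)]*)\))?"
    r"\s+(?P<func>\w+)(?:\s+\[(?P<addr>0x[0-9A-Fa-f]+)\])?\s*$"
)
INLINE_RE = re.compile(
    r"^(?P<section>\S+)\s+(?P<image>[^!\s]+)!(?P<func>\w+)\s+(?P<addr>[0-9A-Fa-f]+)\s+"
    r"(?P<n>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)\s+(?P<module>.+?)"
    r"(?:\s+\((?P<desc>[^)]*)\))?\s*$"
)


def canonical_syscall(name):
    """ZwCreateFile and NtCreateFile name the same system service; fold the prefix."""
    if name.startswith(("Zw", "Nt")):
        return name[2:]
    return name


def parse_gmer_hooks(lines):
    """Return {module: {"desc": str|None, "ssdt": set, "inline": set}}.

    "ssdt" collects the service names from the System block, "inline" the
    patched kernel exports from the Kernel code sections block.
    """
    hooks = {}
    for raw in lines:
        line = raw.strip()
        kind, m = "ssdt", SYSTEM_RE.match(line)
        if m is None:
            kind, m = "inline", INLINE_RE.match(line)
        if m is None:
            continue  # section headers, blanks and other report lines
        entry = hooks.setdefault(m.group("module"),
                                 {"desc": None, "ssdt": set(), "inline": set()})
        if m.group("desc"):
            entry["desc"] = m.group("desc")
        entry[kind].add(canonical_syscall(m.group("func")))
    return hooks


def unattributed_hookers(hooks, trusted_vendors):
    """Modules whose description names none of the trusted vendors (or is missing)."""
    flagged = []
    for module, entry in hooks.items():
        desc = (entry["desc"] or "").lower()
        if not any(v.lower() in desc for v in trusted_vendors):
            flagged.append(module)
    return sorted(flagged)


# Sample report: the mfehidk.sys lines follow GMER's format as seen in this
# thread; the last line (example_unknown.sys, its addresses) is constructed.
SAMPLE_GMER = r"""---- System - GMER 1.0.14 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB67E39D2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB67E3950]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP B67E3A00 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP B67E39D6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP B67E3954 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 80624B7A 5 Bytes JMP F7A1C000 \??\C:\WINDOWS\TEMP\example_unknown.sys
"""


def report(text, trusted_vendors=("McAfee",)):
    """Human-readable summary: one line per module plus the flagged list."""
    hooks = parse_gmer_hooks(text.splitlines())
    out = []
    for module in sorted(hooks):
        e = hooks[module]
        out.append("%s  [%s]  ssdt=%s  inline=%s" % (
            module, e["desc"] or "no description",
            ",".join(sorted(e["ssdt"])) or "-", ",".join(sorted(e["inline"])) or "-"))
    out.append("unattributed: " + (", ".join(unattributed_hookers(hooks, trusted_vendors)) or "none"))
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_GMER)))
```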

jvanosda
2009-02-10, 08:18
Here is the gmer info.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-10 14:15:23
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB67E39D2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xB67E3A69]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB67E397D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB67E3996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB67E3A7D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB67E3AA9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB67E3B17]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB67E3B01]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB67E3A12]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB67E3B43]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB67E3A55]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB67E3950]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB67E3964]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB67E39E6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB67E3B7F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB67E3AEB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB67E3AD5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB67E3A93]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB67E3B6B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB67E3B57]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB67E39BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB67E39AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xB67E3ABF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB67E3A41]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB67E3B2D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB67E3A28]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB67E39FC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP B67E3A00 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP B67E39D6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP B67E3A16 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP B67E3A2C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP B67E39EA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP B67E3954 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP B67E3968 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP B67E39AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1142 7 Bytes JMP B67E399A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP B67E3981 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP B67E39C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP B67E3A45 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219CA 7 Bytes JMP B67E3AD9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D18 7 Bytes JMP B67E3AC3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622042 7 Bytes JMP B67E3B31 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 806228E0 7 Bytes JMP B67E3AEF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231B4 7 Bytes JMP B67E3A97 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 80623792 5 Bytes JMP B67E3A6D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C22 7 Bytes JMP B67E3A81 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623DF2 7 Bytes JMP B67E3AAD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FD2 7 Bytes JMP B67E3B1B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062423C 7 Bytes JMP B67E3B05 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B64 5 Bytes JMP B67E3A59 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624E8A 7 Bytes JMP B67E3B83 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8062514A 5 Bytes JMP B67E3B5B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062583E 5 Bytes JMP B67E3B6F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625958 5 Bytes JMP B67E3B47 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[140] kernel32.dll!WriteFile 7C810E17 7 Bytes JMP 01121B19 C:\WINDOWS\system32\mssrch.dll (mssrch.lib/Microsoft Corporation)
.text C:\WINDOWS\system32\wuauclt.exe[540] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B000A
.text C:\WINDOWS\system32\wuauclt.exe[540] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B009F
.text C:\WINDOWS\system32\wuauclt.exe[540] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B008E
.text C:\WINDOWS\system32\wuauclt.exe[540] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0073
.text C:\WINDOWS\system32\wuauclt.exe[540] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0FB6
.text C:\WINDOWS\system32\wuauclt.exe[540] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0FD1
.text C:\WINDOWS\system32\wuauclt.exe[540] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B00D7
.text C:\WINDOWS\system32\wuauclt.exe[540] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B00B0
.text C:\WINDOWS\system32\wuauclt.exe[540] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0103
.text C:\WINDOWS\system32\wuauclt.exe[540] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B0F6A
.text C:\WINDOWS\system32\wuauclt.exe[540] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001B0F45
.text C:\WINDOWS\system32\wuauclt.exe[540] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001B0058
.text C:\WINDOWS\system32\wuauclt.exe[540] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001B001B
.text C:\WINDOWS\system32\wuauclt.exe[540] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001B0F8F
.text C:\WINDOWS\system32\wuauclt.exe[540] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001B003D
.text C:\WINDOWS\system32\wuauclt.exe[540] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001B002C
.text C:\WINDOWS\system32\wuauclt.exe[540] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001B00E8
.text C:\WINDOWS\system32\wuauclt.exe[540] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 002B004A
.text C:\WINDOWS\system32\wuauclt.exe[540] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 002B0080
.text C:\WINDOWS\system32\wuauclt.exe[540] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[540] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 002B001B
.text C:\WINDOWS\system32\wuauclt.exe[540] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 002B0FC3
.text C:\WINDOWS\system32\wuauclt.exe[540] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 002B000A
.text C:\WINDOWS\system32\wuauclt.exe[540] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 002B0FDE
.text C:\WINDOWS\system32\wuauclt.exe[540] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 4B, 88 ]
.text C:\WINDOWS\system32\wuauclt.exe[540] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 002B005B
.text C:\WINDOWS\system32\wuauclt.exe[540] WS2_32.dll!socket 71AB4211 5 Bytes JMP 003C0FEF
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070F7C
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070F8D
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070FA8
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070065
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070FB9
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F5A
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070096
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000700DF
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 000700CE
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 000700F0
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00070040
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00070F6B
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00070025
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00070FCA
.text C:\WINDOWS\system32\services.exe[840] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 000700BD
.text C:\WINDOWS\system32\services.exe[840] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00060FB9
.text C:\WINDOWS\system32\services.exe[840] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00060F6F
.text C:\WINDOWS\system32\services.exe[840] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00060FCA
.text C:\WINDOWS\system32\services.exe[840] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0006000A
.text C:\WINDOWS\system32\services.exe[840] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00060036
.text C:\WINDOWS\system32\services.exe[840] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[840] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00060025
.text C:\WINDOWS\system32\services.exe[840] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00060F9E
.text C:\WINDOWS\system32\services.exe[840] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E80FEF
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E8006E
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E8005D
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E80F83
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E80040
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E80F9E
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E80F48
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E80090
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E80F08
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E80F23
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00E800BC
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00E80025
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E80FD4
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00E8007F
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00E80FB9
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00E8000A
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00E800AB
.text C:\WINDOWS\system32\lsass.exe[852] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00E70036
.text C:\WINDOWS\system32\lsass.exe[852] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00E70065
.text C:\WINDOWS\system32\lsass.exe[852] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00E70FDB
.text C:\WINDOWS\system32\lsass.exe[852] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00E70011
.text C:\WINDOWS\system32\lsass.exe[852] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00E70F9E
.text C:\WINDOWS\system32\lsass.exe[852] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00E70000
.text C:\WINDOWS\system32\lsass.exe[852] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00E70FB9
.text C:\WINDOWS\system32\lsass.exe[852] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 07, 89 ]
.text C:\WINDOWS\system32\lsass.exe[852] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00E70FCA
.text C:\WINDOWS\system32\lsass.exe[852] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D20000
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 025F0000
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 025F0F70
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 025F005B
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 025F0F8D
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 025F0040
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 025F0FAF
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 025F0F31
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 025F0F42
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 025F009E
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 025F0F05
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 025F0EE0
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 025F0F9E
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 025F0FE5
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 025F0F5F
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 025F0FC0
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 025F0011
.text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 025F0F20
.text C:\WINDOWS\system32\svchost.exe[1032] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 025E0FB2
.text C:\WINDOWS\system32\svchost.exe[1032] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 025E0F75
.text C:\WINDOWS\system32\svchost.exe[1032] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 025E0FC3
.text C:\WINDOWS\system32\svchost.exe[1032] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 025E0FD4
.text C:\WINDOWS\system32\svchost.exe[1032] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 025E0F86
.text C:\WINDOWS\system32\svchost.exe[1032] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 025E0FEF
.text C:\WINDOWS\system32\svchost.exe[1032] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 025E0028
.text C:\WINDOWS\system32\svchost.exe[1032] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 025E0FA1
.text C:\WINDOWS\system32\svchost.exe[1032] WS2_32.dll!socket 71AB4211 5 Bytes JMP 025A0000
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0105000A
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01050F64
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01050F75
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01050F86
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01050F97
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01050FB9
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01050F2E
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01050F49
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010500D1
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010500AC
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 010500EC
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01050FA8
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01050FE5
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01050074
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01050FCA
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 0105001B
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 0105009B
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00FF0FCA
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00FF0062
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00FF0FDB
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00FF001B
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00FF0051
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00FF0FB9
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 1F, 89 ]
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00FF0040
.text C:\WINDOWS\system32\svchost.exe[1104] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FD0FEF
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03720000
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03720F94
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0372007F
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03720062
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03720051
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03720FAF
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 037200C6
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 037200B5
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03720106
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 037200EB
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 03720F52
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 03720036
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 03720FE5
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 037200A4
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 0372001B
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 03720FCA
.text C:\WINDOWS\System32\svchost.exe[1204] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 03720F63
.text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 031B0FC3
.text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 031B0F7C
.text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 031B0FD4
.text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 031B0FEF
.text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 031B0F97
.text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 031B0000
.text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 031B0039
.text C:\WINDOWS\System32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 031B0FB2
.text C:\WINDOWS\System32\svchost.exe[1204] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02EC0FEF
.text C:\WINDOWS\System32\svchost.exe[1204] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 032E0000
.text C:\WINDOWS\System32\svchost.exe[1204] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 032E001B
.text C:\WINDOWS\System32\svchost.exe[1204] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 032E0FDB
.text C:\WINDOWS\System32\svchost.exe[1204] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 032E0036
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00900FEF
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00900F6F
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00900F80
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00900058
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00900047
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00900FAF
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00900F1C
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00900F2D
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00900EE6
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00900075
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 0090009A
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00900036
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00900000
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00900F54
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00900FCA
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00900011
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00900EF7
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 008F000A
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 008F0025
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 008F0FB9
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 008F0FD4
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 008F0F5E
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 008F0FEF
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 008F0F83
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ AF, 88 ]
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 008F0F9E
.text C:\WINDOWS\system32\svchost.exe[1400] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00840FE5
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D7000A
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D70F6B
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D70F7C
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D70054
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D70F97
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D70FB2
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D70098
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D70F50
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D70F35
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D700C4
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00D70F1A
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00D7002F
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00D70FEF
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00D7007B
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00D70FC3
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00D70FD4
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00D700B3
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00820FD1
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00820FB6
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0082002C
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0082001B
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00820069
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00820000
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 0082004E
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 0082003D
.text C:\WINDOWS\system32\svchost.exe[1436] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00800000
.text C:\WINDOWS\system32\svchost.exe[1436] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00830FE5
.text C:\WINDOWS\system32\svchost.exe[1436] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00830000
.text C:\WINDOWS\system32\svchost.exe[1436] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00830011
.text C:\WINDOWS\system32\svchost.exe[1436] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 0083002C
.text C:\WINDOWS\Explorer.EXE[1880] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01F50000
.text C:\WINDOWS\Explorer.EXE[1880] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01F5009D
.text C:\WINDOWS\Explorer.EXE[1880] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01F50082
.text C:\WINDOWS\Explorer.EXE[1880] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01F50067
.text C:\WINDOWS\Explorer.EXE[1880] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01F50040
.text C:\WINDOWS\Explorer.EXE[1880] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01F50025
.text C:\WINDOWS\Explorer.EXE[1880] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01F500D5
.text C:\WINDOWS\Explorer.EXE[1880] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01F50F8D
.text C:\WINDOWS\Explorer.EXE[1880] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01F50F5A
.text C:\WINDOWS\Explorer.EXE[1880] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01F50F6B
.text C:\WINDOWS\Explorer.EXE[1880] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 01F50F3F
.text C:\WINDOWS\Explorer.EXE[1880] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01F50FA8
.text C:\WINDOWS\Explorer.EXE[1880] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01F50FE5
.text C:\WINDOWS\Explorer.EXE[1880] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01F500AE
.text C:\WINDOWS\Explorer.EXE[1880] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01F50FB9
.text C:\WINDOWS\Explorer.EXE[1880] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01F50FCA
.text C:\WINDOWS\Explorer.EXE[1880] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 01F50F7C
.text C:\WINDOWS\Explorer.EXE[1880] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 01F30014
.text C:\WINDOWS\Explorer.EXE[1880] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01F30F7C
.text C:\WINDOWS\Explorer.EXE[1880] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 01F30FC3
.text C:\WINDOWS\Explorer.EXE[1880] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 01F30FD4
.text C:\WINDOWS\Explorer.EXE[1880] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01F30F8D
.text C:\WINDOWS\Explorer.EXE[1880] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01F30FEF
.text C:\WINDOWS\Explorer.EXE[1880] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 01F30F9E
.text C:\WINDOWS\Explorer.EXE[1880] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 13, 8A ]
.text C:\WINDOWS\Explorer.EXE[1880] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 01F3002F
.text C:\WINDOWS\Explorer.EXE[1880] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 01F40000
.text C:\WINDOWS\Explorer.EXE[1880] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 01F4001B
.text C:\WINDOWS\Explorer.EXE[1880] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 01F40FE5
.text C:\WINDOWS\Explorer.EXE[1880] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 01F4002C
.text C:\WINDOWS\Explorer.EXE[1880] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01C0000A
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[3640] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041BF60 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[3640] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041BFE0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxyxyuhkkv.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@userdata -1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxyxyuhkkv.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxrqvqatnc.dll

---- EOF - GMER 1.0.14 ----

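The GMER log above contains two kinds of inline-hook entries. The kernel hooks and a few user-mode hooks are attributed to a named module (mfehidk.sys, mssrch.dll, mcproxy.exe, each with a vendor string), while the user-mode hooks in wuauclt.exe, services.exe, lsass.exe, several svchost.exe instances and Explorer.EXE have JMP targets with no module name at all, meaning GMER found no file-backed image at that address. In the Registry section the gaopdxserv.sys service points at a driver and a DLL with unrelated random-looking names, one of them through a \\?\globalroot path. The Python script below is an added example, not part of the original thread and not GMER's own code: it parses a constructed excerpt of the lines above, separates attributed from unattributed hooks per process, and flags service entries that use globalroot paths or whose driver file name differs from the service name. Those three triage heuristics are assumptions of this example, not anything GMER itself asserts.

```python
import re
from collections import defaultdict

# Constructed excerpt of the GMER 1.0.14 log posted above (a few representative
# lines, not the full log). Raw string so the backslashes survive unchanged.
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.14 ----

PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP B67E39D6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[140] kernel32.dll!WriteFile 7C810E17 7 Bytes JMP 01121B19 C:\WINDOWS\system32\mssrch.dll (mssrch.lib/Microsoft Corporation)
.text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E80FEF
.text C:\WINDOWS\system32\lsass.exe[852] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D20000
.text C:\WINDOWS\Explorer.EXE[1880] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 01F40000
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[3640] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041BF60 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxyxyuhkkv.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxrqvqatnc.dll
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER ")
# One inline-hook line: section, location, patched address, patch length,
# JMP target and, when GMER found a mapped image at the target, its module.
HOOK_RE = re.compile(
    r"^(?P<sect>\.text|PAGE|INIT)\s+(?P<where>.+?)\s+(?P<addr>[0-9A-F]{8})\s+"
    r"(?P<n>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-F]{8})(?:\s+(?P<module>\S.*))?$"
)
REG_RE = re.compile(r"^Reg\s+(?P<key>[^@\s]+)@(?P<value>\S+)\s+(?P<data>.*)$")


def parse_gmer(text):
    """Split a GMER text log into kernel hooks, user hooks and registry entries."""
    out = {"kernel_hooks": [], "user_hooks": [], "registry": []}
    section = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if section.startswith(("kernel code", "user code")):
            m = HOOK_RE.match(line)
            if not m:
                continue  # e.g. "RegCreateKeyW + 3 ... 2 Bytes [ 4B, 88 ]" tail lines
            entry = m.groupdict()
            if section.startswith("user code"):
                # "<process>[pid] <dll>!<export>"; the process path may contain spaces
                entry["process"], entry["api"] = entry.pop("where").rsplit(" ", 1)
                out["user_hooks"].append(entry)
            else:
                entry["api"] = entry.pop("where")
                out["kernel_hooks"].append(entry)
        elif section.startswith("registry"):
            m = REG_RE.match(line)
            if m:
                out["registry"].append(m.groupdict())
    return out


def suspicious_user_hooks(parsed):
    """Per process, hooked APIs whose JMP target GMER attributed to no module.
    Heuristic assumed by this example: a hook into memory backed by no file on
    disk looks like injected code, unlike a vendor hook into a named DLL."""
    findings = defaultdict(list)
    for h in parsed["user_hooks"]:
        if h["module"] is None:
            findings[h["process"]].append(h["api"])
    return dict(findings)


def suspicious_services(parsed):
    """Service entries to inspect: globalroot paths, and an imagepath whose file
    name differs from the service name (a weak signal on its own)."""
    findings = defaultdict(list)
    for e in parsed["registry"]:
        m = re.search(r"\\Services\\([^\\@]+)", e["key"])
        if not m:
            continue
        svc = m.group(1)
        if "globalroot" in e["data"].lower():
            findings[svc].append(f"{e['value']} referenced via globalroot: {e['data']}")
        if e["value"].lower() == "imagepath":
            driver = e["data"].rsplit("\\", 1)[-1]
            if driver.lower() != svc.lower():
                findings[svc].append(f"imagepath file {driver} does not match service name")
    return dict(findings)


if __name__ == "__main__":
    parsed = parse_gmer(SAMPLE_LOG)
    for proc, apis in suspicious_user_hooks(parsed).items():
        print(f"unattributed hooks in {proc}: {', '.join(apis)}")
    for svc, reasons in suspicious_services(parsed).items():
        for reason in reasons:
            print(f"service {svc}: {reason}")
```

Run against the full log, the script reports every system process listed in the User code section except SearchIndexer.exe and mcproxy.exe, which is exactly the split a helper reading the log by eye would make; the hooked set (CreateFile*, LoadLibrary*, CreateProcess*, RegOpenKey*, RegCreateKey*, socket, InternetOpen*) is consistent across processes, so the same injected code is present in each of them.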
Shaba
2009-02-10, 19:36
Open ComboFix and allow it to update itself if it asks for it.

Post back a fresh ComboFix log and a fresh HijackThis log, please.

jvanosda
2009-02-11, 08:33
Here are the new ComboFix logs and the HJT log after ComboFix was run.

ComboFix 09-02-10.02 - user 2009-02-11 14:15:12.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2765 [GMT 8:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\gaopdxcounter

.
((((((((((((((((((((((((( Files Created from 2009-01-11 to 2009-02-11 )))))))))))))))))))))))))))))))
.

2009-02-10 18:57 . 2009-02-10 19:00 <DIR> d-------- c:\program files\FFXIP
2009-02-10 13:47 . 2009-02-10 14:05 345 --a------ c:\windows\gmer.ini
2009-02-09 20:46 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2009-02-09 20:46 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2009-02-09 20:46 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2009-02-08 23:37 . 2009-02-08 23:37 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-02-08 23:37 . 2009-02-08 23:37 <DIR> d-------- c:\program files\Microsoft Office Outlook Connector
2009-02-08 23:37 . 2009-02-08 23:37 <DIR> d-------- c:\program files\Microsoft
2009-02-08 23:35 . 2009-02-08 23:35 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-02-08 22:21 . 2009-02-08 22:27 <DIR> d-------- c:\program files\Safer Networking
2009-02-08 22:00 . 2009-02-08 22:00 <DIR> d-------- C:\rsit
2009-02-08 20:07 . 2009-02-08 20:07 <DIR> d-------- c:\program files\Elaborate Bytes
2009-02-08 19:51 . 2009-02-08 19:51 <DIR> d-------- c:\program files\MSXML 4.0
2009-02-03 20:08 . 2009-02-03 20:08 <DIR> d-------- c:\documents and settings\user\Application Data\SolidWorks 2008
2009-02-03 20:00 . 2009-02-03 23:01 <DIR> d-------- c:\documents and settings\user\Application Data\SolidWorks
2009-02-03 18:19 . 2009-02-03 18:34 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Winamp
2009-02-03 17:52 . 2009-02-03 17:52 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-03 17:47 . 2009-02-03 17:48 <DIR> d-------- c:\documents and settings\Administrator
2009-02-03 17:25 . 2009-02-03 17:25 23 --ah----- c:\windows\yacht.xws
2009-02-03 17:22 . 2009-02-03 17:22 <DIR> d-------- c:\windows\system32\GroupPolicy
2009-02-03 17:22 . 2009-02-03 20:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\SolidWorks
2009-02-03 17:19 . 2009-02-03 17:19 <DIR> d-------- c:\program files\SolidWorks Viewer
2009-02-03 17:16 . 2009-02-03 17:16 <DIR> d-------- c:\program files\Windows Desktop Search
2009-02-03 17:15 . 2009-02-03 20:00 <DIR> d-------- c:\program files\SolidWorks
2009-02-03 17:14 . 2009-02-03 17:14 <DIR> d-------- c:\program files\Document Manager
2009-02-03 17:12 . 2009-02-03 17:23 <DIR> d-------- c:\program files\Common Files\SolidWorks Shared
2009-02-03 17:12 . 2009-02-03 17:22 <DIR> d-------- c:\program files\Common Files\eDrawings2008
2009-02-03 17:12 . 2009-02-03 17:12 0 --a------ c:\windows\eDrawingOfficeAutomator.INI
2009-02-03 17:11 . 2009-02-03 20:06 <DIR> d-------- c:\program files\DWGeditor
2009-02-03 17:11 . 2009-02-03 17:11 <DIR> d-------- c:\documents and settings\user\Application Data\DWGeditor
2009-02-03 16:08 . 2009-02-03 17:22 <DIR> d-------- C:\SolidWorks Data
2009-02-03 16:04 . 2009-02-03 16:05 <DIR> d-------- c:\program files\Common Files\SolidWorks Installation Manager
2009-02-03 16:03 . 2009-02-03 16:09 <DIR> d-------- c:\windows\SolidWorks
2009-02-03 16:03 . 2009-02-03 20:02 <DIR> d-------- c:\documents and settings\user\Application Data\IM
2009-02-03 15:53 . 2009-02-03 15:53 <DIR> d-------- c:\program files\Classic Menu for Office
2009-02-03 15:53 . 2009-02-11 14:08 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-02-03 15:35 . 2009-02-03 15:35 <DIR> d-------- c:\documents and settings\user\workspace
2009-02-03 15:31 . 2009-02-03 16:31 <DIR> d-------- c:\windows\SxsCaPendDel
2009-02-03 15:25 . 2009-02-10 21:47 <DIR> d-------- c:\program files\eclipse
2009-01-20 20:33 . 2009-01-20 20:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-01-20 20:32 . 2008-08-05 20:10 1,684,736 --a------ c:\windows\system32\drivers\Ambfilt.sys
2009-01-20 20:32 . 2006-01-04 15:41 1,389,056 --a------ c:\windows\system32\drivers\Monfilt.sys
2009-01-20 20:32 . 2008-10-23 17:42 290,816 --a------ c:\windows\vncutil.exe
2009-01-20 20:32 . 2008-06-24 14:46 104,992 --a------ c:\windows\RtkAudioService.exe
2009-01-20 20:32 . 2009-01-05 16:16 34,816 --a------ c:\windows\system32\RtkCoInstXP.dll
2009-01-20 18:21 . 2009-01-20 18:21 <DIR> d-------- c:\program files\Avanquest update
2009-01-20 18:21 . 2009-01-20 18:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\BVRP Software
2009-01-20 18:20 . 2009-01-20 18:20 <DIR> d-------- c:\program files\Sony Ericsson
2009-01-20 18:20 . 2009-01-20 18:20 <DIR> d-------- c:\documents and settings\user\Application Data\InstallShield
2009-01-20 18:20 . 2009-01-20 18:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sony Ericsson
2009-01-20 18:20 . 2008-05-16 12:33 120,744 --a------ c:\windows\system32\drivers\s0016mdm.sys
2009-01-20 18:20 . 2008-05-16 12:33 89,256 --a------ c:\windows\system32\drivers\s0016bus.sys
2009-01-20 18:20 . 2008-05-16 12:33 15,016 --a------ c:\windows\system32\drivers\s0016mdfl.sys
2009-01-20 18:20 . 2008-05-16 12:33 12,200 --a------ c:\windows\system32\drivers\s0016whnt.sys
2009-01-20 18:20 . 2008-05-16 12:33 12,200 --a------ c:\windows\system32\drivers\s0016wh.sys
2009-01-20 18:20 . 2008-05-16 12:33 12,200 --a------ c:\windows\system32\drivers\s0016cmnt.sys
2009-01-20 18:20 . 2008-05-16 12:33 12,200 --a------ c:\windows\system32\drivers\s0016cm.sys
2009-01-20 17:50 . 2009-01-20 17:50 <DIR> d-------- c:\windows\Downloaded Installations
2009-01-20 17:49 . 2009-01-20 17:49 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-20 17:49 . 2009-01-20 17:49 1,409 --a------ c:\windows\QTFont.for
2009-01-20 13:14 . 2009-01-20 13:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-20 13:14 . 2009-01-20 13:14 <DIR> d-------- c:\documents and settings\user\Application Data\Malwarebytes
2009-01-20 13:14 . 2009-01-20 13:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-20 13:14 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-20 13:14 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-18 22:18 . 2009-01-18 22:18 0 --a------ c:\windows\LCDMedia.INI
2009-01-18 22:13 . 2009-01-18 22:13 <DIR> d-------- c:\program files\ERUNT
2009-01-14 01:23 . 2009-01-14 01:23 <DIR> d-------- c:\program files\Trend Micro
2009-01-13 15:00 . 2009-01-13 15:00 <DIR> d-------- c:\program files\Notepad++
2009-01-13 15:00 . 2009-01-13 15:00 <DIR> d-------- c:\documents and settings\user\Application Data\Notepad++
2009-01-13 00:43 . 2009-02-08 22:49 <DIR> d-------- c:\program files\Google
2009-01-12 23:25 . 2009-02-03 15:32 <DIR> d-------- c:\windows\system32\XPSViewer
2009-01-12 23:24 . 2009-01-12 23:24 <DIR> d-------- c:\program files\Reference Assemblies
2009-01-12 23:23 . 2006-06-29 13:07 14,048 --------- c:\windows\system32\spmsg2.dll
2009-01-12 23:19 . 2009-01-12 23:19 <DIR> d-------- c:\program files\MSECache
2009-01-12 22:20 . 2009-01-18 22:48 185 --a------ c:\windows\wininit.ini
2009-01-12 22:19 . 2009-01-12 22:19 <DIR> d-------- c:\program files\PowerISO
2009-01-12 21:53 . 2009-01-12 21:53 <DIR> d-------- c:\documents and settings\user\WINDOWS
2009-01-12 21:46 . 2009-01-12 21:46 288 --a------ c:\windows\ODBC.INI
2009-01-12 21:46 . 2009-01-12 21:46 126 --a------ c:\windows\mdm.ini
2009-01-12 21:43 . 2009-01-12 21:43 <DIR> d-------- c:\program files\Web Publish
2009-01-12 10:49 . 1998-06-02 11:56 313,856 --a------ c:\windows\system32\dx3j.dll
2009-01-12 10:49 . 1998-06-02 14:45 140,048 --a------ c:\windows\system32\jit.dll
2009-01-12 10:49 . 1998-06-02 12:29 135,168 --a------ c:\windows\system32\javaee.dll
2009-01-12 10:49 . 1998-06-02 12:41 42,496 --a------ c:\windows\setdebug.exe
2009-01-12 10:49 . 1998-06-02 12:28 7,356 --a------ c:\windows\system32\javasup.vxd
2009-01-12 10:49 . 1998-06-02 11:57 6,550 --a------ c:\windows\jautoexp.dat
2009-01-12 02:17 . 2009-01-12 02:17 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-12 02:16 . 2009-01-12 02:17 <DIR> d-------- c:\program files\Common Files\Adobe
2009-01-12 02:06 . 2009-01-12 11:20 <DIR> d-------- c:\program files\NOS
2009-01-12 02:06 . 2009-01-12 11:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-09 12:54 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-03 09:22 --------- d-----w c:\program files\AGEIA Technologies
2009-01-20 10:21 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-09 14:17 --------- d-----w c:\program files\CDisplay
2009-01-09 03:07 --------- d-----w c:\program files\Java
2009-01-09 02:54 --------- d-----w c:\documents and settings\user\Application Data\CyberLink
2009-01-09 02:54 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2009-01-07 17:35 --------- d-----w c:\program files\Project64 1.6
2009-01-07 17:03 --------- d-----w c:\program files\MagicDVDRipper
2009-01-07 15:14 --------- d-----w c:\program files\Karen's Power Tools
2009-01-07 15:14 --------- d-----w c:\documents and settings\All Users\Application Data\Karen's Power Tools
2009-01-07 14:12 --------- d-----w c:\program files\Nidesoft Studio
2009-01-07 13:58 --------- d-----w c:\program files\Aglare DVD to AVI WMV MP4 MPEG Converter
2009-01-07 02:12 --------- d-----w c:\program files\Easy MPEG AVI DIVX WMV RM to DVD
2009-01-06 11:00 4,968,448 ----a-w c:\windows\system32\drivers\RtkHDAud.sys
2009-01-01 08:23 --------- d-----w c:\program files\McAfee
2009-01-01 08:19 --------- d-----w c:\program files\FFXiBench3
2009-01-01 07:54 --------- d-----w c:\documents and settings\user\Application Data\mjusbsp
2008-12-30 23:10 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-12-30 06:58 18,082,304 ----a-w c:\windows\RTHDCPL.EXE
2008-12-30 06:47 --------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-12-30 06:47 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-29 06:00 --------- d-----w c:\program files\Transparent
2008-12-29 05:47 --------- d-----w c:\documents and settings\user\Application Data\Winamp
2008-12-29 04:36 --------- d-----w c:\documents and settings\user\Application Data\DivX
2008-12-29 03:53 --------- d-----w c:\program files\Common Files\LightScribe
2008-12-29 03:51 --------- d-----w c:\program files\Common Files\Ahead
2008-12-29 03:51 --------- d-----w c:\program files\Ahead
2008-12-29 03:50 --------- d-----w c:\program files\CyberLink DVD Solution
2008-12-29 03:49 --------- d-----w c:\program files\CyberLink
2008-12-29 03:48 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-29 03:18 --------- d-----w c:\program files\MSBuild
2008-12-29 03:18 --------- d-----w c:\program files\Microsoft Works
2008-12-29 03:08 --------- d-----w c:\program files\Alcohol Soft
2008-12-29 02:49 --------- d-----w c:\program files\PlayOnline
2008-12-28 06:57 --------- d-----w c:\program files\Common Files\McAfee
2008-12-28 06:57 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-28 06:57 --------- d-----w c:\documents and settings\All Users\Application Data\OrbNetworks
2008-12-28 06:56 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-28 06:47 --------- d-----w c:\program files\Winamp Toolbar
2008-12-28 06:47 --------- d-----w c:\program files\Winamp Remote
2008-12-28 06:47 --------- d-----w c:\program files\Winamp
2008-12-28 06:47 --------- d-----w c:\documents and settings\All Users\Application Data\Winamp Toolbar
2008-12-28 06:42 --------- d-----w c:\program files\DivX
2008-12-28 06:32 --------- d-----w c:\program files\McAfee.com
2008-12-28 05:54 --------- d-----w c:\program files\Logitech
2008-12-28 05:54 --------- d-----w c:\documents and settings\All Users\Application Data\Logitech
2008-12-28 03:36 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-28 03:31 --------- d-----w c:\program files\Intel
2008-12-28 03:30 --------- d-----w c:\program files\Realtek
2008-12-28 03:24 --------- d-----w c:\program files\microsoft frontpage
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2006-06-24 06:48 32,768 ----a-r c:\windows\inf\UpdateUSB.exe
2004-10-01 23:00 40,960 ----a-w c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( snapshot@2009-02-03_22.24.00.96 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-03 15:18:57 842,240 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\b5b2feadc3943e3976daebc0bcd2b5e2\AspNetMMCExt.ni.dll
+ 2009-02-03 15:18:32 410,112 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\12629e2f3e315459bee67cbbaac85cb2\ComSvcConfig.ni.exe
+ 2009-02-03 15:19:06 220,672 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\9bea05938bee3555c5aa8763d89a68f9\CustomMarshalers.ni.dll
+ 2009-02-03 15:19:00 14,336 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\dfsvc\f4e38208e88cb4cc314a1d6543b9fcc6\dfsvc.ni.exe
+ 2009-02-03 15:19:07 222,720 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Con#\9b321ebf67587237f576df6104a32588\Microsoft.Build.Conversion.v3.5.ni.dll
+ 2009-02-03 15:19:05 1,888,768 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\6cfe582681724965fb817e8ece5f0909\Microsoft.Build.Engine.ni.dll
+ 2009-02-03 15:19:09 839,680 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\96825c34d7e1f7df1923ff2123bed8da\Microsoft.Build.Engine.ni.dll
+ 2009-02-03 15:19:03 74,752 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\28343d470d992f169ca0e7cdb3cc3117\Microsoft.Build.Framework.ni.dll
+ 2009-02-03 15:19:19 1,966,080 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\a47100d8f4574bed2d49d83d0ab8964e\Microsoft.Build.Tasks.v3.5.ni.dll
+ 2009-02-03 15:19:17 1,620,992 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\bd241492d96db39f20e758c13c845033\Microsoft.Build.Tasks.ni.dll
+ 2009-02-03 15:19:21 175,104 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\4217124db1ea5de5f1a1f3eea75e8d32\Microsoft.Build.Utilities.v3.5.ni.dll
+ 2009-02-03 15:20:20 2,332,160 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.JScript\b261961046545831aa60963e84905968\Microsoft.JScript.ni.dll
+ 2009-02-03 15:18:37 386,560 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\1820d6a012fc0e16c3e1d29d973cd2d0\Microsoft.Transactions.Bridge.Dtc.ni.dll
+ 2009-02-03 15:18:34 1,093,120 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\6b2f62f5e981913fce1d223f645d9ddf\Microsoft.Transactions.Bridge.ni.dll
+ 2009-02-03 15:19:24 1,712,128 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\1c86afc399d0fdd8e069266ffbe748d1\Microsoft.VisualBasic.ni.dll
+ 2009-02-03 15:20:22 55,296 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Vsa\790cf1edb17ee41b59be62ecbd59613b\Microsoft.Vsa.ni.dll
+ 2009-02-03 15:19:03 133,632 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\MSBuild\6d38e317128608bc4516ea46ab94590e\MSBuild.ni.exe
+ 2009-02-03 15:18:40 320,512 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\10a0c9707876fc1f65e64b811a28b020\ServiceModelReg.ni.exe
+ 2009-02-03 15:18:41 256,000 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\9790551187e294b4ed3aaa1c221891c7\SMDiagnostics.ni.dll
+ 2009-02-03 15:18:42 366,080 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\045dd501b7257b1cc26083538ae69045\SMSvcHost.ni.exe
+ 2009-02-03 15:20:32 232,448 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\sysglobl\45067d0793a09d3431d26bfa55c5a76a\sysglobl.ni.dll
+ 2009-02-03 15:19:26 82,944 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn.Contra#\597b20e1b053d6a510cfe033c07a63e6\System.AddIn.Contract.ni.dll
+ 2009-02-03 15:19:26 633,856 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn\ce984d754e3c0b6be4504b785cc43574\System.AddIn.ni.dll
+ 2009-02-03 15:19:28 94,208 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.ComponentMod#\532438e2acfcadc469a4d468c51f8451\System.ComponentModel.DataAnnotations.ni.dll
+ 2009-02-03 15:19:32 135,680 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.DataSet#\1db495ff00bbd14df4af6680c4de0653\System.Data.DataSetExtensions.ni.dll
+ 2009-02-03 15:20:05 756,736 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity.#\392de34573f9f8ec885714f2f3e7f07f\System.Data.Entity.Design.ni.dll
+ 2009-02-03 15:20:01 9,924,096 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity\6479f975b105808a8d9e7a7fdc762551\System.Data.Entity.ni.dll
+ 2009-02-03 15:20:13 354,816 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\1cf3acad6553d6c59df576794f4e8bd6\System.Data.Services.Design.ni.dll
+ 2009-02-03 15:20:12 939,008 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\a4b887f476fa4b8746a93a9fc2208560\System.Data.Services.Client.ni.dll
+ 2009-02-03 15:20:10 1,328,128 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Services\956a513dcbd44d5a6801840ef2b0b47b\System.Data.Services.ni.dll
+ 2009-02-03 15:20:15 881,152 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\8b3bb7a2c2f3ffe94c866283f1cd5957\System.DirectoryServices.AccountManagement.ni.dll
+ 2009-02-03 15:17:42 212,992 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityMode#\68e71147704ef0d34d9a4bece7767fc5\System.IdentityModel.Selectors.ni.dll
+ 2009-02-03 15:17:40 1,056,768 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\c2de8479e54852f56996f79bc93acb13\System.IdentityModel.ni.dll
+ 2009-02-03 15:17:43 381,440 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.IO.Log\7c367a96b10d626ec8cbf8149272d845\System.IO.Log.ni.dll
+ 2009-02-03 15:20:17 330,752 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.I#\1d3fbbd23ce1e8637ef4f40a8d23cd32\System.Management.Instrumentation.ni.dll
+ 2009-02-03 15:20:18 998,400 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management\8642fdfbf02a6cb6f01169fe6fdb5d11\System.Management.ni.dll
+ 2009-02-03 15:21:21 593,408 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Messaging\f48e3419fb2cb012fd160ae801600ae7\System.Messaging.ni.dll
+ 2009-02-03 15:20:23 621,056 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Net\519d9c618341b136f9b963ffb7495308\System.Net.ni.dll
+ 2009-02-03 15:17:48 2,338,304 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\034c91b133dee73d452652c52767b5ea\System.Runtime.Serialization.ni.dll
+ 2009-02-03 15:20:27 1,706,496 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\340cad17fe57947eacbc8fa2cea780da\System.ServiceModel.Web.ni.dll
+ 2009-02-03 15:18:14 17,317,888 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\4146033013edebd7e0cb604e504ebfee\System.ServiceModel.ni.dll
+ 2009-02-03 15:20:30 1,917,440 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Speech\63cf639b6e0a3c25c1643c85016e7422\System.Speech.ni.dll
+ 2009-02-03 15:20:33 141,312 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\00ec08741a765c707bd9169346064a81\System.Web.Abstractions.ni.dll
+ 2009-02-03 15:20:40 36,864 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\19ca1747c1ea18a3b639b302bca8df93\System.Web.DynamicData.Design.ni.dll
+ 2009-02-03 15:20:39 547,328 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\b7891f5659db299dbd1b3c72db7edb9f\System.Web.DynamicData.ni.dll
+ 2009-02-03 15:20:42 301,056 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\d3d65e34fa60f0b6c72ca0d12ec89933\System.Web.Entity.Design.ni.dll
+ 2009-02-03 15:20:41 328,704 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\79c29ac85dd57dd485ab60118ac292ff\System.Web.Entity.ni.dll
+ 2009-02-03 15:20:44 859,648 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\58f62044fa702ea6f936071aa5520baa\System.Web.Extensions.Design.ni.dll
+ 2009-02-03 15:20:37 2,403,328 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\7f64c9d25471b72e1e957bdfe67947c8\System.Web.Extensions.ni.dll
+ 2009-02-03 15:20:46 2,209,280 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\81197e32ec931f439b3114e9031b65d6\System.Web.Mobile.ni.dll
+ 2009-02-03 15:20:34 129,536 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\bb77ea11f46ab438b2b7ed7c180011a1\System.Web.Routing.ni.dll
+ 2009-02-03 15:21:03 37,888 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\423f794d1f4ed6e120fbb02e436491cb\System.Windows.Presentation.ni.dll
+ 2009-02-03 15:21:08 2,992,640 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\cc99fbbac0b6e4e9ca62093e49b0c16b\System.Workflow.Activities.ni.dll
+ 2009-02-03 15:21:15 4,514,304 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\693a8fbe6f7ad6e4e429052da4317e59\System.Workflow.ComponentModel.ni.dll
+ 2009-02-03 15:21:19 1,908,224 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Run#\d265da36954fcb4cb7ad5adc693ea0f2\System.Workflow.Runtime.ni.dll
+ 2009-02-03 15:21:24 1,356,288 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\ac1750e78d79520dcf19195772eff1b6\System.WorkflowServices.ni.dll
+ 2009-02-03 15:21:25 400,896 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml.Linq\c338a470b14851ce5987bb0f0869c310\System.Xml.Linq.ni.dll
+ 2009-02-03 15:18:44 321,536 ----a-w c:\windows\assembly\NativeImages_v2.0.50727_32\WsatConfig\2ef5bc3a2edd7570bb23886a4f32294a\WsatConfig.ni.exe
+ 2005-10-20 12:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2009-02-10 05:47:25 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-17 13:13:02 811,008 ----a-w c:\windows\gmer.exe
+ 2006-10-27 04:55:38 138,024 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\IMPMAIL.DLL
+ 2006-09-16 00:25:18 3,611,416 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\OUTLFLTR.DAT
+ 2006-10-27 23:16:36 46,864 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\OUTLRPC.DLL
+ 2007-08-29 07:19:32 136,064 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6215\CONTAB32.DLL
+ 2007-08-24 12:49:12 89,976 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6215\DLGSETP.DLL
+ 2007-10-06 04:37:38 17,927,192 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6215\EXCEL.EXE
+ 2007-08-24 12:49:40 342,888 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6215\MIMEDIR.DLL
+ 2007-08-29 07:38:10 500,648 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6215\MORPH9.DLL
+ 2007-09-15 05:45:58 16,901,168 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6215\MSO.DLL
+ 2007-08-29 07:38:46 9,584,512 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6215\MSPUB.EXE
+ 2007-08-29 07:20:20 2,949,512 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6215\OLMAPI32.DLL
+ 2007-08-24 13:42:40 663,432 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6215\OMSMAIN.DLL
+ 2007-08-24 13:42:44 195,480 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6215\OMSXP32.DLL
+ 2007-08-29 07:20:44 600,992 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6215\OUTLMIME.DLL
+ 2007-09-07 02:01:10 12,836,728 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6215\OUTLOOK.EXE
+ 2007-08-29 07:22:04 180,128 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6215\OUTLPH.DLL
+ 2007-08-29 07:06:16 467,840 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6215\POWERPNT.EXE
+ 2007-08-29 07:06:44 7,990,144 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6215\PPCORE.DLL
+ 2007-08-24 11:43:28 138,648 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6215\PRTF9.DLL
+ 2007-08-24 12:51:48 416,112 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6215\PSTPRX32.DLL
+ 2007-08-29 07:39:14 625,560 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6215\PTXT9.DLL
+ 2007-08-24 11:43:36 593,296 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6215\PUBCONV.DLL
+ 2007-08-24 12:52:08 266,160 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6215\SCNPST32.DLL
+ 2007-08-24 12:52:10 275,896 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6215\SCNPST64.DLL
+ 2007-08-29 07:16:00 350,064 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6215\WINWORD.EXE
+ 2007-09-07 02:03:02 4,280,176 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6215\WRD12CNV.DLL
+ 2007-08-29 08:07:58 24,928 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6215\WRD12EXE.EXE
+ 2007-09-07 01:56:32 17,490,800 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6215\WWLIB.DLL
+ 2007-10-03 04:00:06 14,708,760 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6215\XL12CNV.EXE
+ 2007-08-24 13:14:14 13,712 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.6215\XLCALL32.DLL
+ 2006-10-26 12:30:12 7,042,880 ----a-r c:\windows\Installer\$PatchCache$\Managed\000021094A0090400000000000F01FEC\12.0.4518\OWC11.DLL
+ 2007-08-29 08:19:24 1,654,648 ----a-r c:\windows\Installer\$PatchCache$\Managed\000021094A0090400000000000F01FEC\12.0.6213\OGL.DLL
+ 2009-02-08 11:51:22 32,768 ----a-r c:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe
- 2008-12-29 05:35:19 1,165,584 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-02-09 12:54:57 1,165,584 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\accicons.exe
- 2008-12-29 05:35:19 20,240 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-02-09 12:54:57 20,240 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-12-29 05:35:19 159,504 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-02-09 12:54:57 159,504 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\inficon.exe
- 2008-12-29 05:35:19 217,864 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\misc.exe
+ 2009-02-09 12:54:57 217,864 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\misc.exe
- 2008-12-29 05:35:19 18,704 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-02-09 12:54:57 18,704 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-12-29 05:35:19 35,088 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-02-09 12:54:57 35,088 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-12-29 05:35:19 845,584 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\outicon.exe
+ 2009-02-09 12:54:57 845,584 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\outicon.exe
- 2008-12-29 05:35:19 922,384 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-02-09 12:54:57 922,384 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\pptico.exe
- 2008-12-29 05:35:19 272,648 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-02-09 12:54:57 272,648 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\pubs.exe
- 2008-12-29 05:35:19 888,080 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-02-09 12:54:57 888,080 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-12-29 05:35:19 1,172,240 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-02-09 12:54:57 1,172,240 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\xlicons.exe
- 2009-01-12 15:19:49 217,864 ----a-r c:\windows\Installer\{90120000-00A4-0409-0000-0000000FF1CE}\misc.exe
+ 2009-02-09 12:53:59 217,864 ----a-r c:\windows\Installer\{90120000-00A4-0409-0000-0000000FF1CE}\misc.exe
+ 2009-02-08 15:38:44 29,316 ----a-r c:\windows\Installer\{95120000-0120-0409-0000-0000000FF1CE}\olc_setup.exe
- 2009-02-03 13:34:23 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-11 05:36:26 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-03 13:34:23 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-11 05:36:26 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-11 05:36:26 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-05-07 09:07:23 135,168 ----a-w c:\windows\system32\cscript.exe
+ 2004-08-09 13:27:08 98,304 ----a-w c:\windows\system32\cscript.exe
- 2008-04-14 13:41:54 32,768 ----a-w c:\windows\system32\dispex.dll
+ 2004-08-09 13:27:00 28,672 ----a-w c:\windows\system32\dispex.dll
- 2008-05-07 09:07:23 135,168 -c----w c:\windows\system32\dllcache\cscript.exe
+ 2004-08-09 13:27:08 98,304 -c--a-w c:\windows\system32\dllcache\cscript.exe
+ 2004-08-09 13:27:00 28,672 -c--a-w c:\windows\system32\dllcache\dispex.dll
- 2008-05-09 10:53:39 512,000 -c----w c:\windows\system32\dllcache\jscript.dll
+ 2004-08-09 13:27:02 466,944 -c--a-w c:\windows\system32\dllcache\jscript.dll
- 2008-05-09 10:53:39 180,224 -c----w c:\windows\system32\dllcache\scrobj.dll
+ 2004-08-09 13:27:04 151,552 -c--a-w c:\windows\system32\dllcache\scrobj.dll
- 2008-05-09 10:53:40 172,032 -c----w c:\windows\system32\dllcache\scrrun.dll
+ 2004-08-09 13:27:04 151,552 -c--a-w c:\windows\system32\dllcache\scrrun.dll
- 2008-05-09 10:53:40 430,080 -c----w c:\windows\system32\dllcache\vbscript.dll
+ 2004-08-09 13:27:06 438,272 -c--a-w c:\windows\system32\dllcache\vbscript.dll
- 2008-05-08 11:24:44 155,648 -c----w c:\windows\system32\dllcache\wscript.exe
+ 2004-08-09 13:27:16 114,688 -c--a-w c:\windows\system32\dllcache\wscript.exe
+ 2004-08-09 13:27:06 28,672 -c--a-w c:\windows\system32\dllcache\wshcon.dll
- 2008-05-09 10:53:40 90,112 -c----w c:\windows\system32\dllcache\wshext.dll
+ 2004-08-09 13:27:06 65,536 -c--a-w c:\windows\system32\dllcache\wshext.dll
+ 2002-11-29 11:38:16 16,320 ----a-w c:\windows\system32\drivers\ElbyCDIO.sys
+ 2009-02-10 05:47:25 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
+ 2002-11-27 21:46:55 6,400 ----a-w c:\windows\system32\drivers\RegKill.sys
+ 2002-12-03 13:54:56 65,536 ----a-w c:\windows\system32\ElbyCDIO.dll
- 2008-05-09 10:53:39 512,000 ----a-w c:\windows\system32\jscript.dll
+ 2004-08-09 13:27:02 466,944 ----a-w c:\windows\system32\jscript.dll
- 2003-04-18 08:46:22 1,233,920 ----a-w c:\windows\system32\msxml4.dll
+ 2008-09-30 08:43:34 1,286,152 ----a-w c:\windows\system32\msxml4.dll
- 2009-02-03 11:52:42 74,570 ----a-w c:\windows\system32\perfc009.dat
+ 2009-02-11 05:35:48 75,414 ----a-w c:\windows\system32\perfc009.dat
- 2009-02-03 11:52:42 453,730 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-11 05:35:48 456,634 ----a-w c:\windows\system32\perfh009.dat
- 2008-05-09 10:53:39 180,224 ----a-w c:\windows\system32\scrobj.dll
+ 2004-08-09 13:27:04 151,552 ----a-w c:\windows\system32\scrobj.dll
- 2008-05-09 10:53:40 172,032 ----a-w c:\windows\system32\scrrun.dll
+ 2004-08-09 13:27:04 151,552 ----a-w c:\windows\system32\scrrun.dll
- 2008-05-09 10:53:40 430,080 ----a-w c:\windows\system32\vbscript.dll
+ 2004-08-09 13:27:06 438,272 ----a-w c:\windows\system32\vbscript.dll
- 2008-05-08 11:24:44 155,648 ----a-w c:\windows\system32\wscript.exe
+ 2004-08-09 13:27:16 114,688 ----a-w c:\windows\system32\wscript.exe
- 2008-04-14 13:42:12 36,864 ----a-w c:\windows\system32\wshcon.dll
+ 2004-08-09 13:27:06 28,672 ----a-w c:\windows\system32\wshcon.dll
- 2008-05-09 10:53:40 90,112 ----a-w c:\windows\system32\wshext.dll
+ 2004-08-09 13:27:06 65,536 ----a-w c:\windows\system32\wshext.dll
+ 2009-02-11 06:19:46 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_c84.dat
+ 2008-09-30 08:42:08 1,286,152 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
+ 2008-09-30 08:45:12 91,656 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\user\Application Data\mjusbsp\cdloader2.exe" [2008-12-18 50520]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-17 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-13 86016]
"Launch LGDCore"="c:\program files\Logitech\G-series Software\LGDCore.exe" [2006-03-06 1122304]
"Launch LCDMon"="c:\program files\Logitech\G-series Software\LCDMon.exe" [2006-03-06 497152]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-12 641208]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-04 36352]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-07-08 1397760]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-10 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-09 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Google IME Autoupdater"="c:\program files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2008-10-17 308720]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-13 13672448]
"RegKillElbyCheck"="c:\program files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" [2002-11-02 45056]
"RegKillTray"="c:\program files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe" [2002-11-28 49152]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-02-08 30192]
"nwiz"="nwiz.exe" [2008-11-13 c:\windows\system32\nwiz.exe]

c:\documents and settings\user\Start Menu\Programs\Startup\
SolidWorks Task Scheduler Engine.lnk - c:\program files\SolidWorks\swScheduler\swBOEngine.exe [2007-09-09 488728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 21:42 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-11-13 06:54 13672448 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-03-15 07:50 233472 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SolidWorks_CheckForUpdates]
-ra------ 2007-09-10 14:15 6460696 c:\program files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\alcmtr]
--a------ 2008-06-19 16:20 57344 c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-11-13 06:54 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rthdcpl]
--a------ 2008-12-30 14:58 18082304 c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\user\\Application Data\\mjusbsp\\magicJack.exe"=

R2 mcafee siteadvisor service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-12-30 206096]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2008-12-28 36864]
R3 RegKill;RegKill;c:\windows\system32\drivers\RegKill.sys [2002-11-28 6400]
S2 gupdate1c989fb9fbc9a4;Google Update Service (gupdate1c989fb9fbc9a4);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-08 133104]
S3 getplus(r) helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe --> c:\program files\NOS\bin\getPlus_HelperSvc.exe [?]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-02-08 30192]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2009-01-20 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2009-01-20 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2009-01-20 120744]
.
Contents of the 'Scheduled Tasks' folder

2009-02-11 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-08 22:39]

2008-12-28 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-10 10:10]

2008-12-31 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-10 10:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: e&xport to microsoft excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {06D3657C-3AB2-4B4B-9116-79D53A357EEF} = 168.95.192.1 168.95.1.1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-11 14:20:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\windows\system32\rundll32.exe
c:\program files\Logitech\G-series Software\Applets\LCDClock.exe
c:\docume~1\user\LOCALS~1\temp\SolidWorksLicTemp.0001
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\searchindexer.exe
c:\program files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
.
**************************************************************************
.
Completion time: 2009-02-11 14:22:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-11 06:22:38
ComboFix2.txt 2009-02-03 14:36:11
ComboFix3.txt 2009-02-03 14:24:45
ComboFix4.txt 2009-01-20 05:05:40

Pre-Run: 74,458,439,680 bytes free
Post-Run: 74,445,705,216 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
468 --- E O F --- 2009-02-09 12:54:59


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:25:02 PM, on 2/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\DOCUME~1\user\LOCALS~1\Temp\SolidWorksLicTemp.0001
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google IME Autoupdater] "C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RegKillTray] "C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\user\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SolidWorks Task Scheduler Engine.lnk = C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: e&xport to microsoft excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra button: Research - {92780b25-18cc-41c8-b9be-3c9c571a8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230435719625
O16 - DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?AuthParam=1231470670_081cb8023912a2a375f10ef7097d378b&GroupName=JSC&FilePath=/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab&File=jinstall-6u11-windows-i586-jc.cab&BHost=javadl.sun.com
O16 - DPF: {cf40acc5-e1bb-4aff-ac72-04c2f616bca7} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{06D3657C-3AB2-4B4B-9116-79D53A357EEF}: NameServer = 168.95.192.1 168.95.1.1
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: getPlus(R) Helper (getplus(r) helper) - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c989fb9fbc9a4) (gupdate1c989fb9fbc9a4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (incdsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (lightscribeservice) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service (mcafee siteadvisor service) - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 10774 bytes

Shaba
2009-02-11, 19:09
Thank you :)

Now please re-run gmer and post back its log.

jvanosda
2009-02-13, 07:59
Here is the new gmer log.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-13 13:56:59
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB6D179CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xB6D17A61]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB6D17A75]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB6D17AA1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB6D17B0F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB6D17AF9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB6D17A0A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB6D17B3B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB6D17A4D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB6D17950]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB6D17964]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB6D179DE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB6D17B77]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB6D17AE3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB6D17ACD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB6D17A8B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB6D17B63]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB6D17B4F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB6D179B6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB6D179A2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xB6D17AB7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB6D17A39]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB6D17B25]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB6D17A20]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB6D179F4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP B6D179F8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP B6D179CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP B6D17A0E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP B6D17A24 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP B6D179E2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP B6D17954 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP B6D17968 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP B6D179A6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP B6D179BA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP B6D17A3D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219CA 7 Bytes JMP B6D17AD1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D18 7 Bytes JMP B6D17ABB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622042 7 Bytes JMP B6D17B29 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 806228E0 7 Bytes JMP B6D17AE7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231B4 7 Bytes JMP B6D17A8F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 80623792 5 Bytes JMP B6D17A65 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C22 7 Bytes JMP B6D17A79 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623DF2 7 Bytes JMP B6D17AA5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FD2 7 Bytes JMP B6D17B13 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062423C 7 Bytes JMP B6D17AFD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B64 5 Bytes JMP B6D17A51 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624E8A 7 Bytes JMP B6D17B7B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8062514A 5 Bytes JMP B6D17B53 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062583E 5 Bytes JMP B6D17B67 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625958 5 Bytes JMP B6D17B3F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000700A4
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070089
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0007006C
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0007005B
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070040
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 000700BF
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070F83
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000700F5
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F5C
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00070106
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00070FB9
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 0007000A
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00070F94
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00070025
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 000700DA
.text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0006001B
.text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00060F91
.text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0006000A
.text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00060FDE
.text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00060058
.text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00060047
.text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00060036
.text C:\WINDOWS\system32\services.exe[828] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F90FE5
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F90F83
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F90078
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F9005D
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F90F94
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F90011
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F90F4B
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F90F72
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F900D3
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F900C2
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00F90F15
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00F90036
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00F90FD4
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00F9009D
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00F90000
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00F90FB9
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00F90F3A
.text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00F80011
.text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00F80F5E
.text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00F80FC0
.text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00F80000
.text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00F80F6F
.text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00F80FEF
.text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00F80F94
.text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 18, 89 ]
.text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00F80FA5
.text C:\WINDOWS\system32\lsass.exe[840] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F60000
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 024F0FEF
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 024F007D
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 024F006C
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 024F0051
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 024F0F94
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 024F0036
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 024F00AE
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 024F0F66
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 024F00E4
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 024F00C9
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 024F00F5
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 024F0FA5
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 024F0FD4
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 024F0F77
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 024F001B
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 024F000A
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 024F0F4B
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 024E0FCA
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 024E0F8D
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 024E0FE5
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 024E001B
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 024E0F9E
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 024E0000
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 024E0036
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 024E0FAF
.text C:\WINDOWS\system32\svchost.exe[1012] WS2_32.dll!socket 71AB4211 5 Bytes JMP 024A0FEF
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F00000
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F00062
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F00F6D
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F00051
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F00040
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F00FB9
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F00F37
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F0007F
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F000C6
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F000B5
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00F000D7
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00F00F9E
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00F00FE5
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00F00F48
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00F00FCA
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00F00025
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00F0009A
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00EF0FAF
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00EF002C
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00EF0FD4
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00EF0FEF
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00EF001B
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00EF000A
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00EF0F79
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 0F, 89 ]
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00EF0F9E
.text C:\WINDOWS\system32\svchost.exe[1080] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00ED0FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00250FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00250F70
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00250F81
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00250F9E
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0025005B
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00250FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 002500A7
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00250F55
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00250F0E
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00250F29
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 002500B8
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00250FB9
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 0025000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00250080
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00250036
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 0025001B
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00250F44
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00340047
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 0034007D
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00340036
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0034001B
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00340FC0
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00340000
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00340062
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00340FDB
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 430A187F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 430A1800 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 430A1844 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 430A178C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 430A17C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 430A18BA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 42F316F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 016F000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 016F0FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 016F0FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 016F0FB9
.text C:\Program Files\Internet Explorer\iexplore.exe[1140] ws2_32.dll!socket 71AB4211 5 Bytes JMP 021D0FE5
.text C:\WINDOWS\System32\svchost.exe[1176] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03920000
.text C:\WINDOWS\System32\svchost.exe[1176] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03920F41
.text C:\WINDOWS\System32\svchost.exe[1176] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03920F5C
.text C:\WINDOWS\System32\svchost.exe[1176] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03920040
.text C:\WINDOWS\System32\svchost.exe[1176] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03920F8D
.text C:\WINDOWS\System32\svchost.exe[1176] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03920025
.text C:\WINDOWS\System32\svchost.exe[1176] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03920F09
.text C:\WINDOWS\System32\svchost.exe[1176] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03920051
.text C:\WINDOWS\System32\svchost.exe[1176] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0392007D
.text C:\WINDOWS\System32\svchost.exe[1176] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03920EEE
.text C:\WINDOWS\System32\svchost.exe[1176] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 03920EC9
.text C:\WINDOWS\System32\svchost.exe[1176] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 03920F9E
.text C:\WINDOWS\System32\svchost.exe[1176] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 03920FE5
.text C:\WINDOWS\System32\svchost.exe[1176] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 03920F30
.text C:\WINDOWS\System32\svchost.exe[1176] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 03920FB9
.text C:\WINDOWS\System32\svchost.exe[1176] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 03920FCA
.text C:\WINDOWS\System32\svchost.exe[1176] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 0392006C
.text C:\WINDOWS\System32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 033C002C
.text C:\WINDOWS\System32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 033C0FA5
.text C:\WINDOWS\System32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 033C001B
.text C:\WINDOWS\System32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 033C000A
.text C:\WINDOWS\System32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 033C0FC0
.text C:\WINDOWS\System32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 033C0FEF
.text C:\WINDOWS\System32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 033C0058
.text C:\WINDOWS\System32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 033C0047
.text C:\WINDOWS\System32\svchost.exe[1176] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03170000
.text C:\WINDOWS\System32\svchost.exe[1176] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 033D0000
.text C:\WINDOWS\System32\svchost.exe[1176] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 033D0011
.text C:\WINDOWS\System32\svchost.exe[1176] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 033D0FDB
.text C:\WINDOWS\System32\svchost.exe[1176] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 033D002C
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007C000A
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007C007F
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007C0F8A
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007C0058
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007C0F9B
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007C0036
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007C00AB
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007C0F63
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007C0F26
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007C0F37
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 007C00E4
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 007C0047
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 007C0FEF
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 007C0090
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 007C0FD4
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 007C0025
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 007C0F52
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 007B0011
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 007B0058
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 007B0000
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 007B0FD4
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 007B0F91
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 007B0FEF
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 007B0033
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 007B0022
.text C:\WINDOWS\system32\svchost.exe[1360] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006C0FEF
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C70000
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C70FB4
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C700A9
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C70098
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C7007D
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C70FDB
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C70F7E
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C70F8F
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C70F4B
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C70F5C
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00C70F3A
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00C7006C
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00C7001B
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00C700BA
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00C70047
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00C7002C
.text C:\WINDOWS\system32\svchost.exe[1448] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00C70F6D
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00A10036
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00A1007D
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00A1001B
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00A10000
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00A10FC0
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00A10FE5
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00A1006C
.text C:\WINDOWS\system32\svchost.exe[1448] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00A10051
.text C:\WINDOWS\system32\svchost.exe[1448] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009F0000
.text C:\WINDOWS\system32\svchost.exe[1448] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00A20FEF
.text C:\WINDOWS\system32\svchost.exe[1448] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00A20FDE
.text C:\WINDOWS\system32\svchost.exe[1448] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00A20FCD
.text C:\WINDOWS\system32\svchost.exe[1448] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00A20028
.text C:\WINDOWS\Explorer.EXE[1876] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 013D000A
.text C:\WINDOWS\Explorer.EXE[1876] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 013D0073
.text C:\WINDOWS\Explorer.EXE[1876] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 013D0062
.text C:\WINDOWS\Explorer.EXE[1876] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 013D0F88
.text C:\WINDOWS\Explorer.EXE[1876] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 013D0051
.text C:\WINDOWS\Explorer.EXE[1876] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 013D0FC0
.text C:\WINDOWS\Explorer.EXE[1876] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 013D00B5
.text C:\WINDOWS\Explorer.EXE[1876] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 013D009A
.text C:\WINDOWS\Explorer.EXE[1876] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 013D0F2D
.text C:\WINDOWS\Explorer.EXE[1876] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 013D0F3E
.text C:\WINDOWS\Explorer.EXE[1876] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 013D00E1
.text C:\WINDOWS\Explorer.EXE[1876] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 013D0FA5
.text C:\WINDOWS\Explorer.EXE[1876] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 013D0FE5
.text C:\WINDOWS\Explorer.EXE[1876] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 013D0F63
.text C:\WINDOWS\Explorer.EXE[1876] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 013D0036
.text C:\WINDOWS\Explorer.EXE[1876] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 013D001B
.text C:\WINDOWS\Explorer.EXE[1876] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 013D00C6
.text C:\WINDOWS\Explorer.EXE[1876] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 011D0040
.text C:\WINDOWS\Explorer.EXE[1876] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 011D0073
.text C:\WINDOWS\Explorer.EXE[1876] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 011D0FE5
.text C:\WINDOWS\Explorer.EXE[1876] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 011D001B
.text C:\WINDOWS\Explorer.EXE[1876] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 011D0062
.text C:\WINDOWS\Explorer.EXE[1876] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 011D000A
.text C:\WINDOWS\Explorer.EXE[1876] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 011D0051
.text C:\WINDOWS\Explorer.EXE[1876] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 011D0FD4
.text C:\WINDOWS\Explorer.EXE[1876] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 013C0FE5
.text C:\WINDOWS\Explorer.EXE[1876] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 013C0FD4
.text C:\WINDOWS\Explorer.EXE[1876] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 013C000A
.text C:\WINDOWS\Explorer.EXE[1876] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 013C0025
.text C:\WINDOWS\Explorer.EXE[1876] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D20000
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2636] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041BF60 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2636] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041BFE0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\SearchIndexer.exe[3152] kernel32.dll!WriteFile 7C810E17 7 Bytes JMP 00F31B19 C:\WINDOWS\system32\mssrch.dll (mssrch.lib/Microsoft Corporation)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxyxyuhkkv.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@userdata -1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxyxyuhkkv.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxrqvqatnc.dll

---- EOF - GMER 1.0.14 ----

Shaba
2009-02-13, 18:40
Open notepad and copy/paste the text in the codebox below into it:


Driver::
gaopdxserv.sys


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager (press ctrl, alt and del at the same time), go to the Processes tab and end any processes of findstr, find, sed or swreg; then combofix should continue.

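To show how the "Registry" section of the GMER log above is read, and how it leads to the single Driver:: line in Shaba's CFScript, here is an added example (editor's code, not GMER's, ComboFix's or anyone's in this thread) that parses that section, scores each hidden service entry with a few heuristics of my own and emits the matching Driver:: block. The sample input is the gaopdxserv.sys lines from the posted log plus one constructed benign entry ("examplesvc") for contrast.

```python
"""Parse the 'Registry' section of a GMER log and flag hidden driver services.

Added example for this thread; not part of GMER or ComboFix. The heuristics in
assess_services() are the editor's own, not GMER's detection logic.
"""
import re

# Constructed sample: the gaopdxserv.sys lines as GMER printed them in the log
# above, plus a constructed benign-looking service so the filter has something
# to leave alone. Raw string keeps the backslashes exactly as GMER prints them.
SAMPLE_GMER_REGISTRY = r"""
---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxyxyuhkkv.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@userdata -1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxyxyuhkkv.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxrqvqatnc.dll
Reg HKLM\SYSTEM\ControlSet001\Services\examplesvc@start 3
Reg HKLM\SYSTEM\ControlSet001\Services\examplesvc@imagepath system32\drivers\examplesvc.sys

---- EOF - GMER 1.0.14 ----
"""

# One GMER "Reg" line: key root, service key, optional subkeys, optional @value data.
REG_LINE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\ControlSet\d+\\Services\\"  # key root GMER prints
    r"(?P<service>[^\\@\s]+)"                          # service key name
    r"(?P<subkey>(?:\\[^\\@\s]+)*)"                    # optional subkey path
    r"(?:@(?P<value>\S+)(?:\s+(?P<data>.*))?)?\s*$"    # optional value and data
)

# Literal prefix \\?\globalroot\ as it appears in the log (non-raw string here).
GLOBALROOT = "\\\\?\\globalroot\\"


def parse_gmer_registry(text):
    """Group GMER 'Reg' lines by service key.

    Returns {service: {"values": {name: data}, "subkeys": {subkey: {name: data}}}}.
    """
    services = {}
    for line in text.splitlines():
        m = REG_LINE.match(line.strip())
        if not m:
            continue  # section headers, blank lines, non-service keys
        entry = services.setdefault(m.group("service"), {"values": {}, "subkeys": {}})
        subkey = m.group("subkey").lstrip("\\")
        target = entry["subkeys"].setdefault(subkey, {}) if subkey else entry["values"]
        if m.group("value") is not None:
            target[m.group("value")] = (m.group("data") or "").strip()
    return services


def _stem(path):
    """Filename without directory or extension, lower-cased, for name matching."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.lower().split(".", 1)[0]


def assess_services(services):
    """Return {service: [reasons]} for entries that look like a hidden rootkit driver.

    Heuristics (editor's own): driver file name unrelated to the service name,
    modules loaded through a \\?\globalroot path, and a kernel driver (type 1)
    loading at system start (start 1), i.e. before most security tools.
    """
    findings = {}
    for name, entry in services.items():
        reasons = []
        image = entry["values"].get("imagepath", "")
        if image and _stem(image) != _stem(name):
            reasons.append("imagepath %s does not match service name" % image)
        for sub, vals in entry["subkeys"].items():
            for vname, data in vals.items():
                if data.lower().startswith(GLOBALROOT.lower()):
                    module = data.rsplit("\\", 1)[-1]
                    reasons.append("%s@%s loads %s via \\\\?\\globalroot" % (sub, vname, module))
        if entry["values"].get("type") == "1" and entry["values"].get("start") == "1":
            reasons.append("kernel driver (type 1) set to SYSTEM_START (start 1)")
        if reasons:
            findings[name] = reasons
    return findings


def cfscript_driver_section(findings):
    """Build the 'Driver::' block of a ComboFix CFScript, one service key per line,
    the same shape as the script posted above. Empty string when nothing is flagged."""
    if not findings:
        return ""
    return "Driver::\n" + "\n".join(sorted(findings)) + "\n"


if __name__ == "__main__":
    found = assess_services(parse_gmer_registry(SAMPLE_GMER_REGISTRY))
    for svc, reasons in found.items():
        print(svc)
        for r in reasons:
            print("  -", r)
    print(cfscript_driver_section(found), end="")
```

Running it on the sample flags only gaopdxserv.sys (four reasons) and prints the same Driver:: block Shaba asked for; the constructed examplesvc entry passes every check.
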
jvanosda
2009-02-16, 10:45
Here are the new combofix and hjt logs.

ComboFix 09-02-15.01 - user 2009-02-16 16:33:41.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2650 [GMT 8:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-01-16 to 2009-02-16 )))))))))))))))))))))))))))))))
.

2009-02-10 18:57 . 2009-02-10 19:00 <DIR> d-------- c:\program files\FFXIP
2009-02-10 13:47 . 2009-02-13 13:47 345 --a------ c:\windows\gmer.ini
2009-02-09 20:46 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2009-02-09 20:46 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2009-02-09 20:46 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2009-02-08 23:37 . 2009-02-08 23:37 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-02-08 23:37 . 2009-02-08 23:37 <DIR> d-------- c:\program files\Microsoft Office Outlook Connector
2009-02-08 23:37 . 2009-02-08 23:37 <DIR> d-------- c:\program files\Microsoft
2009-02-08 23:35 . 2009-02-08 23:35 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-02-08 22:21 . 2009-02-08 22:27 <DIR> d-------- c:\program files\Safer Networking
2009-02-08 22:00 . 2009-02-08 22:00 <DIR> d-------- C:\rsit
2009-02-08 20:07 . 2009-02-08 20:07 <DIR> d-------- c:\program files\Elaborate Bytes
2009-02-08 19:51 . 2009-02-08 19:51 <DIR> d-------- c:\program files\MSXML 4.0
2009-02-03 20:08 . 2009-02-03 20:08 <DIR> d-------- c:\documents and settings\user\Application Data\SolidWorks 2008
2009-02-03 20:00 . 2009-02-03 23:01 <DIR> d-------- c:\documents and settings\user\Application Data\SolidWorks
2009-02-03 18:19 . 2009-02-03 18:34 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Winamp
2009-02-03 17:52 . 2009-02-03 17:52 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-03 17:47 . 2009-02-03 17:48 <DIR> d-------- c:\documents and settings\Administrator
2009-02-03 17:25 . 2009-02-03 17:25 23 --ah----- c:\windows\yacht.xws
2009-02-03 17:22 . 2009-02-03 17:22 <DIR> d-------- c:\windows\system32\GroupPolicy
2009-02-03 17:22 . 2009-02-03 20:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\SolidWorks
2009-02-03 17:19 . 2009-02-03 17:19 <DIR> d-------- c:\program files\SolidWorks Viewer
2009-02-03 17:16 . 2009-02-03 17:16 <DIR> d-------- c:\program files\Windows Desktop Search
2009-02-03 17:15 . 2009-02-03 20:00 <DIR> d-------- c:\program files\SolidWorks
2009-02-03 17:14 . 2009-02-03 17:14 <DIR> d-------- c:\program files\Document Manager
2009-02-03 17:12 . 2009-02-03 17:23 <DIR> d-------- c:\program files\Common Files\SolidWorks Shared
2009-02-03 17:12 . 2009-02-03 17:22 <DIR> d-------- c:\program files\Common Files\eDrawings2008
2009-02-03 17:12 . 2009-02-03 17:12 0 --a------ c:\windows\eDrawingOfficeAutomator.INI
2009-02-03 17:11 . 2009-02-03 20:06 <DIR> d-------- c:\program files\DWGeditor
2009-02-03 17:11 . 2009-02-03 17:11 <DIR> d-------- c:\documents and settings\user\Application Data\DWGeditor
2009-02-03 16:08 . 2009-02-03 17:22 <DIR> d-------- C:\SolidWorks Data
2009-02-03 16:04 . 2009-02-03 16:05 <DIR> d-------- c:\program files\Common Files\SolidWorks Installation Manager
2009-02-03 16:03 . 2009-02-03 16:09 <DIR> d-------- c:\windows\SolidWorks
2009-02-03 16:03 . 2009-02-03 20:02 <DIR> d-------- c:\documents and settings\user\Application Data\IM
2009-02-03 15:53 . 2009-02-03 15:53 <DIR> d-------- c:\program files\Classic Menu for Office
2009-02-03 15:53 . 2009-02-11 19:44 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-02-03 15:35 . 2009-02-03 15:35 <DIR> d-------- c:\documents and settings\user\workspace
2009-02-03 15:31 . 2009-02-03 16:31 <DIR> d-------- c:\windows\SxsCaPendDel
2009-02-03 15:25 . 2009-02-13 17:07 <DIR> d-------- c:\program files\eclipse
2009-01-20 20:33 . 2009-01-20 20:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-01-20 20:32 . 2008-08-05 20:10 1,684,736 --a------ c:\windows\system32\drivers\Ambfilt.sys
2009-01-20 20:32 . 2006-01-04 15:41 1,389,056 --a------ c:\windows\system32\drivers\Monfilt.sys
2009-01-20 20:32 . 2008-10-23 17:42 290,816 --a------ c:\windows\vncutil.exe
2009-01-20 20:32 . 2008-06-24 14:46 104,992 --a------ c:\windows\RtkAudioService.exe
2009-01-20 20:32 . 2009-01-05 16:16 34,816 --a------ c:\windows\system32\RtkCoInstXP.dll
2009-01-20 18:21 . 2009-01-20 18:21 <DIR> d-------- c:\program files\Avanquest update
2009-01-20 18:21 . 2009-01-20 18:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\BVRP Software
2009-01-20 18:20 . 2009-01-20 18:20 <DIR> d-------- c:\program files\Sony Ericsson
2009-01-20 18:20 . 2009-01-20 18:20 <DIR> d-------- c:\documents and settings\user\Application Data\InstallShield
2009-01-20 18:20 . 2009-01-20 18:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sony Ericsson
2009-01-20 18:20 . 2008-05-16 12:33 120,744 --a------ c:\windows\system32\drivers\s0016mdm.sys
2009-01-20 18:20 . 2008-05-16 12:33 89,256 --a------ c:\windows\system32\drivers\s0016bus.sys
2009-01-20 18:20 . 2008-05-16 12:33 15,016 --a------ c:\windows\system32\drivers\s0016mdfl.sys
2009-01-20 18:20 . 2008-05-16 12:33 12,200 --a------ c:\windows\system32\drivers\s0016whnt.sys
2009-01-20 18:20 . 2008-05-16 12:33 12,200 --a------ c:\windows\system32\drivers\s0016wh.sys
2009-01-20 18:20 . 2008-05-16 12:33 12,200 --a------ c:\windows\system32\drivers\s0016cmnt.sys
2009-01-20 18:20 . 2008-05-16 12:33 12,200 --a------ c:\windows\system32\drivers\s0016cm.sys
2009-01-20 17:50 . 2009-01-20 17:50 <DIR> d-------- c:\windows\Downloaded Installations
2009-01-20 17:49 . 2009-01-20 17:49 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-20 17:49 . 2009-01-20 17:49 1,409 --a------ c:\windows\QTFont.for
2009-01-20 13:14 . 2009-01-20 13:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-20 13:14 . 2009-01-20 13:14 <DIR> d-------- c:\documents and settings\user\Application Data\Malwarebytes
2009-01-20 13:14 . 2009-01-20 13:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-20 13:14 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-20 13:14 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-18 22:18 . 2009-01-18 22:18 0 --a------ c:\windows\LCDMedia.INI
2009-01-18 22:13 . 2009-01-18 22:13 <DIR> d-------- c:\program files\ERUNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-16 08:31 --------- d-----w c:\program files\Google
2009-02-16 08:25 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-16 08:24 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-11 06:27 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-03 09:22 --------- d-----w c:\program files\AGEIA Technologies
2009-01-20 10:21 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-13 17:23 --------- d-----w c:\program files\Trend Micro
2009-01-13 07:00 --------- d-----w c:\program files\Notepad++
2009-01-13 07:00 --------- d-----w c:\documents and settings\user\Application Data\Notepad++
2009-01-12 15:24 --------- d-----w c:\program files\Reference Assemblies
2009-01-12 15:19 --------- d-----w c:\program files\MSECache
2009-01-12 14:19 --------- d-----w c:\program files\PowerISO
2009-01-12 13:43 --------- d-----w c:\program files\Web Publish
2009-01-12 03:20 --------- d-----w c:\program files\NOS
2009-01-12 03:20 --------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-01-11 18:17 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-01-11 18:17 --------- d-----w c:\program files\Common Files\Adobe
2009-01-09 14:17 --------- d-----w c:\program files\CDisplay
2009-01-09 03:07 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-01-09 03:07 --------- d-----w c:\program files\Java
2009-01-09 02:54 --------- d-----w c:\documents and settings\user\Application Data\CyberLink
2009-01-09 02:54 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2009-01-07 17:35 --------- d-----w c:\program files\Project64 1.6
2009-01-07 17:03 --------- d-----w c:\program files\MagicDVDRipper
2009-01-07 15:14 --------- d-----w c:\program files\Karen's Power Tools
2009-01-07 15:14 --------- d-----w c:\documents and settings\All Users\Application Data\Karen's Power Tools
2009-01-07 14:12 --------- d-----w c:\program files\Nidesoft Studio
2009-01-07 13:58 --------- d-----w c:\program files\Aglare DVD to AVI WMV MP4 MPEG Converter
2009-01-07 02:12 --------- d-----w c:\program files\Easy MPEG AVI DIVX WMV RM to DVD
2009-01-06 11:00 4,968,448 ----a-w c:\windows\system32\drivers\RtkHDAud.sys
2009-01-01 08:23 --------- d-----w c:\program files\McAfee
2009-01-01 08:19 --------- d-----w c:\program files\FFXiBench3
2009-01-01 07:54 --------- d-----w c:\documents and settings\user\Application Data\mjusbsp
2008-12-30 23:10 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-12-30 06:58 18,082,304 ----a-w c:\windows\RTHDCPL.EXE
2008-12-30 06:47 --------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-12-30 06:47 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-29 06:00 --------- d-----w c:\program files\Transparent
2008-12-29 05:47 --------- d-----w c:\documents and settings\user\Application Data\Winamp
2008-12-29 04:36 --------- d-----w c:\documents and settings\user\Application Data\DivX
2008-12-29 03:53 --------- d-----w c:\program files\Common Files\LightScribe
2008-12-29 03:51 --------- d-----w c:\program files\Common Files\Ahead
2008-12-29 03:51 --------- d-----w c:\program files\Ahead
2008-12-29 03:50 --------- d-----w c:\program files\CyberLink DVD Solution
2008-12-29 03:49 --------- d-----w c:\program files\CyberLink
2008-12-29 03:48 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-29 03:18 --------- d-----w c:\program files\MSBuild
2008-12-29 03:18 --------- d-----w c:\program files\Microsoft Works
2008-12-29 03:08 --------- d-----w c:\program files\Alcohol Soft
2008-12-29 02:49 --------- d-----w c:\program files\PlayOnline
2008-12-28 06:57 --------- d-----w c:\program files\Common Files\McAfee
2008-12-28 06:57 --------- d-----w c:\documents and settings\All Users\Application Data\OrbNetworks
2008-12-28 06:47 --------- d-----w c:\program files\Winamp Toolbar
2008-12-28 06:47 --------- d-----w c:\program files\Winamp Remote
2008-12-28 06:47 --------- d-----w c:\program files\Winamp
2008-12-28 06:47 --------- d-----w c:\documents and settings\All Users\Application Data\Winamp Toolbar
2008-12-28 06:42 --------- d-----w c:\program files\DivX
2008-12-28 06:32 --------- d-----w c:\program files\McAfee.com
2008-12-28 05:54 --------- d-----w c:\program files\Logitech
2008-12-28 05:54 --------- d-----w c:\documents and settings\All Users\Application Data\Logitech
2008-12-28 03:36 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-28 03:31 --------- d-----w c:\program files\Intel
2008-12-28 03:30 --------- d-----w c:\program files\Realtek
2008-12-28 03:24 --------- d-----w c:\program files\microsoft frontpage
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-11-21 21:47 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-11-21 21:47 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-11-21 21:47 129,784 ------w c:\windows\system32\pxafs.dll
2008-11-21 21:47 120,056 ------w c:\windows\system32\pxcpyi64.exe
2008-11-21 21:47 118,520 ------w c:\windows\system32\pxinsi64.exe
2008-11-21 21:46 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-11-21 21:46 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-11-21 21:44 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 21:44 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2006-06-24 06:48 32,768 ----a-r c:\windows\inf\UpdateUSB.exe
2004-10-01 23:00 40,960 ----a-w c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( SnapShot_2009-02-11_14.21.52.84 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-16 20:38:34 124,928 -c----w c:\windows\ie7updates\KB961260-IE7\advpack.dll
+ 2008-10-16 20:38:34 347,136 -c----w c:\windows\ie7updates\KB961260-IE7\dxtmsft.dll
+ 2008-10-16 20:38:34 214,528 -c----w c:\windows\ie7updates\KB961260-IE7\dxtrans.dll
+ 2008-10-16 20:38:35 133,120 -c----w c:\windows\ie7updates\KB961260-IE7\extmgr.dll
+ 2008-10-16 20:38:35 63,488 -c----w c:\windows\ie7updates\KB961260-IE7\icardie.dll
+ 2008-10-16 13:11:09 70,656 -c----w c:\windows\ie7updates\KB961260-IE7\ie4uinit.exe
+ 2008-10-16 20:38:35 153,088 -c----w c:\windows\ie7updates\KB961260-IE7\ieakeng.dll
+ 2008-10-16 20:38:35 230,400 -c----w c:\windows\ie7updates\KB961260-IE7\ieaksie.dll
+ 2008-10-15 07:04:53 161,792 -c----w c:\windows\ie7updates\KB961260-IE7\ieakui.dll
+ 2008-10-16 20:38:35 383,488 -c----w c:\windows\ie7updates\KB961260-IE7\ieapfltr.dll
+ 2008-10-16 20:38:35 384,512 -c----w c:\windows\ie7updates\KB961260-IE7\iedkcs32.dll
+ 2008-10-16 20:38:37 6,066,176 -c----w c:\windows\ie7updates\KB961260-IE7\ieframe.dll
+ 2008-10-16 20:38:37 44,544 -c----w c:\windows\ie7updates\KB961260-IE7\iernonce.dll
+ 2008-10-16 20:38:37 267,776 -c----w c:\windows\ie7updates\KB961260-IE7\iertutil.dll
+ 2008-10-16 13:11:09 13,824 -c----w c:\windows\ie7updates\KB961260-IE7\ieudinit.exe
+ 2008-10-15 07:06:26 633,632 -c----w c:\windows\ie7updates\KB961260-IE7\iexplore.exe
+ 2008-10-16 20:38:37 27,648 -c----w c:\windows\ie7updates\KB961260-IE7\jsproxy.dll
+ 2008-10-16 20:38:37 459,264 -c----w c:\windows\ie7updates\KB961260-IE7\msfeeds.dll
+ 2008-10-16 20:38:37 52,224 -c----w c:\windows\ie7updates\KB961260-IE7\msfeedsbs.dll
+ 2008-12-13 06:40:02 3,593,216 -c----w c:\windows\ie7updates\KB961260-IE7\mshtml.dll
+ 2008-10-16 20:38:38 477,696 -c----w c:\windows\ie7updates\KB961260-IE7\mshtmled.dll
+ 2008-10-16 20:38:38 193,024 -c----w c:\windows\ie7updates\KB961260-IE7\msrating.dll
+ 2008-10-16 20:38:39 671,232 -c----w c:\windows\ie7updates\KB961260-IE7\mstime.dll
+ 2008-10-16 20:38:39 102,912 -c----w c:\windows\ie7updates\KB961260-IE7\occache.dll
+ 2008-10-16 20:38:39 44,544 -c----w c:\windows\ie7updates\KB961260-IE7\pngfilt.dll
+ 2007-03-06 01:22:41 213,216 -c----w c:\windows\ie7updates\KB961260-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w c:\windows\ie7updates\KB961260-IE7\spuninst\updspapi.dll
+ 2008-10-16 20:38:39 105,984 -c----w c:\windows\ie7updates\KB961260-IE7\url.dll
+ 2008-10-16 20:38:39 1,160,192 -c----w c:\windows\ie7updates\KB961260-IE7\urlmon.dll
+ 2008-10-16 20:38:39 233,472 -c----w c:\windows\ie7updates\KB961260-IE7\webcheck.dll
+ 2008-10-16 20:38:40 826,368 -c----w c:\windows\ie7updates\KB961260-IE7\wininet.dll
- 2009-02-09 12:54:57 1,165,584 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-02-11 06:27:23 1,165,584 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\accicons.exe
- 2009-02-09 12:54:57 20,240 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-02-11 06:27:24 20,240 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\cagicon.exe
- 2009-02-09 12:54:57 159,504 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-02-11 06:27:23 159,504 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\inficon.exe
- 2009-02-09 12:54:57 217,864 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\misc.exe
+ 2009-02-11 06:27:24 217,864 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\misc.exe
- 2009-02-09 12:54:57 18,704 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-02-11 06:27:24 18,704 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\mspicons.exe
- 2009-02-09 12:54:57 35,088 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-02-11 06:27:24 35,088 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-02-09 12:54:57 845,584 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\outicon.exe
+ 2009-02-11 06:27:23 845,584 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\outicon.exe
- 2009-02-09 12:54:57 922,384 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-02-11 06:27:23 922,384 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\pptico.exe
- 2009-02-09 12:54:57 272,648 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-02-11 06:27:24 272,648 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\pubs.exe
- 2009-02-09 12:54:57 888,080 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-02-11 06:27:24 888,080 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\wordicon.exe
- 2009-02-09 12:54:57 1,172,240 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-02-11 06:27:23 1,172,240 ----a-r c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\xlicons.exe
- 2008-10-16 20:38:34 124,928 ----a-w c:\windows\system32\advpack.dll
+ 2008-12-20 23:15:11 124,928 ----a-w c:\windows\system32\advpack.dll
- 2009-02-11 05:36:26 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-16 08:32:22 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-11 05:36:26 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-16 08:32:22 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-08-09 13:27:08 98,304 ----a-w c:\windows\system32\cscript.exe
+ 2008-05-07 09:07:23 135,168 ----a-w c:\windows\system32\cscript.exe
- 2008-10-16 20:38:34 124,928 -c----w c:\windows\system32\dllcache\advpack.dll
+ 2008-12-20 23:15:11 124,928 -c----w c:\windows\system32\dllcache\advpack.dll
- 2004-08-09 13:27:08 98,304 -c--a-w c:\windows\system32\dllcache\cscript.exe
+ 2008-05-07 09:07:23 135,168 -c--a-w c:\windows\system32\dllcache\cscript.exe
- 2008-10-16 20:38:34 347,136 -c----w c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-12-20 23:15:12 347,136 -c----w c:\windows\system32\dllcache\dxtmsft.dll
- 2008-10-16 20:38:34 214,528 -c----w c:\windows\system32\dllcache\dxtrans.dll
+ 2008-12-20 23:15:13 214,528 -c----w c:\windows\system32\dllcache\dxtrans.dll
- 2008-10-16 20:38:35 133,120 -c----w c:\windows\system32\dllcache\extmgr.dll
+ 2008-12-20 23:15:13 133,120 -c----w c:\windows\system32\dllcache\extmgr.dll
- 2008-10-16 20:38:35 63,488 -c----w c:\windows\system32\dllcache\icardie.dll
+ 2008-12-20 23:15:13 63,488 -c----w c:\windows\system32\dllcache\icardie.dll
- 2008-10-16 13:11:09 70,656 -c----w c:\windows\system32\dllcache\ie4uinit.exe
+ 2008-12-19 09:10:15 70,656 -c----w c:\windows\system32\dllcache\ie4uinit.exe
- 2008-10-16 20:38:35 153,088 -c----w c:\windows\system32\dllcache\ieakeng.dll
+ 2008-12-20 23:15:14 153,088 -c----w c:\windows\system32\dllcache\ieakeng.dll
- 2008-10-16 20:38:35 230,400 -c----w c:\windows\system32\dllcache\ieaksie.dll
+ 2008-12-20 23:15:14 230,400 -c----w c:\windows\system32\dllcache\ieaksie.dll
- 2008-10-15 07:04:53 161,792 -c----w c:\windows\system32\dllcache\ieakui.dll
+ 2008-12-19 05:23:56 161,792 -c----w c:\windows\system32\dllcache\ieakui.dll
- 2008-10-16 20:38:35 383,488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
+ 2008-12-20 23:15:15 383,488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
- 2008-10-16 20:38:35 384,512 -c----w c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-12-20 23:15:16 384,512 -c----w c:\windows\system32\dllcache\iedkcs32.dll
- 2008-10-16 20:38:37 6,066,176 -c----w c:\windows\system32\dllcache\ieframe.dll
+ 2008-12-20 23:15:21 6,066,688 -c----w c:\windows\system32\dllcache\ieframe.dll
- 2008-10-16 20:38:37 44,544 -c----w c:\windows\system32\dllcache\iernonce.dll
+ 2008-12-20 23:15:21 44,544 -c----w c:\windows\system32\dllcache\iernonce.dll
- 2008-10-16 20:38:37 267,776 -c----w c:\windows\system32\dllcache\iertutil.dll
+ 2008-12-20 23:15:22 267,776 -c----w c:\windows\system32\dllcache\iertutil.dll
- 2008-10-16 13:11:09 13,824 -c----w c:\windows\system32\dllcache\ieudinit.exe
+ 2008-12-19 09:10:15 13,824 -c----w c:\windows\system32\dllcache\ieudinit.exe
- 2008-10-15 07:06:26 633,632 -c----w c:\windows\system32\dllcache\iexplore.exe
+ 2008-12-19 05:25:25 634,024 -c----w c:\windows\system32\dllcache\iexplore.exe
- 2004-08-09 13:27:02 466,944 -c--a-w c:\windows\system32\dllcache\jscript.dll
+ 2008-05-09 10:53:39 512,000 -c--a-w c:\windows\system32\dllcache\jscript.dll
- 2008-10-16 20:38:37 27,648 -c----w c:\windows\system32\dllcache\jsproxy.dll
+ 2008-12-20 23:15:23 27,648 -c----w c:\windows\system32\dllcache\jsproxy.dll
- 2008-10-16 20:38:37 459,264 -c----w c:\windows\system32\dllcache\msfeeds.dll
+ 2008-12-20 23:15:23 459,264 -c----w c:\windows\system32\dllcache\msfeeds.dll
- 2008-10-16 20:38:37 52,224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-12-20 23:15:24 52,224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
- 2008-12-13 06:40:02 3,593,216 -c----w c:\windows\system32\dllcache\mshtml.dll
+ 2009-01-16 13:35:14 3,594,752 -c----w c:\windows\system32\dllcache\mshtml.dll
- 2008-10-16 20:38:38 477,696 -c----w c:\windows\system32\dllcache\mshtmled.dll
+ 2008-12-20 23:15:30 477,696 -c----w c:\windows\system32\dllcache\mshtmled.dll
- 2008-10-16 20:38:38 193,024 -c----w c:\windows\system32\dllcache\msrating.dll
+ 2008-12-20 23:15:31 193,024 -c----w c:\windows\system32\dllcache\msrating.dll
- 2008-10-16 20:38:39 671,232 -c----w c:\windows\system32\dllcache\mstime.dll
+ 2008-12-20 23:15:32 671,232 -c----w c:\windows\system32\dllcache\mstime.dll
- 2008-10-16 20:38:39 102,912 -c----w c:\windows\system32\dllcache\occache.dll
+ 2008-12-20 23:15:38 102,912 -c----w c:\windows\system32\dllcache\occache.dll
- 2008-10-16 20:38:39 44,544 -c----w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-12-20 23:15:38 44,544 -c----w c:\windows\system32\dllcache\pngfilt.dll
- 2004-08-09 13:27:04 151,552 -c--a-w c:\windows\system32\dllcache\scrobj.dll
+ 2008-05-09 10:53:39 180,224 -c--a-w c:\windows\system32\dllcache\scrobj.dll
- 2004-08-09 13:27:04 151,552 -c--a-w c:\windows\system32\dllcache\scrrun.dll
+ 2008-05-09 10:53:40 172,032 -c--a-w c:\windows\system32\dllcache\scrrun.dll
- 2008-10-16 20:38:39 105,984 -c----w c:\windows\system32\dllcache\url.dll
+ 2008-12-20 23:15:39 105,984 -c----w c:\windows\system32\dllcache\url.dll
- 2008-10-16 20:38:39 1,160,192 -c----w c:\windows\system32\dllcache\urlmon.dll
+ 2008-12-20 23:15:40 1,160,192 -c----w c:\windows\system32\dllcache\urlmon.dll
- 2004-08-09 13:27:06 438,272 -c--a-w c:\windows\system32\dllcache\vbscript.dll
+ 2008-05-09 10:53:40 430,080 -c--a-w c:\windows\system32\dllcache\vbscript.dll
- 2008-10-16 20:38:39 233,472 -c----w c:\windows\system32\dllcache\webcheck.dll
+ 2008-12-20 23:15:40 233,472 -c----w c:\windows\system32\dllcache\webcheck.dll
- 2008-10-16 20:38:40 826,368 -c----w c:\windows\system32\dllcache\wininet.dll
+ 2008-12-20 23:15:41 826,368 -c----w c:\windows\system32\dllcache\wininet.dll
- 2004-08-09 13:27:16 114,688 -c--a-w c:\windows\system32\dllcache\wscript.exe
+ 2008-05-08 11:24:44 155,648 -c--a-w c:\windows\system32\dllcache\wscript.exe
- 2004-08-09 13:27:06 65,536 -c--a-w c:\windows\system32\dllcache\wshext.dll
+ 2008-05-09 10:53:40 90,112 -c--a-w c:\windows\system32\dllcache\wshext.dll
- 2008-10-16 20:38:34 347,136 ----a-w c:\windows\system32\dxtmsft.dll
+ 2008-12-20 23:15:12 347,136 ----a-w c:\windows\system32\dxtmsft.dll
- 2008-10-16 20:38:34 214,528 ----a-w c:\windows\system32\dxtrans.dll
+ 2008-12-20 23:15:13 214,528 ----a-w c:\windows\system32\dxtrans.dll
- 2008-10-16 20:38:35 133,120 ------w c:\windows\system32\extmgr.dll
+ 2008-12-20 23:15:13 133,120 ------w c:\windows\system32\extmgr.dll
- 2008-10-16 20:38:35 63,488 ----a-w c:\windows\system32\icardie.dll
+ 2008-12-20 23:15:13 63,488 ----a-w c:\windows\system32\icardie.dll
- 2008-10-16 13:11:09 70,656 ------w c:\windows\system32\ie4uinit.exe
+ 2008-12-19 09:10:15 70,656 ------w c:\windows\system32\ie4uinit.exe
- 2008-10-16 20:38:35 153,088 ------w c:\windows\system32\ieakeng.dll
+ 2008-12-20 23:15:14 153,088 ------w c:\windows\system32\ieakeng.dll
- 2008-10-16 20:38:35 230,400 ------w c:\windows\system32\ieaksie.dll
+ 2008-12-20 23:15:14 230,400 ------w c:\windows\system32\ieaksie.dll
- 2008-10-15 07:04:53 161,792 ------w c:\windows\system32\ieakui.dll
+ 2008-12-19 05:23:56 161,792 ------w c:\windows\system32\ieakui.dll
- 2008-10-16 20:38:35 383,488 ----a-w c:\windows\system32\ieapfltr.dll
+ 2008-12-20 23:15:15 383,488 ----a-w c:\windows\system32\ieapfltr.dll
- 2008-10-16 20:38:35 384,512 ------w c:\windows\system32\iedkcs32.dll
+ 2008-12-20 23:15:16 384,512 ------w c:\windows\system32\iedkcs32.dll
- 2008-10-16 20:38:37 6,066,176 ----a-w c:\windows\system32\ieframe.dll
+ 2008-12-20 23:15:21 6,066,688 ----a-w c:\windows\system32\ieframe.dll
- 2008-10-16 20:38:37 44,544 ------w c:\windows\system32\iernonce.dll
+ 2008-12-20 23:15:21 44,544 ------w c:\windows\system32\iernonce.dll
- 2008-10-16 20:38:37 267,776 ----a-w c:\windows\system32\iertutil.dll
+ 2008-12-20 23:15:22 267,776 ----a-w c:\windows\system32\iertutil.dll
- 2008-10-16 13:11:09 13,824 ----a-w c:\windows\system32\ieudinit.exe
+ 2008-12-19 09:10:15 13,824 ----a-w c:\windows\system32\ieudinit.exe
- 2004-08-09 13:27:02 466,944 ----a-w c:\windows\system32\jscript.dll
+ 2008-05-09 10:53:39 512,000 ----a-w c:\windows\system32\jscript.dll
- 2008-10-16 20:38:37 27,648 ----a-w c:\windows\system32\jsproxy.dll
+ 2008-12-20 23:15:23 27,648 ----a-w c:\windows\system32\jsproxy.dll
- 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\system32\MRT.exe
+ 2009-02-03 23:21:12 21,244,864 ----a-w c:\windows\system32\MRT.exe
- 2008-10-16 20:38:37 459,264 ----a-w c:\windows\system32\msfeeds.dll
+ 2008-12-20 23:15:23 459,264 ----a-w c:\windows\system32\msfeeds.dll
- 2008-10-16 20:38:37 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
+ 2008-12-20 23:15:24 52,224 ----a-w c:\windows\system32\msfeedsbs.dll
- 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2009-01-16 13:35:14 3,594,752 ----a-w c:\windows\system32\mshtml.dll
- 2008-10-16 20:38:38 477,696 ----a-w c:\windows\system32\mshtmled.dll
+ 2008-12-20 23:15:30 477,696 ----a-w c:\windows\system32\mshtmled.dll
- 2008-10-16 20:38:38 193,024 ------w c:\windows\system32\msrating.dll
+ 2008-12-20 23:15:31 193,024 ------w c:\windows\system32\msrating.dll
- 2008-10-16 20:38:39 671,232 ------w c:\windows\system32\mstime.dll
+ 2008-12-20 23:15:32 671,232 ------w c:\windows\system32\mstime.dll
- 2008-10-16 20:38:39 102,912 ------w c:\windows\system32\occache.dll
+ 2008-12-20 23:15:38 102,912 ------w c:\windows\system32\occache.dll
- 2009-02-11 05:35:48 75,414 ----a-w c:\windows\system32\perfc009.dat
+ 2009-02-16 08:30:45 75,414 ----a-w c:\windows\system32\perfc009.dat
- 2009-02-11 05:35:48 456,634 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-16 08:30:45 456,634 ----a-w c:\windows\system32\perfh009.dat
- 2008-10-16 20:38:39 44,544 ----a-w c:\windows\system32\pngfilt.dll
+ 2008-12-20 23:15:38 44,544 ----a-w c:\windows\system32\pngfilt.dll
- 2004-08-09 13:27:04 151,552 ----a-w c:\windows\system32\scrobj.dll
+ 2008-05-09 10:53:39 180,224 ----a-w c:\windows\system32\scrobj.dll
- 2004-08-09 13:27:04 151,552 ----a-w c:\windows\system32\scrrun.dll
+ 2008-05-09 10:53:40 172,032 ----a-w c:\windows\system32\scrrun.dll
- 2008-10-16 20:38:39 105,984 ----a-w c:\windows\system32\url.dll
+ 2008-12-20 23:15:39 105,984 ----a-w c:\windows\system32\url.dll
- 2008-10-16 20:38:39 1,160,192 ----a-w c:\windows\system32\urlmon.dll
+ 2008-12-20 23:15:40 1,160,192 ----a-w c:\windows\system32\urlmon.dll
- 2004-08-09 13:27:06 438,272 ----a-w c:\windows\system32\vbscript.dll
+ 2008-05-09 10:53:40 430,080 ----a-w c:\windows\system32\vbscript.dll
- 2008-10-16 20:38:39 233,472 ----a-w c:\windows\system32\webcheck.dll
+ 2008-12-20 23:15:40 233,472 ----a-w c:\windows\system32\webcheck.dll
- 2004-08-09 13:27:16 114,688 ----a-w c:\windows\system32\wscript.exe
+ 2008-05-08 11:24:44 155,648 ----a-w c:\windows\system32\wscript.exe
- 2004-08-09 13:27:06 65,536 ----a-w c:\windows\system32\wshext.dll
+ 2008-05-09 10:53:40 90,112 ----a-w c:\windows\system32\wshext.dll
+ 2009-02-16 08:26:16 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_af4.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\user\Application Data\mjusbsp\cdloader2.exe" [2008-12-18 50520]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-13 86016]
"Launch LGDCore"="c:\program files\Logitech\G-series Software\LGDCore.exe" [2006-03-06 1122304]
"Launch LCDMon"="c:\program files\Logitech\G-series Software\LCDMon.exe" [2006-03-06 497152]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-12 641208]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-04 36352]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-07-08 1397760]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-10 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-09 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Google IME Autoupdater"="c:\program files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2008-10-17 308720]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-13 13672448]
"RegKillElbyCheck"="c:\program files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" [2002-11-02 45056]
"RegKillTray"="c:\program files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe" [2002-11-28 49152]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-02-08 30192]
"nwiz"="nwiz.exe" [2008-11-13 c:\windows\system32\nwiz.exe]

c:\documents and settings\user\Start Menu\Programs\Startup\
SolidWorks Task Scheduler Engine.lnk - c:\program files\SolidWorks\swScheduler\swBOEngine.exe [2007-09-09 488728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 21:42 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-11-13 06:54 13672448 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-03-15 07:50 233472 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SolidWorks_CheckForUpdates]
-ra------ 2007-09-10 14:15 6460696 c:\program files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\alcmtr]
--a------ 2008-06-19 16:20 57344 c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-11-13 06:54 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rthdcpl]
--a------ 2008-12-30 14:58 18082304 c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\user\\Application Data\\mjusbsp\\magicJack.exe"=

R2 mcafee siteadvisor service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-12-30 206096]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2008-12-28 36864]
R3 RegKill;RegKill;c:\windows\system32\drivers\RegKill.sys [2002-11-28 6400]
S2 gupdate1c989fb9fbc9a4;Google Update Service (gupdate1c989fb9fbc9a4);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-08 133104]
S3 getplus(r) helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe --> c:\program files\NOS\bin\getPlus_HelperSvc.exe [?]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-02-08 30192]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2009-01-20 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2009-01-20 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2009-01-20 120744]
.
Contents of the 'Scheduled Tasks' folder

2009-02-16 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-08 22:39]

2008-12-28 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-10 10:10]

2008-12-31 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-10 10:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: e&xport to microsoft excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {06D3657C-3AB2-4B4B-9116-79D53A357EEF} = 168.95.192.1 168.95.1.1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-16 16:35:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-16 16:36:12
ComboFix-quarantined-files.txt 2009-02-16 08:36:10
ComboFix2.txt 2009-02-11 06:22:42
ComboFix3.txt 2009-02-03 14:36:11
ComboFix4.txt 2009-02-03 14:24:45
ComboFix5.txt 2009-02-16 08:33:18

Pre-Run: 74,374,053,888 bytes free
Post-Run: 74,386,231,296 bytes free

476 --- E O F --- 2009-02-11 06:28:25


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:38:58 PM, on 2/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google IME Autoupdater] "C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RegKillTray] "C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\user\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SolidWorks Task Scheduler Engine.lnk = C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: e&xport to microsoft excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra button: Research - {92780b25-18cc-41c8-b9be-3c9c571a8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230435719625
O16 - DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?AuthParam=1231470670_081cb8023912a2a375f10ef7097d378b&GroupName=JSC&FilePath=/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab&File=jinstall-6u11-windows-i586-jc.cab&BHost=javadl.sun.com
O16 - DPF: {cf40acc5-e1bb-4aff-ac72-04c2f616bca7} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{06D3657C-3AB2-4B4B-9116-79D53A357EEF}: NameServer = 168.95.192.1 168.95.1.1
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: getPlus(R) Helper (getplus(r) helper) - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c989fb9fbc9a4) (gupdate1c989fb9fbc9a4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (incdsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (lightscribeservice) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service (mcafee siteadvisor service) - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 10639 bytes

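An added triage helper for the HijackThis log above (this is example code written for this page, not part of the thread and not a HijackThis feature). It parses the O4, O16, O17 and O23 lines and flags the things a helper reading such a log checks first: autorun entries whose binary lives in a user-writable directory, an O16 ActiveX download entry with no name and no source URL, and O23 services whose binary is missing or which carry no vendor string. The sample lines are copied from the log posted above; the list of "user-writable" path fragments and the flag wording are my own assumptions, and every flag is a prompt to look, not a verdict (a legitimate program can run from Application Data, and a security product can show "Unknown owner").

```python
import re
from typing import Dict, List

# Constructed sample input: lines copied verbatim from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\user\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {cf40acc5-e1bb-4aff-ac72-04c2f616bca7} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{06D3657C-3AB2-4B4B-9116-79D53A357EEF}: NameServer = 168.95.192.1 168.95.1.1
O23 - Service: getPlus(R) Helper (getplus(r) helper) - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
""".strip()

RUN_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$')
DPF_RE = re.compile(r'^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \(([^)]*)\))? -\s*(.*)$')
DNS_RE = re.compile(r'^O17 - .*NameServer = (.*)$')
SVC_RE = re.compile(r'^O23 - Service: (.+?) \((.+?)\) - (.+?) - (.+)$')
SVC_NOPAREN_RE = re.compile(r'^O23 - Service: (.+?) - (.+?) - (.+)$')

# Assumed list of directory fragments an ordinary user can write to. An autorun
# entry pointing there deserves a second look; it is a flag for review, not a verdict.
USER_WRITABLE = ('\\documents and settings\\', '\\application data\\',
                 '\\local settings\\', '\\temp\\')


def command_path(cmd: str) -> str:
    """Return the executable path from an O4 command string (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def triage_hjt(text: str) -> List[Dict[str, str]]:
    """Walk HijackThis lines and collect the entries worth a human look, in log order."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if m:
            path = command_path(m.group(3))
            if any(frag in path.lower() for frag in USER_WRITABLE):
                findings.append({'type': 'O4', 'subject': m.group(2),
                                 'reason': 'autorun from user-writable path: ' + path})
            continue
        m = DPF_RE.match(line)
        if m:
            clsid, _name, url = m.groups()
            if not url:
                findings.append({'type': 'O16', 'subject': clsid,
                                 'reason': 'ActiveX download entry with no name and no source URL'})
            continue
        m = SVC_RE.match(line) or SVC_NOPAREN_RE.match(line)
        if m:
            groups = m.groups()
            display, owner, path = groups[0], groups[-2], groups[-1]
            if '(file missing)' in path:
                findings.append({'type': 'O23', 'subject': display,
                                 'reason': 'service registered but binary missing: ' + path})
            elif owner == 'Unknown owner':
                findings.append({'type': 'O23', 'subject': display,
                                 'reason': 'service with no vendor string: ' + path})
    return findings


def dns_servers(text: str) -> List[str]:
    """Collect O17 NameServer addresses so they can be checked against the ISP's DNS."""
    servers: List[str] = []
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if m:
            servers.extend(m.group(1).split())
    return servers


if __name__ == '__main__':
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f['type']:4} {f['subject']}: {f['reason']}")
    print('DNS servers to verify:', ', '.join(dns_servers(SAMPLE_LOG)))
```

On the sample it reports the cdloader autorun, the nameless O16 entry and the getPlus service whose file is gone, and lists the two O17 name servers so they can be compared with what the ISP actually hands out; a changed O17 entry is one of the few places in a HijackThis log where a DNS hijack shows up.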
Shaba
2009-02-16, 18:58
Looks like combofix doesn't find it.

Please rerun gmer and post back its log.

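An added helper for reading the kind of GMER log Shaba is asking for (example code written for this page; it is not part of the thread and not a GMER feature). GMER prints every kernel and user-mode hook it finds and, when the JMP target falls inside a loaded image, names the owning module after it. The script separates hooks GMER attributes to a module (in the log posted next, all kernel hooks point into the McAfee driver mfehidk.sys, which the log itself labels) from user-mode inline hooks whose target GMER leaves unattributed, and groups the latter by process. The sample lines are copied from the GMER log posted later in this thread; the page-grouping of targets is my own heuristic. An unattributed target only means no loaded image covers that address, which is what injected code in anonymous memory looks like; both security suites and malware do that, so the grouped list is what still needs identifying, not a verdict.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample input: lines copied verbatim from the GMER log posted in this thread.
SAMPLE_GMER = r"""
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB6BF79CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP B6BF79F8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP B6BF79CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070F4B
.text C:\WINDOWS\system32\services.exe[828] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0004000A
.text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00F40FCD
.text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 14, 89 ]
.text C:\WINDOWS\System32\svchost.exe[1172] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 03270FEF
""".strip()

# "Code <driver> (<description>) <ZwFunc> [0xADDR]"  : SSDT entry redirected into a driver
SSDT_RE = re.compile(r'^Code (\S+) \((.*?)\) (\w+)(?: \[0x[0-9A-Fa-f]+\])?$')
# ".text|PAGE [<process>[pid]] <module>!<func> <addr> <n> Bytes JMP <target> [<owner> (<desc>)]"
INLINE_RE = re.compile(
    r'^(?:\.text|PAGE) (?:(\S+)\[(\d+)\] )?(\S+)!(\w+) [0-9A-Fa-f]+ \d+ Bytes? '
    r'JMP ([0-9A-Fa-f]+)(?: (\S+) \((.*)\))?$')


def classify_hooks(text: str) -> Dict[str, object]:
    """Split GMER hook lines into module-attributed hooks and unattributed ones."""
    attributed: Dict[str, int] = defaultdict(int)           # owner module -> hook count
    unattributed: Dict[str, List[str]] = defaultdict(list)  # "process[pid]" -> ["dll!func->target"]
    unparsed: List[str] = []                                # continuation lines such as "+ 3 ... [ 14, 89 ]"
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            attributed[m.group(1)] += 1
            continue
        m = INLINE_RE.match(line)
        if m:
            proc, pid, module, func, target, owner, _desc = m.groups()
            if owner:
                attributed[owner] += 1
            else:
                where = f'{proc}[{pid}]' if proc else 'kernel'
                unattributed[where].append(f'{module}!{func}->{target}')
            continue
        unparsed.append(line)
    return {'attributed': dict(attributed),
            'unattributed': dict(unattributed),
            'unparsed': unparsed}


def trampoline_pages(hooks: List[str]) -> List[int]:
    """Page-align each JMP target; hooks sharing a page share one injected stub region."""
    return sorted({int(h.rsplit('->', 1)[1], 16) & ~0xFFF for h in hooks})


if __name__ == '__main__':
    result = classify_hooks(SAMPLE_GMER)
    for owner, count in result['attributed'].items():
        print(f'{count} hook(s) attributed to {owner}')
    for where, hooks in result['unattributed'].items():
        pages = ', '.join(f'0x{p:08X}' for p in trampoline_pages(hooks))
        print(f'{len(hooks)} unattributed hook(s) in {where}; stub page(s): {pages}')
        for h in hooks:
            print('    ' + h)
```

For the sample this attributes all four kernel hooks to mfehidk.sys and leaves five user-mode hooks across services.exe, lsass.exe and svchost.exe to be explained; the page grouping shows, for instance, that the kernel32 hooks in services.exe all land in one page at 0x00070000 while the WS2_32 hook lands in another, which is the usual shape of one injected stub table per hooked DLL.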
jvanosda
2009-02-17, 05:50
Here is the new gmer log.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-17 11:48:30
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB6BF79CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xB6BF7A61]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB6BF7A75]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB6BF7AA1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB6BF7B0F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB6BF7AF9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB6BF7A0A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB6BF7B3B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB6BF7A4D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB6BF7950]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB6BF7964]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB6BF79DE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB6BF7B77]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB6BF7AE3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB6BF7ACD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB6BF7A8B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB6BF7B63]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB6BF7B4F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB6BF79B6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB6BF79A2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xB6BF7AB7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB6BF7A39]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB6BF7B25]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB6BF7A20]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB6BF79F4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP B6BF79F8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP B6BF79CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP B6BF7A0E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP B6BF7A24 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP B6BF79E2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP B6BF7954 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP B6BF7968 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP B6BF79A6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP B6BF79BA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP B6BF7A3D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219CA 7 Bytes JMP B6BF7AD1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D18 7 Bytes JMP B6BF7ABB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622042 7 Bytes JMP B6BF7B29 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 806228E0 7 Bytes JMP B6BF7AE7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231B4 7 Bytes JMP B6BF7A8F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 80623792 5 Bytes JMP B6BF7A65 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C22 7 Bytes JMP B6BF7A79 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623DF2 7 Bytes JMP B6BF7AA5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FD2 7 Bytes JMP B6BF7B13 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062423C 7 Bytes JMP B6BF7AFD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B64 5 Bytes JMP B6BF7A51 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624E8A 7 Bytes JMP B6BF7B7B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8062514A 5 Bytes JMP B6BF7B53 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062583E 5 Bytes JMP B6BF7B67 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625958 5 Bytes JMP B6BF7B3F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 000700AC
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070091
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070076
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070FB9
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070047
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 000700C9
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070F81
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070F4B
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F5C
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 000700F5
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00070FCA
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00070F92
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00070FDB
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 0007002C
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 000700DA
.text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00060033
.text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00060FB6
.text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00060022
.text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00060011
.text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00060FC7
.text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00060069
.text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 0006004E
.text C:\WINDOWS\system32\services.exe[828] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0004000A
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F50FEF
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F5009A
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F50089
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F5006C
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F50FAF
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F50036
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F50F68
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F50F79
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F500DF
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F50F46
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00F500F0
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00F50051
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00F5000A
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00F50F8A
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00F5001B
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00F50FD4
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00F50F57
.text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00F4002F
.text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00F4008A
.text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00F40FDE
.text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00F4000A
.text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00F4006F
.text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00F40FEF
.text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00F40FCD
.text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 14, 89 ]
.text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00F40054
.text C:\WINDOWS\system32\lsass.exe[840] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F20000
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 024B0FEF
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 024B0F4B
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 024B0F66
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 024B0F77
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 024B0040
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 024B0F9E
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 024B0F24
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 024B006C
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 024B0EF1
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 024B0F02
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 024B0EE0
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 024B0025
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 024B0FDE
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 024B005B
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 024B0014
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 024B0FCD
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 024B0F13
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 024A0FC3
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 024A0054
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 024A000A
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 024A0FD4
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 024A0F8D
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 024A0FEF
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 024A0FA8
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 6A, 8A ]
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 024A002F
.text C:\WINDOWS\system32\svchost.exe[1008] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02460FEF
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F40FE5
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [ E9 ]
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!VirtualProtectEx + 2 7C801A63 3 Bytes [ E5, 73, 84 ]
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F40F66
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F40F77
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F40F94
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F4002F
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F40F1F
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F40F3A
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F40EFD
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F40096
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00F400B1
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00F40040
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00F40FD4
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00F40F4B
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00F40FB9
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00F4000A
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00F40F0E
.text C:\WINDOWS\system32\svchost.exe[1076] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00F30FCA
.text C:\WINDOWS\system32\svchost.exe[1076] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00F3006C
.text C:\WINDOWS\system32\svchost.exe[1076] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00F30025
.text C:\WINDOWS\system32\svchost.exe[1076] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00F30014
.text C:\WINDOWS\system32\svchost.exe[1076] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00F30051
.text C:\WINDOWS\system32\svchost.exe[1076] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00F30FEF
.text C:\WINDOWS\system32\svchost.exe[1076] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00F30036
.text C:\WINDOWS\system32\svchost.exe[1076] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00F30FAF
.text C:\WINDOWS\system32\svchost.exe[1076] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F1000A
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 032D0000
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 032D00D5
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 032D00BA
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 032D00A9
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 032D0098
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 032D006C
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 032D0FB2
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 032D0FC3
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 032D0F97
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 032D0126
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 032D0F86
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 032D007D
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 032D001B
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 032D00F0
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 032D0047
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 032D002C
.text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 032D0115
.text C:\WINDOWS\System32\svchost.exe[1172] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 03190FB9
.text C:\WINDOWS\System32\svchost.exe[1172] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 03190F7C
.text C:\WINDOWS\System32\svchost.exe[1172] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 03190000
.text C:\WINDOWS\System32\svchost.exe[1172] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 03190FD4
.text C:\WINDOWS\System32\svchost.exe[1172] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 03190039
.text C:\WINDOWS\System32\svchost.exe[1172] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 03190FEF
.text C:\WINDOWS\System32\svchost.exe[1172] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 03190F97
.text C:\WINDOWS\System32\svchost.exe[1172] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 39, 8B ]
.text C:\WINDOWS\System32\svchost.exe[1172] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 03190FA8
.text C:\WINDOWS\System32\svchost.exe[1172] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02F8000A
.text C:\WINDOWS\System32\svchost.exe[1172] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 03270FEF
.text C:\WINDOWS\System32\svchost.exe[1172] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 03270014
.text C:\WINDOWS\System32\svchost.exe[1172] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 03270025
.text C:\WINDOWS\System32\svchost.exe[1172] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 03270040
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007C0000
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007C0F5E
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007C0F83
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007C0F94
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007C0FA5
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007C0FC0
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007C0090
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007C007F
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007C00CD
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007C00B2
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 007C00DE
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 007C0047
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 007C0025
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 007C006E
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 007C0FE5
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 007C0036
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 007C00A1
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 007B0FD4
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 007B006C
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 007B0025
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 007B0FEF
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 007B0FAF
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 007B000A
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 007B0051
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 007B0036
.text C:\WINDOWS\system32\svchost.exe[1360] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006C0FE5
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C7000A
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C70F57
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C70F68
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C70F83
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C70F94
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C70040
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C70089
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C70078
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C70F15
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C700AE
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00C70EF0
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00C70FAF
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00C70FEF
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00C70067
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00C70FD4
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00C70025
.text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00C70F30
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00A10014
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00A10040
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00A10FC3
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00A10FD4
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00A10F83
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00A10FEF
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00A1002F
.text C:\WINDOWS\system32\svchost.exe[1400] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00A10FA8
.text C:\WINDOWS\system32\svchost.exe[1400] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009F0000
.text C:\WINDOWS\system32\svchost.exe[1400] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00A2000A
.text C:\WINDOWS\system32\svchost.exe[1400] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00A2001B
.text C:\WINDOWS\system32\svchost.exe[1400] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00A20FE5
.text C:\WINDOWS\system32\svchost.exe[1400] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00A20036
.text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01330000
.text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0133006E
.text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01330F79
.text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0133005D
.text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01330F94
.text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01330036
.text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01330F4D
.text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01330089
.text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01330F10
.text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01330F21
.text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 01330EF5
.text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01330FA5
.text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01330FE5
.text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01330F5E
.text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01330FCA
.text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 0133001B
.text C:\WINDOWS\Explorer.EXE[1836] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 01330F32
.text C:\WINDOWS\Explorer.EXE[1836] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 01310FB9
.text C:\WINDOWS\Explorer.EXE[1836] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01310051
.text C:\WINDOWS\Explorer.EXE[1836] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 01310FD4
.text C:\WINDOWS\Explorer.EXE[1836] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0131000A
.text C:\WINDOWS\Explorer.EXE[1836] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01310036
.text C:\WINDOWS\Explorer.EXE[1836] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01310FEF
.text C:\WINDOWS\Explorer.EXE[1836] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 01310F9E
.text C:\WINDOWS\Explorer.EXE[1836] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 51, 89 ]
.text C:\WINDOWS\Explorer.EXE[1836] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 01310025
.text C:\WINDOWS\Explorer.EXE[1836] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 01320FE5
.text C:\WINDOWS\Explorer.EXE[1836] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 01320000
.text C:\WINDOWS\Explorer.EXE[1836] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 0132001B
.text C:\WINDOWS\Explorer.EXE[1836] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 01320FCA
.text C:\WINDOWS\Explorer.EXE[1836] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D00FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1948] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041BF60 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1948] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041BFE0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00250000
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 002500A1
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00250086
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00250069
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00250FAC
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0025003D
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00250F7B
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 002500CD
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 002500F9
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00250F60
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00250F45
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0025004E
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00250FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 002500B2
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 0025002C
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 0025001B
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 002500E8
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00340F9E
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 0034002F
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00340FAF
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00340FCA
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00340F72
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00340FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 0034000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00340F83
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 430A187F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 430A1800 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 430A1844 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 430A178C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 430A17C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 430A18BA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 42F316F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 016F0FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 016F000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 016F0FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 016F0025
.text C:\Program Files\Internet Explorer\iexplore.exe[1956] ws2_32.dll!socket 71AB4211 5 Bytes JMP 023C0000
.text C:\WINDOWS\system32\SearchIndexer.exe[2504] kernel32.dll!WriteFile 7C810E17 7 Bytes JMP 00F31B19 C:\WINDOWS\system32\mssrch.dll (mssrch.lib/Microsoft Corporation)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxyxyuhkkv.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@userdata -1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxyxyuhkkv.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxrqvqatnc.dll

---- EOF - GMER 1.0.14 ----

Shaba
2009-02-17, 12:53
OK, let's do this:

Run this CFScript as before:


Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gaopdxserv.sys]

Re-run gmer after that.

Post:

- a fresh combofix log
- a fresh gmer log
- a fresh hijackthis log

jvanosda
2009-02-17, 14:02
That didn't appear to work. Here are the three log files.

ComboFix 09-02-15.01 - user 2009-02-17 19:32:09.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2488 [GMT 8:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-01-17 to 2009-02-17 )))))))))))))))))))))))))))))))
.

2009-02-10 18:57 . 2009-02-10 19:00 <DIR> d-------- c:\program files\FFXIP
2009-02-10 13:47 . 2009-02-17 11:41 345 --a------ c:\windows\gmer.ini
2009-02-09 20:46 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2009-02-09 20:46 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2009-02-09 20:46 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2009-02-08 23:37 . 2009-02-08 23:37 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-02-08 23:37 . 2009-02-08 23:37 <DIR> d-------- c:\program files\Microsoft Office Outlook Connector
2009-02-08 23:37 . 2009-02-08 23:37 <DIR> d-------- c:\program files\Microsoft
2009-02-08 23:35 . 2009-02-08 23:35 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-02-08 22:21 . 2009-02-08 22:27 <DIR> d-------- c:\program files\Safer Networking
2009-02-08 22:00 . 2009-02-08 22:00 <DIR> d-------- C:\rsit
2009-02-08 20:07 . 2009-02-08 20:07 <DIR> d-------- c:\program files\Elaborate Bytes
2009-02-08 19:51 . 2009-02-08 19:51 <DIR> d-------- c:\program files\MSXML 4.0
2009-02-03 20:08 . 2009-02-03 20:08 <DIR> d-------- c:\documents and settings\user\Application Data\SolidWorks 2008
2009-02-03 20:00 . 2009-02-03 23:01 <DIR> d-------- c:\documents and settings\user\Application Data\SolidWorks
2009-02-03 18:19 . 2009-02-03 18:34 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Winamp
2009-02-03 17:52 . 2009-02-03 17:52 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-03 17:47 . 2009-02-03 17:48 <DIR> d-------- c:\documents and settings\Administrator
2009-02-03 17:25 . 2009-02-03 17:25 23 --ah----- c:\windows\yacht.xws
2009-02-03 17:22 . 2009-02-03 17:22 <DIR> d-------- c:\windows\system32\GroupPolicy
2009-02-03 17:22 . 2009-02-03 20:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\SolidWorks
2009-02-03 17:19 . 2009-02-03 17:19 <DIR> d-------- c:\program files\SolidWorks Viewer
2009-02-03 17:16 . 2009-02-03 17:16 <DIR> d-------- c:\program files\Windows Desktop Search
2009-02-03 17:15 . 2009-02-03 20:00 <DIR> d-------- c:\program files\SolidWorks
2009-02-03 17:14 . 2009-02-03 17:14 <DIR> d-------- c:\program files\Document Manager
2009-02-03 17:12 . 2009-02-03 17:23 <DIR> d-------- c:\program files\Common Files\SolidWorks Shared
2009-02-03 17:12 . 2009-02-03 17:22 <DIR> d-------- c:\program files\Common Files\eDrawings2008
2009-02-03 17:12 . 2009-02-03 17:12 0 --a------ c:\windows\eDrawingOfficeAutomator.INI
2009-02-03 17:11 . 2009-02-03 20:06 <DIR> d-------- c:\program files\DWGeditor
2009-02-03 17:11 . 2009-02-03 17:11 <DIR> d-------- c:\documents and settings\user\Application Data\DWGeditor
2009-02-03 16:08 . 2009-02-03 17:22 <DIR> d-------- C:\SolidWorks Data
2009-02-03 16:04 . 2009-02-03 16:05 <DIR> d-------- c:\program files\Common Files\SolidWorks Installation Manager
2009-02-03 16:03 . 2009-02-03 16:09 <DIR> d-------- c:\windows\SolidWorks
2009-02-03 16:03 . 2009-02-03 20:02 <DIR> d-------- c:\documents and settings\user\Application Data\IM
2009-02-03 15:53 . 2009-02-03 15:53 <DIR> d-------- c:\program files\Classic Menu for Office
2009-02-03 15:53 . 2009-02-16 16:54 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-02-03 15:35 . 2009-02-03 15:35 <DIR> d-------- c:\documents and settings\user\workspace
2009-02-03 15:31 . 2009-02-03 16:31 <DIR> d-------- c:\windows\SxsCaPendDel
2009-02-03 15:25 . 2009-02-17 17:19 <DIR> d-------- c:\program files\eclipse
2009-01-20 20:33 . 2009-01-20 20:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-01-20 20:32 . 2008-08-05 20:10 1,684,736 --a------ c:\windows\system32\drivers\Ambfilt.sys
2009-01-20 20:32 . 2006-01-04 15:41 1,389,056 --a------ c:\windows\system32\drivers\Monfilt.sys
2009-01-20 20:32 . 2008-10-23 17:42 290,816 --a------ c:\windows\vncutil.exe
2009-01-20 20:32 . 2008-06-24 14:46 104,992 --a------ c:\windows\RtkAudioService.exe
2009-01-20 20:32 . 2009-01-05 16:16 34,816 --a------ c:\windows\system32\RtkCoInstXP.dll
2009-01-20 18:21 . 2009-01-20 18:21 <DIR> d-------- c:\program files\Avanquest update
2009-01-20 18:21 . 2009-01-20 18:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\BVRP Software
2009-01-20 18:20 . 2009-01-20 18:20 <DIR> d-------- c:\program files\Sony Ericsson
2009-01-20 18:20 . 2009-01-20 18:20 <DIR> d-------- c:\documents and settings\user\Application Data\InstallShield
2009-01-20 18:20 . 2009-01-20 18:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sony Ericsson
2009-01-20 18:20 . 2008-05-16 12:33 120,744 --a------ c:\windows\system32\drivers\s0016mdm.sys
2009-01-20 18:20 . 2008-05-16 12:33 89,256 --a------ c:\windows\system32\drivers\s0016bus.sys
2009-01-20 18:20 . 2008-05-16 12:33 15,016 --a------ c:\windows\system32\drivers\s0016mdfl.sys
2009-01-20 18:20 . 2008-05-16 12:33 12,200 --a------ c:\windows\system32\drivers\s0016whnt.sys
2009-01-20 18:20 . 2008-05-16 12:33 12,200 --a------ c:\windows\system32\drivers\s0016wh.sys
2009-01-20 18:20 . 2008-05-16 12:33 12,200 --a------ c:\windows\system32\drivers\s0016cmnt.sys
2009-01-20 18:20 . 2008-05-16 12:33 12,200 --a------ c:\windows\system32\drivers\s0016cm.sys
2009-01-20 17:50 . 2009-01-20 17:50 <DIR> d-------- c:\windows\Downloaded Installations
2009-01-20 17:49 . 2009-01-20 17:49 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-20 17:49 . 2009-01-20 17:49 1,409 --a------ c:\windows\QTFont.for
2009-01-20 13:14 . 2009-01-20 13:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-20 13:14 . 2009-01-20 13:14 <DIR> d-------- c:\documents and settings\user\Application Data\Malwarebytes
2009-01-20 13:14 . 2009-01-20 13:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-20 13:14 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-20 13:14 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-18 22:18 . 2009-01-18 22:18 0 --a------ c:\windows\LCDMedia.INI
2009-01-18 22:13 . 2009-01-18 22:13 <DIR> d-------- c:\program files\ERUNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-16 08:31 --------- d-----w c:\program files\Google
2009-02-16 08:25 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-16 08:24 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-11 06:27 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-03 09:22 --------- d-----w c:\program files\AGEIA Technologies
2009-01-20 10:21 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-13 17:23 --------- d-----w c:\program files\Trend Micro
2009-01-13 07:00 --------- d-----w c:\program files\Notepad++
2009-01-13 07:00 --------- d-----w c:\documents and settings\user\Application Data\Notepad++
2009-01-12 15:24 --------- d-----w c:\program files\Reference Assemblies
2009-01-12 15:19 --------- d-----w c:\program files\MSECache
2009-01-12 14:19 --------- d-----w c:\program files\PowerISO
2009-01-12 13:43 --------- d-----w c:\program files\Web Publish
2009-01-12 03:20 --------- d-----w c:\program files\NOS
2009-01-12 03:20 --------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-01-11 18:17 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-01-11 18:17 --------- d-----w c:\program files\Common Files\Adobe
2009-01-09 14:17 --------- d-----w c:\program files\CDisplay
2009-01-09 03:07 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-01-09 03:07 --------- d-----w c:\program files\Java
2009-01-09 02:54 --------- d-----w c:\documents and settings\user\Application Data\CyberLink
2009-01-09 02:54 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2009-01-07 17:35 --------- d-----w c:\program files\Project64 1.6
2009-01-07 17:03 --------- d-----w c:\program files\MagicDVDRipper
2009-01-07 15:14 --------- d-----w c:\program files\Karen's Power Tools
2009-01-07 15:14 --------- d-----w c:\documents and settings\All Users\Application Data\Karen's Power Tools
2009-01-07 14:12 --------- d-----w c:\program files\Nidesoft Studio
2009-01-07 13:58 --------- d-----w c:\program files\Aglare DVD to AVI WMV MP4 MPEG Converter
2009-01-07 02:12 --------- d-----w c:\program files\Easy MPEG AVI DIVX WMV RM to DVD
2009-01-06 11:00 4,968,448 ----a-w c:\windows\system32\drivers\RtkHDAud.sys
2009-01-01 08:23 --------- d-----w c:\program files\McAfee
2009-01-01 08:19 --------- d-----w c:\program files\FFXiBench3
2009-01-01 07:54 --------- d-----w c:\documents and settings\user\Application Data\mjusbsp
2008-12-30 23:10 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-12-30 06:58 18,082,304 ----a-w c:\windows\RTHDCPL.EXE
2008-12-30 06:47 --------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-12-30 06:47 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2008-12-29 06:00 --------- d-----w c:\program files\Transparent
2008-12-29 05:47 --------- d-----w c:\documents and settings\user\Application Data\Winamp
2008-12-29 04:36 --------- d-----w c:\documents and settings\user\Application Data\DivX
2008-12-29 03:53 --------- d-----w c:\program files\Common Files\LightScribe
2008-12-29 03:51 --------- d-----w c:\program files\Common Files\Ahead
2008-12-29 03:51 --------- d-----w c:\program files\Ahead
2008-12-29 03:50 --------- d-----w c:\program files\CyberLink DVD Solution
2008-12-29 03:49 --------- d-----w c:\program files\CyberLink
2008-12-29 03:48 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-29 03:18 --------- d-----w c:\program files\MSBuild
2008-12-29 03:18 --------- d-----w c:\program files\Microsoft Works
2008-12-29 03:08 --------- d-----w c:\program files\Alcohol Soft
2008-12-29 02:49 --------- d-----w c:\program files\PlayOnline
2008-12-28 06:57 --------- d-----w c:\program files\Common Files\McAfee
2008-12-28 06:57 --------- d-----w c:\documents and settings\All Users\Application Data\OrbNetworks
2008-12-28 06:47 --------- d-----w c:\program files\Winamp Toolbar
2008-12-28 06:47 --------- d-----w c:\program files\Winamp Remote
2008-12-28 06:47 --------- d-----w c:\program files\Winamp
2008-12-28 06:47 --------- d-----w c:\documents and settings\All Users\Application Data\Winamp Toolbar
2008-12-28 06:42 --------- d-----w c:\program files\DivX
2008-12-28 06:32 --------- d-----w c:\program files\McAfee.com
2008-12-28 05:54 --------- d-----w c:\program files\Logitech
2008-12-28 05:54 --------- d-----w c:\documents and settings\All Users\Application Data\Logitech
2008-12-28 03:36 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-28 03:31 --------- d-----w c:\program files\Intel
2008-12-28 03:30 --------- d-----w c:\program files\Realtek
2008-12-28 03:24 --------- d-----w c:\program files\microsoft frontpage
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-11-21 21:47 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-11-21 21:47 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-11-21 21:47 129,784 ------w c:\windows\system32\pxafs.dll
2008-11-21 21:47 120,056 ------w c:\windows\system32\pxcpyi64.exe
2008-11-21 21:47 118,520 ------w c:\windows\system32\pxinsi64.exe
2008-11-21 21:46 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-11-21 21:46 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-11-21 21:44 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 21:44 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2006-06-24 06:48 32,768 ----a-r c:\windows\inf\UpdateUSB.exe
2004-10-01 23:00 40,960 ----a-w c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((( SnapShot_2009-02-16_16.35.29.35 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-16 08:32:22 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-17 08:22:03 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-16 08:32:22 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-17 08:22:03 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-16 08:30:45 75,414 ----a-w c:\windows\system32\perfc009.dat
+ 2009-02-17 08:21:12 75,414 ----a-w c:\windows\system32\perfc009.dat
- 2009-02-16 08:30:45 456,634 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-17 08:21:12 456,634 ----a-w c:\windows\system32\perfh009.dat
+ 2009-02-17 08:16:39 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_bc0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\user\Application Data\mjusbsp\cdloader2.exe" [2008-12-18 50520]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-13 86016]
"Launch LGDCore"="c:\program files\Logitech\G-series Software\LGDCore.exe" [2006-03-06 1122304]
"Launch LCDMon"="c:\program files\Logitech\G-series Software\LCDMon.exe" [2006-03-06 497152]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2008-07-12 641208]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-04 36352]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-07-08 1397760]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-10 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-09 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Google IME Autoupdater"="c:\program files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2008-10-17 308720]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-13 13672448]
"RegKillElbyCheck"="c:\program files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" [2002-11-02 45056]
"RegKillTray"="c:\program files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe" [2002-11-28 49152]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-02-08 30192]
"nwiz"="nwiz.exe" [2008-11-13 c:\windows\system32\nwiz.exe]

c:\documents and settings\user\Start Menu\Programs\Startup\
SolidWorks Task Scheduler Engine.lnk - c:\program files\SolidWorks\swScheduler\swBOEngine.exe [2007-09-09 488728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 21:42 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-11-13 06:54 13672448 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-03-15 07:50 233472 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SolidWorks_CheckForUpdates]
-ra------ 2007-09-10 14:15 6460696 c:\program files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\alcmtr]
--a------ 2008-06-19 16:20 57344 c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-11-13 06:54 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rthdcpl]
--a------ 2008-12-30 14:58 18082304 c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\user\\Application Data\\mjusbsp\\magicJack.exe"=

R2 mcafee siteadvisor service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-12-30 206096]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2008-12-28 36864]
R3 RegKill;RegKill;c:\windows\system32\drivers\RegKill.sys [2002-11-28 6400]
S2 gupdate1c989fb9fbc9a4;Google Update Service (gupdate1c989fb9fbc9a4);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-08 133104]
S3 getplus(r) helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe --> c:\program files\NOS\bin\getPlus_HelperSvc.exe [?]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-02-08 30192]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2009-01-20 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2009-01-20 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2009-01-20 120744]
.
Contents of the 'Scheduled Tasks' folder

2009-02-17 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-08 22:39]

2008-12-28 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-10 10:10]

2008-12-31 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-10 10:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: e&xport to microsoft excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {06D3657C-3AB2-4B4B-9116-79D53A357EEF} = 168.95.192.1 168.95.1.1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-17 19:33:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-17 19:34:54
ComboFix-quarantined-files.txt 2009-02-17 11:34:52
ComboFix2.txt 2009-02-16 08:36:12
ComboFix3.txt 2009-02-11 06:22:42
ComboFix4.txt 2009-02-03 14:36:11
ComboFix5.txt 2009-02-17 11:31:43

Pre-Run: 68,071,436,288 bytes free
Post-Run: 68,106,989,568 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
282 --- E O F --- 2009-02-11 06:28:25


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-17 19:47:07
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB6DCC9CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xB6DCCA61]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB6DCCA75]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB6DCCAA1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB6DCCB0F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB6DCCAF9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB6DCCA0A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB6DCCB3B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB6DCCA4D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB6DCC950]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB6DCC964]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB6DCC9DE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB6DCCB77]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB6DCCAE3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB6DCCACD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB6DCCA8B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB6DCCB63]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB6DCCB4F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB6DCC9B6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB6DCC9A2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xB6DCCAB7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB6DCCA39]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB6DCCB25]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB6DCCA20]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB6DCC9F4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP B6DCC9F8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP B6DCC9CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP B6DCCA0E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP B6DCCA24 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP B6DCC9E2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP B6DCC954 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP B6DCC968 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP B6DCC9A6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP B6DCC9BA \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP B6DCCA3D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219CA 7 Bytes JMP B6DCCAD1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D18 7 Bytes JMP B6DCCABB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622042 7 Bytes JMP B6DCCB29 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 806228E0 7 Bytes JMP B6DCCAE7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231B4 7 Bytes JMP B6DCCA8F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 80623792 5 Bytes JMP B6DCCA65 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C22 7 Bytes JMP B6DCCA79 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623DF2 7 Bytes JMP B6DCCAA5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FD2 7 Bytes JMP B6DCCB13 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062423C 7 Bytes JMP B6DCCAFD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B64 5 Bytes JMP B6DCCA51 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624E8A 7 Bytes JMP B6DCCB7B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8062514A 5 Bytes JMP B6DCCB53 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062583E 5 Bytes JMP B6DCCB67 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625958 5 Bytes JMP B6DCCB3F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0007000A
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070F94
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070FA5
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070089
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0007006C
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070040
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F72
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070F83
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070F2B
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F3C
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00070F10
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0007005B
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 000700A4
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00070025
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[828] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00070F61
.text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0006002C
.text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 0006004E
.text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00060011
.text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00060F9B
.text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00060FB6
.text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 26, 88 ]
.text C:\WINDOWS\system32\services.exe[828] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 0006003D
.text C:\WINDOWS\system32\services.exe[828] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FE5
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F90FEF
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F90F5E
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F90053
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F90F79
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F90036
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F90FA5
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F90F2F
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F90075
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F900C8
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F900AD
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00F90F1E
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00F90F94
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00F9000A
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00F90064
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00F90FCA
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00F9001B
.text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00F9009C
.text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00F80FCA
.text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00F80F8A
.text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00F80FE5
.text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00F8001B
.text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00F80047
.text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00F80000
.text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00F8002C
.text C:\WINDOWS\system32\lsass.exe[840] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00F80FAF
.text C:\WINDOWS\system32\lsass.exe[840] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F60FEF
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 024F0FEF
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 024F0F61
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 024F0F86
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 024F0060
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 024F0039
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 024F0FB2
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 024F0F46
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 024F0098
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 024F0F06
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 024F00A9
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 024F0EEB
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 024F0F97
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 024F0FD4
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 024F0071
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 024F0FC3
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 024F000A
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 024F0F35
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 024E0FAF
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 024E0F54
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 024E0FCA
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 024E0000
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 024E001B
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 024E0FE5
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 024E0F79
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 6E, 8A ]
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 024E0F9E
.text C:\WINDOWS\system32\svchost.exe[1012] WS2_32.dll!socket 71AB4211 5 Bytes JMP 024A0FEF
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EC0FEF
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EC005D
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EC0042
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EC0031
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EC0F68
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EC0F8D
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EC0089
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EC0078
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EC0EF0
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EC0F0B
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00EC00AE
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00EC0014
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00EC0FDE
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00EC0F4D
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00EC0F9E
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00EC0FB9
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00EC0F26
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00EB0033
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00EB006C
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00EB0022
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00EB0011
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00EB0FA5
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00EB0000
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00EB0FC0
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 0B, 89 ]
.text C:\WINDOWS\system32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00EB0FD1
.text C:\WINDOWS\system32\svchost.exe[1080] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E90000
.text C:\WINDOWS\System32\svchost.exe[1176] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 033E0000
.text C:\WINDOWS\System32\svchost.exe[1176] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 033E0082
.text C:\WINDOWS\System32\svchost.exe[1176] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 033E0071
.text C:\WINDOWS\System32\svchost.exe[1176] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 033E0F97
.text C:\WINDOWS\System32\svchost.exe[1176] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 033E0FA8
.text C:\WINDOWS\System32\svchost.exe[1176] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 033E0FB9
.text C:\WINDOWS\System32\svchost.exe[1176] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 033E00AE
.text C:\WINDOWS\System32\svchost.exe[1176] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 033E0F72
.text C:\WINDOWS\System32\svchost.exe[1176] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 033E0F37
.text C:\WINDOWS\System32\svchost.exe[1176] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 033E00DA
.text C:\WINDOWS\System32\svchost.exe[1176] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 033E00EB
.text C:\WINDOWS\System32\svchost.exe[1176] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 033E0040
.text C:\WINDOWS\System32\svchost.exe[1176] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 033E0FDB
.text C:\WINDOWS\System32\svchost.exe[1176] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 033E009D
.text C:\WINDOWS\System32\svchost.exe[1176] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 033E0FCA
.text C:\WINDOWS\System32\svchost.exe[1176] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 033E001B
.text C:\WINDOWS\System32\svchost.exe[1176] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 033E00BF
.text C:\WINDOWS\System32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 03360025
.text C:\WINDOWS\System32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 03360F94
.text C:\WINDOWS\System32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 03360FD4
.text C:\WINDOWS\System32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 03360000
.text C:\WINDOWS\System32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 03360051
.text C:\WINDOWS\System32\svchost.exe[1176] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 03360FE5
.text C:\WINDOWS\System32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 03360FAF
.text C:\WINDOWS\System32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 56, 8B ]
.text C:\WINDOWS\System32\svchost.exe[1176] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 03360036
.text C:\WINDOWS\System32\svchost.exe[1176] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03330FE5
.text C:\WINDOWS\System32\svchost.exe[1176] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 03370FE5
.text C:\WINDOWS\System32\svchost.exe[1176] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 03370FD4
.text C:\WINDOWS\System32\svchost.exe[1176] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 0337000A
.text C:\WINDOWS\System32\svchost.exe[1176] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 03370025
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00810FEF
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00810F30
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00810025
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00810F4B
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00810F72
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00810F94
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0081005D
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00810F15
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00810EC4
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00810EDF
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00810078
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00810F83
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00810FCA
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00810040
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 0081000A
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00810FB9
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00810EFA
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00800025
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 0080004A
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00800014
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00800FD4
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00800F8D
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00800FE5
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00800F9E
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ A0, 88 ]
.text C:\WINDOWS\system32\svchost.exe[1360] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00800FB9
.text C:\WINDOWS\system32\svchost.exe[1360] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007E000A
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C70FE5
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C70F77
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C70F88
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C70F99
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C70062
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C70036
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C70F4B
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C70F5C
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C700C9
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C70F30
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00C700E4
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00C70047
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00C70000
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00C7007D
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00C70FC0
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00C70011
.text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00C700A4
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00A10FA5
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00A10047
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00A10000
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00A10FD4
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00A1002C
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00A10FE5
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00A10F8A
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ C1, 88 ]
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00A10011
.text C:\WINDOWS\system32\svchost.exe[1452] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009F000A
.text C:\WINDOWS\system32\svchost.exe[1452] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00A20FEF
.text C:\WINDOWS\system32\svchost.exe[1452] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00A2000A
.text C:\WINDOWS\system32\svchost.exe[1452] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00A20025
.text C:\WINDOWS\system32\svchost.exe[1452] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00A20040
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[3388] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041BF60 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[3388] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041BFE0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\SearchIndexer.exe[3980] kernel32.dll!WriteFile 7C810E17 7 Bytes JMP 00F31B19 C:\WINDOWS\system32\mssrch.dll (mssrch.lib/Microsoft Corporation)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxyxyuhkkv.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@userdata -1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxyxyuhkkv.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxrqvqatnc.dll

---- EOF - GMER 1.0.14 ----

jvanosda
2009-02-17, 14:04
Sorry, the post was too long, so here is my HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:49:10 PM, on 2/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\winamp toolbar\WinampTbServer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google IME Autoupdater] "C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RegKillTray] "C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\user\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SolidWorks Task Scheduler Engine.lnk = C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: e&xport to microsoft excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra button: Research - {92780b25-18cc-41c8-b9be-3c9c571a8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230435719625
O16 - DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?AuthParam=1231470670_081cb8023912a2a375f10ef7097d378b&GroupName=JSC&FilePath=/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab&File=jinstall-6u11-windows-i586-jc.cab&BHost=javadl.sun.com
O16 - DPF: {cf40acc5-e1bb-4aff-ac72-04c2f616bca7} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{06D3657C-3AB2-4B4B-9116-79D53A357EEF}: NameServer = 168.95.192.1 168.95.1.1
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: getPlus(R) Helper (getplus(r) helper) - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c989fb9fbc9a4) (gupdate1c989fb9fbc9a4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (incdsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (lightscribeservice) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service (mcafee siteadvisor service) - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

--
End of file - 10714 bytes

Shaba
2009-02-17, 18:37
Yes, it didn't work, so we try the manual way.

Go to start - run

Type regedit and click ok.

Browse to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services

Locate gaopdxserv.sys, right-click it and choose delete.

Re-run gmer and post back a fresh gmer log, please.

jvanosda
2009-02-18, 09:01
It won't let me delete it. It says "Cannot delete gaopdxserv.sys: Error while deleting key."
Also, when I go to regedit, it doesn't show subfolders or anything other than default. When I open it in gmer, it shows a ref folder named "modules" and has a group, imagepath, start, type, and userdata column under name, as well as gaopdlx and gaopdxserv registries. I also did a search for all gao* files, and it shows them all in QooBox quarantine.
Also when I did some research, I found the registry issues dealing with this file. On the Malwarebytes forums, the user used Rootrepeal to remove it from the registry. I'm not planning on doing this, just figured I would let you know about what I found out.

Shaba
2009-02-18, 20:17
Well, first of all, a key without files isn't dangerous.

Please try this (http://technet.microsoft.com/en-us/library/cc786173.aspx) next. After taking ownership, attempt again to delete that key. Let me know how it went.

jvanosda
2009-02-21, 09:37
It still tells me that there was an error when I try to delete the key. When I attempt to take ownership of just the key, it allows that, but won't allow deletion. When I attempt to change permission using the checkbox "Replace owner on subcontainers and object", it tells me access is denied.

Shaba
2009-02-21, 10:24
Please try then first to take ownership of any subkeys and then of the parent key.

jvanosda
2009-02-21, 20:29
I can't see the subfolders when using regedit, only when using gmer to look at the registry. Then it shows the subfolder; regedit does not show the subfolder or all the other registry entries for that registry item. I can take a screenshot for you and post it to compare the differences if you would like.

Shaba
2009-02-21, 20:33
So let's then try this:


Go here (http://www.microsoft.com/downloads/details.aspx?familyid=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en) and download subinacl.msi
Double click on subinacl.msi to start the installation of Subinacl
Click Next>
Select I accept and click Next>
Click browse
From the drop down menu select C:\
Double click on WINDOWS and then system32
Click OK
Click Install now
Click Finish


Copy text below to Notepad and save it as remgaopdxserv.bat (save it as all files, *.*)

@echo off
FOR %%R IN (
"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gaopdxserv.sys"
) Do (
subinacl.exe /subkeyreg %%R /setowner=%username% /grant=%username%=F
reg delete %%R /f
)

It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/bat.JPG

Double-click remgaopdxserv.bat; a black DOS window will flash, that's normal.

Let me know if gmer still finds it.
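
An added example of my own, not a tool from this thread or from GMER: it parses the Registry section of a GMER log like the one posted earlier, flags service entries showing the gaopdxserv.sys pattern (a type 1 / start 1 driver whose modules subkey points at \\?\globalroot paths and a DLL), and writes out a removal batch in the same shape as the subinacl script above. The sample log text is constructed to mirror those entries; ExampleSvc is a made-up name.

```python
import re

# Constructed sample mirroring the GMER 1.0.14 Registry section above; ExampleSvc is made up for contrast.
SAMPLE_GMER_LOG = r"""
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxyxyuhkkv.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxyxyuhkkv.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxrqvqatnc.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ExampleSvc@start 3
"""

# GMER writes "Reg <key>[@<value name>] [<data>]"; the key paths it prints carry no spaces.
REG_LINE = re.compile(r"^Reg\s+(?P<key>[^@\s]+)(?:@(?P<name>\S+))?(?:\s+(?P<data>.*))?$")
SERVICE_KEY = re.compile(
    r"^(?P<root>HKLM\\SYSTEM\\ControlSet\d+\\Services\\)(?P<svc>[^\\]+)(?:\\(?P<sub>.+))?$", re.I)

def parse_services(log_text):
    """Group Reg lines under the Services key: {service_key: {"values": {}, "modules": {}}}."""
    services = {}
    for line in log_text.splitlines():
        m = REG_LINE.match(line.strip())
        k = SERVICE_KEY.match(m["key"]) if m else None
        if not k:
            continue
        entry = services.setdefault(k["root"] + k["svc"], {"values": {}, "modules": {}})
        if m["name"] is None:
            continue  # bare subkey line (the "modules" key itself) carries no value
        bucket = entry["modules"] if (k["sub"] or "").lower() == "modules" else entry["values"]
        bucket[m["name"].lower()] = m["data"] or ""
    return services

def suspicious_reasons(entry):
    """Heuristics drawn from the gaopdxserv.sys entries in this thread; returns the hits."""
    reasons, values, modules = [], entry["values"], entry["modules"]
    if values.get("type") == "1" and values.get("start") == "1":
        reasons.append("kernel driver (type 1) loaded at system start (start 1)")
    if any("\\\\?\\globalroot\\" in d.lower() for d in modules.values()):
        reasons.append("'modules' subkey references \\\\?\\globalroot paths")
    if any(d.lower().endswith(".dll") for d in modules.values()):
        reasons.append("driver service also registers a user-mode DLL")
    return reasons

def flag_services(log_text):
    """{service_key: [reasons]} for every service entry that trips at least one heuristic."""
    found = {k: suspicious_reasons(e) for k, e in parse_services(log_text).items()}
    return {k: r for k, r in found.items() if r}

def build_removal_batch(service_keys):
    """Emit a .bat in the same shape as the subinacl/reg delete script posted in this thread."""
    lines = ["@echo off", "FOR %%R IN ("]
    for key in service_keys:
        full = "HKEY_LOCAL_MACHINE" + key[4:] if key.upper().startswith("HKLM\\") else key
        lines.append(f'"{full}"')  # subinacl and reg both take the long hive name
    lines += [") Do (", "subinacl.exe /subkeyreg %%R /setowner=%username% /grant=%username%=F",
              "reg delete %%R /f", ")"]
    return "\n".join(lines) + "\n"
```

Run flag_services(SAMPLE_GMER_LOG) and hand the result to build_removal_batch to get the batch text; on a real log, check each flagged key by hand first, since the heuristics cover only the pattern this one sample shows.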

jvanosda
2009-02-24, 05:41
No, I don't see the gaop* root in my regedit or gmer registry anymore :D

Shaba
2009-02-24, 07:07
Great :)

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select ''Run as administrator'' to perform this scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.

If you need a tutorial, see here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif)

Shaba
2009-03-01, 12:02
Due to the lack of feedback this Topic is closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.