2 infected computers with unpredictable behaviour

Hello,
After surfing the site below:
www.davosstudio.com/Animal%20Protection/Teghut/Animals%20and%20Birds.htm
my PCs started to behave unpredictably.

I lost the mouse and different windows started to pop up randomly.
I had to shut down the PCs.
I was able to use the PCs for 10 min after I rebooted, and then the same behaviour started again.
Please help.
See the attached HijackThis log file below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:21:24 PM, on 2/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD7/JSCDL/jdk/6u12-b04/jinstall-6u12-windows-i586-jc.cab?e=1234754906184&h=e70087987fa6875b61531888006694f3/&filename=jinstall-6u12-windows-i586-jc.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 9841 bytes


Robert.
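As an added example (it is not part of the original thread and not a HijackThis component), here is a small Python triage script for the log format posted above. It parses the O2/O3 (BHO and toolbar), O4 (autostart), O16 (ActiveX download) and O23 (service) lines and applies the checks a helper otherwise does by eye: Run-key entries that launch a bare filename and so depend on the PATH search, binaries outside Windows or Program Files or in user-writable folders, ActiveX downloads from hosts off an allowlist, and services with no publisher recorded. The allowlist of download hosts and the sample lines marked constructed are assumptions made for the demo; the remaining sample lines are copied from the log above (the Sun download URL shortened).

```python
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")  # where installed software normally lives on XP
USER_WRITABLE_HINTS = ("\\temp\\", "\\documents and settings\\", "\\application data\\")  # folders any user process can write
DPF_HOST_SUFFIXES = ("sun.com", "java.com", "microsoft.com", "windowsupdate.com", "adobe.com")  # constructed O16 allowlist
LINE_RE = re.compile(r"^(O\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
DRIVE_PATH_RE = re.compile(r'([A-Za-z]:\\.+?\.(?:exe|dll|cpl|scr|com|bat))(?=[\s,"]|$)', re.I)  # unquoted path, first ext
RUN_RE = re.compile(r"^(\S+?)\\\.\.\\(\w+): \[([^\]]*)\]\s*(.*)$")        # HKLM\..\Run: [value name] command line
SERVICE_RE = re.compile(r"^Service: (.*?) - (.*?) - ([A-Za-z]:\\.*)$")  # display name - company - image path


@dataclass
class Entry:
    code: str
    name: str = ""
    target: str = ""          # image path for O2/O3/O4/O23, download URL for O16
    flags: list = field(default_factory=list)


def _dpf_host_ok(host):
    # An O16 download host is acceptable only if it is a name (not an IP) on the allowlist.
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return any(host == s or host.endswith("." + s) for s in DPF_HOST_SUFFIXES)


def _program_of(cmd):
    # Return (program, is_bare) for a Run-key command line: quoted path, unquoted path, or bare name.
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]), False
    m = DRIVE_PATH_RE.match(cmd)
    if m:
        return m.group(1), False
    return (cmd.split(None, 1)[0] if cmd else ""), True


def _check_path(entry, path, bare=False):
    entry.target = path
    low = path.lower()
    if bare:
        entry.flags.append("bare filename: resolved through PATH search, location not pinned")
        return
    if not low.startswith(TRUSTED_ROOTS):
        entry.flags.append("binary outside Windows / Program Files")
    if any(h in low for h in USER_WRITABLE_HINTS):
        entry.flags.append("binary in a user-writable location")


def parse_line(line):
    """Parse one HijackThis O-line into an Entry carrying triage flags; None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, rest = m.groups()
    entry = Entry(code=code)
    cm = CLSID_RE.search(rest)
    if code in ("O2", "O3") and cm:                  # BHO/Toolbar: name - {CLSID} - dll
        entry.name = rest[:cm.start()].strip(" -").split(": ", 1)[-1]
        _check_path(entry, rest[cm.end():].strip(" -"))  # anchor on the CLSID: paths may contain " - "
        if entry.name.lower() == "(no name)":
            entry.flags.append("unnamed browser extension")
    elif code == "O4":                               # autostart entries
        if rest.startswith(("Startup: ", "Global Startup: ")):
            entry.name, _, target = rest.partition(" = ")
            _check_path(entry, target.strip())
        elif (rm := RUN_RE.match(rest)):
            _hive, _key, entry.name, cmd = rm.groups()
            _check_path(entry, *_program_of(cmd))
    elif code == "O16":                              # ActiveX download: {CLSID} (name) - url
        entry.name, _, url = rest.rpartition(" - ")
        entry.target = url.strip()
        if not _dpf_host_ok((urlparse(entry.target).hostname or "").lower()):
            entry.flags.append("ActiveX download from a host outside the allowlist")
    elif code == "O23" and (sm := SERVICE_RE.match(rest)):
        entry.name, company, path = sm.groups()
        if company.lower().startswith("unknown owner"):
            entry.flags.append("service with no publisher recorded")
        _check_path(entry, path)
    return entry


def triage(log_text):
    return [e for e in (parse_line(l) for l in log_text.splitlines()) if e]


def flagged(entries):
    return [e for e in entries if e.flags]


# Lines 1, 3, 4, 6 and 8 are copied from the log above; lines 2, 5, 7 and 9 are constructed for the demo.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\rndhelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [svchosts] C:\Documents and Settings\user\Local Settings\Temp\svchosts.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD7/JSCDL/jdk/6u12-b04/jinstall-6u12-windows-i586-jc.cab
O16 - DPF: {00000000-0000-0000-0000-000000000002} (Video Codec) - http://198.51.100.7/codec.cab
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: Sys Helper (syshelp) - Unknown owner - C:\Documents and Settings\user\syshelp.exe
"""
```

Run over the full log posted above, the only hits are the Run entries that launch a bare filename (SOUNDMAN.EXE, nwiz.exe, RUNDLL32.EXE), which tells you where to look rather than that anything is wrong: a script like this narrows the list, and a person still has to confirm each hit, which is how the log is handled in the replies.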

Comments

  • edited February 2009
    Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

    If you think you have similar problems, please post a log in the HJT forum and wait for help.

    My name is Katana and I will be helping you to remove any infection(s) that you may have.

    Please observe these rules while we work:
    1. Please Read All Instructions Carefully
    2. If you don't understand something, stop and ask! Don't keep going on.
    3. Please do not run any other tools or scans whilst I am helping you
    4. Please continue to respond until I give you the "All Clear"
      (Just because you can't see a problem doesn't mean it isn't there)

    If you can do those few things, everything should go smoothly.

    Please Note, your security programs may give warnings for some of the tools I will ask you to use.
    Be assured, any links I give are safe


    Hi Robert,

    There is nothing obvious showing there, so let's get a bit more info before we proceed.

    Download and Run RSIT
    • Please download Random's System Information Tool by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open:
      • log.txt will be opened maximized.
      • info.txt will be opened minimized.
    • Please post the contents of both log.txt and info.txt.
  • edited February 2009
    Katana wrote:
    My name is Katana and I will be helping you to remove any infection(s) that you may have.


    Please observe these rules while we work:
    1. Please Read All Instructions Carefully
    2. If you don't understand something, stop and ask! Don't keep going on.
    3. Please do not run any other tools or scans whilst I am helping you
    4. Please continue to respond until I give you the "All Clear"
      (Just because you can't see a problem doesn't mean it isn't there)
    If you can do those few things, everything should go smoothly.

    Please Note, your security programs may give warnings for some of the tools I will ask you to use.
    Be assured, any links I give are safe

    Hi Robert,

    There is nothing obvious showing there, so let's get a bit more info before we proceed.

    Download and Run RSIT
    • Please download Random's System Information Tool by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open:
      • log.txt will be opened maximized.
      • info.txt will be opened minimized.
    • Please post the contents of both log.txt and info.txt.


    Hello,

    see below:

    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Documents and Settings\Natuha & Kids\Desktop\RSIT.exe
    C:\Program Files\Trend Micro\HijackThis\Natuha & Kids.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD7/JSCDL/jdk/6u12-b04/jinstall-6u12-windows-i586-jc.cab?e=1234754906184&h=e70087987fa6875b61531888006694f3/&filename=jinstall-6u12-windows-i586-jc.cab
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    --
    End of file - 9820 bytes
    ======Scheduled tasks folder======
    C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    ======Registry dump======
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00C6482D-C502-44C8-8409-FCE54AD9C208}]
    HelperObject Class - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll [2006-03-14 49152]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
    Spybot-S&D IE Protection - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2009-01-26 1879896]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
    scriptproxy - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll [2006-11-30 67136]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2008-11-06 251504]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
    Adobe PDF Conversion Toolbar Helper - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2007-05-10 321120]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll [2008-11-06 657904]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
    Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll [2008-11-06 522224]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
    Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-02-15 35840]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
    JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-02-15 73728]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2008-11-06 251504]
    {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - SnagIt - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll [2006-03-14 131072]
    {47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll [2007-05-10 321120]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2004-02-26 65024]
    "SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2004-10-14 1404928]
    "RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2004-11-02 32768]
    "NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
    "NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-05-16 13529088]
    "nwiz"=nwiz.exe /install []
    "NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2008-05-16 86016]
    "QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-11-04 413696]
    "iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]
    "ShStatEXE"=C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE [2006-11-30 112216]
    "McAfeeUpdaterUI"=C:\Program Files\McAfee\Common Framework\UdaterUI.exe [2006-11-17 136768]
    "ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2008-03-13 919016]
    "Acrobat Assistant 8.0"=C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe [2008-10-14 623992]
    "SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-02-15 148888]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    SnagIt 8.lnk - C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
    C:\Documents and Settings\Natuha & Kids\Start Menu\Programs\Startup
    Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun"=145
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
    "C:\Program Files\McAfee\Common Framework\FrameworkService.exe"="C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"
    "C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7924468c-b744-11dd-b5bc-000cf18c130d}]
    shell\AutoRun\command - I:\LaunchU3.exe -a

    ======List of files/folders created in the last 1 months======
    2009-02-17 15:56:00 ----D---- C:\rsit
    2009-02-15 22:29:59 ----D---- C:\Documents and Settings\Natuha & Kids\Application Data\FastStone
    2009-02-15 22:29:52 ----D---- C:\Program Files\FastStone Image Viewer
    2009-02-15 22:27:55 ----D---- C:\WINDOWS\Sun
    2009-02-15 22:27:40 ----A---- C:\WINDOWS\system32\javaws.exe
    2009-02-15 22:27:40 ----A---- C:\WINDOWS\system32\javaw.exe
    2009-02-15 22:27:40 ----A---- C:\WINDOWS\system32\java.exe
    2009-02-15 22:27:40 ----A---- C:\WINDOWS\system32\deploytk.dll
    2009-02-15 22:27:15 ----D---- C:\Program Files\Java
    2009-02-15 22:26:39 ----D---- C:\Documents and Settings\Natuha & Kids\Application Data\Sun
    2009-02-15 22:19:38 ----D---- C:\Documents and Settings\Natuha & Kids\Application Data\WinRAR
    2009-02-15 22:18:56 ----D---- C:\Program Files\WinRAR
    2009-02-15 22:16:13 ----D---- C:\Program Files\Lavalys
    2009-02-15 16:41:50 ----D---- C:\System Volume Information
    2009-02-15 15:33:51 ----A---- C:\Win-Files.txt
    2009-02-15 15:28:09 ----D---- C:\WINDOWS\Prefetch
    2009-02-15 15:28:09 ----D---- C:\WINDOWS\Cookies
    2009-02-15 15:27:39 ----D---- C:\WINDOWS\Temporary Internet Files
    2009-02-15 15:27:38 ----D---- C:\WINDOWS\Temp
    2009-02-15 15:27:37 ----D---- C:\WINDOWS\Recent
    2009-02-15 15:27:34 ----D---- C:\WINDOWS\History
    2009-02-14 14:07:14 ----D---- C:\Program Files\Bonjour
    2009-02-12 03:01:01 ----HDC---- C:\WINDOWS\$NtUninstallKB960715$
    2009-02-08 17:42:34 ----D---- C:\IKEA
    ======List of files/folders modified in the last 1 months======
    2009-02-17 08:31:49 ----D---- C:\WINDOWS\Internet Logs
    2009-02-16 21:42:04 ----A---- C:\WINDOWS\SchedLgU.Txt
    2009-02-16 21:42:02 ----D---- C:\WINDOWS\system32\CatRoot2
    2009-02-15 22:29:52 ----RD---- C:\Program Files
    2009-02-15 22:27:55 ----D---- C:\WINDOWS
    2009-02-15 22:27:53 ----SD---- C:\WINDOWS\Downloaded Program Files
    2009-02-15 22:27:51 ----SHD---- C:\WINDOWS\Installer
    2009-02-15 22:27:40 ----D---- C:\WINDOWS\system32
    2009-02-15 21:58:13 ----D---- C:\Program Files\RegistryFix7
    2009-02-15 21:44:25 ----D---- C:\WINDOWS\system32\Restore
    2009-02-15 21:44:05 ----D---- C:\Program Files\Yahoo!
    2009-02-15 21:32:18 ----HD---- C:\WINDOWS\inf
    2009-02-15 21:24:21 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
    2009-02-15 21:23:56 ----D---- C:\Program Files\SpywareBlaster
    2009-02-15 21:20:53 ----D---- C:\Documents and Settings\All Users\Application Data\Yahoo!
    2009-02-15 21:20:30 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
    2009-02-15 21:20:29 ----SD---- C:\WINDOWS\Tasks
    2009-02-15 21:18:50 ----D---- C:\Documents and Settings\Natuha & Kids\Application Data\Yahoo!
    2009-02-15 21:13:37 ----D---- C:\Program Files\Spybot - Search & Destroy
    2009-02-15 17:14:38 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
    2009-02-15 17:14:37 ----D---- C:\WINDOWS\system32\drivers
    2009-02-15 15:37:25 ----SH---- C:\boot.ini
    2009-02-13 20:41:57 ----D---- C:\Robert
    2009-02-12 03:08:40 ----D---- C:\Program Files\Internet Explorer
    2009-02-12 03:01:00 ----HD---- C:\WINDOWS\$hf_mig$
    2009-02-12 03:00:58 ----A---- C:\WINDOWS\imsins.BAK
    2009-02-12 03:00:49 ----RSHDC---- C:\WINDOWS\system32\dllcache
    2009-02-12 03:00:34 ----D---- C:\WINDOWS\ie7updates
    2009-02-09 17:37:48 ----D---- C:\Isabella
    2009-02-09 17:37:47 ----A---- C:\WINDOWS\Debug.ini
    2009-02-09 17:37:47 ----A---- C:\LM9831Log.txt
    2009-02-09 17:37:46 ----A---- C:\WINDOWS\Temp.ini
    2009-02-09 17:37:28 ----A---- C:\WINDOWS\umaxuapi.ini
    2009-02-09 10:13:52 ----A---- C:\WINDOWS\nscstiu_error.txt
    2009-02-08 17:51:35 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
    2009-02-03 18:21:12 ----A---- C:\WINDOWS\system32\MRT.exe
    2009-01-30 16:06:54 ----D---- C:\QUARANTINE
    2009-01-25 16:55:12 ----D---- C:\Documents and Settings\Natuha & Kids\Application Data\Adobe
    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
    R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
    R1 KLIF;KLIF; C:\WINDOWS\system32\DRIVERS\klif.sys [2007-07-19 127768]
    R1 mfetdik;McAfee Inc.; C:\WINDOWS\system32\drivers\mfetdik.sys [2006-11-30 52136]
    R1 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2008-03-13 394952]
    R3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2003-03-04 145408]
    R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
    R3 mfeapfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeapfk.sys [2006-11-30 64360]
    R3 mfeavfk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfeavfk.sys [2006-11-30 72264]
    R3 mfebopk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfebopk.sys [2006-11-30 34152]
    R3 mfehidk;McAfee Inc.; C:\WINDOWS\system32\drivers\mfehidk.sys [2006-11-30 168776]
    R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-05-16 6557408]
    R3 senfilt;senfilt; C:\WINDOWS\system32\drivers\senfilt.sys [2004-09-17 732928]
    R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2005-01-27 260352]
    R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
    R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
    S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter; C:\WINDOWS\system32\DRIVERS\ADM8511.SYS [2001-08-17 20160]
    S3 ALCXSENS;Service for WDM 3D Audio Driver; C:\WINDOWS\system32\drivers\ALCXSENS.SYS [2004-02-24 400384]
    S3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-02-26 611820]
    S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
    S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
    R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
    R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
    R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-02-15 152984]
    R2 McAfeeFramework;McAfee Framework Service; C:\Program Files\McAfee\Common Framework\FrameworkService.exe [2006-11-17 104000]
    R2 McShield;McAfee McShield; C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe [2006-11-30 144960]
    R2 McTaskManager;McAfee Task Manager; C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe [2006-11-30 54872]
    R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
    R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-05-16 159812]
    R2 vsmon;TrueVector Internet Monitor; C:\WINDOWS\system32\ZoneLabs\vsmon.exe [2008-03-13 75304]
    R3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-01-11 654848]
    R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
    S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2008-11-03 72704]
    S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-06 137200]
    S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
    EOF


    info.txt logfile of random's system information tool 1.05 2009-02-17 15:56:21
    ======Uninstall list======
    -->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    Adobe Acrobat 8.1.3 Professional-->msiexec /I {AC76BA86-1033-F400-7760-000000000003}
    Adobe Bridge 1.0-->MsiExec.exe /I{B74D4E10-6884-0000-0000-000000000103}
    Adobe Common File Installer-->MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
    Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
    Adobe Help Center 1.0-->MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
    Adobe Media Player-->MsiExec.exe /X{C7888C3F-0506-555F-7907-CDD3F81719A5}
    Adobe Photoshop CS2-->msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
    Adobe Stock Photos 1.0-->MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
    Apple Mobile Device Support-->MsiExec.exe /I{EC4455AB-F155-4CC1-A4C5-88F3777F9886}
    Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
    Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
    EVEREST Ultimate Edition v4.20-->"C:\Program Files\Lavalys\EVEREST Ultimate Edition\unins000.exe"
    FastStone Image Viewer 3.6-->C:\Program Files\FastStone Image Viewer\uninst.exe
    Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_0C68A50B7874478D.exe" /uninstall
    Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
    HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
    Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
    IKEA Home Planner-->MsiExec.exe /I{E7310F2E-C551-4FAB-BA07-EAC2E158B1BB}
    Intel(R) PRO Network Adapters and Drivers-->Prounstl.exe
    iTunes-->MsiExec.exe /I{318AB667-3230-41B5-A617-CB3BF748D371}
    Java(TM) 6 Update 12-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216012FF}
    Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
    Math Success Elementary-->MsiExec.exe /X{4C975420-4971-41B0-9F07-65516105DE71}
    Math-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57229518-6EC8-4174-B16A-1514A4C9D964}\setup.exe" -l0x9 -removeonly
    McAfee VirusScan Enterprise-->MsiExec.exe /I{35C03C04-3F1F-42C2-A989-A757EE691F65}
    Microsoft .NET Framework (English) v1.0.3705-->C:\WINDOWS\Microsoft.NET\Framework\Install.exe /u /p Microsoft .NET Framework Full v1.0.3705 (1033)
    Microsoft .NET Framework (English)-->MsiExec.exe /X{B43357AA-3A6D-4D94-B56E-43C44D09E548}
    Microsoft .NET Framework 1.0 Hotfix (KB928367)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Updates\M928367\M928367Uninstall.msp"
    Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
    Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
    Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
    Microsoft Text-to-Speech Engine 4.0 (English)-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msTTSa22.inf, Uninstall
    Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
    Nero OEM-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
    NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
    PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
    QuickTime-->MsiExec.exe /I{F958CA02-BB40-4007-894B-258729456EE4}
    Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
    RegistryFix v7.0-->"C:\Program Files\RegistryFix7\unins000.exe"
    Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
    Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
    Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
    Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
    SnagIt 8-->MsiExec.exe /I{0AEA9ECE-2AD0-4DF0-932E-F0AC6B771749}
    SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\SETUP.exe" -l0x9 -removeonly
    Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
    SpywareBlaster 4.1-->"C:\Program Files\SpywareBlaster\unins000.exe"
    Ten Thumbs 4.1-->MsiExec.exe /I{CF4FC80D-B573-49B0-BDA6-4F169FFDD2AB}
    Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
    Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
    Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
    Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
    Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
    WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
    ZoneAlarm-->C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe
    =====HijackThis Backups=====
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
    ======Hosts File======
    127.0.0.1 www.007guard.com
    127.0.0.1 007guard.com
    127.0.0.1 008i.com
    127.0.0.1 www.008k.com
    127.0.0.1 008k.com
    127.0.0.1 www.00hq.com
    127.0.0.1 00hq.com
    127.0.0.1 010402.com
    127.0.0.1 www.032439.com
    127.0.0.1 032439.com
    ======Security center information======
    AV: McAfee VirusScan Enterprise
    FW: ZoneAlarm Firewall
    System event log
    Computer Name: NATUHA-KIDS
    Event Code: 7035
    Message: The Fast User Switching Compatibility service was successfully sent a start control.
    Record Number: 5
    Source Name: Service Control Manager
    Time Written: 20090213081253.000000-300
    Event Type: information
    User: NT AUTHORITY\SYSTEM
    Computer Name: NATUHA-KIDS
    Event Code: 7036
    Message: The Terminal Services service entered the running state.
    Record Number: 4
    Source Name: Service Control Manager
    Time Written: 20090213081253.000000-300
    Event Type: information
    User:
    Computer Name: NATUHA-KIDS
    Event Code: 5
    Message: Adapter Intel(R) PRO/100 VE Network Connection: Adapter Link Up
    Record Number: 3
    Source Name: E100B
    Time Written: 20090213081244.000000-300
    Event Type: information
    User:
    Computer Name: NATUHA-KIDS
    Event Code: 6005
    Message: The Event log service was started.
    Record Number: 2
    Source Name: EventLog
    Time Written: 20090213081217.000000-300
    Event Type: information
    User:
    Computer Name: NATUHA-KIDS
    Event Code: 6009
    Message: Microsoft (R) Windows (R) 5.01. 2600 Service Pack 3 Multiprocessor Free.
    Record Number: 1
    Source Name: EventLog
    Time Written: 20090213081217.000000-300
    Event Type: information
    User:
    Application event log
    Computer Name: NATUHA-KIDS
    Event Code: 257
    Message: The Scan was unable to scan password protected file C:\Documents and Settings\Natuha & Kids\Local Settings\Temporary Internet Files\Content.IE5\658BAN85\recently_featured[1]\recently_featured[1]. Scan engine version used is 5300.2777 DAT version 5449.0000.
    Record Number: 566
    Source Name: McLogEvent
    Time Written: 20081130160113.000000-300
    Event Type: information
    User: NT AUTHORITY\SYSTEM
    Computer Name: NATUHA-KIDS
    Event Code: 257
    Message: The Scan was unable to scan password protected file C:\Documents and Settings\Natuha & Kids\Local Settings\Temporary Internet Files\Content.IE5\T05AKBE3\recently_featured[1]\recently_featured[1]. Scan engine version used is 5300.2777 DAT version 5449.0000.
    Record Number: 565
    Source Name: McLogEvent
    Time Written: 20081130150113.000000-300
    Event Type: information
    User: NT AUTHORITY\SYSTEM
    Computer Name: NATUHA-KIDS
    Event Code: 257
    Message: The Scan was unable to scan password protected file C:\Documents and Settings\Natuha & Kids\Local Settings\Temporary Internet Files\Content.IE5\KIE8YQD0\recently_featured[1]\recently_featured[1]. Scan engine version used is 5300.2777 DAT version 5449.0000.
    Record Number: 564
    Source Name: McLogEvent
    Time Written: 20081130140113.000000-300
    Event Type: information
    User: NT AUTHORITY\SYSTEM
    Computer Name: NATUHA-KIDS
    Event Code: 257
    Message: The Scan was unable to scan password protected file C:\Documents and Settings\Natuha & Kids\Local Settings\Temporary Internet Files\Content.IE5\T05AKBE3\recently_featured[1]\recently_featured[1]. Scan engine version used is 5300.2777 DAT version 5449.0000.
    Record Number: 563
    Source Name: McLogEvent
    Time Written: 20081130130113.000000-300
    Event Type: information
    User: NT AUTHORITY\SYSTEM
    Computer Name: NATUHA-KIDS
    Event Code: 257
    Message: The Scan was unable to scan password protected file C:\Documents and Settings\Natuha & Kids\Local Settings\Temporary Internet Files\Content.IE5\658BAN85\recently_featured[1]\recently_featured[1]. Scan engine version used is 5300.2777 DAT version 5449.0000.
    Record Number: 562
    Source Name: McLogEvent
    Time Written: 20081130120113.000000-300
    Event Type: information
    User: NT AUTHORITY\SYSTEM
    ======Environment variables======
    "ComSpec"=%SystemRoot%\system32\cmd.exe
    "Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\QuickTime\QTSystem\
    "windir"=%SystemRoot%
    "FP_NO_HOST_CHECK"=NO
    "OS"=Windows_NT
    "PROCESSOR_ARCHITECTURE"=x86
    "PROCESSOR_LEVEL"=15
    "PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 9, GenuineIntel
    "PROCESSOR_REVISION"=0209
    "NUMBER_OF_PROCESSORS"=2
    "PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    "TEMP"=%SystemRoot%\TEMP
    "TMP"=%SystemRoot%\TEMP
    "CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
    "QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip
    "VSEDEFLOGDIR"=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
    "DEFLOGDIR"=C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection
    "tvdumpflags"=8
    EOF
  • edited February 2009
    There is nothing dramatic showing there either. Are you still having any problems?


    Please Download GMER to your desktop

    Download GMER and extract it to your desktop.

    ***Please close any open programs ***

    Double-click gmer.exe. The program will begin to run.

    **Caution**
    These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst


    If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
    • Click Yes.
    • Once the scan is complete, you may receive another notice about rootkit activity.
    • Click OK.
    • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

    If you do not receive notice about possible rootkit activity, remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.
    • Click the Scan button and let the program do its work. GMER will produce a log.
    • Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.


    DO NOT touch the PC at ALL for whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc.!

    Please post the results from the GMER scan in your reply.
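    One way to make the false-positive caution above concrete, as an added example that is not part of this thread and not GMER's own code: the script below parses the kinds of lines a gmer.txt contains, attributes each hook to the driver GMER names, and leaves in the review queue only what the installed security products do not account for. The sample lines are copied from the gmer.txt posted later in this thread; the vendor allowlist (Zone Labs and McAfee, the products the earlier HijackThis log shows installed) is an assumption made for illustration.

```python
"""Attribute the hooks in a GMER rootkit-scan log to their owning module.

Added example, not code from this thread or from GMER. SAMPLE_LOG is
copied from the gmer.txt posted in the thread; TRUSTED_VENDORS is an
assumed allowlist built from the products the HijackThis log shows
installed (ZoneAlarm and McAfee VirusScan Enterprise).
"""
import re
from collections import Counter

# Hooks GMER attributes to a named driver, e.g.
#   SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xF59F7930]
KERNEL_HOOK = re.compile(
    r"^(?P<kind>SSDT|Code)\s+(?P<module>\S+)\s+\((?P<desc>.*?)\)\s+"
    r"(?P<func>\w+)(?:\s+\[0x(?P<addr>[0-9A-F]+)\])?$"
)
# Inline JMP whose destination GMER resolved to a named driver.
INLINE_TO_MODULE = re.compile(
    r"^(?P<section>\.text|PAGE)\s+(?P<target>\S+)\s+(?P<addr>[0-9A-F]{8})\s+"
    r"(?P<n>\d+) Bytes JMP (?P<dest>[0-9A-F]{8})\s+(?P<module>\S+)\s+\((?P<desc>.*?)\)$"
)
# User-mode inline JMP to an address GMER printed without an owning module.
USER_HOOK = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+(?P<target>\S+)\s+(?P<addr>[0-9A-F]{8})\s+"
    r"(?P<n>\d+) Bytes JMP (?P<dest>[0-9A-F]{8})$"
)
# Raw byte patch with no JMP destination to attribute.
PATCH_BYTES = re.compile(
    r"^(?P<section>\.text|PAGE)\s+(?P<target>.+?)\s+(?P<addr>[0-9A-F]{8})\s+(?P<n>\d+) Bytes \["
)
# A registered driver whose file is absent from disk.
MISSING_FILE = re.compile(r"^\?\s+(?P<module>\S+)\s+(?P<msg>.*?)\s*!$")

# Assumed allowlist: vendors of the security products the HijackThis log shows installed.
TRUSTED_VENDORS = {"Zone Labs, LLC", "McAfee, Inc."}

# Constructed sample: lines copied from the gmer.txt posted in this thread.
SAMPLE_LOG = r"""
---- System - GMER 1.0.14 ----
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xF59F7930]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwTerminateProcess [0xF5A01CD0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB9C892C7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
---- Kernel code sections - GMER 1.0.14 ----
.text ntoskrnl.exe!ZwYieldExecution + 133 804E496D 7 Bytes [ 18, A0, F5, A0, 1A, A0, F5 ]
PAGE ntoskrnl.exe!ZwOpenKey 80572BF4 5 Bytes JMP B9C892CB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? srescan.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.14 ----
.text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[736] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 12, 89 ]
"""


def vendor_of(desc):
    """GMER prints '<description>/<vendor>' in parentheses; return the vendor part."""
    return desc.rsplit("/", 1)[-1].strip()


def classify(line):
    """Return a triage record for one GMER line, or None for headers and blanks."""
    line = line.strip()
    if not line or line.startswith(("----", "GMER ", "Rootkit scan", "Windows ")):
        return None
    m = KERNEL_HOOK.match(line) or INLINE_TO_MODULE.match(line)
    if m:
        vendor = vendor_of(m.group("desc"))
        category = ("known_security_product" if vendor in TRUSTED_VENDORS
                    else "named_module_unknown_vendor")
        target = m.groupdict().get("func") or m.group("target")
        return {"category": category, "module": m.group("module"),
                "vendor": vendor, "target": target, "line": line}
    m = USER_HOOK.match(line)
    if m:  # no module printed, so the owner cannot be decided from the log alone
        target = f"{m.group('process')}[{m.group('pid')}] {m.group('target')} -> {m.group('dest')}"
        return {"category": "unattributed_user_hook", "module": None,
                "vendor": None, "target": target, "line": line}
    m = PATCH_BYTES.match(line)
    if m:
        return {"category": "patched_bytes", "module": None, "vendor": None,
                "target": m.group("target"), "line": line}
    m = MISSING_FILE.match(line)
    if m:
        return {"category": "missing_driver_file", "module": m.group("module"),
                "vendor": None, "target": m.group("msg"), "line": line}
    return {"category": "unparsed", "module": None, "vendor": None,
            "target": None, "line": line}


def triage(log_text):
    """Classify every substantive line of a GMER log."""
    return [r for r in (classify(l) for l in log_text.splitlines()) if r]


def summarize(records):
    """Count records per category."""
    return Counter(r["category"] for r in records)


def review_queue(records):
    """Everything the installed security products do not account for."""
    return [r for r in records if r["category"] != "known_security_product"]


if __name__ == "__main__":
    recs = triage(SAMPLE_LOG)
    for cat, n in sorted(summarize(recs).items()):
        print(f"{cat:30s} {n}")
    for r in review_queue(recs):
        print("REVIEW:", r["category"], r["target"])
```

    Run against the posted log, every SSDT and kernel inline hook resolves to vsdatant.sys (ZoneAlarm) or mfehidk.sys (McAfee), which is exactly the "false positive" shape the caution describes; what remains for an analyst is the missing srescan.sys file, the raw byte patches, and the user-mode JMPs whose target module GMER did not print.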
  • edited February 2009
    First PC gmer.txt:

    GMER 1.0.14.14536 - http://www.gmer.net
    Rootkit scan 2009-02-17 17:14:31
    Windows 5.1.2600 Service Pack 3

    ---- System - GMER 1.0.14 ----
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwConnectPort [0xF59FB040]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xF59F7930]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateKey [0xF5A02A80]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreatePort [0xF59FB510]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcess [0xF5A01870]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcessEx [0xF5A01AA0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateSection [0xF5A04FD0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateWaitablePort [0xF59FB600]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteFile [0xF59F7F20]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteKey [0xF5A036E0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteValueKey [0xF5A03440]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDuplicateObject [0xF5A01580]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwLoadKey [0xF5A038B0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenFile [0xF59F7D70]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenProcess [0xF5A01350]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenThread [0xF5A01150]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRenameKey [0xF5A04250]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwReplaceKey [0xF5A03CB0]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRequestWaitReplyPort [0xF59FAC00]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRestoreKey [0xF5A04080]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSecureConnectPort [0xF59FB220]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetInformationFile [0xF59F8120]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetValueKey [0xF5A03140]
    SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwTerminateProcess [0xF5A01CD0]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9C893A7]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB9C892C7]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB9C89367]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9C893BD]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9C89391]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
    ---- Kernel code sections - GMER 1.0.14 ----
    .text ntoskrnl.exe!ZwYieldExecution + 133 804E496D 7 Bytes [ 18, A0, F5, A0, 1A, A0, F5 ]
    .text ntoskrnl.exe!ZwYieldExecution 80515A6A 7 Bytes JMP B9C89395 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwOpenKey 80572BF4 5 Bytes JMP B9C892CB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwUnmapViewOfSection 8057DEF1 5 Bytes JMP B9C893C1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!NtMapViewOfSection 8057E369 7 Bytes JMP B9C893AB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80581889 7 Bytes JMP B9C8936B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    ? srescan.sys The system cannot find the file specified. !
    ---- User code sections - GMER 1.0.14 ----
    .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070000
    .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070051
    .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070040
    .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070F72
    .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070F83
    .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0007001B
    .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070087
    .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0007006C
    .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070F1A
    .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 000700A9
    .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00070F09
    .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00070F9E
    .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00070FE5
    .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00070F41
    .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00070FB9
    .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00070FCA
    .text C:\WINDOWS\system32\services.exe[736] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00070098
    .text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00060FDB
    .text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00060069
    .text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0006002C
    .text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00060011
    .text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00060FAC
    .text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00060000
    .text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 0006004E
    .text C:\WINDOWS\system32\services.exe[736] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 0006003D
    .text C:\WINDOWS\system32\services.exe[736] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040000
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F80000
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F80F9B
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F80090
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F80073
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F80FC0
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F80FE5
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F800C1
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F80F79
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F800F0
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F80F57
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00F80101
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00F80062
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00F80011
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00F80F8A
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00F80047
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00F8002C
    .text C:\WINDOWS\system32\lsass.exe[764] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00F80F68
    .text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00F70FD4
    .text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00F70FA8
    .text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00F70025
    .text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00F70000
    .text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00F70FB9
    .text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00F70FE5
    .text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00F70065
    .text C:\WINDOWS\system32\lsass.exe[764] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00F70040
    .text C:\WINDOWS\system32\lsass.exe[764] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BD0000
    .text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F3000A
    .text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F30F74
    .text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F30F8F
    .text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F30FA0
    .text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F30069
    .text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F30047
    .text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F30F4D
    .text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F30095
    .text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F30F32
    .text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F300CB
    .text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00F30F21
    .text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00F30058
    .text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00F30FEF
    .text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00F30084
    .text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00F30036
    .text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00F30025
    .text C:\WINDOWS\system32\svchost.exe[904] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00F300BA
    .text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00F2001B
    .text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00F20047
    .text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00F20FCA
    .text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00F20000
    .text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00F20036
    .text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00F20FEF
    .text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00F20F94
    .text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 12, 89 ]
    .text C:\WINDOWS\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00F20FAF
    .text C:\WINDOWS\system32\svchost.exe[904] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F00000
    .text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C80000
    .text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C8005B
    .text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C80F70
    .text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C80F8D
    .text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C80FA8
    .text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C80FC3
    .text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C80F4B
    .text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C80093
    .text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C800C9
    .text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C80F30
    .text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00C800DA
    .text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00C8004A
    .text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00C80FEF
    .text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00C80076
    .text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00C80FD4
    .text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00C80025
    .text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00C800AE
    .text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00C7000A
    .text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00C7005B
    .text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00C70FB9
    .text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00C70FD4
    .text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00C70040
    .text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00C70FEF
    .text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00C7002F
    .text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00C70FA8
    .text C:\WINDOWS\system32\svchost.exe[984] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C50000
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1032] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01D30000
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1032] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01D30F66
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1032] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01D3005B
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1032] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01D30F83
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1032] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01D30F94
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1032] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01D3002C
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1032] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01D30F2E
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1032] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01D30F49
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1032] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01D300AC
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1032] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01D30F1D
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1032] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 01D300C7
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1032] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01D30FA5
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1032] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01D30FE5
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1032] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01D30076
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1032] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01D3001B
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1032] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01D30FCA
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1032] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 01D30091
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1032] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 01D2002F
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1032] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01D20F8D
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1032] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 01D20FD4
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1032] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 01D2000A
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1032] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01D20FA8
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1032] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01D20FE5
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1032] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 01D20FB9
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1032] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ F2, 89 ]
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1032] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 01D20040
    .text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1032] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01D00000
    .text C:\WINDOWS\System32\svchost.exe[1080] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03060FEF
    .text C:\WINDOWS\System32\svchost.exe[1080] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 030600B5
    .text C:\WINDOWS\System32\svchost.exe[1080] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 030600A4
    .text C:\WINDOWS\System32\svchost.exe[1080] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0306007D
    .text C:\WINDOWS\System32\svchost.exe[1080] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0306006C
    .text C:\WINDOWS\System32\svchost.exe[1080] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03060051
    .text C:\WINDOWS\System32\svchost.exe[1080] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03060F8D
    .text C:\WINDOWS\System32\svchost.exe[1080] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03060F9E
    .text C:\WINDOWS\System32\svchost.exe[1080] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03060101
    .text C:\WINDOWS\System32\svchost.exe[1080] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03060F68
    .text C:\WINDOWS\System32\svchost.exe[1080] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 0306011C
    .text C:\WINDOWS\System32\svchost.exe[1080] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 03060FD4
    .text C:\WINDOWS\System32\svchost.exe[1080] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 0306000A
    .text C:\WINDOWS\System32\svchost.exe[1080] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 03060FAF
    .text C:\WINDOWS\System32\svchost.exe[1080] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 03060040
    .text C:\WINDOWS\System32\svchost.exe[1080] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 0306001B
    .text C:\WINDOWS\System32\svchost.exe[1080] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 030600E6
    .text C:\WINDOWS\System32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 02B60FB9
    .text C:\WINDOWS\System32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 02B60F7C
    .text C:\WINDOWS\System32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 02B60FCA
    .text C:\WINDOWS\System32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 02B6000A
    .text C:\WINDOWS\System32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 02B60039
    .text C:\WINDOWS\System32\svchost.exe[1080] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 02B60FEF
    .text C:\WINDOWS\System32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 02B60F97
    .text C:\WINDOWS\System32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ D6, 8A ]
    .text C:\WINDOWS\System32\svchost.exe[1080] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 02B60FA8
    .text C:\WINDOWS\System32\svchost.exe[1080] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0278000A
    .text C:\WINDOWS\System32\svchost.exe[1080] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 02B70000
    .text C:\WINDOWS\System32\svchost.exe[1080] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 02B70011
    .text C:\WINDOWS\System32\svchost.exe[1080] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 02B70022
    .text C:\WINDOWS\System32\svchost.exe[1080] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 02B70033
    .text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A2000A
    .text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A200AE
    .text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A20FAF
    .text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A20FC0
    .text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A20FD1
    .text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A20062
    .text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A200DC
    .text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A20F94
    .text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A20F57
    .text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A20F68
    .text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00A20115
    .text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00A2007D
    .text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00A2001B
    .text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00A200BF
    .text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00A20047
    .text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00A20036
    .text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00A20F83
    .text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00A10FC0
    .text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00A10F83
    .text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00A10011
    .text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00A10000
    .text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00A10F9E
    .text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00A10FE5
    .text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00A10FAF
    .text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ C1, 88 ]
    .text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00A1002C
    .text C:\WINDOWS\system32\svchost.exe[1204] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009E0FEF
    .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CE000A
    .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CE0083
    .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CE0F8E
    .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CE0FAB
    .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CE0068
    .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CE0043
    .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CE0F67
    .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CE00AF
    .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CE00E5
    .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CE0F4C
    .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00CE010A
    .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00CE0FBC
    .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00CE0FEF
    .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00CE009E
    .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00CE0FCD
    .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00CE0FDE
    .text C:\WINDOWS\system32\svchost.exe[1244] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00CE00D4
    .text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00A50FA8
    .text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00A50F4D
    .text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00A50FC3
    .text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00A50FD4
    .text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00A50F72
    .text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00A50FE5
    .text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00A50014
    .text C:\WINDOWS\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00A50F97
    .text C:\WINDOWS\system32\svchost.exe[1244] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A30000
    .text C:\WINDOWS\system32\svchost.exe[1244] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00A60000
    .text C:\WINDOWS\system32\svchost.exe[1244] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00A60FE5
    .text C:\WINDOWS\system32\svchost.exe[1244] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00A6001B
    .text C:\WINDOWS\system32\svchost.exe[1244] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00A60FD4
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1456] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FF0000
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1456] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FF0F88
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1456] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FF007D
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1456] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FF0062
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1456] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FF0051
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1456] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FF002C
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1456] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FF00C9
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1456] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FF00A2
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1456] kernel32.dll!CreateProcessW 7C802336 1 Byte [ E9 ]
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1456] kernel32.dll!CreateProcessW + 2 7C802338 3 Bytes [ EB, 7E, 84 ]
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1456] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FF0F4B
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1456] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00FF0F29
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1456] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00FF0FA5
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1456] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00FF0FE5
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1456] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00FF0F77
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1456] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00FF001B
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1456] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00FF0FCA
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1456] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00FF0F5C
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1456] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00FE0FCA
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1456] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00FE0F80
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1456] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00FE0FDB
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1456] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00FE0011
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1456] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00FE0047
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1456] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00FE0000
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1456] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00FE002C
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1456] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00FE0FA5
    .text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1456] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FC0FE5
    .text C:\WINDOWS\Explorer.EXE[1872] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 018C0000
    .text C:\WINDOWS\Explorer.EXE[1872] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 018C0F92
    .text C:\WINDOWS\Explorer.EXE[1872] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 018C0FA3
    .text C:\WINDOWS\Explorer.EXE[1872] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 018C007D
    .text C:\WINDOWS\Explorer.EXE[1872] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 018C0FC0
    .text C:\WINDOWS\Explorer.EXE[1872] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 018C0058
    .text C:\WINDOWS\Explorer.EXE[1872] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 018C0F5A
    .text C:\WINDOWS\Explorer.EXE[1872] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 018C0F6B
    .text C:\WINDOWS\Explorer.EXE[1872] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 018C00C7
    .text C:\WINDOWS\Explorer.EXE[1872] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 018C0F2E
    .text C:\WINDOWS\Explorer.EXE[1872] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 018C0F13
    .text C:\WINDOWS\Explorer.EXE[1872] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 018C0FD1
    .text C:\WINDOWS\Explorer.EXE[1872] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 018C001B
    .text C:\WINDOWS\Explorer.EXE[1872] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 018C00A2
    .text C:\WINDOWS\Explorer.EXE[1872] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 018C003D
    .text C:\WINDOWS\Explorer.EXE[1872] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 018C002C
    .text C:\WINDOWS\Explorer.EXE[1872] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 018C0F3F
    .text C:\WINDOWS\Explorer.EXE[1872] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 018A002F
    .text C:\WINDOWS\Explorer.EXE[1872] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 018A0FA8
    .text C:\WINDOWS\Explorer.EXE[1872] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 018A0FD4
    .text C:\WINDOWS\Explorer.EXE[1872] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 018A0000
    .text C:\WINDOWS\Explorer.EXE[1872] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 018A0065
    .text C:\WINDOWS\Explorer.EXE[1872] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 018A0FEF
    .text C:\WINDOWS\Explorer.EXE[1872] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 018A0FC3
    .text C:\WINDOWS\Explorer.EXE[1872] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ AA, 89 ]
    .text C:\WINDOWS\Explorer.EXE[1872] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 018A0040
    .text C:\WINDOWS\Explorer.EXE[1872] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 018B0FEF
    .text C:\WINDOWS\Explorer.EXE[1872] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 018B0FDE
    .text C:\WINDOWS\Explorer.EXE[1872] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 018B0FB9
    .text C:\WINDOWS\Explorer.EXE[1872] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 018B000A
    .text C:\WINDOWS\Explorer.EXE[1872] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01760FEF
    .text C:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B80000
    .text C:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B80047
    .text C:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B8002C
    .text C:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B80F52
    .text C:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B80F6F
    .text C:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B80F8A
    .text C:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B80073
    .text C:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B80F37
    .text C:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B80F06
    .text C:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B80095
    .text C:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00B80EEB
    .text C:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00B80011
    .text C:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00B80FDB
    .text C:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00B80062
    .text C:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00B80FAF
    .text C:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00B80FCA
    .text C:\WINDOWS\system32\svchost.exe[1916] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00B80084
    .text C:\WINDOWS\system32\svchost.exe[1916] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00B70FD4
    .text C:\WINDOWS\system32\svchost.exe[1916] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00B70079
    .text C:\WINDOWS\system32\svchost.exe[1916] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00B70025
    .text C:\WINDOWS\system32\svchost.exe[1916] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00B7000A
    .text C:\WINDOWS\system32\svchost.exe[1916] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00B70054
    .text C:\WINDOWS\system32\svchost.exe[1916] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00B70FEF
    .text C:\WINDOWS\system32\svchost.exe[1916] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00B70FB2
    .text C:\WINDOWS\system32\svchost.exe[1916] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ D7, 88 ]
    .text C:\WINDOWS\system32\svchost.exe[1916] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00B70FC3
    .text C:\WINDOWS\System32\svchost.exe[3224] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FEF
    .text C:\WINDOWS\System32\svchost.exe[3224] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A00A2
    .text C:\WINDOWS\System32\svchost.exe[3224] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0087
    .text C:\WINDOWS\System32\svchost.exe[3224] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0076
    .text C:\WINDOWS\System32\svchost.exe[3224] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A005B
    .text C:\WINDOWS\System32\svchost.exe[3224] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FC3
    .text C:\WINDOWS\System32\svchost.exe[3224] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0F9C
    .text C:\WINDOWS\System32\svchost.exe[3224] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A00E4
    .text C:\WINDOWS\System32\svchost.exe[3224] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0F55
    .text C:\WINDOWS\System32\svchost.exe[3224] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F66
    .text C:\WINDOWS\System32\svchost.exe[3224] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A0F44
    .text C:\WINDOWS\System32\svchost.exe[3224] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A004A
    .text C:\WINDOWS\System32\svchost.exe[3224] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A000A
    .text C:\WINDOWS\System32\svchost.exe[3224] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A00BD
    .text C:\WINDOWS\System32\svchost.exe[3224] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A002F
    .text C:\WINDOWS\System32\svchost.exe[3224] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A0FDE
    .text C:\WINDOWS\System32\svchost.exe[3224] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A0F8B
    .text C:\WINDOWS\System32\svchost.exe[3224] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0029004A
    .text C:\WINDOWS\System32\svchost.exe[3224] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00290FC3
    .text C:\WINDOWS\System32\svchost.exe[3224] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00290FEF
    .text C:\WINDOWS\System32\svchost.exe[3224] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0029001B
    .text C:\WINDOWS\System32\svchost.exe[3224] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00290080
    .text C:\WINDOWS\System32\svchost.exe[3224] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00290000
    .text C:\WINDOWS\System32\svchost.exe[3224] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00290FDE
    .text C:\WINDOWS\System32\svchost.exe[3224] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [ 49, 88 ]
    .text C:\WINDOWS\System32\svchost.exe[3224] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 0029005B
    .text C:\WINDOWS\System32\svchost.exe[3224] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009B0FEF
    ---- Kernel IAT/EAT - GMER 1.0.14 ----
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F59FFCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F5A001C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F5A00320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F59FFE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F59FFE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F59FFCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F5A001C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F5A00320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F59FFCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F59FFE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F5A00320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F5A001C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F5A00320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F5A001C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F59FFCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F59FFE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F59FFCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F5A001C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F5A00320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [F5A0D330] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F59FFCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F59FFE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F5A00320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F5A001C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [F59F85C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [F59F8770] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [F59F82D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [F59F8670] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    ---- Devices - GMER 1.0.14 ----
    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    ---- EOF - GMER 1.0.14 ----


    second PC gmer.txt:

    GMER 1.0.14.14536 - http://www.gmer.net
    Rootkit scan 2009-02-17 16:55:56
    Windows 5.1.2600 Service Pack 2

    ---- System - GMER 1.0.14 ----
    SSDT FF9A2898 ZwConnectPort
    ---- Devices - GMER 1.0.14 ----
    AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
    ---- EOF - GMER 1.0.14 ----
  • edited February 2009
    There are no problems showing there. What is actually happening with your PC?


    Kaspersky Online Scanner
    Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
    NOTE:- This scan is best done from IE (Internet Explorer)

    NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
    Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

    Read the Requirements and limitations before you click Accept.
    Once the database has downloaded, click My Computer in the left pane
    Now go and put the kettle on!
    When the scan has completed, click Save Report As...
    Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

    Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
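    The reading of the GMER output above (every hook is owned by a ZoneAlarm, McAfee, Symantec or Microsoft driver, so nothing suspicious) can be turned into a small triage script. This is an added example, not code from the thread or from GMER: it parses the IAT and SSDT hook lines, attributes each hook to the vendor string GMER prints, and lists hooks with no trusted owner for manual review. The sample log is constructed (it adds one hypothetical hooker with no vendor description, in the format assumed for an unattributed module), and the allow-list of vendors is taken only from this thread's logs.

```python
import re

# Constructed sample in GMER 1.0.14 "System" section format. The last IAT line is a
# hypothetical entry (not from the thread) whose hooking module carries no vendor info.
SAMPLE_LOG = r"""---- System - GMER 1.0.14 ----
SSDT FF9A2898 ZwConnectPort
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F5A001C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [F59F82D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [F59F8670] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [F5A0D330] \SystemRoot\System32\hypothetical.sys
---- EOF - GMER 1.0.14 ----
"""

# Vendors whose drivers the thread's logs show hooking NDIS/ntoskrnl for legitimate reasons.
TRUSTED_VENDORS = {"Zone Labs, LLC", "McAfee, Inc.", "Microsoft Corporation", "Symantec Corporation"}

IAT_RE = re.compile(r"^IAT\s+(?P<victim>[^\[\s]+)\[(?P<api>[^\]]+)\]\s+\[(?P<addr>[0-9A-Fa-f]+)\]"
                    r"\s+(?P<hooker>\S+)(?:\s+\((?P<desc>[^)]*)\))?\s*$")
SSDT_RE = re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<func>\S+)\s*$")


def parse_hooks(text):
    """One dict per SSDT or IAT hook line; section headers and other lines are ignored."""
    hooks = []
    for line in text.splitlines():
        line = line.strip()
        if m := IAT_RE.match(line):
            hooks.append({"kind": "IAT",
                          "victim": m["victim"].rsplit("\\", 1)[-1],   # driver whose import is hooked
                          "func": m["api"].split("!", 1)[-1],          # the redirected import
                          "addr": int(m["addr"], 16),                  # where the import now points
                          "hooker": m["hooker"].rsplit("\\", 1)[-1],   # module owning that address
                          "vendor": m["desc"].rsplit("/", 1)[-1] if m["desc"] else None})
        elif m := SSDT_RE.match(line):
            # SSDT entries give only address and syscall; GMER names no owning module here.
            hooks.append({"kind": "SSDT", "victim": "ntoskrnl.exe", "func": m["func"],
                          "addr": int(m["addr"], 16), "hooker": None, "vendor": None})
    return hooks


def needs_review(hooks, trusted=TRUSTED_VENDORS):
    """Hooks not attributed to a trusted vendor: a hit means 'look closer', not 'malware'."""
    return [h for h in hooks if h["vendor"] not in trusted]


if __name__ == "__main__":
    for h in needs_review(parse_hooks(SAMPLE_LOG)):
        print(f"REVIEW {h['kind']} {h['victim']}!{h['func']} -> {h['hooker'] or 'unknown owner'}")
```

Run against the first PC's full log, every IAT hook resolves to vsdatant.sys (Zone Labs) and nothing is flagged; the second PC's lone SSDT entry is listed because GMER gives it no owner, which is exactly the kind of line a human still has to attribute.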
  • edited February 2009
    When I opened the site I mentioned in the first post, multiple windows and screens started to pop up. I lost the mouse and could not control the PC.
    I shut it down and for 5 to 10 minutes everything was fine, then the same scenario repeated, and repeated again.
    Now for both PCs that are sharing the same network.
  • edited February 2009
    Please let me know what else needs to be done,

    Regards,

    Robert
  • edited February 2009
    robert_st wrote:
    Please let me know what else needs to be done,

    Please run the Kaspersky Scan in my previous post
  • edited February 2009
    Here you are:

    first PC:

    KASPERSKY ONLINE SCANNER 7 REPORT
    Tuesday, February 17, 2009
    Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Tuesday, February 17, 2009 22:48:44
    Records in database: 1809779
    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes
    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    Scan statistics:
    Files scanned: 64739
    Threat name: 0
    Infected objects: 0
    Suspicious objects: 0
    Duration of the scan: 01:37:12
    No malware has been detected. The scan area is clean.
    The selected area was scanned.

    second PC:

    KASPERSKY ONLINE SCANNER 7 REPORT
    Wednesday, February 18, 2009
    Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Wednesday, February 18, 2009 01:24:20
    Records in database: 1810228
    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes
    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    Scan statistics:
    Files scanned: 70462
    Threat name: 0
    Infected objects: 0
    Suspicious objects: 0
    Duration of the scan: 05:11:35
    No malware has been detected. The scan area is clean.
    The selected area was scanned.

    Thanks!
  • edited February 2009
    robert_st wrote:
    When I opened the site I mentioned in the first post, multiple windows and screens started to pop up. I lost the mouse and could not control the PC.

    Are you having problems if you don't visit that site ?
    Or is it only when you visit ?
  • edited February 2009
    I had a problem when I just opened the site.
    I shut down my PC and restarted my PC.
    And the same problem came back again.
    And at this point I had only one PC on the network.
    The next day I started my second PC and the same issue appeared on the second machine.
    I do not have any problem right now, but I keep only one PC on the network.

    Robert
  • edited February 2009
    robert_st wrote:
    The next day I started my second PC and the same issue appeared on the second machine.

    Do you have a router ?

    If yes, then it is possible that your router DNS settings have been changed.
  • edited February 2009
    Yes, I use a router to establish the network.

    Robert
  • edited February 2009
    If the problem happens again, I recommend that you re-set your router to factory settings.
  • edited February 2009
    I'll keep you posted.

    Thanks for your time and help.