Thread: Can't download/install/run any anti virus...

  1. #1
    Junior Member (Join Date: Jan 2007, Posts: 25)

    NOTE:

    The "silentrunners" link you provided didn't execute as per your instructions. So I went to their website downloaded a .zip file, extracted the file into the "silentrunners" folder and ran it that way. Not sure if this would affect the results or not?!?!

  2. #2
    Security Expert-Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 3,934)

    Hi

    A little more research...

    Please run a GMER Rootkit scan:

    Download GMER's application from here:
    http://www.majorgeeks.com/GMER_d5198.html

    Unzip it and start the GMER.exe
    Click the Rootkit tab and click the Scan button.

    Once done, click the Copy button.
    This will copy the results to your clipboard.
    Paste the results in your next reply.

    Warning! Please do not select the "Show all" checkbox during the scan.
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  3. #3
    Junior Member (Join Date: Jan 2007, Posts: 25)

    This is (#1) of (3) posts...


    GMER 1.0.12.12011 - http://www.gmer.net
    Rootkit scan 2007-01-10 14:41:25
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.12 ----

    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwClose
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcess
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcessEx
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateSection
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateSymbolicLinkObject
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateThread
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwDuplicateObject
    SSDT kl1.sys ZwOpenFile
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenProcess
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenSection
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQuerySystemInformation
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwResumeThread
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetContextThread
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationFile
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationProcess
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetSecurityObject
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSuspendThread
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwTerminateProcess
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwWriteVirtualMemory
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[284]
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[285]
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[286]
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[287]
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[288]
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[289]
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[290]
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[291]
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[292]
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[293]
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[294]
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[295]
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[296]

    Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateFile
    Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateKey
    Code \SystemRoot\system32\drivers\mfehidk.sys ZwDeleteKey
    Code \SystemRoot\system32\drivers\mfehidk.sys ZwDeleteValueKey
    Code \SystemRoot\system32\drivers\mfehidk.sys ZwMapViewOfSection
    Code \SystemRoot\system32\drivers\mfehidk.sys ZwOpenKey
    Code \SystemRoot\system32\drivers\mfehidk.sys ZwProtectVirtualMemory
    Code \SystemRoot\system32\drivers\mfehidk.sys ZwRenameKey
    Code \SystemRoot\system32\drivers\mfehidk.sys ZwSetValueKey
    Code \SystemRoot\system32\drivers\mfehidk.sys ZwUnmapViewOfSection
    Code \SystemRoot\system32\drivers\mfehidk.sys ZwYieldExecution
    Code \??\C:\WINDOWS\system32\drivers\klif.sys FsRtlCheckLockForReadAccess
    Code \??\C:\WINDOWS\system32\drivers\klif.sys IoIsOperationSynchronous
    Code \SystemRoot\system32\drivers\mfehidk.sys NtCreateFile
    Code \SystemRoot\system32\drivers\mfehidk.sys NtMapViewOfSection

    ---- Kernel code sections - GMER 1.0.12 ----

    .text ntoskrnl.exe!KiDispatchInterrupt + BA 804DB92E 2 Bytes JMP EF9D4D70 \??\C:\WINDOWS\system32\drivers\klif.sys
    .text ntoskrnl.exe!KiDispatchInterrupt + BD 804DB931 4 Bytes [ 4F, 6F, 90, 90 ]
    .text ntoskrnl.exe!IoIsOperationSynchronous 804E8752 5 Bytes JMP EF9D2000 \??\C:\WINDOWS\system32\drivers\klif.sys
    .text ntoskrnl.exe!ZwYieldExecution 804FB0F3 7 Bytes JMP EF1052FD \SystemRoot\system32\drivers\mfehidk.sys
    .text ntoskrnl.exe!FsRtlCheckLockForReadAccess 804FBE09 5 Bytes JMP EF9D1B70 \??\C:\WINDOWS\system32\drivers\klif.sys
    PAGE ntoskrnl.exe!ZwOpenKey 80567CFB 5 Bytes JMP EF10522B \SystemRoot\system32\drivers\mfehidk.sys
    PAGE ntoskrnl.exe!ZwCreateKey 8056E7A9 5 Bytes JMP EF10523F \SystemRoot\system32\drivers\mfehidk.sys
    PAGE ntoskrnl.exe!NtCreateFile 8056FBF8 5 Bytes JMP EF1052BF \SystemRoot\system32\drivers\mfehidk.sys
    PAGE ntoskrnl.exe!ZwUnmapViewOfSection 80571EF1 5 Bytes JMP EF105329 \SystemRoot\system32\drivers\mfehidk.sys
    PAGE ntoskrnl.exe!NtMapViewOfSection 8057236C 7 Bytes JMP EF105313 \SystemRoot\system32\drivers\mfehidk.sys
    PAGE ntoskrnl.exe!ZwProtectVirtualMemory 805730B5 7 Bytes JMP EF1052D3 \SystemRoot\system32\drivers\mfehidk.sys
    PAGE ntoskrnl.exe!ZwSetValueKey 80573C8D 7 Bytes JMP EF105295 \SystemRoot\system32\drivers\mfehidk.sys
    PAGE ntoskrnl.exe!ZwDeleteValueKey 80593AAC 7 Bytes JMP EF10527F \SystemRoot\system32\drivers\mfehidk.sys
    PAGE ntoskrnl.exe!ZwDeleteKey 80595136 7 Bytes JMP EF105253 \SystemRoot\system32\drivers\mfehidk.sys
    PAGE ntoskrnl.exe!ZwRenameKey 8064D02D 7 Bytes JMP EF105269 \SystemRoot\system32\drivers\mfehidk.sys

    ---- User code sections - GMER 1.0.12 ----

    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 0026000A
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0026007D
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0026006C
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00260F5C
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00260F6D
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 002600BD
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00260F30
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 0026001B
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 002600A2
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 0026002C
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00260FDB
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00260F41
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00340FCA
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00340076
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00340025
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00340FEF
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 0034005B
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00340FB9
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00340000
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00340040
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 00360FEF
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] WININET.dll!InternetOpenW 771CAFC2 5 Bytes JMP 00360000
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 0036001B
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 0036002C
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00F70FEF
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] WS2_32.dll!bind

  4. #4
    Junior Member (Join Date: Jan 2007, Posts: 25)

    (#2) of (3)

    71AB3E00 5 Bytes JMP 00F7000A
    .text C:\WINDOWS\system32\svchost.exe[400] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00830000
    .text C:\WINDOWS\system32\svchost.exe[400] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00830076
    .text C:\WINDOWS\system32\svchost.exe[400] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00830F8D
    .text C:\WINDOWS\system32\svchost.exe[400] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00830F72
    .text C:\WINDOWS\system32\svchost.exe[400] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 008300AC
    .text C:\WINDOWS\system32\svchost.exe[400] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00830F57
    .text C:\WINDOWS\system32\svchost.exe[400] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008300E4
    .text C:\WINDOWS\system32\svchost.exe[400] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00830011
    .text C:\WINDOWS\system32\svchost.exe[400] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 0083009B
    .text C:\WINDOWS\system32\svchost.exe[400] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00830FCA
    .text C:\WINDOWS\system32\svchost.exe[400] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00830FDB
    .text C:\WINDOWS\system32\svchost.exe[400] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 008300D3
    .text C:\WINDOWS\system32\svchost.exe[400] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00820FE5
    .text C:\WINDOWS\system32\svchost.exe[400] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00820062
    .text C:\WINDOWS\system32\svchost.exe[400] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00820036
    .text C:\WINDOWS\system32\svchost.exe[400] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 0082001B
    .text C:\WINDOWS\system32\svchost.exe[400] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00820FA5
    .text C:\WINDOWS\system32\svchost.exe[400] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00820FC0
    .text C:\WINDOWS\system32\svchost.exe[400] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00820000
    .text C:\WINDOWS\system32\svchost.exe[400] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00820051
    .text C:\WINDOWS\system32\services.exe[616] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00DD0FEF
    .text C:\WINDOWS\system32\services.exe[616] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00DD0F21
    .text C:\WINDOWS\system32\services.exe[616] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00DD001E
    .text C:\WINDOWS\system32\services.exe[616] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00DD0EEE
    .text C:\WINDOWS\system32\services.exe[616] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00DD0EFF
    .text C:\WINDOWS\system32\services.exe[616] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00DD006A
    .text C:\WINDOWS\system32\services.exe[616] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00DD0ED3
    .text C:\WINDOWS\system32\services.exe[616] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00DD0FD4
    .text C:\WINDOWS\system32\services.exe[616] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00DD0F10
    .text C:\WINDOWS\system32\services.exe[616] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00DD0F9E
    .text C:\WINDOWS\system32\services.exe[616] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00DD0FB9
    .text C:\WINDOWS\system32\services.exe[616] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00DD0045
    .text C:\WINDOWS\system32\services.exe[616] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00DC0022
    .text C:\WINDOWS\system32\services.exe[616] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00DC0062
    .text C:\WINDOWS\system32\services.exe[616] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00DC0011
    .text C:\WINDOWS\system32\services.exe[616] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00DC0000
    .text C:\WINDOWS\system32\services.exe[616] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00DC0FA5
    .text C:\WINDOWS\system32\services.exe[616] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00DC0FB6
    .text C:\WINDOWS\system32\services.exe[616] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00DC0FE5
    .text C:\WINDOWS\system32\services.exe[616] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00DC003D
    .text C:\WINDOWS\system32\services.exe[616] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00B90FE5
    .text C:\WINDOWS\system32\services.exe[616] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00B90FD4
    .text C:\WINDOWS\system32\lsass.exe[628] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00F90FEF
    .text C:\WINDOWS\system32\lsass.exe[628] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00F90F79
    .text C:\WINDOWS\system32\lsass.exe[628] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00F9006C
    .text C:\WINDOWS\system32\lsass.exe[628] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00F900AE
    .text C:\WINDOWS\system32\lsass.exe[628] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00F90F68
    .text C:\WINDOWS\system32\lsass.exe[628] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00F90F3C
    .text C:\WINDOWS\system32\lsass.exe[628] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00F90F4D
    .text C:\WINDOWS\system32\lsass.exe[628] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00F90000
    .text C:\WINDOWS\system32\lsass.exe[628] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00F90087
    .text C:\WINDOWS\system32\lsass.exe[628] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00F90FCA
    .text C:\WINDOWS\system32\lsass.exe[628] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00F90011
    .text C:\WINDOWS\system32\lsass.exe[628] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00F900BF
    .text C:\WINDOWS\system32\lsass.exe[628] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00F80FDE
    .text C:\WINDOWS\system32\lsass.exe[628] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00F80F97
    .text C:\WINDOWS\system32\lsass.exe[628] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00F80FEF
    .text C:\WINDOWS\system32\lsass.exe[628] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00F80025
    .text C:\WINDOWS\system32\lsass.exe[628] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00F8004A
    .text C:\WINDOWS\system32\lsass.exe[628] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00F80FA8
    .text C:\WINDOWS\system32\lsass.exe[628] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00F8000A
    .text C:\WINDOWS\system32\lsass.exe[628] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00F80FC3
    .text C:\WINDOWS\system32\lsass.exe[628] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00F60000
    .text C:\WINDOWS\system32\lsass.exe[628] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00F60FDB
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 008C0FE5
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 008C0F43
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 008C0036
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 008C0062
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 008C0047
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008C0EF7
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008C0084
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 008C0FD4
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 008C0F28
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 008C0FAF
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 008C000A
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 008C0073
    .text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 008B0FC3
    .text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 008B0054
    .text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 008B0FD4
    .text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 008B0014
    .text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 008B0F97
    .text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 008B0039
    .text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 008B0FEF
    .text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 008B0FB2
    .text C:\WINDOWS\system32\svchost.exe[776] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00890000
    .text C:\WINDOWS\system32\svchost.exe[776] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00890011
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01B90000
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01B90073
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01B90062
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 01B90F43
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01B90F54
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01B900C6
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01B900AB
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 01B90011
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 01B90F6F
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 01B90FDB
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 01B9002C
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 01B9009A
    .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 01950FD1
    .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 01950F91
    .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 01950022
    .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 01950011
    .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 0195004E
    .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 0195003D
    .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 01950000
    .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 01950FC0

  5. #5
    Junior Member (Join Date: Jan 2007, Posts: 25)

    #3 of (3)


    .text C:\WINDOWS\system32\svchost.exe[952] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01B70000
    .text C:\WINDOWS\system32\svchost.exe[952] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 01B70011
    .text C:\WINDOWS\system32\svchost.exe[952] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 01B80FE5
    .text C:\WINDOWS\system32\svchost.exe[952] WININET.dll!InternetOpenW 771CAFC2 5 Bytes JMP 01B80FD4
    .text C:\WINDOWS\system32\svchost.exe[952] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 01B80FAF
    .text C:\WINDOWS\system32\svchost.exe[952] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 01B80F9E
    .text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00750FEF
    .text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0075006C
    .text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00750F79
    .text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00750F4A
    .text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0075008E
    .text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 007500BF
    .text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00750F28
    .text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00750000
    .text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 0075007D
    .text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00750FAF
    .text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00750FCA
    .text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00750F39
    .text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00740036
    .text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 0074007D
    .text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 0074001B
    .text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00740FE5
    .text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00740FC0
    .text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00740058
    .text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00740000
    .text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00740047
    .text C:\WINDOWS\system32\svchost.exe[1044] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00720000
    .text C:\WINDOWS\system32\svchost.exe[1044] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00720FEF
    .text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A70000
    .text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A70F8A
    .text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A7007D
    .text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A70F6F
    .text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A700B5
    .text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A700EB
    .text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A700DA
    .text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00A7001B
    .text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00A70098
    .text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00A70FDB
    .text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00A7002C
    .text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00A70F5E
    .text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00800FBC
    .text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00800F75
    .text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00800FCD
    .text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00800FDE
    .text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00800028
    .text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00800F86
    .text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00800FEF
    .text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00800FA1
    .text C:\WINDOWS\system32\svchost.exe[1096] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 007D0FEF
    .text C:\WINDOWS\system32\svchost.exe[1096] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 007D000A
    .text C:\WINDOWS\system32\svchost.exe[1096] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 007E0000
    .text C:\WINDOWS\system32\svchost.exe[1096] WININET.dll!InternetOpenW 771CAFC2 5 Bytes JMP 007E001B
    .text C:\WINDOWS\system32\svchost.exe[1096] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 007E0FE5
    .text C:\WINDOWS\system32\svchost.exe[1096] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 007E0FD4
    .text C:\WINDOWS\explorer.exe[3812] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001A0FEF
    .text C:\WINDOWS\explorer.exe[3812] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001A005B
    .text C:\WINDOWS\explorer.exe[3812] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001A0F68
    .text C:\WINDOWS\explorer.exe[3812] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001A0087
    .text C:\WINDOWS\explorer.exe[3812] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001A0F4D
    .text C:\WINDOWS\explorer.exe[3812] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001A0098
    .text C:\WINDOWS\explorer.exe[3812] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001A0F0B
    .text C:\WINDOWS\explorer.exe[3812] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 001A0FD4
    .text C:\WINDOWS\explorer.exe[3812] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 001A006C
    .text C:\WINDOWS\explorer.exe[3812] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 001A0FB9
    .text C:\WINDOWS\explorer.exe[3812] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 001A0000
    .text C:\WINDOWS\explorer.exe[3812] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 001A0F1C
    .text C:\WINDOWS\explorer.exe[3812] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00290FA8
    .text C:\WINDOWS\explorer.exe[3812] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00290F6B
    .text C:\WINDOWS\explorer.exe[3812] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00290FB9
    .text C:\WINDOWS\explorer.exe[3812] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00290FD4
    .text C:\WINDOWS\explorer.exe[3812] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00290F7C
    .text C:\WINDOWS\explorer.exe[3812] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00290F97
    .text C:\WINDOWS\explorer.exe[3812] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00290FE5
    .text C:\WINDOWS\explorer.exe[3812] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 0029001E
    .text C:\WINDOWS\explorer.exe[3812] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 002B0FEF
    .text C:\WINDOWS\explorer.exe[3812] WININET.dll!InternetOpenW 771CAFC2 5 Bytes JMP 002B0014
    .text C:\WINDOWS\explorer.exe[3812] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 002B0FD4
    .text C:\WINDOWS\explorer.exe[3812] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 002B0FC3
    .text C:\WINDOWS\explorer.exe[3812] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01180FEF
    .text C:\WINDOWS\explorer.exe[3812] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 01180FD4

    ---- Files - GMER 1.0.12 ----

    ADS C:\200601_Retail_Forecast_Shannon_Gregg(1).xls:KAVICHS
    ADS C:\AlbumArt_{0AFE16AC-6E14-4760-B176-FD8E7CCA390D}_Large.jpg:KAVICHS
    ADS C:\AlbumArt_{0AFE16AC-6E14-4760-B176-FD8E7CCA390D}_Small.jpg:KAVICHS
    ADS C:\AlbumArt_{162B0AE5-8632-4871-8D36-02BB5BAAE078}_Large.jpg:KAVICHS
    ADS C:\AlbumArt_{162B0AE5-8632-4871-8D36-02BB5BAAE078}_Small.jpg:KAVICHS
    ADS C:\AlbumArt_{18AE5AFB-B8DD-49B6-8C84-386CC0105FFF}_Large.jpg:KAVICHS
    ADS C:\AlbumArt_{18AE5AFB-B8DD-49B6-8C84-386CC0105FFF}_Small.jpg:KAVICHS
    ADS C:\AlbumArt_{1B865DD2-BCA6-41BA-A620-3F96FE244163}_Large.jpg:KAVICHS
    ADS C:\AlbumArt_{1B865DD2-BCA6-41BA-A620-3F96FE244163}_Small.jpg:KAVICHS
    ADS C:\AlbumArt_{1D70EF3C-9FF6-4721-8EEB-B72498B579DF}_Large.jpg:KAVICHS
    ADS C:\AlbumArt_{1D70EF3C-9FF6-4721-8EEB-B72498B579DF}_Small.jpg:KAVICHS
    ADS ...
    ADS C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat:KAVICHS
    ADS C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG:KAVICHS

    ---- EOF - GMER 1.0.12 ----


    Thanks for all the assistance...

  6. #6
    Security Expert-Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 3,934)

    Hi

    GMER pointed out that you have some services from Kaspersky antivirus still running. So you've had Kaspersky once and uninstalled it?

    The leftovers may conflict with McAfee and others and cause the freezing. We'll clean those...

    Generate a HijackThis Startup list:
    Open HijackThis:
    • Click on "Open the Misc Tools Section"
    • Check the following boxes to the right of "Generate StartupList Log":
      • List also minor sections (Full)
      • List empty sections (Complete)
    • Click "Generate StartupListLog"
    • Click "Yes" at the prompt.
    • A Notepad window will open with the contents of the HijackThis Startup list displayed
    • Copy & Paste that log to here


    You may need to use several messages so that you can post everything.
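The reading the expert gives the GMER log above (hooks placed by a driver that belongs to a product the user thinks is gone) can be mechanised. The following is an added example, not code from GMER or from this thread: a small parser for the line shapes in the posted log that groups SSDT and inline kernel hooks by the owning driver and attributes each driver to a vendor. The driver-to-vendor table is an assumption made for the example, and the sample log excerpt is constructed from a few of the lines posted above, including the line that was cut off when the log was split across posts.

```python
# Summarise a GMER rootkit-scan log by the driver that owns each hook.  Added example for
# this thread (not GMER's or the forum's code): it parses the line shapes in the posted log
# and attributes kernel hooks to a vendor, so leftovers of an uninstalled product stand out.
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Vendor attribution by driver basename; assumed for this example (klif.sys and kl1.sys
# ship with Kaspersky, mfehidk.sys with McAfee).
VENDOR_OF_DRIVER = {"klif.sys": "Kaspersky", "kl1.sys": "Kaspersky", "mfehidk.sys": "McAfee"}

TABLE_RE = re.compile(r"^(SSDT|Code)\s+(\S+)\s+(\S+)$")  # "SSDT <module> <func>" / "Code <module> <func>"
KERNEL_RE = re.compile(  # ".text ntoskrnl.exe!<func> [+ off] <addr> <n> Bytes JMP <target> <module>" or "[ bytes ]"
    r"^(?:\.text|PAGE)\s+ntoskrnl\.exe!(\S+)(?:\s+\+\s+[0-9A-F]+)?\s+([0-9A-F]{8})\s+(\d+) Bytes\s+(.*)$")
USER_RE = re.compile(  # ".text <process>[pid] <dll>!<func> <addr> <n> Bytes JMP <target>"
    r"^\.text\s+(.+?)\[(\d+)\]\s+(\S+)!(\S+)\s+([0-9A-F]{8})\s+(\d+) Bytes JMP ([0-9A-F]{8})$")
ADS_RE = re.compile(r"^ADS\s+(.+):(\S+)$")  # "ADS <path>:<stream>"
SKIP_PREFIXES = ("----", "GMER ", "Rootkit scan", "Windows ")  # banner and section headers

@dataclass
class GmerSummary:
    ssdt: dict = field(default_factory=lambda: defaultdict(set))    # driver -> {hooked syscall}
    inline: dict = field(default_factory=lambda: defaultdict(set))  # driver -> {detoured kernel func}
    patches: list = field(default_factory=list)                     # (func, addr, nbytes, raw bytes)
    user: dict = field(default_factory=lambda: defaultdict(list))   # "process[pid]" -> [dll!func]
    ads: dict = field(default_factory=lambda: defaultdict(int))     # stream name -> file count
    unparsed: list = field(default_factory=list)                    # lines no pattern accepted

def basename(path):
    # Lower-cased basename from any of the path spellings GMER prints (\??\C:\..., \SystemRoot\..., bare name).
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_gmer(text):
    s = GmerSummary()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = TABLE_RE.match(line)
        if m:
            kind, module, func = m.groups()
            (s.ssdt if kind == "SSDT" else s.inline)[basename(module)].add(func)
            continue
        m = KERNEL_RE.match(line)
        if m:
            func, addr, nbytes, rest = m.groups()
            parts = rest.split(None, 2)
            if parts[0] == "JMP" and len(parts) == 3:
                s.inline[basename(parts[2])].add(func)             # detour into a named driver
            else:
                s.patches.append((func, addr, int(nbytes), rest))  # raw byte patch, no JMP target
            continue
        m = USER_RE.match(line)
        if m:
            proc, pid, dll, func, _addr, _n, _target = m.groups()
            s.user[f"{proc}[{pid}]"].append(f"{dll}!{func}")
            continue
        m = ADS_RE.match(line)
        if m:
            s.ads[m.group(2)] += 1
            continue
        s.unparsed.append(line)  # e.g. a line truncated when the log was split across posts
    return s

def drivers_by_vendor(summary):
    # Every driver that hooks the kernel (SSDT or inline), keyed by vendor or "unknown".
    out = defaultdict(set)
    for drv in set(summary.ssdt) | set(summary.inline):
        out[VENDOR_OF_DRIVER.get(drv, "unknown")].add(drv)
    return out

def leftover_drivers(summary, uninstalled_vendor):
    # Drivers of a product the user believes uninstalled that are still hooking the kernel.
    return sorted(drivers_by_vendor(summary).get(uninstalled_vendor, set()))

# Constructed excerpt: a few lines of each section, taken from the log posted in the thread.
SAMPLE_LOG = r"""
---- System - GMER 1.0.12 ----
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwClose
SSDT kl1.sys ZwOpenFile
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[284]
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateFile
---- Kernel code sections - GMER 1.0.12 ----
.text ntoskrnl.exe!KiDispatchInterrupt + BA 804DB92E 2 Bytes JMP EF9D4D70 \??\C:\WINDOWS\system32\drivers\klif.sys
.text ntoskrnl.exe!KiDispatchInterrupt + BD 804DB931 4 Bytes [ 4F, 6F, 90, 90 ]
PAGE ntoskrnl.exe!ZwOpenKey 80567CFB 5 Bytes JMP EF10522B \SystemRoot\system32\drivers\mfehidk.sys
---- User code sections - GMER 1.0.12 ----
.text C:\WINDOWS\system32\svchost.exe[400] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00830000
.text C:\WINDOWS\system32\svchost.exe[400] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00820FE5
.text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] WS2_32.dll!bind
---- Files - GMER 1.0.12 ----
ADS C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat:KAVICHS
ADS C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG:KAVICHS
"""

if __name__ == "__main__":
    summary = parse_gmer(SAMPLE_LOG)
    for vendor, drivers in sorted(drivers_by_vendor(summary).items()):
        print(f"{vendor}: {', '.join(sorted(drivers))}")
    print("Kaspersky drivers still hooking the kernel:", leftover_drivers(summary, "Kaspersky"))
```

Run against the full log from the thread, the same call reports klif.sys and kl1.sys under Kaspersky and mfehidk.sys under McAfee; the truncated `WS2_32.dll!bind` line ends up in `unparsed` rather than silently being dropped.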

  7. #7
    Junior Member (Join Date: Jan 2007, Posts: 25)

    Yes... Kaspersky was used in the past; however, it was/should've been "uninstalled" over a year ago.

    Post #1

    StartupList report, 1/11/2007, 8:28:37 AM
    StartupList version: 1.52.2
    Started from : C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.EXE
    Detected: Windows XP SP2 (WinNT 5.01.2600)
    Detected: Internet Explorer v7.00 (7.00.5730.0011)
    * Using default options
    * Including empty and uninteresting sections
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Brmfrmps.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
    C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\PROGRA~1\McAfee\MSC\mctskshd.exe
    C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
    *No files*

    Shell folders AltStartup:
    *Folder not found*

    User shell folders Startup:
    *Folder not found*

    User shell folders AltStartup:
    *Folder not found*

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    *No files*

    Shell folders Common AltStartup:
    *Folder not found*

    User shell folders Common Startup:
    *Folder not found*

    User shell folders Alternate Common Startup:
    *Folder not found*

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    *Registry value not found*

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Sunkist2k = "C:\Program Files\Multimedia Card Reader\shwicon2k.exe"
    TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    WINDVDPatch = CTHELPER.EXE
    UpdReg = C:\WINDOWS\UpdReg.EXE
    Jet Detection = "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    [OptionalComponents]
    *No values found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .COM:
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .BAT:
    HKEY_CLASSES_ROOT\batfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .PIF:
    HKEY_CLASSES_ROOT\piffile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command

    (Default) = "%1" /S

    --------------------------------------------------

    File association entry for .HTA:
    HKEY_CLASSES_ROOT\htafile\shell\open\command

    (Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

    --------------------------------------------------

    File association entry for .TXT:
    HKEY_CLASSES_ROOT\txtfile\shell\open\command

    (Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
    StubPath = C:\WINDOWS\system32\ieudinit.exe

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

    [>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] *
    StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

    [{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

    [{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

    [{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
    StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

    [{8b15971b-5355-4c82-8c07-7e181ea07608}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

    --------------------------------------------------

    Enumerating ICQ Agent Autostart apps:
    HKCU\Software\Mirabilis\ICQ\Agent\Apps

    *Registry key not found*

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=*INI section not found*
    run=*INI section not found*

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*
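As an added example (not code from this thread, from HijackThis or from StartupList), the following Python script audits the persistence points a helper reads first in a StartupList report like the one above: UserInit, Shell, the .EXE/.COM/.BAT/.PIF/.SCR open handlers and AppInit_DLLs, compared against the Windows XP defaults, which are the values the report above shows. The report excerpts it runs on are constructed, and the altered paths in the tampered excerpt are placeholders.

```python
import re

# Baseline values are the Windows XP defaults, the values the report above shows.
EXPECTED_ASSOC = {".EXE": '"%1" %*', ".COM": '"%1" %*', ".BAT": '"%1" %*',
                  ".PIF": '"%1" %*', ".SCR": '"%1" /S'}
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe,"

def audit_startuplist(text):
    """Return findings for entries that differ from the XP defaults (empty = clean)."""
    findings, section, ext = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"File association entry for (\.\w+):", line)
        if m:                                   # e.g. "File association entry for .EXE:"
            section, ext = "assoc", m.group(1).upper()
        elif line.startswith("Checking Windows NT UserInit:"):
            section = "userinit"
        elif line.startswith("Shell & screensaver key from Registry:"):
            section = "shell"
        elif line.startswith("-----"):          # block separator in the report
            section = ext = None
        elif section == "assoc" and line.startswith("(Default) ="):
            value = line.split("=", 1)[1].strip()
            if EXPECTED_ASSOC.get(ext) not in (None, value):
                findings.append(f"{ext} association changed: {value}")
        elif section == "userinit" and line.startswith("UserInit ="):
            value = line.split("=", 1)[1].strip()
            if value.lower() != EXPECTED_USERINIT:
                findings.append(f"UserInit changed: {value}")
        elif section == "shell" and line.startswith("Shell="):
            value = line.split("=", 1)[1].strip()
            if value.lower() != "explorer.exe":
                findings.append(f"Shell changed: {value}")
        elif "AppInit_DLLs=" in line:           # DLLs here load into every process using user32.dll
            value = line.split("AppInit_DLLs=", 1)[1].strip()
            if value:
                findings.append(f"AppInit_DLLs loads: {value}")
    return findings

# Constructed excerpts in StartupList 1.52 layout, not taken from a real machine.
CLEAN = "\n".join([
    "Checking Windows NT UserInit:", "UserInit = C:\\WINDOWS\\system32\\userinit.exe,",
    "-" * 50, "File association entry for .EXE:", '(Default) = "%1" %*',
    "-" * 50, "Shell & screensaver key from Registry:", "Shell=Explorer.exe",
    "HKLM\\..\\Windows NT\\CurrentVersion\\Windows: AppInit_DLLs=",
])
# Same excerpt with the .EXE handler and the Shell value altered (placeholder paths).
TAMPERED = (CLEAN.replace('"%1" %*', '"C:\\WINDOWS\\placeholder.exe" "%1" %*')
                 .replace("Shell=Explorer.exe", "Shell=Explorer.exe,C:\\WINDOWS\\extra.exe"))
```

Running `audit_startuplist` over the full report above returns no findings, since every checked value is at its default; a non-empty result is where a helper would start looking.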
