
Thread: Can't download/install/run any anti virus...

  1. #21
    Junior Member
    Join Date
    Jan 2007
    Posts
    25


    This is (#1) of (3) posts...


    GMER 1.0.12.12011 - http://www.gmer.net
    Rootkit scan 2007-01-10 14:41:25
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.12 ----

    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwClose
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcess
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcessEx
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateSection
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateSymbolicLinkObject
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateThread
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwDuplicateObject
    SSDT kl1.sys ZwOpenFile
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenProcess
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenSection
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwQuerySystemInformation
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwResumeThread
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetContextThread
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationFile
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationProcess
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSetSecurityObject
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwSuspendThread
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwTerminateProcess
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwWriteVirtualMemory
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[284]
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[285]
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[286]
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[287]
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[288]
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[289]
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[290]
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[291]
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[292]
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[293]
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[294]
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[295]
    SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[296]

    Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateFile
    Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateKey
    Code \SystemRoot\system32\drivers\mfehidk.sys ZwDeleteKey
    Code \SystemRoot\system32\drivers\mfehidk.sys ZwDeleteValueKey
    Code \SystemRoot\system32\drivers\mfehidk.sys ZwMapViewOfSection
    Code \SystemRoot\system32\drivers\mfehidk.sys ZwOpenKey
    Code \SystemRoot\system32\drivers\mfehidk.sys ZwProtectVirtualMemory
    Code \SystemRoot\system32\drivers\mfehidk.sys ZwRenameKey
    Code \SystemRoot\system32\drivers\mfehidk.sys ZwSetValueKey
    Code \SystemRoot\system32\drivers\mfehidk.sys ZwUnmapViewOfSection
    Code \SystemRoot\system32\drivers\mfehidk.sys ZwYieldExecution
    Code \??\C:\WINDOWS\system32\drivers\klif.sys FsRtlCheckLockForReadAccess
    Code \??\C:\WINDOWS\system32\drivers\klif.sys IoIsOperationSynchronous
    Code \SystemRoot\system32\drivers\mfehidk.sys NtCreateFile
    Code \SystemRoot\system32\drivers\mfehidk.sys NtMapViewOfSection

    ---- Kernel code sections - GMER 1.0.12 ----

    .text ntoskrnl.exe!KiDispatchInterrupt + BA 804DB92E 2 Bytes JMP EF9D4D70 \??\C:\WINDOWS\system32\drivers\klif.sys
    .text ntoskrnl.exe!KiDispatchInterrupt + BD 804DB931 4 Bytes [ 4F, 6F, 90, 90 ]
    .text ntoskrnl.exe!IoIsOperationSynchronous 804E8752 5 Bytes JMP EF9D2000 \??\C:\WINDOWS\system32\drivers\klif.sys
    .text ntoskrnl.exe!ZwYieldExecution 804FB0F3 7 Bytes JMP EF1052FD \SystemRoot\system32\drivers\mfehidk.sys
    .text ntoskrnl.exe!FsRtlCheckLockForReadAccess 804FBE09 5 Bytes JMP EF9D1B70 \??\C:\WINDOWS\system32\drivers\klif.sys
    PAGE ntoskrnl.exe!ZwOpenKey 80567CFB 5 Bytes JMP EF10522B \SystemRoot\system32\drivers\mfehidk.sys
    PAGE ntoskrnl.exe!ZwCreateKey 8056E7A9 5 Bytes JMP EF10523F \SystemRoot\system32\drivers\mfehidk.sys
    PAGE ntoskrnl.exe!NtCreateFile 8056FBF8 5 Bytes JMP EF1052BF \SystemRoot\system32\drivers\mfehidk.sys
    PAGE ntoskrnl.exe!ZwUnmapViewOfSection 80571EF1 5 Bytes JMP EF105329 \SystemRoot\system32\drivers\mfehidk.sys
    PAGE ntoskrnl.exe!NtMapViewOfSection 8057236C 7 Bytes JMP EF105313 \SystemRoot\system32\drivers\mfehidk.sys
    PAGE ntoskrnl.exe!ZwProtectVirtualMemory 805730B5 7 Bytes JMP EF1052D3 \SystemRoot\system32\drivers\mfehidk.sys
    PAGE ntoskrnl.exe!ZwSetValueKey 80573C8D 7 Bytes JMP EF105295 \SystemRoot\system32\drivers\mfehidk.sys
    PAGE ntoskrnl.exe!ZwDeleteValueKey 80593AAC 7 Bytes JMP EF10527F \SystemRoot\system32\drivers\mfehidk.sys
    PAGE ntoskrnl.exe!ZwDeleteKey 80595136 7 Bytes JMP EF105253 \SystemRoot\system32\drivers\mfehidk.sys
    PAGE ntoskrnl.exe!ZwRenameKey 8064D02D 7 Bytes JMP EF105269 \SystemRoot\system32\drivers\mfehidk.sys

    ---- User code sections - GMER 1.0.12 ----

    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 0026000A
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0026007D
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0026006C
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00260F5C
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00260F6D
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 002600BD
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00260F30
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 0026001B
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 002600A2
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 0026002C
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00260FDB
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00260F41
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00340FCA
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00340076
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00340025
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00340FEF
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 0034005B
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00340FB9
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00340000
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00340040
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 00360FEF
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] WININET.dll!InternetOpenW 771CAFC2 5 Bytes JMP 00360000
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 0036001B
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 0036002C
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00F70FEF
    .text C:\PROGRA~1\WinZip\WINZIP32.EXE[388] WS2_32.dll!bind

  2. #22
    Junior Member
    Join Date
    Jan 2007
    Posts
    25


    (#2) of (3)

    71AB3E00 5 Bytes JMP 00F7000A
    .text C:\WINDOWS\system32\svchost.exe[400] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00830000
    .text C:\WINDOWS\system32\svchost.exe[400] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00830076
    .text C:\WINDOWS\system32\svchost.exe[400] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00830F8D
    .text C:\WINDOWS\system32\svchost.exe[400] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00830F72
    .text C:\WINDOWS\system32\svchost.exe[400] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 008300AC
    .text C:\WINDOWS\system32\svchost.exe[400] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00830F57
    .text C:\WINDOWS\system32\svchost.exe[400] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008300E4
    .text C:\WINDOWS\system32\svchost.exe[400] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00830011
    .text C:\WINDOWS\system32\svchost.exe[400] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 0083009B
    .text C:\WINDOWS\system32\svchost.exe[400] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00830FCA
    .text C:\WINDOWS\system32\svchost.exe[400] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00830FDB
    .text C:\WINDOWS\system32\svchost.exe[400] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 008300D3
    .text C:\WINDOWS\system32\svchost.exe[400] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00820FE5
    .text C:\WINDOWS\system32\svchost.exe[400] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00820062
    .text C:\WINDOWS\system32\svchost.exe[400] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00820036
    .text C:\WINDOWS\system32\svchost.exe[400] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 0082001B
    .text C:\WINDOWS\system32\svchost.exe[400] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00820FA5
    .text C:\WINDOWS\system32\svchost.exe[400] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00820FC0
    .text C:\WINDOWS\system32\svchost.exe[400] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00820000
    .text C:\WINDOWS\system32\svchost.exe[400] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00820051
    .text C:\WINDOWS\system32\services.exe[616] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00DD0FEF
    .text C:\WINDOWS\system32\services.exe[616] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00DD0F21
    .text C:\WINDOWS\system32\services.exe[616] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00DD001E
    .text C:\WINDOWS\system32\services.exe[616] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00DD0EEE
    .text C:\WINDOWS\system32\services.exe[616] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00DD0EFF
    .text C:\WINDOWS\system32\services.exe[616] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00DD006A
    .text C:\WINDOWS\system32\services.exe[616] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00DD0ED3
    .text C:\WINDOWS\system32\services.exe[616] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00DD0FD4
    .text C:\WINDOWS\system32\services.exe[616] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00DD0F10
    .text C:\WINDOWS\system32\services.exe[616] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00DD0F9E
    .text C:\WINDOWS\system32\services.exe[616] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00DD0FB9
    .text C:\WINDOWS\system32\services.exe[616] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00DD0045
    .text C:\WINDOWS\system32\services.exe[616] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00DC0022
    .text C:\WINDOWS\system32\services.exe[616] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00DC0062
    .text C:\WINDOWS\system32\services.exe[616] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00DC0011
    .text C:\WINDOWS\system32\services.exe[616] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00DC0000
    .text C:\WINDOWS\system32\services.exe[616] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00DC0FA5
    .text C:\WINDOWS\system32\services.exe[616] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00DC0FB6
    .text C:\WINDOWS\system32\services.exe[616] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00DC0FE5
    .text C:\WINDOWS\system32\services.exe[616] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00DC003D
    .text C:\WINDOWS\system32\services.exe[616] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00B90FE5
    .text C:\WINDOWS\system32\services.exe[616] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00B90FD4
    .text C:\WINDOWS\system32\lsass.exe[628] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00F90FEF
    .text C:\WINDOWS\system32\lsass.exe[628] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00F90F79
    .text C:\WINDOWS\system32\lsass.exe[628] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00F9006C
    .text C:\WINDOWS\system32\lsass.exe[628] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00F900AE
    .text C:\WINDOWS\system32\lsass.exe[628] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00F90F68
    .text C:\WINDOWS\system32\lsass.exe[628] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00F90F3C
    .text C:\WINDOWS\system32\lsass.exe[628] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00F90F4D
    .text C:\WINDOWS\system32\lsass.exe[628] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00F90000
    .text C:\WINDOWS\system32\lsass.exe[628] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00F90087
    .text C:\WINDOWS\system32\lsass.exe[628] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00F90FCA
    .text C:\WINDOWS\system32\lsass.exe[628] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00F90011
    .text C:\WINDOWS\system32\lsass.exe[628] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00F900BF
    .text C:\WINDOWS\system32\lsass.exe[628] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00F80FDE
    .text C:\WINDOWS\system32\lsass.exe[628] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00F80F97
    .text C:\WINDOWS\system32\lsass.exe[628] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00F80FEF
    .text C:\WINDOWS\system32\lsass.exe[628] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00F80025
    .text C:\WINDOWS\system32\lsass.exe[628] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00F8004A
    .text C:\WINDOWS\system32\lsass.exe[628] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00F80FA8
    .text C:\WINDOWS\system32\lsass.exe[628] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00F8000A
    .text C:\WINDOWS\system32\lsass.exe[628] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00F80FC3
    .text C:\WINDOWS\system32\lsass.exe[628] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00F60000
    .text C:\WINDOWS\system32\lsass.exe[628] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00F60FDB
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 008C0FE5
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 008C0F43
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 008C0036
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 008C0062
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 008C0047
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008C0EF7
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008C0084
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 008C0FD4
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 008C0F28
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 008C0FAF
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 008C000A
    .text C:\WINDOWS\system32\svchost.exe[776] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 008C0073
    .text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 008B0FC3
    .text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 008B0054
    .text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 008B0FD4
    .text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 008B0014
    .text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 008B0F97
    .text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 008B0039
    .text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 008B0FEF
    .text C:\WINDOWS\system32\svchost.exe[776] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 008B0FB2
    .text C:\WINDOWS\system32\svchost.exe[776] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00890000
    .text C:\WINDOWS\system32\svchost.exe[776] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00890011
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01B90000
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01B90073
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01B90062
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 01B90F43
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01B90F54
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01B900C6
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01B900AB
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 01B90011
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 01B90F6F
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 01B90FDB
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 01B9002C
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 01B9009A
    .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 01950FD1
    .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 01950F91
    .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 01950022
    .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 01950011
    .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 0195004E
    .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 0195003D
    .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 01950000
    .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 01950FC0

  3. #23
    Junior Member
    Join Date
    Jan 2007
    Posts
    25


    (#3) of (3)


    .text C:\WINDOWS\system32\svchost.exe[952] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01B70000
    .text C:\WINDOWS\system32\svchost.exe[952] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 01B70011
    .text C:\WINDOWS\system32\svchost.exe[952] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 01B80FE5
    .text C:\WINDOWS\system32\svchost.exe[952] WININET.dll!InternetOpenW 771CAFC2 5 Bytes JMP 01B80FD4
    .text C:\WINDOWS\system32\svchost.exe[952] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 01B80FAF
    .text C:\WINDOWS\system32\svchost.exe[952] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 01B80F9E
    .text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00750FEF
    .text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 0075006C
    .text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00750F79
    .text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00750F4A
    .text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0075008E
    .text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 007500BF
    .text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00750F28
    .text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00750000
    .text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 0075007D
    .text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00750FAF
    .text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00750FCA
    .text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00750F39
    .text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00740036
    .text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 0074007D
    .text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 0074001B
    .text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00740FE5
    .text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00740FC0
    .text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00740058
    .text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00740000
    .text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00740047
    .text C:\WINDOWS\system32\svchost.exe[1044] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00720000
    .text C:\WINDOWS\system32\svchost.exe[1044] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00720FEF
    .text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A70000
    .text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A70F8A
    .text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A7007D
    .text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A70F6F
    .text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A700B5
    .text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A700EB
    .text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A700DA
    .text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00A7001B
    .text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00A70098
    .text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00A70FDB
    .text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00A7002C
    .text C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00A70F5E
    .text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00800FBC
    .text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00800F75
    .text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00800FCD
    .text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00800FDE
    .text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00800028
    .text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00800F86
    .text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00800FEF
    .text C:\WINDOWS\system32\svchost.exe[1096] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00800FA1
    .text C:\WINDOWS\system32\svchost.exe[1096] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 007D0FEF
    .text C:\WINDOWS\system32\svchost.exe[1096] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 007D000A
    .text C:\WINDOWS\system32\svchost.exe[1096] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 007E0000
    .text C:\WINDOWS\system32\svchost.exe[1096] WININET.dll!InternetOpenW 771CAFC2 5 Bytes JMP 007E001B
    .text C:\WINDOWS\system32\svchost.exe[1096] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 007E0FE5
    .text C:\WINDOWS\system32\svchost.exe[1096] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 007E0FD4
    .text C:\WINDOWS\explorer.exe[3812] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001A0FEF
    .text C:\WINDOWS\explorer.exe[3812] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001A005B
    .text C:\WINDOWS\explorer.exe[3812] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001A0F68
    .text C:\WINDOWS\explorer.exe[3812] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001A0087
    .text C:\WINDOWS\explorer.exe[3812] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001A0F4D
    .text C:\WINDOWS\explorer.exe[3812] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001A0098
    .text C:\WINDOWS\explorer.exe[3812] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001A0F0B
    .text C:\WINDOWS\explorer.exe[3812] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 001A0FD4
    .text C:\WINDOWS\explorer.exe[3812] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 001A006C
    .text C:\WINDOWS\explorer.exe[3812] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 001A0FB9
    .text C:\WINDOWS\explorer.exe[3812] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 001A0000
    .text C:\WINDOWS\explorer.exe[3812] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 001A0F1C
    .text C:\WINDOWS\explorer.exe[3812] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00290FA8
    .text C:\WINDOWS\explorer.exe[3812] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00290F6B
    .text C:\WINDOWS\explorer.exe[3812] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00290FB9
    .text C:\WINDOWS\explorer.exe[3812] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00290FD4
    .text C:\WINDOWS\explorer.exe[3812] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00290F7C
    .text C:\WINDOWS\explorer.exe[3812] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00290F97
    .text C:\WINDOWS\explorer.exe[3812] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00290FE5
    .text C:\WINDOWS\explorer.exe[3812] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 0029001E
    .text C:\WINDOWS\explorer.exe[3812] WININET.dll!InternetOpenA 771CA6DD 5 Bytes JMP 002B0FEF
    .text C:\WINDOWS\explorer.exe[3812] WININET.dll!InternetOpenW 771CAFC2 5 Bytes JMP 002B0014
    .text C:\WINDOWS\explorer.exe[3812] WININET.dll!InternetOpenUrlA 771CC8BD 5 Bytes JMP 002B0FD4
    .text C:\WINDOWS\explorer.exe[3812] WININET.dll!InternetOpenUrlW 77215A51 5 Bytes JMP 002B0FC3
    .text C:\WINDOWS\explorer.exe[3812] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01180FEF
    .text C:\WINDOWS\explorer.exe[3812] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 01180FD4

    ---- Files - GMER 1.0.12 ----

    ADS C:\200601_Retail_Forecast_Shannon_Gregg(1).xls:KAVICHS
    ADS C:\AlbumArt_{0AFE16AC-6E14-4760-B176-FD8E7CCA390D}_Large.jpg:KAVICHS
    ADS C:\AlbumArt_{0AFE16AC-6E14-4760-B176-FD8E7CCA390D}_Small.jpg:KAVICHS
    ADS C:\AlbumArt_{162B0AE5-8632-4871-8D36-02BB5BAAE078}_Large.jpg:KAVICHS
    ADS C:\AlbumArt_{162B0AE5-8632-4871-8D36-02BB5BAAE078}_Small.jpg:KAVICHS
    ADS C:\AlbumArt_{18AE5AFB-B8DD-49B6-8C84-386CC0105FFF}_Large.jpg:KAVICHS
    ADS C:\AlbumArt_{18AE5AFB-B8DD-49B6-8C84-386CC0105FFF}_Small.jpg:KAVICHS
    ADS C:\AlbumArt_{1B865DD2-BCA6-41BA-A620-3F96FE244163}_Large.jpg:KAVICHS
    ADS C:\AlbumArt_{1B865DD2-BCA6-41BA-A620-3F96FE244163}_Small.jpg:KAVICHS
    ADS C:\AlbumArt_{1D70EF3C-9FF6-4721-8EEB-B72498B579DF}_Large.jpg:KAVICHS
    ADS C:\AlbumArt_{1D70EF3C-9FF6-4721-8EEB-B72498B579DF}_Small.jpg:KAVICHS
    ADS ...
    ADS C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat:KAVICHS
    ADS C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG:KAVICHS

    ---- EOF - GMER 1.0.12 ----


    Thanks for all the assistance...

  4. #24
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934


    Hi

    GMER pointed out that you have some services from Kaspersky antivirus still running. So you've had Kaspersky once and uninstalled it?

    The leftovers may conflict with McAfee and others and cause the freezing. We'll clean those...

    Generate a HijackThis Startup list:
    Open HijackThis:
    • Click on "Open the Misc Tools Section"
    • Check the following boxes to the right of "Generate StartupList Log":
      • List also minor sections (Full)
      • List empty sections (Complete)
    • Click "Generate StartupListLog"
    • Click "Yes" at the prompt.
    • A Notepad window will open with the contents of the HijackThis Startup list displayed
    • Copy & paste that log here


    You may need to use several messages so that you can post everything.
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006
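The diagnosis in the post above comes from reading the GMER "System" and "Kernel code sections" blocks and noticing which driver each hook resolves to (klif.sys and kl1.sys for Kaspersky, mfehidk.sys for McAfee). As an added example, not code from this thread or from GMER itself, the Python below parses lines in the format GMER 1.0.12 prints, groups kernel hooks by driver, and reports drivers whose vendor is not in the set of products the owner says are installed. The sample log is a constructed subset of the log posted in this thread, and the driver-to-vendor lookup table is an illustrative assumption, not something GMER provides.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Constructed subset of the GMER 1.0.12 log posted in this thread.
SAMPLE_LOG = r"""
---- System - GMER 1.0.12 ----

SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwClose
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcess
SSDT kl1.sys ZwOpenFile
SSDT \??\C:\WINDOWS\system32\drivers\klif.sys SSDT[284]

Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateFile
Code \??\C:\WINDOWS\system32\drivers\klif.sys IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!KiDispatchInterrupt + BA 804DB92E 2 Bytes JMP EF9D4D70 \??\C:\WINDOWS\system32\drivers\klif.sys
.text ntoskrnl.exe!KiDispatchInterrupt + BD 804DB931 4 Bytes [ 4F, 6F, 90, 90 ]
PAGE ntoskrnl.exe!ZwOpenKey 80567CFB 5 Bytes JMP EF10522B \SystemRoot\system32\drivers\mfehidk.sys

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\system32\svchost.exe[400] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00830000
"""

# Illustrative driver-to-vendor lookup (assumption for this example, not exhaustive).
KNOWN_VENDOR_DRIVERS = {
    "klif.sys": "Kaspersky",
    "kl1.sys": "Kaspersky",
    "mfehidk.sys": "McAfee",
}

# "SSDT <module> <function>" and "Code <module> <function>" lines.
SSDT_RE = re.compile(r"^(?P<kind>SSDT|Code)\s+(?P<module>\S+)\s+(?P<func>\S+)$")
# Inline kernel patches whose JMP target GMER resolved to a driver module.
KERNEL_RE = re.compile(
    r"^(?P<section>\S+)\s+(?P<symbol>\S+?(?:\s\+\s[0-9A-F]+)?)\s+(?P<addr>[0-9A-F]{8})\s+"
    r"(?P<size>\d+) Bytes JMP (?P<target>[0-9A-F]{8})\s+(?P<module>\S+)$"
)
# User-mode API hooks; GMER gives only the JMP target, not a module, so they are keyed by process.
USER_RE = re.compile(
    r"^\S+\s+(?P<process>.+?\[\d+\])\s+(?P<api>\S+!\S+)\s+[0-9A-F]{8}\s+\d+ Bytes JMP [0-9A-F]{8}$"
)


def basename(path: str) -> str:
    """Reduce \\??\\C:\\...\\klif.sys or \\SystemRoot\\...\\mfehidk.sys to a lowercase file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def summarize_gmer(log: str) -> dict:
    """Group kernel hooks by driver, user-mode hooks by process, and keep unparsed lines."""
    kernel_hooks: dict[str, set[str]] = defaultdict(set)
    user_hooks: dict[str, set[str]] = defaultdict(set)
    unparsed: list[str] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):  # blank lines and section banners
            continue
        if (m := SSDT_RE.match(line)):
            kernel_hooks[basename(m["module"])].add(m["func"])
        elif (m := KERNEL_RE.match(line)):
            kernel_hooks[basename(m["module"])].add(m["symbol"])
        elif (m := USER_RE.match(line)):
            user_hooks[m["process"]].add(m["api"])
        else:
            unparsed.append(line)  # e.g. byte patches with no resolved JMP target
    vendors = {drv: KNOWN_VENDOR_DRIVERS.get(drv, "unknown") for drv in kernel_hooks}
    return {
        "kernel_hooks": dict(kernel_hooks),
        "user_hooks": dict(user_hooks),
        "vendors": vendors,
        "unparsed": unparsed,
    }


def unexpected_vendors(summary: dict, installed: set[str]) -> dict[str, list[str]]:
    """Vendors (including 'unknown') hooking the kernel that are not in the installed set."""
    out: dict[str, list[str]] = defaultdict(list)
    for drv, vendor in summary["vendors"].items():
        if vendor not in installed:
            out[vendor].append(drv)
    return {vendor: sorted(drivers) for vendor, drivers in out.items()}


if __name__ == "__main__":
    s = summarize_gmer(SAMPLE_LOG)
    for drv, funcs in sorted(s["kernel_hooks"].items()):
        print(f"{drv:12} {s['vendors'][drv]:10} {len(funcs)} kernel hooks")
    print("hooking drivers not matching installed products:", unexpected_vendors(s, {"McAfee"}))
```

Run against the constructed sample with only McAfee declared as installed, the summary attributes the Kaspersky hooks to klif.sys and kl1.sys, which is exactly the leftover the helper asks about; lines GMER prints without a resolved module (such as the raw byte patch) are kept in `unparsed` rather than dropped, so nothing in the log is silently ignored.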

  5. #25
    Junior Member
    Join Date
    Jan 2007
    Posts
    25


    Yes...Kaspersky was used in the past, however, it was/should've been "uninstalled" over a year ago.

    Post #1

    StartupList report, 1/11/2007, 8:28:37 AM
    StartupList version: 1.52.2
    Started from : C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.EXE
    Detected: Windows XP SP2 (WinNT 5.01.2600)
    Detected: Internet Explorer v7.00 (7.00.5730.0011)
    * Using default options
    * Including empty and uninteresting sections
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Brmfrmps.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
    C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\PROGRA~1\McAfee\MSC\mctskshd.exe
    C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
    *No files*

    Shell folders AltStartup:
    *Folder not found*

    User shell folders Startup:
    *Folder not found*

    User shell folders AltStartup:
    *Folder not found*

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    *No files*

    Shell folders Common AltStartup:
    *Folder not found*

    User shell folders Common Startup:
    *Folder not found*

    User shell folders Alternate Common Startup:
    *Folder not found*

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    *Registry value not found*

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Sunkist2k = "C:\Program Files\Multimedia Card Reader\shwicon2k.exe"
    TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    WINDVDPatch = CTHELPER.EXE
    UpdReg = C:\WINDOWS\UpdReg.EXE
    Jet Detection = "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    [OptionalComponents]
    *No values found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .COM:
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .BAT:
    HKEY_CLASSES_ROOT\batfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .PIF:
    HKEY_CLASSES_ROOT\piffile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command

    (Default) = "%1" /S

    --------------------------------------------------

    File association entry for .HTA:
    HKEY_CLASSES_ROOT\htafile\shell\open\command

    (Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

    --------------------------------------------------

    File association entry for .TXT:
    HKEY_CLASSES_ROOT\txtfile\shell\open\command

    (Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
    StubPath = C:\WINDOWS\system32\ieudinit.exe

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

    [>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] *
    StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

    [{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

    [{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

    [{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
    StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

    [{8b15971b-5355-4c82-8c07-7e181ea07608}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

    --------------------------------------------------

    Enumerating ICQ Agent Autostart apps:
    HKCU\Software\Mirabilis\ICQ\Agent\Apps

    *Registry key not found*

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=*INI section not found*
    run=*INI section not found*

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

  6. #26
    Junior Member, Join Date: Jan 2007, Posts: 25

    Post 2 of 3

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present
    C:\WINDOWS\Fonts\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Verifying REGEDIT.EXE integrity:

    - Regedit.exe found in C:\WINDOWS
    - .reg open command is normal (regedit.exe %1)
    - Company name OK: 'Microsoft Corporation'
    - Original filename OK: 'REGEDIT.EXE'
    - File description: 'Registry Editor'

    Registry check passed

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\Program Files\SiteAdvisor\4979\SiteAdv.dll - {089FD14D-132B-48FC-8861-0048AE113215}
    (no name) - C:\Program Files\Yahoo!\Common\yiesrvc.dll - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
    (no name) - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
    scriptproxy - c:\program files\mcafee\virusscan\scriptcl.dll - {7DB2D5A0-7241-4E79-B68D-6309F01C5231}
    (no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    McDefragTask.job
    McQcTask.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Windows Genuine Advantage Validation Tool]
    InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
    CODEBASE = http://download.microsoft.com/downlo...eckControl.cab

    [{1F2F4C9E-6F09-47BC-970D-3C54734667FE}]
    CODEBASE = http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab

    [Groove Control]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\OTOYAX.dll
    CODEBASE = http://atv.disney.go.com/global/down.../OTOYAX29b.cab

    [Java Plug-in 1.5.0_09]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jin...ndows-i586.cab

    [ZoneIntro Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZIntro.ocx
    CODEBASE = http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab

    [{C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3}]
    CODEBASE = http://a532.g.akamai.net/f/532/6712/.../installer.exe

    [Java Plug-in 1.5.0_09]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jin...ndows-i586.cab

    [Java Plug-in 1.5.0_09]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jin...ndows-i586.cab

    [ActiveDataInfo Class]
    CODEBASE = http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab

    [{D4323BF2-006A-4440-A2F5-27E3E7AB25F8}]
    CODEBASE = http://a532.g.akamai.net/f/532/6712/.../installer.exe

    --------------------------------------------------

    Enumerating Winsock LSP files:

    NameSpace #1: C:\WINDOWS\System32\mswsock.dll
    NameSpace #2: C:\WINDOWS\System32\winrnr.dll
    NameSpace #3: C:\WINDOWS\System32\mswsock.dll
    Protocol #1: SpSubLSP.dll (file MISSING)
    Protocol #2: SpSubLSP.dll (file MISSING)
    Protocol #3: SpSubLSP.dll (file MISSING)
    Protocol #4: SpSubLSP.dll (file MISSING)
    Protocol #5: SpSubLSP.dll (file MISSING)
    Protocol #6: C:\WINDOWS\system32\mswsock.dll
    Protocol #7: C:\WINDOWS\system32\mswsock.dll
    Protocol #8: C:\WINDOWS\system32\mswsock.dll
    Protocol #9: C:\WINDOWS\system32\rsvpsp.dll
    Protocol #10: C:\WINDOWS\system32\rsvpsp.dll
    Protocol #11: SpSubLSP.dll (file MISSING)
    Protocol #12: C:\WINDOWS\system32\mswsock.dll
    Protocol #13: C:\WINDOWS\system32\mswsock.dll
    Protocol #14: C:\WINDOWS\system32\mswsock.dll
    Protocol #15: C:\WINDOWS\system32\mswsock.dll
    Protocol #16: C:\WINDOWS\system32\mswsock.dll
    Protocol #17: C:\WINDOWS\system32\mswsock.dll
    Protocol #18: C:\WINDOWS\system32\mswsock.dll
    Protocol #19: C:\WINDOWS\system32\mswsock.dll
    Protocol #20: C:\WINDOWS\system32\mswsock.dll
    Protocol #21: C:\WINDOWS\system32\mswsock.dll

  7. #27
    Junior Member, Join Date: Jan 2007, Posts: 25

    Post 3 of 3

    --------------------------------------------------

    Enumerating Windows NT/2000/XP services

    Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
    Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
    AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
    Agere Systems Soft Modem: System32\DRIVERS\AGRSM.sys (manual start)
    Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
    Service for WDM 3D Audio Driver: system32\drivers\ALCXSENS.SYS (manual start)
    Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
    Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
    Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
    AMD K7 Processor Driver: System32\DRIVERS\amdk7.sys (system)
    Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (manual start)
    RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
    Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
    ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
    Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
    Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    BACKPACK Finder: system32\DRIVERS\bpfinder.sys (system)
    BACKPACK Filter: system32\DRIVERS\bpflt.sys (manual start)
    BACKPACK PC Card: system32\DRIVERS\bppccard.sys (manual start)
    BACKPACK Driver: system32\DRIVERS\bppnpdrv.sys (manual start)
    BACKPACK USB 1 Cable: system32\DRIVERS\bpusbdrv.sys (manual start)
    BACKPACK USB Filter: System32\DRIVERS\bpusbflt.sys (manual start)
    Brother MFC Filter Driver: System32\Drivers\Brfilt.sys (manual start)
    Brother Popup Suspend service for Resource manager: "C:\WINDOWS\system32\Brmfrmps.exe" -service (autostart)
    BrSplService: C:\WINDOWS\system32\brsvc01a.exe (disabled)
    Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Brother WDM Serial driver: System32\Drivers\BrSerWdm.sys (manual start)
    Brother MFC USB Fax Only Modem: System32\Drivers\BrUsbMdm.sys (manual start)
    Brother MFC USB Scanner driver: System32\Drivers\BrUsbScn.sys (manual start)
    CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
    Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
    ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
    .NET Runtime Optimization Service v2.0.50727_X86: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (manual start)
    COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
    Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Creative AC3 Software Decoder: System32\drivers\ctac32k.sys (manual start)
    Creative Audio Driver (WDM): system32\drivers\ctaud2k.sys (manual start)
    Creative SBLive! Gameport: System32\DRIVERS\ctljystk.sys (manual start)
    Creative Proxy Driver: System32\drivers\ctprxy2k.sys (manual start)
    Creative SoundFont Management Device Driver: System32\drivers\ctsfm2k.sys (manual start)
    DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
    DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Disk Driver: System32\DRIVERS\disk.sys (system)
    Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
    dmboot: System32\drivers\dmboot.sys (disabled)
    dmio: System32\drivers\dmio.sys (disabled)
    dmload: System32\drivers\dmload.sys (disabled)
    Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
    DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
    Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
    McAfee E-mail Proxy: C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe (manual start)
    Creative SB Live! (WDM): system32\drivers\emu10k1m.sys (manual start)
    Creative Interface Manager Driver (WDM): system32\drivers\ctlfacem.sys (manual start)
    E-mu Plug-in Architecture Driver: System32\drivers\emupia2k.sys (manual start)
    EraserUtilRebootDrv: \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (manual start)
    Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
    fasttx2k: System32\DRIVERS\fasttx2k.sys (system)
    Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Fax: %systemroot%\system32\fxssvc.exe (manual start)
    Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
    Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
    FltMgr: system32\drivers\fltmgr.sys (system)
    Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
    Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
    gmer: System32\DRIVERS\gmer.sys (manual start)
    Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
    Creative Hardware Abstract Layer Driver: system32\drivers\ha10kx2k.sys (manual start)
    Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    IEEE-1284.4 Driver HPZid412: system32\DRIVERS\HPZid412.sys (manual start)
    Print Class Driver for IEEE-1284.4 HPZipr12: system32\DRIVERS\HPZipr12.sys (manual start)
    USB to IEEE-1284.4 Translation Driver HPZius12: system32\DRIVERS\HPZius12.sys (manual start)
    HTTP: System32\Drivers\HTTP.sys (manual start)
    HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
    i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
    ialm: System32\DRIVERS\ialmnt5.sys (manual start)
    InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
    CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
    IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
    IntelIde: System32\DRIVERS\intelide.sys (system)
    Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
    IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
    IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (autostart)
    IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
    IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
    iPodService: C:\Program Files\iPod\bin\iPodService.exe (manual start)
    IPSEC driver: System32\DRIVERS\ipsec.sys (system)
    IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
    PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
    kavsvc: "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe" (disabled)
    Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
    Kl1: system32\drivers\kl1.sys (system)
    Klif: \??\C:\WINDOWS\system32\drivers\klif.sys (system)
    Klmc: System32\drivers\klmc.sys (system)
    Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
    Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    McAfee HackerWatch Service: "C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe" (autostart)
    McAfee Log Manager: C:\PROGRA~1\McAfee\MSC\mclogsrv.exe (autostart)
    McAfee Update Manager: C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe (autostart)
    McAfee Network Agent: "c:\program files\common files\mcafee\mna\mcnasvc.exe" (autostart)
    McAfee Scanner: C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe (autostart)
    McAfee Protection Manager: C:\PROGRA~1\McAfee\MSC\mcpromgr.exe (autostart)
    McAfee Redirector Service: c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe (autostart)
    McAfee Real-time Scanner: C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (autostart)
    McAfee SystemGuards: C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (autostart)
    McAfee Task Scheduler: C:\PROGRA~1\McAfee\MSC\mctskshd.exe (autostart)
    McAfee User Manager: C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe (autostart)
    Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    mf: System32\DRIVERS\mf.sys (manual start)
    McAfee Inc.: system32\drivers\mfeavfk.sys (manual start)
    McAfee Inc.: system32\drivers\mfebopk.sys (manual start)
    McAfee Inc.: system32\drivers\mfehidk.sys (manual start)
    McAfee Inc.: system32\drivers\mferkdk.sys (manual start)
    McAfee Inc.: system32\drivers\mfesmfk.sys (manual start)
    NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
    Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
    MPFP: System32\Drivers\Mpfp.sys (system)
    McAfee Personal Firewall Service: "C:\Program Files\McAfee\MPF\MPFSrv.exe" (autostart)
    WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
    MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
    Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
    Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
    Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
    Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
    Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
    Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
    Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
    NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
    Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
    NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
    NetBT: System32\DRIVERS\netbt.sys (system)
    Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
    Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
    Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
    Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
    Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    nv: System32\DRIVERS\nv4_mini.sys (manual start)
    NVIDIA nForce AGP Bus Filter: System32\DRIVERS\nv_agp.sys (system)
    IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
    IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
    Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
    Creative OS Services Driver: system32\drivers\ctoss2k.sys (manual start)
    Parallel port driver: System32\DRIVERS\parport.sys (manual start)
    PCI Bus Driver: System32\DRIVERS\pci.sys (system)
    PCIIde: \SystemRoot\System32\DRIVERS\pciide.sys (disabled)
    Padus ASPI Shell: \??\C:\WINDOWS\System32\drivers\pfc.sys (manual start)
    PfModNT: \??\C:\WINDOWS\system32\PfModNT.sys (autostart)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    Pml Driver HPZ12: C:\WINDOWS\system32\HPZipm12.exe (autostart)
    IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
    WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
    Processor Driver: System32\DRIVERS\processr.sys (system)
    Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
    PS2: System32\DRIVERS\PS2.sys (manual start)
    QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
    Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
    PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
    Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
    Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
    Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
    Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
    Rdbss: System32\DRIVERS\rdbss.sys (system)
    RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
    Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
    Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
    Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
    Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver: System32\DRIVERS\R8139n51.SYS (manual start)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Secdrv: System32\DRIVERS\secdrv.sys (manual start)
    Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
    Serial port driver: System32\DRIVERS\serial.sys (system)
    Creative SoundFont Manager Driver (WDM): system32\drivers\sfmanm.sys (manual start)
    Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    SiS315: System32\DRIVERS\sisgrp.sys (manual start)
    SiS AGP Filter: System32\DRIVERS\SISAGPX.sys (system)
    SiSkp: System32\DRIVERS\srvkp.sys (system)
    SiteAdvisor Service: C:\Program Files\SiteAdvisor\4608\SAService.exe (autostart)
    Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
    System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Srv: System32\DRIVERS\srv.sys (manual start)
    SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
    Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
    Alcor Micro Corp - 9360: \??\C:\WINDOWS\System32\Drivers\sunkfilt.sys (manual start)
    HP && Alcor Micro Corp for Phison: \??\C:\WINDOWS\System32\Drivers\sunkfiltp.sys (manual start)
    Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
    Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
    MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{AA15C0AD-C142-4AF5-B6C1-D6301B6A8C15} (manual start)
    symlcbrd: \??\C:\WINDOWS\system32\drivers\symlcbrd.sys (autostart)
    Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
    Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
    Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
    Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
    Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
    Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
    Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
    Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
    Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
    Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
    USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
    Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
    Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
    USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
    USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
    Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
    Messenger Sharing USN Journal Reader service: C:\WINDOWS\system32\svchost.exe -k usnsvc (manual start)
    VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
    VIA AGP Filter: System32\DRIVERS\viaagp1.sys (system)
    viagfx: System32\DRIVERS\vtmini.sys (manual start)
    ViaIde: \SystemRoot\System32\DRIVERS\viaide.sys (disabled)
    Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
    Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
    Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
    WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
    Windows Media Player Network Sharing Service: "C:\Program Files\Windows Media Player\WMPNetwk.exe" (manual start)
    Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (system)
    Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Windows Driver Foundation - User-mode Driver Framework Platform Driver: system32\DRIVERS\WudfPf.sys (manual start)
    Windows Driver Foundation - User-mode Driver Framework Reflector: system32\DRIVERS\wudfrd.sys (manual start)
    Windows Driver Foundation - User-mode Driver Framework: %SystemRoot%\system32\svchost.exe -k WudfServiceGroup (manual start)
    Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Intel(R) Graphics Platform (SoftBIOS) Driver: system32\drivers\ialmsbw.sys (manual start)
    Intel(R) Graphics Chipset (KCH) Driver: system32\drivers\ialmkchw.sys (manual start)

  8. #28
    Junior Member
    Join Date
    Jan 2007
    Posts
    25

    Default

    Post #3 (cont'd)

    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: C:\DOCUME~1\Owner\LOCALS~1\Temp\~GLH0000.TMP => C:\DOCUME~1\Owner\LOCALS~1\Temp\gtapi.dll|C:\DOCUME~1\Owner\LOCALS~1\Temp\~GLH0001.TMP => C:\DOCUME~1\Owner\LOCALS~1\Temp\GoogleInstall.dll|||

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\system32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll
    WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

    --------------------------------------------------
    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    *No values found*

    --------------------------------------------------

    End of report, 38,515 bytes
    Report generated in 1.922 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only

  9. #29
    Junior Member
    Join Date
    Jan 2007
    Posts
    25

    Default

    FYI... McAfee VirusScan '07 should be the only A/V installed and running. Please advise if you see others.

  10. #30
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Hi, good work.

    OK let's get rid of Kaspersky leftovers...

    Please download KisKav6Remove.zip
    to your desktop. Unzip all the contents to e.g. the C:\KavRemover folder.

    Restart the computer in Safe Mode.
    Go to the C:\KavRemover folder and run the file "avp_remove.cmd".

    Reboot into Normal Mode.

    Let me know how the PC is running.
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006
