Unsolved
22 Posts
June 9th, 2008 22:00
Generic.dx trojan is wreaking havoc with my Latitude 620 laptop...Help please.
Requesting Assistance: McAfee can't remove generic.dx trojan
I want to thank you in advance for your help, it is deeply appreciated.
I have a Dell latitude D620 laptop. I'm running Win XP Professional, service pack 3 (v.3311). I use IE 7 as my internet browser. I use McAfee security center ver. 8.0 (build 8.0.247) and McAfee VirusScan ver. 12.0 (build 12.0.177), DAT version 5312 (created 6/6/08), Engine version 5200.2160.
Within the last week, after trying to open Windows Explorer, McAfee VirusScan, running in real time, gave me the following alert:
"McAfee has automatically blocked and removed a Trojan.
About this Trojan:
Detection name: Generic.dx (Trojan), Generic.dx (Trojan)
File: C:\WINDOWS\system32\cfgmgr3.dll
Process: C:\WINDOWS\Explorer.EXE
Process description: Windows Explorer"
This alert happens every time I try to launch Windows Explorer. I updated my virus definitions and I ran a manual McAfee scan. The scanner detected the same trojan and file, however it could not remove it or delete it. When I try to manually delete the cfgmgr3.dll file from my system32 directory, I get a system error that says that I can't modify or move that file.
I should also mention that whenever I try to launch IE 7, it would open and then after a few seconds it would automatically close. This happens every time I launch IE 7 since I have been infected with the trojan.
So far I have done the following:
1) Uninstalled Win XP Service Pack 3 and downgraded to Service Pack 2. Reason: I was using the release candidate version of SP3 and thought that maybe this would help. It didn't.
2) Reinstalled Internet Explorer 7. Reason: Every time I try to launch IE7 it would open for a few seconds and then close. Reinstalling the application did not help. I currently do not have a functional browser.
I ran the HJT scan. Below are the results. I humbly plead for someone to review this. I am more than willing to barter professional services in the future. Thank you.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:31 AM, on 6/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.914.9778\swg.dll
O2 - BHO: (no name) - {C5F506DF-836B-41A3-A6D2-7A5A4C3BF1DF} - C:\WINDOWS\system32\cfgmgr3.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http:\\desktop.private
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1186683090018
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1186682995488
O17 - HKLM\System\CCS\Services\Tcpip\..\{107E4C5A-2AFF-4948-A814-A48A0F5AB5EF}: NameServer = 204.127.198.19,63.240.76.19,66.75.164.90
O17 - HKLM\System\CS1\Services\Tcpip\..\{107E4C5A-2AFF-4948-A814-A48A0F5AB5EF}: NameServer = 204.127.198.19,63.240.76.19,66.75.164.90
O17 - HKLM\System\CS4\Services\Tcpip\..\{107E4C5A-2AFF-4948-A814-A48A0F5AB5EF}: NameServer = 204.127.198.19,63.240.76.19,66.75.164.90
O17 - HKLM\System\CS5\Services\Tcpip\..\{107E4C5A-2AFF-4948-A814-A48A0F5AB5EF}: NameServer = 204.127.198.19,63.240.76.19,66.75.164.90
O20 - AppInit_DLLs:
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 10225 bytes
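The entries that matter in the log above are the O2 line for cfgmgr3.dll and the O17 NameServer lines. A BHO is a COM object that Internet Explorer, and on XP also Windows Explorer, loads into its own process; that is why the file is reported as in use when deleted in place, and why it keeps appearing under Process: Explorer.EXE. The script below is an added example, not part of the original post, of HijackThis or of McAfee: it reads HJT-style lines and applies the triage a helper would do by hand. The sample lines are copied from the posted log; the severity rules are this example's own assumptions, and the O17 servers are only listed for the poster to confirm against their ISP, not judged.

```python
"""Triage a HijackThis 2.0 log for the indicator types discussed in this thread.

Added example; the classification rules are assumptions of this script and
not HijackThis output. SAMPLE_LOG is a constructed subset of the posted log.
"""
import re
from dataclasses import dataclass

# Constructed sample: one or two lines per HJT section type, copied from the log above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C5F506DF-836B-41A3-A6D2-7A5A4C3BF1DF} - C:\WINDOWS\system32\cfgmgr3.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{107E4C5A-2AFF-4948-A814-A48A0F5AB5EF}: NameServer = 204.127.198.19,63.240.76.19,66.75.164.90
O20 - AppInit_DLLs:
"""

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
DNS_RE = re.compile(r"NameServer = (?P<servers>[0-9.,]+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")


@dataclass(frozen=True)
class Finding:
    section: str
    severity: str   # "high", "low", "review" or "info" (this script's own scale)
    subject: str    # CLSID, Run-key value name or interface GUID
    detail: str
    raw: str


def _split_cmd(cmd: str) -> tuple[str, str]:
    """Split a Run-key command into (executable, arguments), honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
        return cmd[1:], ""
    parts = cmd.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], (parts[1] if len(parts) > 1 else "")


def _is_qualified(path: str) -> bool:
    """True when the path names a directory (or an env var) instead of relying on search order."""
    return "\\" in path or path.startswith("%")


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m["section"], m["body"]
        if section == "O2":
            b = BHO_RE.match(body)
            if not b:
                continue
            if b["target"] == "(no file)":
                findings.append(Finding("O2", "low", b["clsid"],
                                        "orphaned BHO registration, DLL is gone; remove the key", raw))
            elif b["name"] == "(no name)":
                findings.append(Finding("O2", "high", b["clsid"],
                                        f"unnamed BHO loads {b['target']} into Explorer and IE; "
                                        "unregister the CLSID (or boot to safe mode) before deleting", raw))
        elif section == "O4":
            r = RUN_RE.match(body)
            if not r:
                continue
            exe, args = _split_cmd(r["cmd"])
            # rundll32 is only a host; the path that matters is the DLL it is told to load.
            target = args.split(",", 1)[0].strip().strip('"') if exe.lower().endswith("rundll32.exe") else exe
            if target and not _is_qualified(target):
                findings.append(Finding("O4", "review", r["name"],
                                        f"{target!r} has no directory and is found by search order; "
                                        "confirm which copy actually runs", raw))
        elif section == "O17":
            d = DNS_RE.search(body)
            if d:
                iface = GUID_RE.search(body)
                findings.append(Finding("O17", "info", iface.group(0) if iface else "?",
                                        f"DNS servers {d['servers']}; confirm they belong to your ISP", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section} {f.subject}: {f.detail}")
```

Run against the full posted log the same rules produce exactly one high finding, the cfgmgr3.dll BHO, plus the orphaned {7E853D72-...} entry, the two unqualified Run entries (stsystra.exe and nvHotkey.dll) for verification, and the O17 server list to check against the ISP. Nothing here decides that an entry is malicious; it only narrows what a human has to look at.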
bamajim
10.4K Posts
June 9th, 2008 22:00
1. Go HERE and download File Lister.
Rt Click ->> Extract all ->> And extract it to your Desktop
Additional help on extracting zip files can be found HERE
Open the File Lister Folder.
Rt Click FileLister.vbe ->>Select Open Then Open to confirm.
As the program runs, it will appear that nothing is happening.
When the program is finished it will produce a log for you: C:\Files.txt
Copy and paste the contents of that log in your reply.
"The world is what you make of it"
Blkthght06
22 Posts
June 9th, 2008 23:00
Part 2:
=== Running Processes ======
System Idle Process [0]
System [4]
smss.exe [496] \SystemRoot\System32\smss.exe
csrss.exe [892]
winlogon.exe [920] winlogon.exe
services.exe [964] C:\WINDOWS\system32\services.exe
lsass.exe [976] C:\WINDOWS\system32\lsass.exe
svchost.exe [1144] C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe [1212]
svchost.exe [1252] C:\WINDOWS\System32\svchost.exe -k netsvcs
EvtEng.exe [1316] "C:\Program Files\Intel\Wireless\Bin\EvtEng.exe"
S24EvMon.exe [1388] "C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe"
WLKEEPER.exe [1412] "C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe"
svchost.exe [1528]
svchost.exe [1608]
spoolsv.exe [1804] C:\WINDOWS\system32\spoolsv.exe
scardsvr.exe [1860]
AppleMobileDeviceService.exe [1912] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
btwdins.exe [1936] "C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe"
svchost.exe [2028] C:\WINDOWS\System32\svchost.exe -k HTTPFilter
mcmscsvc.exe [260] C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
McNASvc.exe [320] "c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe"
McProxy.exe [348] c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
Mcshield.exe [452] C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
MDM.EXE [588] "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"
nvsvc32.exe [668] C:\WINDOWS\system32\nvsvc32.exe
RegSrvc.exe [708] "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe"
wmpnetwk.exe [1032]
explorer.exe [2436] C:\WINDOWS\Explorer.EXE
alg.exe [2680]
mcagent.exe [2776] C:\PROGRA~1\McAfee.com\Agent\mcagent.exe -Embedding
UdaterUI.exe [3368] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
ZCfgSvc.exe [3436] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
iFrmewrk.exe [3472] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
stsystra.exe [3492] "C:\WINDOWS\stsystra.exe"
Apoint.exe [3512] "C:\Program Files\Apoint\Apoint.exe"
PDVDDXSrv.exe [3524] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
rundll32.exe [3552] "C:\WINDOWS\system32\rundll32.exe" nvHotkey.dll,Start
wuauclt.exe [3680] "C:\WINDOWS\system32\wuauclt.exe" /RunStoreAsComServer Local\[4e4]SUSDS454ba00dbe2fdf4a984ab49c37d53fe4
hidfind.exe [3696] "C:\Program Files\Apoint\HidFind.exe"
ApntEx.exe [3700] "Apntex.exe"
iTunesHelper.exe [3820] "C:\Program Files\iTunes\iTunesHelper.exe"
ctfmon.exe [3828] "C:\WINDOWS\system32\ctfmon.exe"
NMBgMonitor.exe [3860] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
TeaTimer.exe [4000] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
BTTray.exe [2260] "C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe"
NMIndexingService.exe [1868] "C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe"
NMIndexStoreSvr.exe [2416] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" -Embedding
iPodService.exe [2616] "C:\Program Files\iPod\bin\iPodService.exe"
mcsysmon.exe [3384] C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
mcupdmgr.exe [808]
wmiprvse.exe [2812]
mcvsmap.exe [1172]
wscript.exe [2836] "C:\WINDOWS\System32\WScript.exe" "C:\Documents and Settings\santa\Desktop\FileLister\FileLister.vbe"
wmiprvse.exe [276]
=== Uninstall List From Registry ======
Adobe Flash Player ActiveX
AOL Instant Messenger
Ares 2.0.9
AVI Codec Pack
Azureus Vuze
CleanUp!
Conexant HDA D110 MDC V.92 Modem
Intel(R) Graphics Media Accelerator Driver
HijackThis 2.0.2
Microsoft Internationalized Domain Names Mitigation APIs
Windows Internet Explorer 7
OZ776 SCR CardBus Windows Driver
High Definition Audio Driver Package - KB835221
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows Media Format SDK Hotfix - KB891122
Windows XP Hotfix - KB891781
Windows Genuine Advantage Validation Tool (KB892130)
Security Update for Windows XP (KB893756)
Windows Installer 3.1 (KB893803)
Update for Windows XP (KB894391)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB896344)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Update for Windows XP (KB898461)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Update for Windows XP (KB900485)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Update for Windows XP (KB904942)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Update for Windows XP (KB908531)
Hotfix for Windows XP (KB908673)
Microsoft Base Smart Card Cryptographic Service Provider Package
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows Media Player (KB911564)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB914642)
Hotfix for Windows XP (KB915865)
Update for Windows XP (KB916595)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Update for Windows XP (KB920342)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Update for Windows XP (KB920872)
Hotfix for Windows XP (KB921411)
Security Update for Windows XP (KB921503)
Update for Windows XP (KB922582)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows Media Player 6.4 (KB925398)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Security Update for Windows XP (KB925902)
Hotfix for Windows XP (KB926239)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Update for Windows XP (KB927891)
Security Update for Windows XP (KB928090)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Hotfix for Windows Media Format 11 SDK (KB928788)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Hotfix for Windows Media Format 11 SDK (KB929399)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows XP (KB930178)
Update for Windows XP (KB930916)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Update for Windows XP (KB931836)
Security Update for Windows XP (KB932168)
Update for Windows XP (KB933360)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Update for Windows XP (KB936357)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Internet Explorer 7 (KB938127)
Update for Windows XP (KB938828)
Security Update for Windows XP (KB938829)
Security Update for Windows Internet Explorer 7 (KB939653)
Hotfix for Windows Media Player 11 (KB939683)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943460)
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
McAfee SecurityCenter
Microsoft Compression Client Pack 1.0 for Windows XP
MSN
Microsoft National Language Support Downlevel APIs
NVIDIA Drivers
Picasa 2
Intel(R) PROSet/Wireless Software
Spybot - Search & Destroy 1.5.2.20
Tag&Rename 3.4
Windows Media Player - Todae - Resume plugin
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Notifications (KB905474)
Windows Imaging Component
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR archiver
Windows Media Format 11 runtime
Windows Media Player 11
Microsoft User-Mode Driver Framework Feature Pack 1.0
XML Paper Specification Shared Components Pack 1.0
Yahoo! Messenger
SlingPlayer
mSSO
MSXML 6.0 Parser (KB933579)
mLogView
Microsoft .NET Framework 3.0
QuickTime
AutoUpdate
Google Earth
Google Toolbar for Internet Explorer
mProSafe
PowerDVD
OZ776 SCR CardBus Windows Driver
WebFldrs XP
Sonic Activation Module
MSXML 4.0 SP2 (KB927978)
VCRedistSetup
mIWA
WIDCOMM Bluetooth Software
Apple Mobile Device Support
Bonjour
Windows Communication Foundation
mHlpDell
Windows Live Messenger
neroxml
iTunes
mWMI
Microsoft .NET Framework 2.0
DivX Codec
Windows Workflow Foundation
DivX Player
Nero 8
mPfMgr
Microsoft Office Professional Edition 2003
mPfWiz
mDrWiFi
mZConfig
mXML
ALPS Touch Pad Driver
mDriver
SigmaTel Audio
Windows Live installer
Adobe Reader 8
Windows Live Sign-in Assistant
DivX Converter
Spybot - Search & Destroy
DivX Web Player
Apple Software Update
Broadcom Gigabit Integrated Controller
Windows Presentation Foundation
MSXML 4.0 SP2 (KB936181)
Microsoft .NET Framework 1.1
WMPCDText 1.0
DivX Content Uploader
Microsoft XML Parser
Google Toolbar for Internet Explorer
Ad-Aware 2007
mCore
mMHouse
mWlsSafe
Blkthght06
22 Posts
0
June 9th, 2008 23:00
Bama,
Thank you for your quick reply. I apologize for the delay, but as I mentioned in my initial post, my IE7 is not working so I have to use a usb thumbdrive to move files back and forth. Below is the result of the FileLister scan. I have to break it up in pieces.
Part 1:
+++++++++++++++++++++++++++++++++
+
+ File Lister
+
+ Version 1.0.2
+
+ By bamajim
+
+++++++++++++++++++++++++++++++++
=== Values under HKLM\~\Run ======
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,\
73,74,65,6d,33,32,5c,6d,6f,62,73,79,6e,63,2e,65,78,65,20,2f,6c,6f,67,6f,6e,\
00
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UdaterUI.exe\" /StartedFromRunKey"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"Persistence"="C:\\WINDOWS\\system32\\igfxpers.exe"
"IntelZeroConfig"="\"C:\\Program Files\\Intel\\Wireless\\bin\\ZCfgSvc.exe\""
"IntelWireless"="\"C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe\" /tf Intel PROSet/Wireless"
"SigmatelSysTrayApp"="stsystra.exe"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"PDVDDXSrv"="\"C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe\""
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /installquiet"
"NVHotkey"="rundll32.exe nvHotkey.dll,Start"
"Ad-Watch"="C:\\Program Files\\Lavasoft\\Ad-Aware 2007\\Ad-Watch2007.exe"
"mcagent_exe"="C:\\Program Files\\McAfee.com\\Agent\\mcagent.exe /runkey"
"NBKeyScan"="\"C:\\Program Files\\Nero\\Nero8\\Nero BackItUp\\NBKeyScan.exe\""
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Nero\\Lib\\NeroCheck.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\QTTask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
=== Values under HKCU\~\Run ======
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Nero\\Lib\\NMBgMonitor.exe\""
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
=== Folders and Files from "%\" and "%\Windows" Created Last 30 Days ======
6/9/2008 5:15:42 PM 171 32 C:\Files.txt
6/8/2008 2:07:17 PM 4002176 C:\WINDOWS\Prefetch
5/27/2008 11:34:08 PM 350426 32 C:\WINDOWS\ntbtlog.txt
6/7/2008 6:53:11 PM 2550 32 C:\WINDOWS\unins000.dat
6/7/2008 6:53:11 PM 691545 32 C:\WINDOWS\unins000.exe
5/28/2008 9:31:25 PM 552 32 C:\WINDOWS\system32\d3d8caps.dat
=== Files under "\Administrator\Startup" Last 30 Days======
=== Files under "\All Users\Startup" Last 30 Days======
=== Folders under "\Program Files" Last 30 Days======
6/7/2008 6:46:51 PM 34264502 C:\Program Files\Spybot - Search & Destroy
6/7/2008 6:46:53 PM 55992 C:\Program Files\Spybot - Search & Destroy\Dummies
6/7/2008 6:46:53 PM 483876 C:\Program Files\Spybot - Search & Destroy\Help
6/7/2008 6:55:51 PM 7752385 C:\Program Files\Spybot - Search & Destroy\Includes
6/7/2008 6:46:54 PM 143112 C:\Program Files\Spybot - Search & Destroy\Languages
6/7/2008 6:46:53 PM 121344 C:\Program Files\Spybot - Search & Destroy\Plugins
6/7/2008 6:46:54 PM 49349 C:\Program Files\Spybot - Search & Destroy\Skins
6/7/2008 6:55:51 PM 2920 C:\Program Files\Spybot - Search & Destroy\Updates
6/7/2008 3:49:26 PM 406515 C:\Program Files\Trend Micro
6/7/2008 3:49:26 PM 406515 C:\Program Files\Trend Micro\HijackThis
=== Files under "\System32\Drivers" Last 30 Days======
=== Files under "\User\Local Settings\Temp" Last 30 Days======
=== Files and Folders under "All Users\Application Data" Last 30 Days======
6/7/2008 6:46:51 PM 33187209 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
6/7/2008 6:47:05 PM 33126176 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups
6/7/2008 6:46:51 PM 586 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Excludes
6/7/2008 6:47:05 PM 24440 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs
6/7/2008 6:47:05 PM 24161 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery
6/7/2008 6:57:54 PM 3106 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots
6/7/2008 6:57:54 PM 2932 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2
=== Values under HKLM\Software\microsoft\shared tools\msconfig\startupreg ======
HKLM\Software\microsoft\shared tools\msconfig\startupreg\
=== BHO's under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects ======
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}
scriptproxy
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C5F506DF-836B-41A3-A6D2-7A5A4C3BF1DF}
bamajim
10.4K Posts
0
June 10th, 2008 13:00
Something is protecting that file. We can remove it, but let's make sure we get all of the infection.
Download gmer from HERE
Rt click->>Extract All->>and extract it to your Desktop
Open the gmer folder->>Double click the gmer.exe to run it
Select the rootkit tab, press the "Scan" button
Make sure all the boxes are checked
When it finishes, select "Copy", then copy it to Notepad
Click the >>> tab at the top next to the Rootkit tab
It will expand; select the Auto Start tab
Copy that to Notepad as well
Copy and paste those logs as a reply to this thread
"The world is what you make of it"
Blkthght06
22 Posts
0
June 10th, 2008 16:00
part 7:
.text C:\WINDOWS\system32\svchost.exe[1172] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00B40FEF
.text C:\WINDOWS\Explorer.EXE[1224] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 022D0000
.text C:\WINDOWS\Explorer.EXE[1224] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 022D007D
.text C:\WINDOWS\Explorer.EXE[1224] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 022D0F88
.text C:\WINDOWS\Explorer.EXE[1224] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 022D0062
.text C:\WINDOWS\Explorer.EXE[1224] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 022D0FA5
.text C:\WINDOWS\Explorer.EXE[1224] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 022D0FC0
.text C:\WINDOWS\Explorer.EXE[1224] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 022D0F35
.text C:\WINDOWS\Explorer.EXE[1224] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 022D0F46
.text C:\WINDOWS\Explorer.EXE[1224] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 022D00C4
.text C:\WINDOWS\Explorer.EXE[1224] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 022D00B3
.text C:\WINDOWS\Explorer.EXE[1224] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 022D00DF
.text C:\WINDOWS\Explorer.EXE[1224] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 022D0047
.text C:\WINDOWS\Explorer.EXE[1224] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 022D0011
.text C:\WINDOWS\Explorer.EXE[1224] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 022D0F6D
.text C:\WINDOWS\Explorer.EXE[1224] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 022D0FD1
.text C:\WINDOWS\Explorer.EXE[1224] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 022D0022
.text C:\WINDOWS\Explorer.EXE[1224] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 022D008E
.text C:\WINDOWS\Explorer.EXE[1224] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 022C0FC3
.text C:\WINDOWS\Explorer.EXE[1224] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 022C0054
.text C:\WINDOWS\Explorer.EXE[1224] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 022C000A
.text C:\WINDOWS\Explorer.EXE[1224] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 022C0FDE
.text C:\WINDOWS\Explorer.EXE[1224] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 022C0F8D
.text C:\WINDOWS\Explorer.EXE[1224] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 022C002F
.text C:\WINDOWS\Explorer.EXE[1224] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 022C0FEF
.text C:\WINDOWS\Explorer.EXE[1224] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 022C0FA8
.text C:\WINDOWS\Explorer.EXE[1224] WININET.dll!InternetOpenA 42C2C869 5 Bytes JMP 0207000A
.text C:\WINDOWS\Explorer.EXE[1224] WININET.dll!InternetOpenW 42C2CE99 5 Bytes JMP 0207001B
.text C:\WINDOWS\Explorer.EXE[1224] WININET.dll!InternetOpenUrlA 42C306DD 5 Bytes JMP 02070FE5
.text C:\WINDOWS\Explorer.EXE[1224] WININET.dll!InternetOpenUrlW 42C7AB41 5 Bytes JMP 02070036
.text C:\WINDOWS\Explorer.EXE[1224] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 020E0FEF
Blkthght06
22 Posts
0
June 10th, 2008 16:00
Ok Bama,
Sorry for the delay. I very much appreciate your assistance. I'm in the Los Angeles area and I had a meeting this morning. Here is the result of the Gmer rootkit scan (part 1):
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-06-10 09:42:43
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.14 ----
SSDT spbc.sys ZwCreateKey [0xB9EAA0E0]
SSDT spbc.sys ZwEnumerateKey [0xB9EC7CA2]
SSDT spbc.sys ZwEnumerateValueKey [0xB9EC8030]
SSDT spbc.sys ZwOpenKey [0xB9EAA0C0]
SSDT spbc.sys ZwQueryKey [0xB9EC8108]
SSDT spbc.sys ZwQueryValueKey [0xB9EC7F88]
SSDT spbc.sys ZwSetValueKey [0xB9EC819A]
INT 0x62 ? 8A7E1BF8
INT 0x82 ? 8A7E1BF8
INT 0x84 ? 8A69ABF8
INT 0x94 ? 8A69ABF8
INT 0xA4 ? 8A69ABF8
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB6E2197A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB6E21928]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB6E2193C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB6E21A2B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB6E21A57]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB6E219BA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB6E21AF1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB6E21900]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB6E21914]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB6E2198E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB6E21A99]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB6E21A41]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB6E21B19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB6E21B05]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB6E21966]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB6E21952]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB6E219E9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB6E21ADB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB6E219D0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB6E219A4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess
Blkthght06
22 Posts
0
June 10th, 2008 16:00
part 3:
---- User code sections - GMER 1.0.14 ----
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00CA0000
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00CA008E
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00CA0F8F
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00CA0069
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00CA0058
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00CA003D
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00CA00BC
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00CA00AB
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00CA00F2
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00CA00D7
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00CA0F3E
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00CA0FB6
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00CA0FE5
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00CA0F7E
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00CA002C
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00CA001B
.text C:\WINDOWS\System32\svchost.exe[536] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00CA0F59
.text C:\WINDOWS\System32\svchost.exe[536] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00C90039
.text C:\WINDOWS\System32\svchost.exe[536] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00C90FB9
.text C:\WINDOWS\System32\svchost.exe[536] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00C90014
.text C:\WINDOWS\System32\svchost.exe[536] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00C90FDE
.text C:\WINDOWS\System32\svchost.exe[536] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00C90076
.text C:\WINDOWS\System32\svchost.exe[536] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00C90065
.text C:\WINDOWS\System32\svchost.exe[536] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00C90FEF
.text C:\WINDOWS\System32\svchost.exe[536] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00C9004A
.text C:\WINDOWS\System32\svchost.exe[536] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00C70000
Blkthght06
22 Posts
0
June 10th, 2008 16:00
part 9:
.text C:\WINDOWS\system32\svchost.exe[1588] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 007A0FCA
.text C:\WINDOWS\system32\svchost.exe[1588] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 007A0051
.text C:\WINDOWS\system32\svchost.exe[1588] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 007A0FE5
.text C:\WINDOWS\system32\svchost.exe[1588] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 007A0025
.text C:\WINDOWS\system32\svchost.exe[1588] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 007A0040
.text C:\WINDOWS\system32\svchost.exe[1588] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 007A0F9E
.text C:\WINDOWS\system32\svchost.exe[1588] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 007A0000
.text C:\WINDOWS\system32\svchost.exe[1588] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 007A0FB9
.text C:\WINDOWS\system32\svchost.exe[1588] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 0078000A
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00C20000
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00C20FA3
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00C2008E
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00C2007D
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00C2006C
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00C20051
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00C20F7E
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00C200C6
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00C20F63
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00C20106
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00C20F52
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00C20FCA
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00C20025
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00C200A9
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00C20FE5
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00C20036
.text C:\WINDOWS\system32\svchost.exe[1728] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00C200EB
.text C:\WINDOWS\system32\svchost.exe[1728] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00C10014
.text C:\WINDOWS\system32\svchost.exe[1728] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00C1005E
.text C:\WINDOWS\system32\svchost.exe[1728] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00C10FC3
.text C:\WINDOWS\system32\svchost.exe[1728] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00C10FD4
.text C:\WINDOWS\system32\svchost.exe[1728] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00C10F97
.text C:\WINDOWS\system32\svchost.exe[1728] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00C1002F
.text C:\WINDOWS\system32\svchost.exe[1728] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00C10FEF
.text C:\WINDOWS\system32\svchost.exe[1728] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00C10FA8
.text C:\WINDOWS\system32\svchost.exe[1728] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00BF0FEF
Blkthght06
22 Posts
0
June 10th, 2008 16:00
Bama,
That was very painful. Is there a way around the 20K character limit? Or should I bypass Notepad and just try to edit out the spaces in the log files in MS Word? I apologize in advance for the formatting, but that is what Notepad and gmer spit out. Anyway, below is the "autostart" tab log file that you requested:
part 1:
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-06-10 09:42:43
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.14 ----
SSDT spbc.sys ZwCreateKey [0xB9EAA0E0]
SSDT spbc.sys ZwEnumerateKey [0xB9EC7CA2]
SSDT spbc.sys ZwEnumerateValueKey [0xB9EC8030]
SSDT spbc.sys ZwOpenKey [0xB9EAA0C0]
SSDT spbc.sys ZwQueryKey [0xB9EC8108]
SSDT spbc.sys ZwQueryValueKey [0xB9EC7F88]
SSDT spbc.sys ZwSetValueKey [0xB9EC819A]
INT 0x62 ? 8A7E1BF8
INT 0x82 ? 8A7E1BF8
INT 0x84 ? 8A69ABF8
INT 0x94 ? 8A69ABF8
INT 0xA4 ? 8A69ABF8
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB6E2197A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB6E21928]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB6E2193C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB6E21A2B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB6E21A57]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB6E219BA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB6E21AF1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB6E21900]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB6E21914]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB6E2198E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB6E21A99]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB6E21A41]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB6E21B19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB6E21B05]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB6E21966]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB6E21952]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB6E219E9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB6E21ADB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB6E219D0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB6E219A4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess
Blkthght06
22 Posts
0
June 10th, 2008 16:00
part 10:
---- Kernel IAT/EAT - GMER 1.0.14 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EAB046] spbc.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EAB142] spbc.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EAB0C4] spbc.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EAB7CE] spbc.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EAB6A4] spbc.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EB6D7A] spbc.sys
IAT \SystemRoot\System32\Drivers\a1il74bf.SYS[HAL.dll!KfAcquireSpinLock] 0A64D90F
IAT \SystemRoot\System32\Drivers\a1il74bf.SYS[HAL.dll!READ_PORT_UCHAR] 046FD406
IAT \SystemRoot\System32\Drivers\a1il74bf.SYS[HAL.dll!KeGetCurrentIrql] 1672C31D
IAT \SystemRoot\System32\Drivers\a1il74bf.SYS[HAL.dll!KfRaiseIrql] 1879CE14
IAT \SystemRoot\System32\Drivers\a1il74bf.SYS[HAL.dll!KfLowerIrql] 3248ED2B
IAT \SystemRoot\System32\Drivers\a1il74bf.SYS[HAL.dll!HalGetInterruptVector] 3C43E022
IAT \SystemRoot\System32\Drivers\a1il74bf.SYS[HAL.dll!HalTranslateBusAddress] 2E5EF739
IAT \SystemRoot\System32\Drivers\a1il74bf.SYS[HAL.dll!KeStallExecutionProcessor] 2055FA30
IAT \SystemRoot\System32\Drivers\a1il74bf.SYS[HAL.dll!KfReleaseSpinLock] EC01B79A
IAT \SystemRoot\System32\Drivers\a1il74bf.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] E20ABA93
IAT \SystemRoot\System32\Drivers\a1il74bf.SYS[HAL.dll!READ_PORT_USHORT] F017AD88
IAT \SystemRoot\System32\Drivers\a1il74bf.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] FE1CA081
IAT \SystemRoot\System32\Drivers\a1il74bf.SYS[HAL.dll!WRITE_PORT_UCHAR] D42D83BE
IAT \SystemRoot\System32\Drivers\a1il74bf.SYS[WMILIB.SYS!WmiSystemControl] C83B99AC
IAT \SystemRoot\System32\Drivers\a1il74bf.SYS[WMILIB.SYS!WmiCompleteRequest] C63094A5
---- Devices - GMER 1.0.14 ----
Device \FileSystem\Ntfs \Ntfs 8A7E01F8
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
Device \FileSystem\Fastfat \FatCdrom 893E21F8
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip NSDriver.sys (Driver for Ad-Watch network monitoring/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Ip ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Driver\usbuhci \Device\USBPDO-0 8A5971F8
Device \Driver\usbuhci \Device\USBPDO-1 8A5971F8
Device \Driver\usbuhci \Device\USBPDO-2 8A5971F8
Device \Driver\PCI_PNP0574 \Device\00000053 spbc.sys
Device \Driver\usbuhci \Device\USBPDO-3 8A5971F8
Device \Driver\usbehci \Device\USBPDO-4 8A5671F8
Blkthght06
22 Posts
0
June 10th, 2008 16:00
part 2:
---- Kernel code sections - GMER 1.0.14 ----
.text ntkrnlpa.exe!ZwYieldExecution 805040F8 7 Bytes JMP B6E219A8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80577F46 5 Bytes JMP B6E2197E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B0BC4 7 Bytes JMP B6E219BE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B19D2 5 Bytes JMP B6E219D4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B6F98 7 Bytes JMP B6E21992 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ObReferenceObjectByHandle + 44F 805BA49F 7 Bytes JMP BA3292C6 ofpumxhh.dat
PAGE ntkrnlpa.exe!NtOpenProcess 805C9EBA 5 Bytes JMP B6E21904 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CA146 5 Bytes JMP B6E21918 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CC904 5 Bytes JMP B6E21956 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805CFBDA 7 Bytes JMP B6E21940 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805CFC90 5 Bytes JMP B6E2192C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D019A 5 Bytes JMP B6E2196A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D13E4 5 Bytes JMP B6E219ED \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 806206DA 5 Bytes JMP B6E21B09 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80620C5A 7 Bytes JMP B6E21ADF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 806214A0 7 Bytes JMP B6E21A9D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80621CF8 7 Bytes JMP B6E21A45 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80622762 7 Bytes JMP B6E21A2F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80622932 7 Bytes JMP B6E21A5B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 80623EB2 5 Bytes JMP B6E21B1D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80623FCC 5 Bytes JMP B6E21AF5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? spbc.sys The system cannot find the file specified. !
? ofpumxhh.dat The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B96A868E 5 Bytes JMP 8A69A1D8
.text a1il74bf.SYS B95ED384 1 Byte [ 20 ]
.text a1il74bf.SYS B95ED386 35 Bytes [ 00, 68, 00, 00, 00, 00, 00, ... ]
.text a1il74bf.SYS B95ED3AA 24 Bytes [ 00, 00, 20, 00, 00, E0, 00, ... ]
.text a1il74bf.SYS B95ED3C4 3 Bytes [ 00, 00, 00 ]
.text a1il74bf.SYS B95ED3C9 1 Byte [ 00 ]
Blkthght06
22 Posts
0
June 10th, 2008 16:00
Bama,
I don't have the time to post the rest of the autostart log file. Just from looking at it very quickly, it looks identical to the previous log file. However, if you need me to, let me know and I will do it during my lunch break. Is there a way that I can just email you the file or attach it to my reply post?
Thank you.
Blkthght06
Blkthght06
22 Posts
0
June 10th, 2008 16:00
part 5:
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00F30FE5
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00F30F55
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00F30F66
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00F3004A
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00F30F8D
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00F30FA8
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00F30F2E
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00F30076
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00F30EF8
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00F30F13
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00F30EE7
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00F3002F
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00F30000
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00F30065
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00F30FB9
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00F30FD4
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00F30091
.text C:\WINDOWS\system32\lsass.exe[932] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00F20FBC
.text C:\WINDOWS\system32\lsass.exe[932] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00F2006F
.text C:\WINDOWS\system32\lsass.exe[932] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00F20FCD
.text C:\WINDOWS\system32\lsass.exe[932] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00F20FDE
.text C:\WINDOWS\system32\lsass.exe[932] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00F2005E
.text C:\WINDOWS\system32\lsass.exe[932] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00F20043
.text C:\WINDOWS\system32\lsass.exe[932] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00F20FEF
.text C:\WINDOWS\system32\lsass.exe[932] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00F2001E
.text C:\WINDOWS\system32\lsass.exe[932] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00E4000A
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00960FEF
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00960F57
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0096004C
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00960F72
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00960F8D
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0096002F
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00960F35
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0096007D
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00960F10
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 009600A9
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 009600CE
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00960F9E
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00960FDE
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00960F46
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00960FC3
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00960014
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00960098
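Reading hundreds of GMER "Code sections" lines by hand, as posted in the parts above, is tedious, so here is an added Python triage parser (example code, not part of this thread and not a GMER tool). It pulls each JMP hook line apart, groups hooks by process (kernel entries have no process), and separates hooks whose jump target GMER could attribute to a named module (as with the mfehidk.sys and mcproxy.exe entries) from hooks it printed with no owner (as with the kernel32/ADVAPI32/WS2_32/WININET hooks inside lsass.exe and the svchost.exe instances). The sample input is a handful of lines copied from the posted log; the "attributed/unattributed" split is only whether GMER printed an owner after the target, and the parser does not decide which unattributed hooks are malicious. The log alone does not say whether those user-mode hooks belong to McAfee's own user-mode components or to something else, so the summary is a starting point for that question, not an answer to it.

```python
"""Triage parser for GMER 'Code sections' JMP hook lines (added example)."""
import re

# One GMER hook line, e.g.
#   PAGE ntkrnlpa.exe!NtOpenProcess 805C9EBA 5 Bytes JMP B6E21904 \SystemRoot\...\mfehidk.sys (desc)
#   .text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00F30FE5
HOOK_RE = re.compile(
    r"^(?P<section>\.text|PAGE|INIT)\s+"
    r"(?:(?P<process>\S+?)\[(?P<pid>\d+)\]\s+)?"          # only user-mode lines carry process[pid]
    r"(?P<module>[^\s!]+)!(?P<function>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes?\s+JMP\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<owner>\S+)\s+\((?P<desc>[^)]*)\))?\s*$"  # owner module and description, if GMER found one
)

# Constructed sample: lines copied from the posted log, including non-hook lines
# ("? spbc.sys ..." and the raw-byte a1il74bf.SYS patch) that the parser must skip.
SAMPLE_LOG = r"""
PAGE ntkrnlpa.exe!NtOpenProcess 805C9EBA 5 Bytes JMP B6E21904 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CA146 5 Bytes JMP B6E21918 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805CFBDA 7 Bytes JMP B6E21940 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? spbc.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B96A868E 5 Bytes JMP 8A69A1D8
.text a1il74bf.SYS B95ED384 1 Byte [ 20 ]
.text C:\WINDOWS\system32\lsass.exe[932] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00F30FE5
.text C:\WINDOWS\system32\lsass.exe[932] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00F20FBC
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1264] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\System32\svchost.exe[1316] WININET.dll!InternetOpenA 42C2C869 5 Bytes JMP 05130000
"""


def parse_gmer_hooks(text):
    """Return one dict per JMP hook line; lines that are not JMP hooks are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        h = m.groupdict()
        h["pid"] = int(h["pid"]) if h["pid"] else None   # None for kernel-mode entries
        h["size"] = int(h["size"])
        h["addr"] = int(h["addr"], 16)
        h["target"] = int(h["target"], 16)
        h["attributed"] = h["owner"] is not None          # GMER named the module owning the target
        hooks.append(h)
    return hooks


def summarize(hooks):
    """Group hooks by (process, pid), kernel entries under (None, None).

    'owners' collects the file names GMER attributed targets to; 'target_pages'
    collects the 64 KiB regions that unattributed targets fall in, which is what
    to compare across processes when looking for injected per-process code.
    """
    out = {}
    for h in hooks:
        key = (h["process"], h["pid"])
        entry = out.setdefault(key, {"attributed": 0, "unattributed": 0,
                                     "owners": set(), "target_pages": set(),
                                     "functions": []})
        if h["attributed"]:
            entry["attributed"] += 1
            entry["owners"].add(h["owner"].rsplit("\\", 1)[-1].lower())
        else:
            entry["unattributed"] += 1
            entry["target_pages"].add(h["target"] & 0xFFFF0000)
        entry["functions"].append(h["module"].lower() + "!" + h["function"])
    return out


if __name__ == "__main__":
    for (proc, pid), e in summarize(parse_gmer_hooks(SAMPLE_LOG)).items():
        where = "kernel" if proc is None else "%s[%d]" % (proc, pid)
        print("%-60s attributed=%d (%s) unattributed=%d pages=%s" % (
            where, e["attributed"], ",".join(sorted(e["owners"])) or "-",
            e["unattributed"], ",".join("%08X" % p for p in sorted(e["target_pages"])) or "-"))
```

Run it against a full pasted log (replace SAMPLE_LOG with the file contents) and look at the unattributed rows: every process sharing the same hooked-function list (CreateFileA, LoadLibrary*, CreateProcess*, Reg*Key*, socket, InternetOpen*) with its own private target page is the pattern to take to whoever is helping, together with what user-mode modules the installed security product is known to inject.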
Blkthght06
22 Posts
0
June 10th, 2008 16:00
part 8:
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1264] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1264] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\System32\svchost.exe[1316] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 05160FEF
.text C:\WINDOWS\System32\svchost.exe[1316] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 05160F63
.text C:\WINDOWS\System32\svchost.exe[1316] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 05160062
.text C:\WINDOWS\System32\svchost.exe[1316] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 05160F8A
.text C:\WINDOWS\System32\svchost.exe[1316] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 05160047
.text C:\WINDOWS\System32\svchost.exe[1316] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 05160036
.text C:\WINDOWS\System32\svchost.exe[1316] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 05160084
.text C:\WINDOWS\System32\svchost.exe[1316] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 05160F3C
.text C:\WINDOWS\System32\svchost.exe[1316] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 051600B0
.text C:\WINDOWS\System32\svchost.exe[1316] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 0516009F
.text C:\WINDOWS\System32\svchost.exe[1316] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 05160F06
.text C:\WINDOWS\System32\svchost.exe[1316] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 05160FAF
.text C:\WINDOWS\System32\svchost.exe[1316] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 05160FD4
.text C:\WINDOWS\System32\svchost.exe[1316] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 05160073
.text C:\WINDOWS\System32\svchost.exe[1316] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 0516001B
.text C:\WINDOWS\System32\svchost.exe[1316] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 0516000A
.text C:\WINDOWS\System32\svchost.exe[1316] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 05160F21
.text C:\WINDOWS\System32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 05150FC3
.text C:\WINDOWS\System32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 05150051
.text C:\WINDOWS\System32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 05150FD4
.text C:\WINDOWS\System32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 05150FE5
.text C:\WINDOWS\System32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 05150040
.text C:\WINDOWS\System32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 0515002F
.text C:\WINDOWS\System32\svchost.exe[1316] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 05150000
.text C:\WINDOWS\System32\svchost.exe[1316] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 05150FA8
.text C:\WINDOWS\System32\svchost.exe[1316] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 05140FE5
.text C:\WINDOWS\System32\svchost.exe[1316] WININET.dll!InternetOpenA 42C2C869 5 Bytes JMP 05130000
.text C:\WINDOWS\System32\svchost.exe[1316] WININET.dll!InternetOpenW 42C2CE99 5 Bytes JMP 05130011
.text C:\WINDOWS\System32\svchost.exe[1316] WININET.dll!InternetOpenUrlA 42C306DD 5 Bytes JMP 05130036
.text C:\WINDOWS\System32\svchost.exe[1316] WININET.dll!InternetOpenUrlW 42C7AB41 5 Bytes JMP 05130FE5
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 007B0000
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 007B009D
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 007B0082
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 007B0FA8
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 007B0FC3
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 007B004A
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 007B0F6B
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 007B0F7C
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 007B0F49
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 007B0F5A
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 007B00FD
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 007B0065
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 007B001B
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 007B0F8D
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 007B0FDE
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 007B0FEF
.text C:\WINDOWS\system32\svchost.exe[1588] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 007B00CE
Blkthght06
22 Posts
0
June 10th, 2008 16:00
part 6:
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00950FEF
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00950087
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00950036
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00950025
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 0095006C
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00950FD4
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 0095000A
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00950051
.text C:\WINDOWS\system32\svchost.exe[1104] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00940000
.text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00B60000
.text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00B60093
.text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00B60F94
.text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00B6006C
.text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00B6005B
.text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00B60FCA
.text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00B60F68
.text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00B60F83
.text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00B60F2B
.text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00B60F46
.text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00B60F10
.text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00B60FB9
.text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00B60011
.text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00B600AE
.text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00B60036
.text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00B60FDB
.text C:\WINDOWS\system32\svchost.exe[1172] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00B60F57
.text C:\WINDOWS\system32\svchost.exe[1172] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00B50039
.text C:\WINDOWS\system32\svchost.exe[1172] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00B5006F
.text C:\WINDOWS\system32\svchost.exe[1172] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00B50FDE
.text C:\WINDOWS\system32\svchost.exe[1172] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00B5000A
.text C:\WINDOWS\system32\svchost.exe[1172] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00B5005E
.text C:\WINDOWS\system32\svchost.exe[1172] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00B50FBC
.text C:\WINDOWS\system32\svchost.exe[1172] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00B50FEF
.text C:\WINDOWS\system32\svchost.exe[1172] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00B50FCD