WE'RE SURE THAT YOU'LL LOVE US!
Hey there! 
Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. 
Join 93083 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.
Try What the Tech -- It's free!
Trojan.CWSMeup.b
Started by
cortspop
, Mar 16 2007 08:57 PM
-
This topic is locked
91 replies to this topic
#1
cortspop
-
- Authentic Member
-
- 162 posts
Authentic Member
Posted 16 March 2007 - 08:57 PM
Register to Remove
#2
Susan528
-
- Authentic Member
-
- 3,194 posts
SuperMember
Posted 17 March 2007 - 05:35 AM
Hello cortspop and Welcome to TomCoyote,
Please post (reply) with a hijackthis log first so we can better evaluate the situation.
Use this link to get HijackThis.
Save it to your desktop and then double-click to run it.
It will install the program in c:\program files\HijackThis.
Browse to that location with windows explorer, and double click on the HijackThis.exe program to run. Chose the 'Do a system scan and save a logfile'
That will allow you to save the log to the desktop (or some other place) and leave open a notepad file with the HijackThis log in it.
Please post (reply) with a hijackthis log first so we can better evaluate the situation.
Use this link to get HijackThis.
Save it to your desktop and then double-click to run it.
It will install the program in c:\program files\HijackThis.
Browse to that location with windows explorer, and double click on the HijackThis.exe program to run. Chose the 'Do a system scan and save a logfile'
That will allow you to save the log to the desktop (or some other place) and leave open a notepad file with the HijackThis log in it.
Proud member of ASAP since 2005
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.
Want to help others? Come join us in the Class Room and learn how.
#3
cortspop
-
- Authentic Member
-
- 162 posts
Authentic Member
Posted 17 March 2007 - 08:45 AM
Logfile of HijackThis v1.99.1
Scan saved at 9:40:50 AM, on 3/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\progra~1\vision~1\paperp~1\pptd40nt.exe
C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.n...lbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.c...;from=whatwhere
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.n...lbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~2.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: (no name) - {EEE7178C-BBC3-4153-9DDE-CD0E9AB1B5B6} - (no file)
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~2.DLL
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\vision~1\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [PP3100b] C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [killall] uio.exe
O4 - HKLM\..\Run: [10010] backd.exe
O4 - HKLM\..\Run: [Microsoft Office] C:\WINDOWS\system32\msvcp.exe
O4 - HKLM\..\Run: [dmxvw.exe] C:\WINDOWS\system32\dmxvw.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SSP Notifier] C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [uio] avpmondll.exe
O4 - HKCU\..\Run: [msag] typeconf.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ERTYDF] ExchangeMaster.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\6.1.4.37-7288971L\Program\runner.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.web...wsaxcontrol.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) -
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in) -
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in) -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Scan saved at 9:40:50 AM, on 3/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\progra~1\vision~1\paperp~1\pptd40nt.exe
C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.n...lbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.c...;from=whatwhere
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.n...lbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~2.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: (no name) - {EEE7178C-BBC3-4153-9DDE-CD0E9AB1B5B6} - (no file)
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~2.DLL
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\vision~1\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [PP3100b] C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [killall] uio.exe
O4 - HKLM\..\Run: [10010] backd.exe
O4 - HKLM\..\Run: [Microsoft Office] C:\WINDOWS\system32\msvcp.exe
O4 - HKLM\..\Run: [dmxvw.exe] C:\WINDOWS\system32\dmxvw.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SSP Notifier] C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [uio] avpmondll.exe
O4 - HKCU\..\Run: [msag] typeconf.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ERTYDF] ExchangeMaster.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\6.1.4.37-7288971L\Program\runner.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.web...wsaxcontrol.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) -
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in) -
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in) -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
#4
Susan528
-
- Authentic Member
-
- 3,194 posts
SuperMember
Posted 17 March 2007 - 09:32 AM
Hi cortspop
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.
Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://www.bleepingc.../Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
At the end of the fix, you may need to restart your computer again.
====
Silent Runners
Download Silentrunners.zip from here and unzip it a new folder on your desktop.
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.
Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://www.bleepingc.../Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
At the end of the fix, you may need to restart your computer again.
====
Silent Runners
Download Silentrunners.zip from here and unzip it a new folder on your desktop.
- Run the SilentRunners.vbs file.
- You will receive a prompt: "Do you want to skip supplementary searches?" - click NO
- If your antivirus has a script blocker, you will get a warning asking if you want to allow SilentRunners.vbs to run.
- This script is not malicious so please allow it.
- A text file will appear in the folder - it's not done, let it run (it won't appear to be doing anything!)
- Once the "All Done!" prompt flashes up, open the text file and copy & paste it in your next reply.
Proud member of ASAP since 2005
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.
Want to help others? Come join us in the Class Room and learn how.
#5
cortspop
-
- Authentic Member
-
- 162 posts
Authentic Member
Posted 17 March 2007 - 10:26 AM
Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\CurrentVersion\Run\ ="dmxvw"
»»»»» System restarted
»»»»» Postrun check
HKLM\SOFTWARE\~\version\Run\ "dmxvw"
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\~\currentversion\run "dmxvw.exe" Deleted
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....
Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.
Click browse, find the file then click submit.
http://www.virustota...h/index_en.html
Or http://virusscan.jotti.org/
»»»»» Other
»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"MMTray"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe\""
"MPSExe"="c:\\PROGRA~1\\mcafee.com\\mps\\mscifapp.exe /embedding"
"PaperPort PTD"="c:\\progra~1\\vision~1\\paperp~1\\pptd40nt.exe"
"PP3100b"="C:\\WINDOWS\\twain_32\\paprport\\3100b\\flatbed.exe"
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~3\\mimboot.exe"
"killall"="uio.exe"
"10010"="backd.exe"
"Microsoft Office"="C:\\WINDOWS\\system32\\msvcp.exe"
@=""
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"SSP Notifier"="C:\\Program Files\\Fisher-Price\\FP3 Player\\sspnotifier.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"uio"="avpmondll.exe"
"msag"="typeconf.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"ERTYDF"="ExchangeMaster.exe"
"Creative Detector"="C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe /R"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\CurrentVersion\Run\ ="dmxvw"
»»»»» System restarted
»»»»» Postrun check
HKLM\SOFTWARE\~\version\Run\ "dmxvw"
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\~\currentversion\run "dmxvw.exe" Deleted
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....
Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.
Click browse, find the file then click submit.
http://www.virustota...h/index_en.html
Or http://virusscan.jotti.org/
»»»»» Other
»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"MMTray"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe\""
"MPSExe"="c:\\PROGRA~1\\mcafee.com\\mps\\mscifapp.exe /embedding"
"PaperPort PTD"="c:\\progra~1\\vision~1\\paperp~1\\pptd40nt.exe"
"PP3100b"="C:\\WINDOWS\\twain_32\\paprport\\3100b\\flatbed.exe"
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~3\\mimboot.exe"
"killall"="uio.exe"
"10010"="backd.exe"
"Microsoft Office"="C:\\WINDOWS\\system32\\msvcp.exe"
@=""
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"SSP Notifier"="C:\\Program Files\\Fisher-Price\\FP3 Player\\sspnotifier.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"uio"="avpmondll.exe"
"msag"="typeconf.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"ERTYDF"="ExchangeMaster.exe"
"Creative Detector"="C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe /R"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
#6
cortspop
-
- Authentic Member
-
- 162 posts
Authentic Member
Posted 17 March 2007 - 10:33 AM
I'm not sure how to follow the second part of these instructions. I downloaded the file but can't seem to open it.
Marty
#7
Susan528
-
- Authentic Member
-
- 3,194 posts
SuperMember
Posted 17 March 2007 - 08:28 PM
Hi Marty,
Let's do this instead please.
Disable TeaTimer:
Please disable TeaTimer as it may hinder the removal of some entries. You can re-enable it after you're clean.To disable TeaTimer:
Please set your system to show all files; please see here if you're unsure how to do this.
Scan with HijackThis. Place a check against each of the following:
O2 - BHO: (no name) - {EEE7178C-BBC3-4153-9DDE-CD0E9AB1B5B6} - (no file)
O4 - HKLM\..\Run: [killall] uio.exe
O4 - HKLM\..\Run: [10010] backd.exe
O4 - HKLM\..\Run: [Microsoft Office] C:\WINDOWS\system32\msvcp.exe
O4 - HKLM\..\Run: [dmxvw.exe] C:\WINDOWS\system32\dmxvw.exe
O4 - HKCU\..\Run: [uio] avpmondll.exe
O4 - HKCU\..\Run: [msag] typeconf.exe
O4 - HKCU\..\Run: [ERTYDF] ExchangeMaster.exe
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} -
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in) -
Close all windows or browsers except for Hijackthis. Click on Fix Checked when finished and exit HijackThis.
Reboot into Safe Mode: please see here if you are not sure how to do this.
Using Windows Explorer, locate the following files/folders, and delete them (if they exist):
Some files you may need to do a search for since the path is not specified
uio.exe<=file
backd.exe<=file
C:\WINDOWS\system32\msvcp.exe<=file
C:\WINDOWS\system32\dmxvw.exe<=file
avpmondll.exe<=file
typeconf.exe<=file
ExchangeMaster.exe<=file
Exit Explorer, and reboot as normal afterwards.
Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
______________________________
Reboot your computer in Safe Mode.
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
______________________________
Please post:
Let's do this instead please.
Disable TeaTimer:
Please disable TeaTimer as it may hinder the removal of some entries. You can re-enable it after you're clean.To disable TeaTimer:
- Run Spybot-S&D
- Go to the Mode menu , and make sure "Advanced Mode " is selected
- On the left hand side, choose Tools -> Resident
- Uncheck "Resident TeaTimer " and OK any prompts
- Restart your computer.
Please set your system to show all files; please see here if you're unsure how to do this.
Scan with HijackThis. Place a check against each of the following:
O2 - BHO: (no name) - {EEE7178C-BBC3-4153-9DDE-CD0E9AB1B5B6} - (no file)
O4 - HKLM\..\Run: [killall] uio.exe
O4 - HKLM\..\Run: [10010] backd.exe
O4 - HKLM\..\Run: [Microsoft Office] C:\WINDOWS\system32\msvcp.exe
O4 - HKLM\..\Run: [dmxvw.exe] C:\WINDOWS\system32\dmxvw.exe
O4 - HKCU\..\Run: [uio] avpmondll.exe
O4 - HKCU\..\Run: [msag] typeconf.exe
O4 - HKCU\..\Run: [ERTYDF] ExchangeMaster.exe
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} -
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in) -
Close all windows or browsers except for Hijackthis. Click on Fix Checked when finished and exit HijackThis.
Reboot into Safe Mode: please see here if you are not sure how to do this.
Using Windows Explorer, locate the following files/folders, and delete them (if they exist):
Some files you may need to do a search for since the path is not specified
uio.exe<=file
backd.exe<=file
C:\WINDOWS\system32\msvcp.exe<=file
C:\WINDOWS\system32\dmxvw.exe<=file
avpmondll.exe<=file
typeconf.exe<=file
ExchangeMaster.exe<=file
Exit Explorer, and reboot as normal afterwards.
Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
- Install AVG Anti-Spyware by double clicking the installer.
- Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
- On the main screen under Your Computer's security
- Click on Change state next to Resident shield. It should now change to inactive.
- Click on Change state next to Automatic updates. It should now change to inactive.
- Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
- Wait until you see the Update succesfull message.
- Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
- Right-click the AVG Anti-Spyware Tray Icon and select Exit.
- Confirm by clicking Yes.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
______________________________
Reboot your computer in Safe Mode.
- If the computer is running, shut down Windows, and then turn off the power.
- Wait 30 seconds, and then turn the computer on.
- Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
- Ensure that the Safe Mode option is selected.
- Press Enter. The computer then begins to start in Safe mode.
- Login on your usual account.
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
- Click on Scanner on the toolbar.
- Click on the Settings tab.
- Under How to act?
- Click on Recommended Action and choose Quarantine from the popup menu.
- Under How to scan?
- All checkboxes should be ticked.
- Under Possibly unwanted software:
- All checkboxes should be ticked.
- Under Reports:
- Select Automatically generate report after every scan and uncheck Only if threats were found.
- Under What to scan?
- Select Scan every file.
- Under How to act?
- Click on the Scan tab.
- Click on Complete System Scan to start the scan process.
- Let the program scan the machine.
- When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.- Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
- At the bottom of the window click on the Apply all Actions button. (3)
- When done, click the Save Scan Report button. (4)
- Click the Save Report as button.
- Save the report to your Desktop.
- Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
______________________________
Please post:
- AVG Anti-spyware log
- A new HijackThis log
Proud member of ASAP since 2005
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.
Want to help others? Come join us in the Class Room and learn how.
#8
cortspop
-
- Authentic Member
-
- 162 posts
Authentic Member
Posted 17 March 2007 - 09:52 PM
I'm not sure what to do now. I had previously downloaded and installed AVG antivirus but I think the free trial period has run out. I can still scan but not sure how to complete the directions from here.
#9
Susan528
-
- Authentic Member
-
- 3,194 posts
SuperMember
Posted 18 March 2007 - 04:26 AM
I am sorry about that. Yes, it is hit and miss sometimes with the trials because we don't know if the trial has expired. Let's just try Kapersky.
Now run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner
* Turn off the real time scanner of any existing antivirus program while performing the online scan
Next Click on Launch Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
**Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
Please post (reply) with the log from Kapersky and a fresh hijackthis log.
Now run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner
* Turn off the real time scanner of any existing antivirus program while performing the online scan
Next Click on Launch Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
- The program will launch and then begin downloading the latest definition files:
- Once the files have been downloaded click on NEXT
- Now click on Scan Settings
- In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
- Standard
- Scan Options:
- Scan Archives
- Scan Mail Bases
- Click OK
- Now under select a target to scan:
- Select My Computer
- This will program will start and scan your system.
- The scan will take a while so be patient and let it run.
- Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
- Save the file to your desktop.
**Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
Please post (reply) with the log from Kapersky and a fresh hijackthis log.
Proud member of ASAP since 2005
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.
Want to help others? Come join us in the Class Room and learn how.
#10
cortspop
-
- Authentic Member
-
- 162 posts
Authentic Member
Posted 18 March 2007 - 12:09 PM
I did the Kapersky scan and it found nothing but there was no Save as Text button to click. Here is the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 1:04:51 PM, on 3/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\progra~1\vision~1\paperp~1\pptd40nt.exe
C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Webshots\webshots.scr
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Marty Sellers\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.n...lbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.c...;from=whatwhere
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.n...lbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~2.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~2.DLL
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\vision~1\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [PP3100b] C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SSP Notifier] C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\6.1.4.37-7288971L\Program\runner.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.web...wsaxcontrol.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) -
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in) -
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Logfile of HijackThis v1.99.1
Scan saved at 1:04:51 PM, on 3/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\progra~1\vision~1\paperp~1\pptd40nt.exe
C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Webshots\webshots.scr
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Marty Sellers\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.n...lbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.c...;from=whatwhere
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.n...lbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~2.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~2.DLL
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\vision~1\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [PP3100b] C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SSP Notifier] C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\6.1.4.37-7288971L\Program\runner.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.web...wsaxcontrol.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) -
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in) -
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Register to Remove
#11
Susan528
-
- Authentic Member
-
- 3,194 posts
SuperMember
Posted 18 March 2007 - 06:56 PM
Your hijackthis log appears to be clean. One thing I noticed is that you have a Symantec reference in your hijackthis log when you are using McAfee. Did you have problems uninstalling the Symante product and switch to McAfee?
Updating Java
Please set your system to show all files; please see here if you're unsure how to do this.
Scan with HijackThis. Place a check against each of the following:
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Close all windows or browsers except for Hijackthis. Click on Fix Checked when finished and exit HijackThis.
Post (reply) with a fresh HijackThis log and we will take another look.
Updating Java
- Download the latest version of Java Runtime Environment (JRE) 6.0.
- Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
- Click the "Download" button to the right.
- Check the box that says: "Accept License Agreement".
- The page will refresh.
- Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
- Close any programs you may have running - especially your web browser.
- Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
- Check any item with Java Runtime Environment (JRE or J2SE) in the name.
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove each Java versions.
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
- Go to Start > Run and type in Services.msc then cllick OK
- Click the Extended tab.
- Scroll down until you find Symantec Core LC
- Click once on the service to highlight it.
- Click Stop
- Right-Click on the service.
- Click on 'Properties'
- Select the 'General' tab
- Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
- From the drop-down menu, click on ‘Disabled'
- Click the 'Apply' tab, then click 'OK'
Please set your system to show all files; please see here if you're unsure how to do this.
Scan with HijackThis. Place a check against each of the following:
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Close all windows or browsers except for Hijackthis. Click on Fix Checked when finished and exit HijackThis.
Post (reply) with a fresh HijackThis log and we will take another look.
Proud member of ASAP since 2005
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.
Want to help others? Come join us in the Class Room and learn how.
#12
cortspop
-
- Authentic Member
-
- 162 posts
Authentic Member
Posted 18 March 2007 - 07:36 PM
Logfile of HijackThis v1.99.1
Scan saved at 8:31:59 PM, on 3/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\progra~1\vision~1\paperp~1\pptd40nt.exe
C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Documents and Settings\Marty Sellers\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.n...lbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.c...;from=whatwhere
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.n...lbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~2.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~2.DLL
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\vision~1\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [PP3100b] C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SSP Notifier] C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\6.1.4.37-7288971L\Program\runner.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.web...wsaxcontrol.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) -
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
Scan saved at 8:31:59 PM, on 3/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\progra~1\vision~1\paperp~1\pptd40nt.exe
C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Documents and Settings\Marty Sellers\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.n...lbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.c...;from=whatwhere
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.n...lbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~2.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~2.DLL
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\vision~1\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [PP3100b] C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SSP Notifier] C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\6.1.4.37-7288971L\Program\runner.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.web...wsaxcontrol.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) -
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
#13
Susan528
-
- Authentic Member
-
- 3,194 posts
SuperMember
Posted 18 March 2007 - 07:58 PM
Your hijackthis log looks good, I missed a couple of imcomplete do-nothing entries to remove and tidy up the log. Let’s run GMER though just to make sure no rootkit exists which is sometimes present with the Wareout infections.
How is your computer running now?
Scan with HijackThis. Place a check against each of the following:
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) -
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -
Close all windows or browsers except for Hijackthis. Click on Fix Checked when finished and exit HijackThis.
======
GMER
Please create a new subfolder in the Program Files folder called GMER. If you have an older version of GMER installed, you must delete it.
At the end of the scan, click "Copy" to copy the scan results to the clipboard. Then paste the results in a notepad file and also paste them back in your next reply.
Please post (reply) with the results from the GMER scan, and a fresh hijackthis log.
How is your computer running now?
Scan with HijackThis. Place a check against each of the following:
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) -
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -
Close all windows or browsers except for Hijackthis. Click on Fix Checked when finished and exit HijackThis.
======
GMER
Please create a new subfolder in the Program Files folder called GMER. If you have an older version of GMER installed, you must delete it.
- Download GMER and extract it to the C:\program files\GMER folder.
- Please rename the GMER file
Note: You can rename gmer.exe to anything you like as long as you keep the .exe ending.
Run the Gmer.exe renamed program by double-clicking the executable file (gmer.exe) in Windows Explorer.
You may be prompted to scan immediately if GMER detects rootkit activity. - If you are prompted to scan your system click "yes" to begin the scan.
- If you are not prompted, Click the "Rootkit" tab, then click "Scan".
At the end of the scan, click "Copy" to copy the scan results to the clipboard. Then paste the results in a notepad file and also paste them back in your next reply.
Please post (reply) with the results from the GMER scan, and a fresh hijackthis log.
Edited by Susan528, 18 March 2007 - 08:01 PM.
Proud member of ASAP since 2005
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.
Want to help others? Come join us in the Class Room and learn how.
#14
cortspop
-
- Authentic Member
-
- 162 posts
Authentic Member
Posted 18 March 2007 - 09:10 PM
GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-03-18 22:00:08
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.12 ----
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwDeleteKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwDeleteValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys ZwOpenKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwProtectVirtualMemory
Code \SystemRoot\system32\drivers\mfehidk.sys ZwRenameKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwSetValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwUnmapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys ZwYieldExecution
Code \SystemRoot\system32\drivers\mfehidk.sys NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys NtMapViewOfSection
---- Kernel code sections - GMER 1.0.12 ----
.text ntoskrnl.exe!ZwYieldExecution 804F8B8D 7 Bytes JMP EEAE25BF \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwOpenKey 80567CFB 5 Bytes JMP EEAE24EB \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwCreateKey 8056E7A9 5 Bytes JMP EEAE24FF \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!NtCreateFile 8056FBF8 5 Bytes JMP EEAE2581 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 80571EF1 5 Bytes JMP EEAE25EB \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!NtMapViewOfSection 8057236C 7 Bytes JMP EEAE25D5 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 805730B5 7 Bytes JMP EEAE2595 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwSetValueKey 80573C8D 7 Bytes JMP EEAE2555 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwDeleteValueKey 80593AAC 7 Bytes JMP EEAE253F \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwDeleteKey 80595136 7 Bytes JMP EEAE2513 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwCreateProcess 805B0AA4 5 Bytes JMP EEAE25AB \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwRenameKey 8064D02D 7 Bytes JMP EEAE2529 \SystemRoot\system32\drivers\mfehidk.sys
---- User code sections - GMER 1.0.12 ----
.text C:\Program Files\Messenger\msmsgs.exe[144] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00E50000
.text C:\Program Files\Messenger\msmsgs.exe[144] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00E50F72
.text C:\Program Files\Messenger\msmsgs.exe[144] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00E50067
.text C:\Program Files\Messenger\msmsgs.exe[144] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00E5004A
.text C:\Program Files\Messenger\msmsgs.exe[144] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00E50F8D
.text C:\Program Files\Messenger\msmsgs.exe[144] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00E50FC3
.text C:\Program Files\Messenger\msmsgs.exe[144] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00E50F33
.text C:\Program Files\Messenger\msmsgs.exe[144] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00E50F44
.text C:\Program Files\Messenger\msmsgs.exe[144] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00E50F22
.text C:\Program Files\Messenger\msmsgs.exe[144] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00E500B1
.text C:\Program Files\Messenger\msmsgs.exe[144] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00E50F11
.text C:\Program Files\Messenger\msmsgs.exe[144] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00E50FA8
.text C:\Program Files\Messenger\msmsgs.exe[144] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00E5001B
.text C:\Program Files\Messenger\msmsgs.exe[144] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00E50F61
.text C:\Program Files\Messenger\msmsgs.exe[144] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00E50FD4
.text C:\Program Files\Messenger\msmsgs.exe[144] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00E50FE5
.text C:\Program Files\Messenger\msmsgs.exe[144] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00E500A0
.text C:\Program Files\Messenger\msmsgs.exe[144] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00E40FCA
.text C:\Program Files\Messenger\msmsgs.exe[144] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00E4005B
.text C:\Program Files\Messenger\msmsgs.exe[144] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00E4001B
.text C:\Program Files\Messenger\msmsgs.exe[144] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00E40FEF
.text C:\Program Files\Messenger\msmsgs.exe[144] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00E40F9E
.text C:\Program Files\Messenger\msmsgs.exe[144] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00E40040
.text C:\Program Files\Messenger\msmsgs.exe[144] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00E40000
.text C:\Program Files\Messenger\msmsgs.exe[144] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00E40FB9
.text C:\Program Files\Messenger\msmsgs.exe[144] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00E10000
.text C:\Program Files\Messenger\msmsgs.exe[144] WININET.dll!InternetOpenA 771CC859 5 Bytes JMP 00E20000
.text C:\Program Files\Messenger\msmsgs.exe[144] WININET.dll!InternetOpenW 771CCE91 5 Bytes JMP 00E2001B
.text C:\Program Files\Messenger\msmsgs.exe[144] WININET.dll!InternetOpenUrlA 771D06CD 5 Bytes JMP 00E2002C
.text C:\Program Files\Messenger\msmsgs.exe[144] WININET.dll!InternetOpenUrlW 7721A881 5 Bytes JMP 00E20FE5
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00FF0FAF
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00FF009A
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00FF0089
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00FF0062
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00FF0FCA
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00FF00BF
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00FF0F77
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00FF0110
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00FF00EB
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00FF0121
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00FF0047
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00FF001B
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00FF0F94
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00FF0036
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00FF0FE5
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00FF00D0
.text C:\WINDOWS\system32\services.exe[696] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00FE001E
.text C:\WINDOWS\system32\services.exe[696] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00FE0F86
.text C:\WINDOWS\system32\services.exe[696] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00FE0FC3
.text C:\WINDOWS\system32\services.exe[696] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00FE0FD4
.text C:\WINDOWS\system32\services.exe[696] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00FE0F97
.text C:\WINDOWS\system32\services.exe[696] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00FE0FA8
.text C:\WINDOWS\system32\services.exe[696] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00FE0FE5
.text C:\WINDOWS\system32\services.exe[696] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00FE0039
.text C:\WINDOWS\system32\services.exe[696] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00C3000A
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00860000
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00860F5C
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00860F77
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0086005B
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00860F9E
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0086002C
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00860F41
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00860089
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008600B5
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 0086009A
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 008600D0
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00860FAF
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00860FE5
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 0086006C
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00860FC0
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00860011
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00860F26
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00850014
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00850F68
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00850FC3
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00850FDE
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00850F83
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00850F9E
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00850FEF
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00850025
.text C:\WINDOWS\system32\svchost.exe[860] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00830000
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00D90000
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00D90F8A
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00D90089
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!LoadLibraryExW 7C801AF1 3 Bytes JMP 00D90FAF
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!LoadLibraryExW + 4 7C801AF5 1 Byte [ 84 ]
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00D9006C
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00D9004A
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00D900C1
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00D90F79
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00D900F7
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00D900DC
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00D90108
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00D9005B
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00D90025
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00D900A4
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00D90FD4
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00D90FE5
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00D90F5E
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00D80FC0
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00D80062
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00D80011
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00D80FDB
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00D80FA5
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00D80047
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00D80000
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00D80036
.text C:\WINDOWS\system32\svchost.exe[940] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00D60000
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 02CF0FEF
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 02CF007F
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 02CF0064
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 02CF0F8A
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 02CF0047
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 02CF0025
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 02CF0F59
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 02CF00A1
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 02CF00F2
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 02CF00D7
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 02CF0F3E
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 02CF0036
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 02CF0FDE
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 02CF0090
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 02CF0FC3
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 02CF000A
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 02CF00C6
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 0234000A
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 02340F97
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 02340FB9
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 02340FD4
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 02340FA8
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 0234004A
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 02340FE5
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 02340025
.text C:\WINDOWS\system32\svchost.exe[1044] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 02310FEF
.text C:\WINDOWS\system32\svchost.exe[1044] WININET.dll!InternetOpenA 771CC859 5 Bytes JMP 02320FEF
.text C:\WINDOWS\system32\svchost.exe[1044] WININET.dll!InternetOpenW 771CCE91 5 Bytes JMP 02320000
.text C:\WINDOWS\system32\svchost.exe[1044] WININET.dll!InternetOpenUrlA 771D06CD 5 Bytes JMP 0232001B
.text C:\WINDOWS\system32\svchost.exe[1044] WININET.dll!InternetOpenUrlW 7721A881 5 Bytes JMP 02320FD4
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 009A0000
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 009A0067
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 009A0F72
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 009A0F83
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 009A0F94
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 009A0FC0
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 009A009F
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 009A0F57
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 009A0F10
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 009A0F21
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 009A0EF5
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 009A0FAF
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 009A0011
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 009A0082
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 009A002C
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 009A0FD1
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 009A0F32
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 0099002C
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00990073
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00990FDB
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00990011
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00990062
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00990047
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00990000
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00990FC0
.text C:\WINDOWS\system32\svchost.exe[1104] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00970000
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00940FE5
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00940F3A
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0094002F
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0094001E
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00940F6B
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00940F8D
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00940F02
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00940F1F
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00940EC2
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00940065
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00940EA7
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00940F7C
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00940FD4
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 0094004A
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00940F9E
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00940FB9
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00940EE7
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 006E0FB9
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 006E004A
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 006E0014
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 006E0FDE
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 006E0F8D
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 006E002F
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 006E0FEF
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 006E0FA8
.text C:\WINDOWS\system32\svchost.exe[1144] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 006B000A
.text C:\WINDOWS\system32\svchost.exe[1144] WININET.dll!InternetOpenA 771CC859 5 Bytes JMP 006C0FEF
.text C:\WINDOWS\system32\svchost.exe[1144] WININET.dll!InternetOpenW 771CCE91 5 Bytes JMP 006C000A
.text C:\WINDOWS\system32\svchost.exe[1144] WININET.dll!InternetOpenUrlA 771D06CD 5 Bytes JMP 006C0FDE
.text C:\WINDOWS\system32\svchost.exe[1144] WININET.dll!InternetOpenUrlW 7721A881 5 Bytes JMP 006C0FCD
.text C:\WINDOWS\explorer.exe[1540] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01F30000
.text C:\WINDOWS\explorer.exe[1540] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01F30F68
.text C:\WINDOWS\explorer.exe[1540] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01F30F8D
.text C:\WINDOWS\explorer.exe[1540] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01F3005B
.text C:\WINDOWS\explorer.exe[1540] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01F30F9E
.text C:\WINDOWS\explorer.exe[1540] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01F30FAF
.text C:\WINDOWS\explorer.exe[1540] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 01F300A6
.text C:\WINDOWS\explorer.exe[1540] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01F30089
.text C:\WINDOWS\explorer.exe[1540] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01F300D2
.text C:\WINDOWS\explorer.exe[1540] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01F30F39
.text C:\WINDOWS\explorer.exe[1540] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 01F30F1E
.text C:\WINDOWS\explorer.exe[1540] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 01F30036
.text C:\WINDOWS\explorer.exe[1540] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 01F30011
.text C:\WINDOWS\explorer.exe[1540] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 01F30078
.text C:\WINDOWS\explorer.exe[1540] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 01F30FCA
.text C:\WINDOWS\explorer.exe[1540] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 01F30FDB
.text C:\WINDOWS\explorer.exe[1540] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 01F300B7
.text C:\WINDOWS\explorer.exe[1540] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 01F20036
.text C:\WINDOWS\explorer.exe[1540] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 01F20FAF
.text C:\WINDOWS\explorer.exe[1540] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 01F20025
.text C:\WINDOWS\explorer.exe[1540] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 01F20FEF
.text C:\WINDOWS\explorer.exe[1540] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 01F20062
.text C:\WINDOWS\explorer.exe[1540] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 01F20051
.text C:\WINDOWS\explorer.exe[1540] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 01F20000
.text C:\WINDOWS\explorer.exe[1540] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 01F20FCA
.text C:\WINDOWS\explorer.exe[1540] WININET.dll!InternetOpenA 771CC859 5 Bytes JMP 01840FEF
.text C:\WINDOWS\explorer.exe[1540] WININET.dll!InternetOpenW 771CCE91 5 Bytes JMP 0184000A
.text C:\WINDOWS\explorer.exe[1540] WININET.dll!InternetOpenUrlA 771D06CD 5 Bytes JMP 01840FDE
.text C:\WINDOWS\explorer.exe[1540] WININET.dll!InternetOpenUrlW 7721A881 5 Bytes JMP 01840FCD
.text C:\WINDOWS\explorer.exe[1540] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 016D0FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 0025000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 002500AE
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0025009D
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00250080
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00250FC3
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00250FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 002500D3
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00250F97
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00250109
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 002500EE
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 0025011A
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00250FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00250025
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00250FA8
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00250051
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00250036
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00250F70
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00330FAF
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 0033001B
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00330FCA
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00330000
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00330F5E
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00330F79
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00330FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00330F94
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] USER32.dll!DialogBoxParamW 77D5662C 5 Bytes JMP 7E1FF205 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] USER32.dll!DialogBoxIndirectParamW 77D62043 5 Bytes JMP 7E38FEBF C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] USER32.dll!MessageBoxIndirectA 77D6A05A 5 Bytes JMP 7E38FE40 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] USER32.dll!DialogBoxParamA 77D6B11C 5 Bytes JMP 7E38FE84 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] USER32.dll!MessageBoxExW 77D80538 5 Bytes JMP 7E38FDCC C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] USER32.dll!MessageBoxExA 77D8055C 5 Bytes JMP 7E38FE06 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] USER32.dll!DialogBoxIndirectParamA 77D86CAD 5 Bytes JMP 7E38FEFA C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] USER32.dll!MessageBoxIndirectW 77D96093 5 Bytes JMP 7E2215DA C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] WININET.dll!InternetOpenA 771CC859 5 Bytes JMP 01C60FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] WININET.dll!InternetOpenW 771CCE91 5 Bytes JMP 01C60000
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] WININET.dll!InternetOpenUrlA 771D06CD 5 Bytes JMP 01C60FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] WININET.dll!InternetOpenUrlW 7721A881 5 Bytes JMP 01C60FB9
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] ws2_32.dll!socket 71AB3B91 5 Bytes JMP 01EE0FEF
---- EOF - GMER 1.0.12 ----
Rootkit scan 2007-03-18 22:00:08
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.12 ----
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwDeleteKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwDeleteValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys ZwOpenKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwProtectVirtualMemory
Code \SystemRoot\system32\drivers\mfehidk.sys ZwRenameKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwSetValueKey
Code \SystemRoot\system32\drivers\mfehidk.sys ZwUnmapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys ZwYieldExecution
Code \SystemRoot\system32\drivers\mfehidk.sys NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys NtMapViewOfSection
---- Kernel code sections - GMER 1.0.12 ----
.text ntoskrnl.exe!ZwYieldExecution 804F8B8D 7 Bytes JMP EEAE25BF \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwOpenKey 80567CFB 5 Bytes JMP EEAE24EB \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwCreateKey 8056E7A9 5 Bytes JMP EEAE24FF \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!NtCreateFile 8056FBF8 5 Bytes JMP EEAE2581 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 80571EF1 5 Bytes JMP EEAE25EB \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!NtMapViewOfSection 8057236C 7 Bytes JMP EEAE25D5 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 805730B5 7 Bytes JMP EEAE2595 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwSetValueKey 80573C8D 7 Bytes JMP EEAE2555 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwDeleteValueKey 80593AAC 7 Bytes JMP EEAE253F \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwDeleteKey 80595136 7 Bytes JMP EEAE2513 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwCreateProcess 805B0AA4 5 Bytes JMP EEAE25AB \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntoskrnl.exe!ZwRenameKey 8064D02D 7 Bytes JMP EEAE2529 \SystemRoot\system32\drivers\mfehidk.sys
---- User code sections - GMER 1.0.12 ----
.text C:\Program Files\Messenger\msmsgs.exe[144] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00E50000
.text C:\Program Files\Messenger\msmsgs.exe[144] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00E50F72
.text C:\Program Files\Messenger\msmsgs.exe[144] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00E50067
.text C:\Program Files\Messenger\msmsgs.exe[144] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00E5004A
.text C:\Program Files\Messenger\msmsgs.exe[144] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00E50F8D
.text C:\Program Files\Messenger\msmsgs.exe[144] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00E50FC3
.text C:\Program Files\Messenger\msmsgs.exe[144] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00E50F33
.text C:\Program Files\Messenger\msmsgs.exe[144] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00E50F44
.text C:\Program Files\Messenger\msmsgs.exe[144] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00E50F22
.text C:\Program Files\Messenger\msmsgs.exe[144] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00E500B1
.text C:\Program Files\Messenger\msmsgs.exe[144] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00E50F11
.text C:\Program Files\Messenger\msmsgs.exe[144] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00E50FA8
.text C:\Program Files\Messenger\msmsgs.exe[144] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00E5001B
.text C:\Program Files\Messenger\msmsgs.exe[144] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00E50F61
.text C:\Program Files\Messenger\msmsgs.exe[144] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00E50FD4
.text C:\Program Files\Messenger\msmsgs.exe[144] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00E50FE5
.text C:\Program Files\Messenger\msmsgs.exe[144] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00E500A0
.text C:\Program Files\Messenger\msmsgs.exe[144] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00E40FCA
.text C:\Program Files\Messenger\msmsgs.exe[144] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00E4005B
.text C:\Program Files\Messenger\msmsgs.exe[144] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00E4001B
.text C:\Program Files\Messenger\msmsgs.exe[144] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00E40FEF
.text C:\Program Files\Messenger\msmsgs.exe[144] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00E40F9E
.text C:\Program Files\Messenger\msmsgs.exe[144] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00E40040
.text C:\Program Files\Messenger\msmsgs.exe[144] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00E40000
.text C:\Program Files\Messenger\msmsgs.exe[144] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00E40FB9
.text C:\Program Files\Messenger\msmsgs.exe[144] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00E10000
.text C:\Program Files\Messenger\msmsgs.exe[144] WININET.dll!InternetOpenA 771CC859 5 Bytes JMP 00E20000
.text C:\Program Files\Messenger\msmsgs.exe[144] WININET.dll!InternetOpenW 771CCE91 5 Bytes JMP 00E2001B
.text C:\Program Files\Messenger\msmsgs.exe[144] WININET.dll!InternetOpenUrlA 771D06CD 5 Bytes JMP 00E2002C
.text C:\Program Files\Messenger\msmsgs.exe[144] WININET.dll!InternetOpenUrlW 7721A881 5 Bytes JMP 00E20FE5
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00FF0FAF
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00FF009A
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00FF0089
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00FF0062
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00FF0FCA
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00FF00BF
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00FF0F77
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00FF0110
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00FF00EB
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00FF0121
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00FF0047
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00FF001B
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00FF0F94
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00FF0036
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00FF0FE5
.text C:\WINDOWS\system32\services.exe[696] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00FF00D0
.text C:\WINDOWS\system32\services.exe[696] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00FE001E
.text C:\WINDOWS\system32\services.exe[696] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00FE0F86
.text C:\WINDOWS\system32\services.exe[696] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00FE0FC3
.text C:\WINDOWS\system32\services.exe[696] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00FE0FD4
.text C:\WINDOWS\system32\services.exe[696] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00FE0F97
.text C:\WINDOWS\system32\services.exe[696] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00FE0FA8
.text C:\WINDOWS\system32\services.exe[696] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00FE0FE5
.text C:\WINDOWS\system32\services.exe[696] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00FE0039
.text C:\WINDOWS\system32\services.exe[696] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00C3000A
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00860000
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00860F5C
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00860F77
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0086005B
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00860F9E
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 0086002C
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00860F41
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00860089
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008600B5
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 0086009A
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 008600D0
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00860FAF
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00860FE5
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 0086006C
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00860FC0
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00860011
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00860F26
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00850014
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00850F68
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00850FC3
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00850FDE
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00850F83
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00850F9E
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00850FEF
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00850025
.text C:\WINDOWS\system32\svchost.exe[860] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00830000
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00D90000
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00D90F8A
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00D90089
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!LoadLibraryExW 7C801AF1 3 Bytes JMP 00D90FAF
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!LoadLibraryExW + 4 7C801AF5 1 Byte [ 84 ]
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00D9006C
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00D9004A
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00D900C1
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00D90F79
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00D900F7
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00D900DC
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00D90108
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00D9005B
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00D90025
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00D900A4
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00D90FD4
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00D90FE5
.text C:\WINDOWS\system32\svchost.exe[940] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00D90F5E
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00D80FC0
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00D80062
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00D80011
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00D80FDB
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00D80FA5
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00D80047
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00D80000
.text C:\WINDOWS\system32\svchost.exe[940] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00D80036
.text C:\WINDOWS\system32\svchost.exe[940] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00D60000
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 02CF0FEF
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 02CF007F
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 02CF0064
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 02CF0F8A
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 02CF0047
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 02CF0025
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 02CF0F59
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 02CF00A1
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 02CF00F2
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 02CF00D7
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 02CF0F3E
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 02CF0036
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 02CF0FDE
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 02CF0090
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 02CF0FC3
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 02CF000A
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 02CF00C6
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 0234000A
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 02340F97
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 02340FB9
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 02340FD4
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 02340FA8
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 0234004A
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 02340FE5
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 02340025
.text C:\WINDOWS\system32\svchost.exe[1044] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 02310FEF
.text C:\WINDOWS\system32\svchost.exe[1044] WININET.dll!InternetOpenA 771CC859 5 Bytes JMP 02320FEF
.text C:\WINDOWS\system32\svchost.exe[1044] WININET.dll!InternetOpenW 771CCE91 5 Bytes JMP 02320000
.text C:\WINDOWS\system32\svchost.exe[1044] WININET.dll!InternetOpenUrlA 771D06CD 5 Bytes JMP 0232001B
.text C:\WINDOWS\system32\svchost.exe[1044] WININET.dll!InternetOpenUrlW 7721A881 5 Bytes JMP 02320FD4
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 009A0000
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 009A0067
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 009A0F72
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 009A0F83
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 009A0F94
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 009A0FC0
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 009A009F
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 009A0F57
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 009A0F10
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 009A0F21
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 009A0EF5
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 009A0FAF
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 009A0011
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 009A0082
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 009A002C
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 009A0FD1
.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 009A0F32
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 0099002C
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00990073
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00990FDB
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00990011
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00990062
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00990047
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00990000
.text C:\WINDOWS\system32\svchost.exe[1104] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00990FC0
.text C:\WINDOWS\system32\svchost.exe[1104] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00970000
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00940FE5
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00940F3A
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0094002F
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0094001E
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00940F6B
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00940F8D
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00940F02
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00940F1F
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00940EC2
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00940065
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00940EA7
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00940F7C
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00940FD4
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 0094004A
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00940F9E
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00940FB9
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00940EE7
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 006E0FB9
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 006E004A
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 006E0014
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 006E0FDE
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 006E0F8D
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 006E002F
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 006E0FEF
.text C:\WINDOWS\system32\svchost.exe[1144] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 006E0FA8
.text C:\WINDOWS\system32\svchost.exe[1144] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 006B000A
.text C:\WINDOWS\system32\svchost.exe[1144] WININET.dll!InternetOpenA 771CC859 5 Bytes JMP 006C0FEF
.text C:\WINDOWS\system32\svchost.exe[1144] WININET.dll!InternetOpenW 771CCE91 5 Bytes JMP 006C000A
.text C:\WINDOWS\system32\svchost.exe[1144] WININET.dll!InternetOpenUrlA 771D06CD 5 Bytes JMP 006C0FDE
.text C:\WINDOWS\system32\svchost.exe[1144] WININET.dll!InternetOpenUrlW 7721A881 5 Bytes JMP 006C0FCD
.text C:\WINDOWS\explorer.exe[1540] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01F30000
.text C:\WINDOWS\explorer.exe[1540] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01F30F68
.text C:\WINDOWS\explorer.exe[1540] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01F30F8D
.text C:\WINDOWS\explorer.exe[1540] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01F3005B
.text C:\WINDOWS\explorer.exe[1540] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01F30F9E
.text C:\WINDOWS\explorer.exe[1540] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01F30FAF
.text C:\WINDOWS\explorer.exe[1540] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 01F300A6
.text C:\WINDOWS\explorer.exe[1540] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 01F30089
.text C:\WINDOWS\explorer.exe[1540] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01F300D2
.text C:\WINDOWS\explorer.exe[1540] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01F30F39
.text C:\WINDOWS\explorer.exe[1540] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 01F30F1E
.text C:\WINDOWS\explorer.exe[1540] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 01F30036
.text C:\WINDOWS\explorer.exe[1540] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 01F30011
.text C:\WINDOWS\explorer.exe[1540] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 01F30078
.text C:\WINDOWS\explorer.exe[1540] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 01F30FCA
.text C:\WINDOWS\explorer.exe[1540] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 01F30FDB
.text C:\WINDOWS\explorer.exe[1540] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 01F300B7
.text C:\WINDOWS\explorer.exe[1540] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 01F20036
.text C:\WINDOWS\explorer.exe[1540] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 01F20FAF
.text C:\WINDOWS\explorer.exe[1540] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 01F20025
.text C:\WINDOWS\explorer.exe[1540] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 01F20FEF
.text C:\WINDOWS\explorer.exe[1540] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 01F20062
.text C:\WINDOWS\explorer.exe[1540] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 01F20051
.text C:\WINDOWS\explorer.exe[1540] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 01F20000
.text C:\WINDOWS\explorer.exe[1540] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 01F20FCA
.text C:\WINDOWS\explorer.exe[1540] WININET.dll!InternetOpenA 771CC859 5 Bytes JMP 01840FEF
.text C:\WINDOWS\explorer.exe[1540] WININET.dll!InternetOpenW 771CCE91 5 Bytes JMP 0184000A
.text C:\WINDOWS\explorer.exe[1540] WININET.dll!InternetOpenUrlA 771D06CD 5 Bytes JMP 01840FDE
.text C:\WINDOWS\explorer.exe[1540] WININET.dll!InternetOpenUrlW 7721A881 5 Bytes JMP 01840FCD
.text C:\WINDOWS\explorer.exe[1540] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 016D0FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 0025000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 002500AE
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 0025009D
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00250080
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00250FC3
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00250FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 002500D3
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00250F97
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00250109
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 002500EE
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 0025011A
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00250FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00250025
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00250FA8
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00250051
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00250036
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00250F70
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00330FAF
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 0033001B
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00330FCA
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00330000
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00330F5E
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00330F79
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00330FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00330F94
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] USER32.dll!DialogBoxParamW 77D5662C 5 Bytes JMP 7E1FF205 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] USER32.dll!DialogBoxIndirectParamW 77D62043 5 Bytes JMP 7E38FEBF C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] USER32.dll!MessageBoxIndirectA 77D6A05A 5 Bytes JMP 7E38FE40 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] USER32.dll!DialogBoxParamA 77D6B11C 5 Bytes JMP 7E38FE84 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] USER32.dll!MessageBoxExW 77D80538 5 Bytes JMP 7E38FDCC C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] USER32.dll!MessageBoxExA 77D8055C 5 Bytes JMP 7E38FE06 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] USER32.dll!DialogBoxIndirectParamA 77D86CAD 5 Bytes JMP 7E38FEFA C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] USER32.dll!MessageBoxIndirectW 77D96093 5 Bytes JMP 7E2215DA C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] WININET.dll!InternetOpenA 771CC859 5 Bytes JMP 01C60FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] WININET.dll!InternetOpenW 771CCE91 5 Bytes JMP 01C60000
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] WININET.dll!InternetOpenUrlA 771D06CD 5 Bytes JMP 01C60FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] WININET.dll!InternetOpenUrlW 7721A881 5 Bytes JMP 01C60FB9
.text C:\Program Files\Internet Explorer\iexplore.exe[3988] ws2_32.dll!socket 71AB3B91 5 Bytes JMP 01EE0FEF
---- EOF - GMER 1.0.12 ----
#15
cortspop
-
- Authentic Member
-
- 162 posts
Authentic Member
Posted 18 March 2007 - 09:11 PM
Logfile of HijackThis v1.99.1
Scan saved at 10:07:43 PM, on 3/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\progra~1\vision~1\paperp~1\pptd40nt.exe
C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Documents and Settings\Marty Sellers\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.n...lbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.c...;from=whatwhere
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.n...lbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~2.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~2.DLL
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\vision~1\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [PP3100b] C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SSP Notifier] C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\6.1.4.37-7288971L\Program\runner.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.web...wsaxcontrol.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec...m/ols/fscax.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
Scan saved at 10:07:43 PM, on 3/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\progra~1\vision~1\paperp~1\pptd40nt.exe
C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Documents and Settings\Marty Sellers\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.n...lbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.c...;from=whatwhere
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.n...lbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~2.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~2.DLL
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\vision~1\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [PP3100b] C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SSP Notifier] C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\6.1.4.37-7288971L\Program\runner.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.web...wsaxcontrol.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec...m/ols/fscax.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
