
 


Multiple Virus


OK, it saved it on the desktop! First scan that didn't quit! Smile.... Here is the log in sections, because I don't know how much can fit per post.



"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows Vista
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"TOSCDSPD" = "C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" ["TOSHIBA"]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer-Networking Ltd."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"StartCCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"" ["Advanced Micro Devices, Inc."]
"RtHDVCpl" = "RtHDVCpl.exe" ["Realtek Semiconductor"]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"TPwrMain" = "C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE"
"HSON" = "C:\Program Files\TOSHIBA\TBS\HSON.exe"
"SmoothView" = "C:\Program Files\Toshiba\SmoothView\SmoothView.exe"
"Windows Defender" = "C:\Program Files\Windows Defender\MSASCui.exe -hide"
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre6\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"McENUI" = "C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide" ["McAfee, Inc."]
"mcagent_exe" = "C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey" ["McAfee, Inc."]
"ISTray" = ""C:\Program Files\Spyware Doctor\pctsTray.exe"" ["PC Tools"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"(Default)" = "(empty string)" [file not found]
"GrpConv" = "grpconv -o" [MS]
"Malwarebytes' Anti-Malware" = "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent" ["Malwarebytes Corporation"]
"Cleanup" = "C:\cleanup.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{089FD14D-132B-48FC-8861-0048AE113215}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\SiteAdvisor\6145\SiteAdv.dll" ["McAfee, Inc."]
{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}\(Default) = "McAntiPhishingBHO"
-> {HKLM...CLSID} = "McAfee Phishing Filter"
\InProcServer32\(Default) = "c:\PROGRA~1\mcafee\msk\mcapbho.dll" ["McAfee, Inc."]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}\(Default) = "scriptproxy"
-> {HKLM...CLSID} = "scriptproxy"
\InProcServer32\(Default) = "C:\Program Files\McAfee\VirusScan\scriptsn.dll" ["McAfee, Inc."]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live ID Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Java(tm) Plug-In 2 SSV Helper"
\InProcServer32\(Default) = "C:\Program Files\Java\jre6\bin\jp2ssv.dll" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{00020d75-0000-0000-c000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll" [null data]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{11016101-E366-4D22-BC06-4ADA335C892B}" = "IE History and Feeds Shell Data Source for Windows Search"
-> {HKLM...CLSID} = "IE History and Feeds Shell Data Source for Windows Search"
\InProcServer32\(Default) = "C:\Windows\System32\ieframe.dll" [MS]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
"{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons"
-> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class"
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
"{28803F59-3A75-4058-995F-4EE5503B023C}" = "Wireless Devices"
-> {HKLM...CLSID} = "Bluetooth Devices"
\InProcServer32\(Default) = "C:\Windows\system32\FunctionDiscoveryFolder.dll" [MS]
"{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}" = "Enhanced Storage Data Source"
-> {HKLM...CLSID} = "Enhanced Storage Data Source"
\InProcServer32\(Default) = "C:\Windows\system32\EhStorShell.dll" [MS]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}"
-> {HKLM...CLSID} = "NeroCoverEdContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
McCtxMenu\(Default) = "{01576F39-90DE-4D6E-A068-5B20C22BAAEE}"
-> {HKLM...CLSID} = "CtxMenu Class"
\InProcServer32\(Default) = "c:\PROGRA~1\mcafee\VIRUSS~1\mcctxmnu.dll" ["McAfee, Inc."]
SDContextExt\(Default) = "{70F8E90E-353A-47AB-B297-C576345EE693}"
-> {HKLM...CLSID} = "PC Tools Context Menu Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\SDCONT~1.DLL" ["PC Tools"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
McCtxMenu\(Default) = "{01576F39-90DE-4D6E-A068-5B20C22BAAEE}"
-> {HKLM...CLSID} = "CtxMenu Class"
\InProcServer32\(Default) = "c:\PROGRA~1\mcafee\VIRUSS~1\mcctxmnu.dll" ["McAfee, Inc."]
SDContextExt\(Default) = "{70F8E90E-353A-47AB-B297-C576345EE693}"
-> {HKLM...CLSID} = "PC Tools Context Menu Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\SDCONT~1.DLL" ["PC Tools"]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"BindDirectlyToPropertySetStorage" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKCU\Software\Policies\Microsoft\Windows\System\

"DisableCMD" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to the command prompt}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"ConsentPromptBehaviorAdmin" = (REG_DWORD) dword:0x00000002
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode}

"ConsentPromptBehaviorUser" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Standard Users}

"EnableInstallerDetection" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Detect Application Installations And Prompt For Elevation}

"EnableLUA" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Run All Administrators In Admin Approval Mode}

"EnableSecureUIAPaths" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Only elevate UIAccess applications that are installed in secure locations}

"EnableVirtualization" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Virtualize file and registry write failures to per-user locations}

"PromptOnSecureDesktop" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Switch to the secure desktop when prompting for elevation}

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"FilterAdministratorToken" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Admin Approval Mode for the Built-in Administrator Account}

"EnableUIADesktopToggle" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Windows\system32\config\systemprofile\Pictures\planets\star feild.jpg"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Users\Justyn\Pictures\planets\star feild.jpg"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\Windows\system32\Ribbons.scr" [MS]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

DMFMADFolder\
"Provider" = "Ulead DVD MovieFactory 5"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Program Files\Ulead Systems\DVD MovieFactory for TOSHIBA\Ulead DVD MovieFactory 5\MovieHunter.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "Shell Execute Hardware Event Handler"
\LocalServer32\(Default) = "C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

ImgBurnBluRayBurningOnArrival_BuildImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleBluRayBurningOnArrival_BuildImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleBluRayBurningOnArrival_BuildImage\Command\(Default) = ""C:\Program Files\ImgBurn\ImgBurn.exe" /MODE BUILD /BUILDMODE DEVICE /DEST "%1"" ["LIGHTNING UK!"]

ImgBurnBluRayBurningOnArrival_BurnImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleBluRayBurningOnArrival_BurnImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleBluRayBurningOnArrival_BurnImage\Command\(Default) = ""C:\Program Files\ImgBurn\ImgBurn.exe" /MODE WRITE /DEST "%1"" ["LIGHTNING UK!"]

ImgBurnCDBurningOnArrival_BuildImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleCDBurningOnArrival_BuildImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleCDBurningOnArrival_BuildImage\Command\(Default) = ""C:\Program Files\ImgBurn\ImgBurn.exe" /MODE BUILD /BUILDMODE DEVICE /DEST "%1"" ["LIGHTNING UK!"]

ImgBurnCDBurningOnArrival_BurnImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleCDBurningOnArrival_BurnImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleCDBurningOnArrival_BurnImage\Command\(Default) = ""C:\Program Files\ImgBurn\ImgBurn.exe" /MODE WRITE /DEST "%1"" ["LIGHTNING UK!"]

ImgBurnDVDBurningOnArrival_BuildImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleDVDBurningOnArrival_BuildImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleDVDBurningOnArrival_BuildImage\Command\(Default) = ""C:\Program Files\ImgBurn\ImgBurn.exe" /MODE BUILD /BUILDMODE DEVICE /DEST "%1"" ["LIGHTNING UK!"]

ImgBurnDVDBurningOnArrival_BurnImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleDVDBurningOnArrival_BurnImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleDVDBurningOnArrival_BurnImage\Command\(Default) = ""C:\Program Files\ImgBurn\ImgBurn.exe" /MODE WRITE /DEST "%1"" ["LIGHTNING UK!"]

ImgBurnHDDVDBurningOnArrival_BuildImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleHDDVDBurningOnArrival_BuildImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleHDDVDBurningOnArrival_BuildImage\Command\(Default) = ""C:\Program Files\ImgBurn\ImgBurn.exe" /MODE BUILD /BUILDMODE DEVICE /DEST "%1"" ["LIGHTNING UK!"]

ImgBurnHDDVDBurningOnArrival_BurnImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleHDDVDBurningOnArrival_BurnImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleHDDVDBurningOnArrival_BurnImage\Command\(Default) = ""C:\Program Files\ImgBurn\ImgBurn.exe" /MODE WRITE /DEST "%1"" ["LIGHTNING UK!"]

ImgBurnPlayBluRayOnArrival_ReadDisc\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "PlayBluRayOnArrival_ReadDisc"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\PlayBluRayOnArrival_ReadDisc\Command\(Default) = ""C:\Program Files\ImgBurn\ImgBurn.exe" /MODE READ /SRC "%1"" ["LIGHTNING UK!"]

ImgBurnPlayCDAudioOnArrival_ReadDisc\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "PlayCDAudioOnArrival_ReadDisc"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\PlayCDAudioOnArrival_ReadDisc\Command\(Default) = ""C:\Program Files\ImgBurn\ImgBurn.exe" /MODE READ /SRC "%1"" ["LIGHTNING UK!"]

ImgBurnPlayDVDMovieOnArrival_ReadDisc\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "PlayDVDMovieOnArrival_ReadDisc"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\PlayDVDMovieOnArrival_ReadDisc\Command\(Default) = ""C:\Program Files\ImgBurn\ImgBurn.exe" /MODE READ /SRC "%1"" ["LIGHTNING UK!"]

ImgBurnPlayHDDVDOnArrival_ReadDisc\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "PlayHDDVDOnArrival_ReadDisc"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\PlayHDDVDOnArrival_ReadDisc\Command\(Default) = ""C:\Program Files\ImgBurn\ImgBurn.exe" /MODE READ /SRC "%1"" ["LIGHTNING UK!"]

MSEnhancedStorageHandler\
"Provider" = "@C:\Windows\system32\EhStorShell.dll,-108"
"ProgID" = "EhStorShell.AutoplayHandler"
"InitCmdLine" = "Authorize"
HKLM\SOFTWARE\Classes\EhStorShell.AutoplayHandler\CLSID\(Default) = "{36F54939-CD3B-4C73-92D5-F9A389ED631C}"
-> {HKLM...CLSID} = "Enhanced Storage Autoplay Handler Class"
\InProcServer32\(Default) = "C:\Windows\system32\EhStorShell.dll" [MS]

MSWMEncVCArrival\
"Provider" = "Windows Media Encoder 9 Series"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Program Files\Windows Media Components\Encoder\WMEnc.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "Shell Execute Hardware Event Handler"
\LocalServer32\(Default) = "C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

NeroAutoPlay8AudioToNeroDigital\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "AudioToNeroDigital_PlayCDAudioOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\AudioToNeroDigital_PlayCDAudioOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:SaveTracks %L" ["Nero AG"]

NeroAutoPlay8CDAudio\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "CDAudio_HandleCDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\CDAudio_HandleCDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:AudioCD" ["Nero AG"]

NeroAutoPlay8CopyCD\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "CopyCD_PlayMusicFilesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\CopyCD_PlayMusicFilesOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:DiscCopy %L" ["Nero AG"]

NeroAutoPlay8DataDisc_CD\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "DataDisc_CD_HandleCDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\DataDisc_CD_HandleCDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:ISODisc /Media:CD %L" ["Nero AG"]

NeroAutoPlay8DataDisc_DVD\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "DataDisc_DVD_HandleDVDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\DataDisc_DVD_HandleDVDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:ISODisc /Media:DVD %L" ["Nero AG"]

NeroAutoPlay8LaunchNeroStartSmart\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "LaunchNeroStartSmart_HandleDVDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\LaunchNeroStartSmart_HandleDVDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero StartSmart\NeroStartSmart.exe /AutoPlay" ["Nero AG"]

NeroAutoPlay8PlayAudioCD\
"Provider" = "Nero ShowTime"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "PlayAudioCD_PlayMusicFilesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\PlayAudioCD_PlayMusicFilesOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero ShowTime\ShowTime.exe /Play %L" ["Nero AG"]

NeroAutoPlay8PlayDVD\
"Provider" = "Nero ShowTime"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "PlayDVD_PlayVideoFilesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\PlayDVD_PlayVideoFilesOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero ShowTime\ShowTime.exe /Play %L" ["Nero AG"]

NeroAutoPlay8RipCD\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "RipCD_PlayCDAudioOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\RipCD_PlayCDAudioOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:SaveTracks %L" ["Nero AG"]

NeroAutoPlay8TranscodeVideo\
"Provider" = "Nero Recode"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "TranscodeVideo_PlayDVDMovieOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\TranscodeVideo_PlayDVDMovieOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Recode\Recode.exe /New:CopyDVDVideo" ["Nero AG"]

NeroAutoPlay8VideoCapture\
"Provider" = "Nero Vision"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Program Files\Nero\Nero8\Nero Vision\NeroVision.exe" /New:VideoCapture"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "Shell Execute Hardware Event Handler"
\LocalServer32\(Default) = "C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

NeroAutoPlay8ViewPhotos\
"Provider" = "Nero PhotoSnap Viewer"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "ViewPhotos_ShowPicturesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\ViewPhotos_ShowPicturesOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero PhotoSnap\PhotoSnapViewer.exe /" ["Nero AG"]

TosDVDPlayHandler\
"Provider" = "TOSHIBA DVD PLAYER"
"InvokeProgID" = "TosDvdPlayer"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\TosDvdPlayer\shell\play\command\(Default) = ""C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TosHDDVD.exe"" ["TOSHIBA Corporation"]

VLCPlayCDAudioOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = ""C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file cdda://%1" ["the VideoLAN Team"]

VLCPlayDVDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = ""C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file dvd://%1" ["the VideoLAN Team"]

WinampMTPHandler\
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Program Files\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "Shell Execute Hardware Event Handler"
\LocalServer32\(Default) = "C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

WinampPlayMediaOnArrival\
"Provider" = "Winamp"
"InvokeProgID" = "Winamp.File"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""C:\Program Files\Winamp\winamp.exe" "%1"" ["Nullsoft"]
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"
-> {HKLM...CLSID} = (no title provided)
\LocalServer32\(Default) = ""C:\Program Files\Winamp\winamp.exe"" ["Nullsoft"]


Non-disabled Scheduled Tasks:
-----------------------------

C:\Windows\System32\Tasks
"{16BB71AF-1698-41B6-95C2-D63E8817E881}" -> launches: "C:\Windows\system32\pcalua.exe -a "C:\Program Files\InstallShield Installation Information\{68BEE9AE-D577-4CFA-9201-02B0CF288FC5}\setup.exe" -c -runfromtemp -l0x0409" [MS]
"{7B02EF0B-A410-4938-8480-9BA26420A627}" -> (HIDDEN!) launches: "C:\Windows\TEMP\b.exe" [file not found]
"{BB65B0FB-5712-401b-B616-E69AC55E2757}" -> (HIDDEN!) launches: "C:\Windows\TEMP\a.exe" [file not found]

C:\Windows\System32\Tasks\Apple
"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]

C:\Windows\System32\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client
"AD RMS Rights Policy Template Management (Manual)" -> launches: "{BF5CB148-7C77-4d8a-A53E-D81C70CF743C}"
-> {HKLM...CLSID} = "AD RMS Rights Policy Template Management (Manual) Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\msdrm.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Bluetooth
"UninstallDeviceTask" -> launches: "BthUdTask.exe $(Arg0)" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient
"SystemTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
-> {HKLM...CLSID} = "Certificate Services Client Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]
"UserTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
-> {HKLM...CLSID} = "Certificate Services Client Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]
"UserTask-Roam" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
-> {HKLM...CLSID} = "Certificate Services Client Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program
"Consolidator" -> launches: "%SystemRoot%\System32\wsqmcons.exe" [MS]
"OptinNotification" -> launches: "%SystemRoot%\System32\wsqmcons.exe -n 0x1C577FA2B69CAD0" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Defrag
"ManualDefrag" -> launches: "%windir%\system32\defrag.exe \\?\Volume{7d5bf50a-49af-11de-a2d4-001e33b8ad14}\" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Media Center
"ehDRMInit" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DRMInit" [MS]
"mcupdate" -> launches: "%SystemRoot%\ehome\mcupdate $(Arg0) -gc" [MS]
"OCURActivate" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /OCURActivate" [MS]
"OCURDiscovery" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /OCURDiscovery" [MS]
"UpdateRecordPath" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoUpdateRecordPath $(Arg0)" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\MobilePC
"HotStart" -> launches: "{06DA0625-9701-43da-BFD7-FBEEA2180A1E}"
-> {HKLM...CLSID} = "HotStart User Agent"
\InProcServer32\(Default) = "C:\Windows\System32\HotStartUserAgent.dll" [MS]
"TMM" -> launches: "{35EF4182-F900-4632-B072-8639E4478A61}"
-> {HKLM...CLSID} = "Transient Multi-Monitor Manager"
\InProcServer32\(Default) = "C:\Windows\System32\TMM.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\MUI
"LPRemove" -> launches: "%windir%\system32\lpremove.exe" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Multimedia
"SystemSoundsService" -> launches: "{2DEA658F-54C1-4227-AF9B-260AB5FC3543}"
-> {HKLM...CLSID} = "Microsoft PlaySoundService Class"
\InProcServer32\(Default) = "C:\Windows\System32\PlaySndSrv.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\NetworkAccessProtection
"NAPStatus UI" -> launches: "{f09878a1-4652-4292-aa63-8c7d4fd7648f}"
-> {HKLM...CLSID} = "Nap ITask Handler Implementation"
\InProcServer32\(Default) = "C:\Windows\System32\QAgent.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\PLA\System
"ConvertLogEntries" -> (HIDDEN!) launches: "%windir%\system32\rundll32.exe %windir%\system32\pla.dll,PlaConvertLogEntries" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\RAC
"RACAgent" -> (HIDDEN!) launches: "%windir%\system32\RacAgent.exe" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\RemoteAssistance
"RemoteAssistanceTask" -> (HIDDEN!) launches: "%windir%\system32\RAServer.exe /offerraupdate" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Shell
"CrawlStartPages" -> launches: "{51653423-e62d-4ff7-894a-dabb2b8e21e2}"
-> {HKLM...CLSID} = "CrawlStartPages Task Handler"
\InProcServer32\(Default) = "C:\Windows\System32\srchadmin.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\SideShow
"GadgetManager" -> launches: "{FF87090D-4A9A-4f47-879B-29A80C355D61}"
-> {HKLM...CLSID} = "GadgetsManager Class"
\InProcServer32\(Default) = "C:\Windows\System32\AuxiliaryDisplayServices.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\SystemRestore
"SR" -> launches: "%windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Tcpip
"IpAddressConflict1" -> launches: "rundll32 ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem" [MS]
"IpAddressConflict2" -> launches: "rundll32 ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem" [MS]
"WSHReset" -> (HIDDEN!) launches: "%systemroot%\system32\netsh.exe interface tcp set heuristic wsh=default" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework
"MsCtfMonitor" -> (HIDDEN!) launches: "{01575cfe-9a55-4003-a5e1-f38d1ebdcbe1}"
-> {HKLM...CLSID} = "MsCtfMonitor task handler"
\InProcServer32\(Default) = "C:\Windows\system32\MsCtfMonitor.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\UPnP
"UPnPHostConfig" -> launches: "sc.exe config upnphost start= auto" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\WDI
"ResolutionHost" -> (HIDDEN!) launches: "{900be39d-6be8-461a-bc4d-b0fa71f5ecb1}"
-> {HKLM...CLSID} = "DiagnosticInfrastructureCustomHandler"
\InProcServer32\(Default) = "C:\Windows\System32\wdi.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Windows Error Reporting
"QueueReporting" -> launches: "%windir%\system32\wermgr.exe -queuereporting" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Wired
"GatherWiredInfo" -> launches: "%windir%\system32\gatherWiredInfo.vbs" [null data]

C:\Windows\System32\Tasks\Microsoft\Windows\Wireless
"GatherWirelessInfo" -> launches: "%windir%\system32\gatherWirelessInfo.vbs" [null data]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\system32\NLAapi.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000005\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000006\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 26


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{0BF43445-2F28-4351-9252-17FE6E806AA0}" = "McAfee SiteAdvisor"
-> {HKLM...CLSID} = "McAfee SiteAdvisor"
\InProcServer32\(Default) = "C:\Program Files\SiteAdvisor\6145\SiteAdv.dll" ["McAfee, Inc."]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
<> C:\WINDOWS\INF\IERESET.INF was not found!

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<> "InPrivate" = "res://ieframe.dll/inprivate.htm" [MS]

All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------

Agere Modem Call Progress Audio, AgereModemAudio, "C:\Windows\system32\agrsmsvc.exe" ["Agere Systems"]
AMD External Events Utility, AMD External Events Utility, "C:\Windows\system32\atiesrxx.exe" ["AMD"]
Application Layer Gateway Service, ALG, "C:\Windows\System32\alg.exe" [MS]
Ati External Event Utility, Ati External Event Utility, "C:\Windows\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Certificate Propagation, CertPropSvc, "C:\Windows\system32\svchost.exe -k netsvcs" {"C:\Windows\System32\certprop.dll" [MS]}
CNG Key Isolation, KeyIso, "C:\Windows\system32\lsass.exe" [MS]
COM+ System Application, COMSysApp, "C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}" [MS]
Computer Browser, Browser, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\System32\browser.dll" [MS]}
ConfigFree Service, ConfigFree Service, ""C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe"" ["TOSHIBA CORPORATION"]
DFS Replication, DFSR, "C:\Windows\system32\DFSR.exe" [MS]
Diagnostic Service Host, WdiServiceHost, "C:\Windows\System32\svchost.exe -k wdisvc" {"C:\Windows\system32\wdi.dll" [MS]}
Distributed Transaction Coordinator, MSDTC, "C:\Windows\System32\msdtc.exe" [MS]
Extensible Authentication Protocol, EapHost, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\System32\eapsvc.dll" [MS]}
Health Key and Certificate Management, hkmsvc, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\system32\kmsvc.dll" [MS]}
Human Interface Device Access, hidserv, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\system32\hidserv.dll" [MS]}
InstallDriver Table Manager, IDriverT, ""C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe"" ["Macrovision Corporation"]
Interactive Services Detection, UI0Detect, "C:\Windows\system32\UI0Detect.exe" [MS]
Internet Connection Sharing (ICS), SharedAccess, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\System32\ipnathlp.dll" [MS]}
Jumpstart Wifi Protected Setup, jswpsapi, "C:\Program Files\Jumpstart\jswpsapi.exe" [file not found]
Link-Layer Topology Discovery Mapper, lltdsvc, "C:\Windows\System32\svchost.exe -k LocalService" {"C:\Windows\System32\lltdsvc.dll" [MS]}
McAfee Network Agent, McNASvc, ""c:\program files\common files\mcafee\mna\mcnasvc.exe"" ["McAfee, Inc."]
McAfee Personal Firewall Service, MpfService, ""C:\Program Files\McAfee\MPF\MPFSrv.exe"" ["McAfee, Inc."]
McAfee Proxy Service, McProxy, "c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe" ["McAfee, Inc."]
McAfee Real-time Scanner, McShield, "C:\Program Files\McAfee\VirusScan\McShield.exe" ["McAfee, Inc."]
McAfee Scanner, McODS, "C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe" [null data]
McAfee Services, mcmscsvc, "C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe" ["McAfee, Inc."]
McAfee SpamKiller Service, MSK80Service, ""C:\Program Files\McAfee\MSK\MskSrver.exe"" ["McAfee, Inc."]
McAfee SystemGuards, McSysmon, "C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe" ["McAfee, Inc."]
Microsoft .NET Framework NGEN v2.0.50727_X86, clr_optimization_v2.0.50727_32, "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe" [MS]
Microsoft iSCSI Initiator Service, MSiSCSI, "C:\Windows\system32\svchost.exe -k netsvcs" {"C:\Windows\system32\iscsiexe.dll" [MS]}
Microsoft Office Diagnostics Service, odserv, ""C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE"" [MS]
Nero BackItUp Scheduler 3, Nero BackItUp Scheduler 3, "C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe" ["Nero AG"]
Net.Tcp Port Sharing Service, NetTcpPortSharing, ""C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"" [MS]
Netlogon, Netlogon, "C:\Windows\system32\lsass.exe" [MS]
Network Access Protection Agent, napagent, "C:\Windows\System32\svchost.exe -k NetworkService" {"C:\Windows\system32\qagentRT.dll" [MS]}
NMIndexingService, NMIndexingService, ""C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe"" ["Nero AG"]
Office Source Engine, ose, ""C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"" [MS]
Parental Controls, WPCSvc, "C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted" {"C:\Windows\System32\wpcsvc.dll" [MS]}
PC Tools Auxiliary Service, sdAuxService, "C:\Program Files\Spyware Doctor\pctsAuxs.exe" ["PC Tools"]
PC Tools Security Service, sdCoreService, "C:\Program Files\Spyware Doctor\pctsSvc.exe" ["PC Tools"]
Peer Name Resolution Protocol, PNRPsvc, "C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted" {"C:\Windows\system32\p2psvc.dll" [MS]}
Peer Networking Grouping, p2psvc, "C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted" {"C:\Windows\system32\p2psvc.dll" [MS]}
Peer Networking Identity Manager, p2pimsvc, "C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted" {"C:\Windows\system32\p2psvc.dll" [MS]}
Performance Logs & Alerts, pla, "C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork" {"C:\Windows\system32\pla.dll" [MS]}
pinger, pinger, "C:\TOSHIBA\IVP\ISM\pinger.exe" [null data]
PnP-X IP Bus Enumerator, IPBusEnum, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\system32\ipbusenum.dll" [MS]}
PNRP Machine Name Publication Service, PNRPAutoReg, "C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted" {"C:\Windows\system32\p2psvc.dll" [MS]}
Problem Reports and Solutions Control Panel Support, wercplsupport, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\System32\wercplsupport.dll" [MS]}
Quality Windows Audio Video Experience, QWAVE, "C:\Windows\system32\svchost.exe -k LocalService" {"C:\Windows\system32\qwave.dll" [MS]}
Remote Access Auto Connection Manager, RasAuto, "C:\Windows\system32\svchost.exe -k netsvcs" {"C:\Windows\System32\rasauto.dll" [MS]}
Remote Procedure Call (RPC) Locator, RpcLocator, "C:\Windows\system32\locator.exe" [MS]
Remote Registry, RemoteRegistry, "C:\Windows\system32\svchost.exe -k regsvc" {"C:\Windows\system32\regsvc.dll" [MS]}
Routing and Remote Access, RemoteAccess, "C:\Windows\system32\svchost.exe -k netsvcs" {"C:\Windows\System32\mprdim.dll" [MS]}
SBSD Security Center Service, SBSDWSCService, "C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe" ["Safer Networking Ltd."]
Secure Socket Tunneling Protocol Service, SstpSvc, "C:\Windows\system32\svchost.exe -k LocalService" {"C:\Windows\system32\sstpsvc.dll" [MS]}
SiteAdvisor Service, SiteAdvisor Service, "C:\Program Files\SiteAdvisor\6145\SAService.exe" ["McAfee, Inc."]
SL UI Notification Service, SLUINotify, "C:\Windows\system32\svchost.exe -k LocalService" {"C:\Windows\system32\SLUINotify.dll" [MS]}
Smart Card, SCardSvr, "C:\Windows\system32\svchost.exe -k LocalService" {"C:\Windows\System32\SCardSvr.dll" [MS]}
Smart Card Removal Policy, SCPolicySvc, "C:\Windows\system32\svchost.exe -k netsvcs" {"C:\Windows\System32\certprop.dll" [MS]}
SmartFaceVWatchSrv, SmartFaceVWatchSrv, ""C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe"" ["Toshiba"]
SNMP Trap, SNMPTRAP, "C:\Windows\System32\snmptrap.exe" [MS]
Swupdtmr, Swupdtmr, "c:\TOSHIBA\IVP\swupdate\swupdtmr.exe" [null data]
Terminal Services Configuration, SessionEnv, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\system32\sessenv.dll" [MS]}
TOSHIBA Navi Support Service, TNaviSrv, "C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe" ["TOSHIBA Corporation"]
TOSHIBA Optical Disc Drive Service, TODDSrv, "C:\Windows\system32\TODDSrv.exe" ["TOSHIBA Corporation"]
TOSHIBA Power Saver, TosCoSrv, ""C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe"" ["TOSHIBA Corporation"]
TOSHIBA SMART Log Service, TOSHIBA SMART Log Service, ""C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe"" ["TOSHIBA Corporation"]
TPM Base Services, TBS, "C:\Windows\System32\svchost.exe -k LocalService" {"C:\Windows\System32\tbssvc.dll" [MS]}
Ulead Burning Helper, UleadBurningHelper, "C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe" ["Ulead Systems, Inc."]
Virtual Disk, vds, "C:\Windows\System32\vds.exe" [MS]
Windows Backup, SDRSVC, "C:\Windows\system32\svchost.exe -k SDRSVC" {"C:\Windows\System32\SDRSVC.dll" [MS]}
Windows CardSpace, idsvc, ""C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"" [MS]
Windows Color System, WcsPlugInService, "C:\Windows\system32\svchost.exe -k wcssvc" {"C:\Windows\System32\WcsPlugInService.dll" [MS]}
Windows Connect Now - Config Registrar, wcncsvc, "C:\Windows\System32\svchost.exe -k LocalService" {"C:\Windows\System32\wcncsvc.dll" [MS]}
Windows Driver Foundation - User-mode Driver Framework, wudfsvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\WUDFSvc.dll" [MS]}
Windows Event Collector, Wecsvc, "C:\Windows\system32\svchost.exe -k NetworkService" {"C:\Windows\system32\wecsvc.dll" [MS]}
Windows Image Acquisition (WIA), stisvc, "C:\Windows\system32\svchost.exe -k imgsvc" {"C:\Windows\System32\wiaservc.dll" [MS]}
Windows Installer, msiserver, "C:\Windows\system32\msiexec /V" [MS]
Windows Live ID Sign-in Assistant, wlidsvc, ""C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE"" [MS]
Windows Media Center Extender Service, Mcx2Svc, "C:\Windows\system32\svchost.exe -k LocalService" {"C:\Windows\system32\Mcx2Svc.dll" [MS]}
Windows Media Center Receiver Service, ehRecvr, "C:\Windows\ehome\ehRecvr.exe" [MS]
Windows Media Center Scheduler Service, ehSched, "C:\Windows\ehome\ehsched.exe" [MS]
Windows Media Center Service Launcher, ehstart, "C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork" {"C:\Windows\ehome\ehstart.dll" [MS]}
Windows Media Player Network Sharing Service, WMPNetworkSvc, ""C:\Program Files\Windows Media Player\wmpnetwk.exe"" [MS]
Windows Presentation Foundation Font Cache 3.0.0.0, FontCache3.0.0.0, "C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe" [MS]
Windows Remote Management (WS-Management), WinRM, "C:\Windows\System32\svchost.exe -k NetworkService" {"C:\Windows\system32\WsmSvc.dll" [MS]}
Wired AutoConfig, dot3svc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\dot3svc.dll" [MS]}
WLAN AutoConfig, Wlansvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\wlansvc.dll" [MS]}
WMI Performance Adapter, wmiApSrv, "C:\Windows\system32\wbem\WmiApSrv.exe" [MS]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
PCL hpz3l054\Driver = "hpz3l054.dll" ["Hewlett-Packard Company"]


---------- (launch time: 2009-09-01 18:10:19)
<>: Suspicious data at a malware launch point.
<>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 100 seconds, including 9 seconds for message boxes)





//sorry for all the posts, it was long.

A quick addition: PC Tools found these (it's the trial version, so it won't let me delete them).
It wasn't in scan mode either; it just popped up saying it had found them, and I can't find them in the specified folder to delete them manually.


(HIGH) Backdoor.Tidserv (2 infections)

...file:

c:\windows\system32\geyekrhpptxniw.dat
c:\windows\system32\geyekrnjsqrbbm.dat

Last edited by justyn on 2nd September 2009, 7:27 am; edited 1 time in total


  • Download combofix from here
    Link 1
    Link 2
1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to svchost as follows:


3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See HERE for how to disable your AV.
  • Double click on svchost.exe.
  • Follow the prompts. NOTE:
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.

Well, it opens, loads the blue bar, and then nothing happens after it closes. There is a new process in Task Manager named sed.cfxxe, which I assume is combofix. It stays at 60 K of memory and will not produce a log; I did not click or move the mouse anywhere while it ran.

I ran GMER and here are the results, before the malware closed it 10 minutes in! >.<:

GMER 1.0.15.15077 [gzwoy4u6.exe] - http://www.gmer.net
Rootkit scan 2009-09-01 20:26:39
Windows 6.0.6002 Service Pack 2


---- System - GMER 1.0.15 ----

Code 85FCF6C8 ZwEnumerateKey
Code 85FD4EB8 ZwFlushInstructionCache
Code 85FD15DE ZwSaveKey
Code 85FCF6FE ZwSaveKeyEx
Code 85FD1615 IofCallDriver
Code 85FD4DB6 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 81E7D912 5 Bytes JMP 85FD161A
.text ntkrnlpa.exe!IofCompleteRequest 81E7D97F 5 Bytes JMP 85FD4DBB
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 81FE8EF5 5 Bytes JMP 85FD4EBC
PAGE ntkrnlpa.exe!ZwEnumerateKey 820360BA 5 Bytes JMP 85FCF6CC
PAGE ntkrnlpa.exe!ZwSaveKey 8208B969 5 Bytes JMP 85FD15E2
PAGE ntkrnlpa.exe!ZwSaveKeyEx 8208BB07 5 Bytes JMP 85FCF702
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Java\jre6\bin\java.exe[404] USER32.dll!GetParent + 11F 770391C9 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Program Files\Java\jre6\bin\java.exe[404] GDI32.dll!GetObjectA + C5 76D08726 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Program Files\Java\jre6\bin\java.exe[404] GDI32.dll!GdiIsPlayMetafileDC + D4 76D10D68 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\wininit.exe[456] USER32.dll!GetParent + 11F 770391C9 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\wininit.exe[456] GDI32.dll!GetObjectA + C5 76D08726 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\wininit.exe[456] GDI32.dll!GdiIsPlayMetafileDC + D4 76D10D68 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\winlogon.exe[484] ntdll.dll!LdrLoadDll 77339390 5 Bytes JMP 001B000A
.text C:\Windows\system32\services.exe[532] USER32.dll!GetParent + 11F 770391C9 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\services.exe[532] GDI32.dll!GetObjectA + C5 76D08726 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\services.exe[532] GDI32.dll!GdiIsPlayMetafileDC + D4 76D10D68 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\lsm.exe[552] ntdll.dll!LdrLoadDll 77339390 5 Bytes JMP 0036000A
.text C:\Windows\system32\svchost.exe[708] USER32.dll!GetParent + 11F 770391C9 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\svchost.exe[708] GDI32.dll!GetObjectA + C5 76D08726 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\svchost.exe[708] GDI32.dll!GdiIsPlayMetafileDC + D4 76D10D68 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\svchost.exe[780] USER32.dll!GetParent + 11F 770391C9 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\svchost.exe[780] GDI32.dll!GetObjectA + C5 76D08726 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\svchost.exe[780] GDI32.dll!GdiIsPlayMetafileDC + D4 76D10D68 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\System32\svchost.exe[944] USER32.dll!GetParent + 11F 770391C9 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\System32\svchost.exe[944] GDI32.dll!GetObjectA + C5 76D08726 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\System32\svchost.exe[944] GDI32.dll!GdiIsPlayMetafileDC + D4 76D10D68 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\svchost.exe[968] USER32.dll!GetParent + 11F 770391C9 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\svchost.exe[968] GDI32.dll!GetObjectA + C5 76D08726 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\svchost.exe[968] GDI32.dll!GdiIsPlayMetafileDC + D4 76D10D68 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\System32\svchost.exe[1008] USER32.dll!GetParent + 11F 770391C9 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\System32\svchost.exe[1008] GDI32.dll!GetObjectA + C5 76D08726 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\System32\svchost.exe[1008] GDI32.dll!GdiIsPlayMetafileDC + D4 76D10D68 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\svchost.exe[1112] USER32.dll!GetParent + 11F 770391C9 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\svchost.exe[1112] GDI32.dll!GetObjectA + C5 76D08726 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\svchost.exe[1112] GDI32.dll!GdiIsPlayMetafileDC + D4 76D10D68 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\svchost.exe[1132] ntdll.dll!LdrLoadDll 77339390 5 Bytes JMP 000C000A
.text C:\Users\Justyn\AppData\Local\Temp\jkos-Justyn\binaries\ScanningProcess.exe[1248] ntdll.dll!LdrLoadDll 77339390 5 Bytes JMP 003D000A
.text C:\Windows\system32\Taskmgr.exe[1260] ntdll.dll!LdrLoadDll 77339390 5 Bytes JMP 001F000A
.text C:\Windows\system32\svchost.exe[1284] USER32.dll!GetParent + 11F 770391C9 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\svchost.exe[1284] GDI32.dll!GetObjectA + C5

.text C:\Windows\system32\svchost.exe[1284] GDI32.dll!GdiIsPlayMetafileDC + D4 76D10D68 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[1380] USER32.dll!GetParent + 11F 770391C9 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[1380] GDI32.dll!GetObjectA + C5 76D08726 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[1380] GDI32.dll!GdiIsPlayMetafileDC + D4 76D10D68 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\svchost.exe[1444] USER32.dll!GetParent + 11F 770391C9 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\svchost.exe[1444] GDI32.dll!GetObjectA + C5 76D08726 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\system32\svchost.exe[1444] GDI32.dll!GdiIsPlayMetafileDC + D4 76D10D68 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\Explorer.EXE[1944] GDI32.dll!GetObjectA + C5 76D08726 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\Explorer.EXE[1944] GDI32.dll!GdiIsPlayMetafileDC + D4 76D10D68 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Windows\Explorer.EXE[1944] USER32.dll!GetParent + 11F 770391C9 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2152] USER32.dll!GetParent + 11F 770391C9 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2152] GDI32.dll!GetObjectA + C5 76D08726 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2152] GDI32.dll!GdiIsPlayMetafileDC + D4 76D10D68 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] USER32.dll!CreateWindowExW 77031305 5 Bytes JMP 7332D3AC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] USER32.dll!GetParent + 11F 770391C9 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] USER32.dll!DialogBoxIndirectParamW 77052EF5 5 Bytes JMP 73423C10 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] USER32.dll!DialogBoxParamA 77068152 5 Bytes JMP 73423BAD C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] USER32.dll!DialogBoxIndirectParamA 7706847D 5 Bytes JMP 73423C73 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] USER32.dll!MessageBoxIndirectA 7707D4D9 5 Bytes JMP 73423B42 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] USER32.dll!MessageBoxIndirectW 7707D5D3 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] USER32.dll!MessageBoxIndirectW 7707D5D3 5 Bytes JMP 73423AD7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] USER32.dll!MessageBoxExA 7707D639 5 Bytes JMP 73423A75 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] USER32.dll!MessageBoxExW 7707D65D 5 Bytes JMP 73423A13 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] GDI32.dll!GetObjectA + C5 76D08726 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2300] GDI32.dll!GdiIsPlayMetafileDC + D4 76D10D68 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2652] USER32.dll!SetWindowsHookExW 770287AD 5 Bytes JMP 73329521 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2652] USER32.dll!CallNextHookEx 77028E3B 5 Bytes JMP 7331CB69 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2652] USER32.dll!UnhookWindowsHookEx 770298DB 5 Bytes JMP 732943F6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2652] USER32.dll!CreateWindowExW 77031305 5 Bytes JMP 7332D3AC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2652] USER32.dll!GetParent + 11F 770391C9 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2652] USER32.dll!DialogBoxIndirectParamW 77052EF5 5 Bytes JMP 73423C10 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2652] USER32.dll!DialogBoxParamA 77068152 5 Bytes JMP 73423BAD C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2652] USER32.dll!DialogBoxIndirectParamA 7706847D 5 Bytes JMP 73423C73 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2652] USER32.dll!MessageBoxIndirectA 7707D4D9 5 Bytes JMP 73423B42 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2652] USER32.dll!MessageBoxIndirectW 7707D5D3 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[2652] USER32.dll!MessageBoxIndirectW 7707D5D3 5 Bytes JMP 73423AD7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2652] USER32.dll!MessageBoxExA 7707D639 5 Bytes JMP 73423A75 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2652] USER32.dll!MessageBoxExW 7707D65D 5 Bytes JMP 73423A13 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2652] GDI32.dll!GetObjectA + C5 76D08726 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2652] GDI32.dll!GdiIsPlayMetafileDC + D4 76D10D68 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2652] ole32.dll!OleLoadFromStream 76B01E12 5 Bytes JMP 73423F78 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2652] ole32.dll!CoCreateInstance 76B39EA6 5 Bytes JMP 7332D408 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[2856] ntdll.dll!LdrLoadDll 77339390 5 Bytes JMP 003C000A
.text C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe[2916] ntdll.dll!LdrLoadDll 77339390 5 Bytes JMP 002A000A
.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[2956] ntdll.dll!LdrLoadDll 77339390 5 Bytes JMP 003E000A
.text C:\Users\Justyn\AppData\Local\Temp\jkos-Justyn\binaries\ScanningProcess.exe[3700] ntdll.dll!LdrLoadDll 77339390 5 Bytes JMP 003D000A
.text C:\Users\Justyn\Desktop\gzwoy4u6.exe[3824] ntdll.dll!LdrLoadDll 77339390 5 Bytes JMP 0038000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4012] USER32.dll!SetWindowsHookExW 770287AD 5 Bytes JMP 73329521 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4012] USER32.dll!CallNextHookEx 77028E3B 5 Bytes JMP 7331CB69 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4012] USER32.dll!UnhookWindowsHookEx 770298DB 5 Bytes JMP 732943F6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4012] USER32.dll!CreateWindowExW 77031305 5 Bytes JMP 7332D3AC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4012] USER32.dll!GetParent + 11F 770391C9 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[4012] USER32.dll!DialogBoxIndirectParamW 77052EF5 5 Bytes JMP 73423C10 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4012] USER32.dll!DialogBoxParamA 77068152 5 Bytes JMP 73423BAD C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4012] USER32.dll!DialogBoxIndirectParamA 7706847D 5 Bytes JMP 73423C73 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4012] USER32.dll!MessageBoxIndirectA 7707D4D9 5 Bytes JMP 73423B42 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4012] USER32.dll!MessageBoxIndirectW 7707D5D3 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[4012] USER32.dll!MessageBoxIndirectW 7707D5D3 5 Bytes JMP 73423AD7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4012] USER32.dll!MessageBoxExA 7707D639 5 Bytes JMP 73423A75 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4012] USER32.dll!MessageBoxExW 7707D65D 5 Bytes JMP 73423A13 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4012] GDI32.dll!GetObjectA + C5 76D08726 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[4012] GDI32.dll!GdiIsPlayMetafileDC + D4 76D10D68 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\34143FE3.x86.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[4012] ole32.dll!OleLoadFromStream 76B01E12 5 Bytes JMP 73423F78 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4012] ole32.dll!CoCreateInstance 76B39EA6 5 Bytes JMP 7332D408 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Java\jre6\bin\java.exe[404] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Program Files\Java\jre6\bin\java.exe[404] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\system32\wininit.exe[456] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\system32\wininit.exe[456] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\system32\services.exe[532] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\system32\services.exe[532] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\system32\svchost.exe[708] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\system32\svchost.exe[708] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\system32\svchost.exe[780] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\system32\svchost.exe[780] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\System32\svchost.exe[944] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\System32\svchost.exe[944] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\system32\svchost.exe[968] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\system32\svchost.exe[968] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\System32\svchost.exe[1008] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\System32\svchost.exe[1008] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\system32\svchost.exe[1112] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\system32\svchost.exe[1112] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\system32\svchost.exe[1284] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\system32\svchost.exe[1284] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Program Files\McAfee\MPF\MPFSrv.exe[1380] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Program Files\McAfee\MPF\MPFSrv.exe[1380] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\system32\svchost.exe[1444] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\system32\svchost.exe[1444] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [740E7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7413A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [740EBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [740DF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [740E75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [740DE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74118395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [740EDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [740DFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [740DFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [740D71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7416CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7410C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [740DD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [740D6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [740D687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [740E2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Windows\Explorer.EXE[1944] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2152] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2152] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Program Files\Internet Explorer\iexplore.exe[2300] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Program Files\Internet Explorer\iexplore.exe[2300] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Program Files\Internet Explorer\iexplore.exe[2652] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Program Files\Internet Explorer\iexplore.exe[2652] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Program Files\Internet Explorer\iexplore.exe[4012] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\34143FE3.x86.dll
IAT C:\Program Files\Internet Explorer\iexplore.exe[4012] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\34143FE3.x86.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\34143FE3.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\java.exe [404] 0x35670000
Library \\?\globalroot\Device\__max++>\34143FE3.x86.dll (*** hidden *** ) @ C:\Windows\system32\wininit.exe [456] 0x35670000
Library \\?\globalroot\Device\__max++>\34143FE3.x86.dll (*** hidden *** ) @ C:\Windows\system32\services.exe [532] 0x35670000
Library \\?\globalroot\Device\__max++>\34143FE3.x86.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [708] 0x35670000
Library \\?\globalroot\Device\__max++>\34143FE3.x86.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [780] 0x35670000
Library \\?\globalroot\Device\__max++>\34143FE3.x86.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [944] 0x35670000
Library \\?\globalroot\Device\__max++>\34143FE3.x86.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [968] 0x35670000
Library \\?\globalroot\Device\__max++>\34143FE3.x86.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [1008] 0x35670000
Library \\?\globalroot\Device\__max++>\34143FE3.x86.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1112] 0x35670000
Library \\?\globalroot\Device\__max++>\34143FE3.x86.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1284] 0x35670000
Library \\?\globalroot\Device\__max++>\34143FE3.x86.dll (*** hidden *** ) @ C:\Program Files\McAfee\MPF\MPFSrv.exe [1380] 0x35670000
Library \\?\globalroot\Device\__max++>\34143FE3.x86.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1444] 0x35670000
Library \\?\globalroot\Device\__max++>\34143FE3.x86.dll (*** hidden *** ) @ C:\Windows\Explorer.EXE [1944] 0x35670000
Library \\?\globalroot\Device\__max++>\34143FE3.x86.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [2152] 0x35670000
Library \\?\globalroot\Device\__max++>\34143FE3.x86.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [2300] 0x35670000
Library \\?\globalroot\Device\__max++>\34143FE3.x86.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [2652] 0x35670000
Library \\?\globalroot\Device\__max++>\34143FE3.x86.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [4012] 0x35670000

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\geyekrbndqupbe.sys (*** hidden *** ) [SYSTEM] geyekrntqvoxie <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie@imagepath \systemroot\system32\drivers\geyekrbndqupbe.sys
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie\main@aid 10200
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie\main@sid 3
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrbndqupbe.sys
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie\modules@geyekrcmd.dll \systemroot\system32\geyekrvibpvqwk.dll
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie\modules@geyekrlog.dat \systemroot\system32\geyekrnjsqrbbm.dat
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie\modules@geyekrwsp.dll \systemroot\system32\geyekrpjyjtred.dll
Reg HKLM\SYSTEM\ControlSet001\Services\geyekrntqvoxie\modules@geyekr.dat \systemroot\system32\geyekrhpptxniw.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie@start 4
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie@imagepath \systemroot\system32\drivers\geyekrbndqupbe.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie\main@aid 10200
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie\main@sid 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrbndqupbe.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie\modules@geyekrcmd.dll \systemroot\system32\geyekrvibpvqwk.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie\modules@geyekrlog.dat \systemroot\system32\geyekrnjsqrbbm.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie\modules@geyekrwsp.dll \systemroot\system32\geyekrpjyjtred.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrntqvoxie\modules@geyekr.dat \systemroot\system32\geyekrhpptxniw.dat
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie@imagepath \systemroot\system32\drivers\geyekrbndqupbe.sys
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie\main@aid 10200
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie\main@sid 3
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrbndqupbe.sys
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie\modules@geyekrcmd.dll \systemroot\system32\geyekrvibpvqwk.dll
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie\modules@geyekrlog.dat \systemroot\system32\geyekrnjsqrbbm.dat
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie\modules@geyekrwsp.dll \systemroot\system32\geyekrpjyjtred.dll
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrntqvoxie\modules@geyekr.dat \systemroot\system32\geyekrhpptxniw.dat
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie@imagepath \systemroot\system32\drivers\geyekrbndqupbe.sys
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie\main@aid 10200
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie\main@sid 3
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrbndqupbe.sys
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie\modules@geyekrcmd.dll \systemroot\system32\geyekrvibpvqwk.dll
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie\modules@geyekrlog.dat \systemroot\system32\geyekrnjsqrbbm.dat
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie\modules@geyekrwsp.dll \systemroot\system32\geyekrpjyjtred.dll
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrntqvoxie\modules@geyekr.dat \systemroot\system32\geyekrhpptxniw.dat

That was as far as the log got before GMER auto-closed.


I ran each GMER checkbox one by one and found out that it scans everything without closing except for files. Once it searches for files, it auto-closes and sets the file's ownership so that Everyone is denied access. I take that back by making my user the owner of the file, but it does it again if I scan files.

descriptionMultiple Virus - Page 2 EmptyRe: Multiple Virus

more_horiz
Disabled the geyekrntqvoxie service in GMER, did not delete it yet. Now in Normal mode, but scanners still get shut down. I really want help getting rid of this ASAP.

Tried GMER again, but the services re-enable themselves automatically.
This is so annoying; I was so close to reformatting, but I will wait one more hour or so if I can. I really need to access some things, but will not type passwords until I am 100% safe... And unless I can fully scan without the malware closing the app, I will not feel safe.

I know I am still infected because we have not accomplished anything, but I posted the logs I could get.
