I ran your latest list of programs and had no problem with them. My computer still operates as when I first posted - same problems.
Below are logs you requested.
BlackLight:
05/09/07 14:10:27 [Info]: BlackLight Engine 1.0.61 initialized
05/09/07 14:10:27 [Info]: OS: 5.1 build 2600 (Service Pack 2)
05/09/07 14:10:27 [Note]: 7019 4
05/09/07 14:10:27 [Note]: 7005 0
05/09/07 14:10:38 [Note]: 7006 0
05/09/07 14:10:38 [Note]: 7011 2020
05/09/07 14:10:38 [Note]: 7026 0
05/09/07 14:10:38 [Note]: 7026 0
05/09/07 14:10:42 [Note]: FSRAW library version 1.7.1021
05/09/07 14:36:39 [Note]: 7007 0
------------------------------------------------------------------
GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-05-09 15:03:35
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.12 ----
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys ZwProtectVirtualMemory
Code \SystemRoot\system32\drivers\mfehidk.sys ZwTerminateProcess
Code \SystemRoot\system32\drivers\mfehidk.sys ZwUnmapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys ZwYieldExecution
Code \SystemRoot\system32\drivers\mfehidk.sys NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys NtMapViewOfSection
---- Kernel code sections - GMER 1.0.12 ----
.text ntkrnlpa.exe!ZwYieldExecution 8050189C 7 Bytes JMP B3CD353D \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!NtCreateFile 8056D3CA 5 Bytes JMP B3CD34FF \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A6206 7 Bytes JMP B3CD3553 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A701C 5 Bytes JMP B3CD3569 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805AC78E 7 Bytes JMP B3CD3513 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwCreateProcess 805C5F8E 5 Bytes JMP B3CD3529 \SystemRoot\system32\drivers\mfehidk.sys
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C776C 5 Bytes JMP B3CD34EB \SystemRoot\system32\drivers\mfehidk.sys
? C:\WINDOWS\system32\DRIVERS\update.sys
---- User code sections - GMER 1.0.12 ----
.text C:\WINDOWS\system32\svchost.exe[208] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00C50FE5
.text C:\WINDOWS\system32\svchost.exe[208] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00C5003B
.text C:\WINDOWS\system32\svchost.exe[208] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00C5002A
.text C:\WINDOWS\system32\svchost.exe[208] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00C50F46
.text C:\WINDOWS\system32\svchost.exe[208] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00C50F61
.text C:\WINDOWS\system32\svchost.exe[208] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00C50F83
.text C:\WINDOWS\system32\svchost.exe[208] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00C50073
.text C:\WINDOWS\system32\svchost.exe[208] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00C50056
.text C:\WINDOWS\system32\svchost.exe[208] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00C50EFC
.text C:\WINDOWS\system32\svchost.exe[208] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00C50095
.text C:\WINDOWS\system32\svchost.exe[208] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00C50EE1
.text C:\WINDOWS\system32\svchost.exe[208] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00C50F72
.text C:\WINDOWS\system32\svchost.exe[208] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00C50FCA
.text C:\WINDOWS\system32\svchost.exe[208] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00C50F35
.text C:\WINDOWS\system32\svchost.exe[208] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00C50F9E
.text C:\WINDOWS\system32\svchost.exe[208] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00C50FB9
.text C:\WINDOWS\system32\svchost.exe[208] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00C50084
.text C:\WINDOWS\system32\svchost.exe[208] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00C4005B
.text C:\WINDOWS\system32\svchost.exe[208] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00C40FCA
.text C:\WINDOWS\system32\svchost.exe[208] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00C40036
.text C:\WINDOWS\system32\svchost.exe[208] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00C4001B
.text C:\WINDOWS\system32\svchost.exe[208] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00C40FDB
.text C:\WINDOWS\system32\svchost.exe[208] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00C4007D
.text C:\WINDOWS\system32\svchost.exe[208] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00C4000A
.text C:\WINDOWS\system32\svchost.exe[208] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00C4006C
.text C:\WINDOWS\system32\svchost.exe[208] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00C20000
.text C:\WINDOWS\system32\services.exe[1196] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00E60FEF
.text C:\WINDOWS\system32\services.exe[1196] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00E60F66
.text C:\WINDOWS\system32\services.exe[1196] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00E60F81
.text C:\WINDOWS\system32\services.exe[1196] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00E6005B
.text C:\WINDOWS\system32\services.exe[1196] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00E6004A
.text C:\WINDOWS\system32\services.exe[1196] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00E60FB9
.text C:\WINDOWS\system32\services.exe[1196] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00E60F33
.text C:\WINDOWS\system32\services.exe[1196] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00E60F44
.text C:\WINDOWS\system32\services.exe[1196] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00E600A7
.text C:\WINDOWS\system32\services.exe[1196] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00E60F0E
.text C:\WINDOWS\system32\services.exe[1196] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00E60EFD
.text C:\WINDOWS\system32\services.exe[1196] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00E60FA8
.text C:\WINDOWS\system32\services.exe[1196] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00E60FD4
.text C:\WINDOWS\system32\services.exe[1196] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00E60F55
.text C:\WINDOWS\system32\services.exe[1196] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00E60025
.text C:\WINDOWS\system32\services.exe[1196] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00E60000
.text C:\WINDOWS\system32\services.exe[1196] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00E60096
.text C:\WINDOWS\system32\services.exe[1196] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 0099002C
.text C:\WINDOWS\system32\services.exe[1196] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00990058
.text C:\WINDOWS\system32\services.exe[1196] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00990FE5
.text C:\WINDOWS\system32\services.exe[1196] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 0099001B
.text C:\WINDOWS\system32\services.exe[1196] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00990FA5
.text C:\WINDOWS\system32\services.exe[1196] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00990FB6
.text C:\WINDOWS\system32\services.exe[1196] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 0099000A
.text C:\WINDOWS\system32\services.exe[1196] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 0099003D
.text C:\WINDOWS\system32\services.exe[1196] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00960FEF
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00C10000
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00C10F6D
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00C10F7E
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00C10FA5
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00C10062
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00C10FCA
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00C10F2E
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00C10F3F
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00C100B6
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00C100A5
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00C100C7
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00C10047
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00C1001B
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00C10F5C
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00C10036
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00C10FDB
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00C10F1D
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00C00025
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00C0005B
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00C00FDE
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00C00F9E
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00C00040
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00C0000A
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00C00FB9
.text C:\WINDOWS\system32\svchost.exe[1396] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 007E0000
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 007E00B5
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 007E009A
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 007E0073
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 007E0062
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 007E0036
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 007E0F74
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 007E00C6
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 007E00E8
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 007E0F4F
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 007E0F34
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 007E0047
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 007E0FE5
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 007E0F9B
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 007E0011
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 007E0FC0
.text C:\WINDOWS\system32\svchost.exe[1504] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 007E00D7
.text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 007D0FD4
.text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 007D0062
.text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 007D0025
.text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 007D000A
.text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 007D0FA5
.text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 007D0051
.text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 007D0FE5
.text C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 007D0036
.text C:\WINDOWS\system32\svchost.exe[1504] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 007B0000
.text C:\WINDOWS\system32\svchost.exe[1640] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 0085000A
.text C:\WINDOWS\system32\svchost.exe[1640] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00850F57
.text C:\WINDOWS\system32\svchost.exe[1640] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00850F68
.text C:\WINDOWS\system32\svchost.exe[1640] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00850F79
.text C:\WINDOWS\system32\svchost.exe[1640] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00850036
.text C:\WINDOWS\system32\svchost.exe[1640] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00850FB9
.text C:\WINDOWS\system32\svchost.exe[1640] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00850F29
.text C:\WINDOWS\system32\svchost.exe[1640] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00850071
.text C:\WINDOWS\system32\svchost.exe[1640] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008500B1
.text C:\WINDOWS\system32\svchost.exe[1640] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00850F0E
.text C:\WINDOWS\system32\svchost.exe[1640] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 008500C2
.text C:\WINDOWS\system32\svchost.exe[1640] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00850F94
.text C:\WINDOWS\system32\svchost.exe[1640] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00850FE5
.text C:\WINDOWS\system32\svchost.exe[1640] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00850F46
.text C:\WINDOWS\system32\svchost.exe[1640] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00850FCA
.text C:\WINDOWS\system32\svchost.exe[1640] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 0085001B
.text C:\WINDOWS\system32\svchost.exe[1640] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00850082
.text C:\WINDOWS\system32\svchost.exe[1640] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 006E0FB9
.text C:\WINDOWS\system32\svchost.exe[1640] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 006E0F94
.text C:\WINDOWS\system32\svchost.exe[1640] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 006E000A
.text C:\WINDOWS\system32\svchost.exe[1640] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 006E0FD4
.text C:\WINDOWS\system32\svchost.exe[1640] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 006E0051
.text C:\WINDOWS\system32\svchost.exe[1640] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 006E0036
.text C:\WINDOWS\system32\svchost.exe[1640] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 006E0FE5
.text C:\WINDOWS\system32\svchost.exe[1640] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 006E0025
.text C:\WINDOWS\system32\svchost.exe[1640] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 006B0FE5
.text C:\WINDOWS\system32\svchost.exe[1640] WININET.dll!InternetOpenA 771CC859 5 Bytes JMP 006C0000
.text C:\WINDOWS\system32\svchost.exe[1640] WININET.dll!InternetOpenW 771CCE91 5 Bytes JMP 006C0025
.text C:\WINDOWS\system32\svchost.exe[1640] WININET.dll!InternetOpenUrlA 771D06CD 5 Bytes JMP 006C0FEF
.text C:\WINDOWS\system32\svchost.exe[1640] WININET.dll!InternetOpenUrlW 7721A881 5 Bytes JMP 006C004A
.text C:\WINDOWS\explorer.exe[2020] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00B90000
.text C:\WINDOWS\explorer.exe[2020] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00B90051
.text C:\WINDOWS\explorer.exe[2020] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00B90F5C
.text C:\WINDOWS\explorer.exe[2020] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00B90F83
.text C:\WINDOWS\explorer.exe[2020] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00B90040
.text C:\WINDOWS\explorer.exe[2020] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00B90FAF
.text C:\WINDOWS\explorer.exe[2020] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00B90F41
.text C:\WINDOWS\explorer.exe[2020] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00B90089
.text C:\WINDOWS\explorer.exe[2020] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00B90F0B
.text C:\WINDOWS\explorer.exe[2020] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00B90F26
.text C:\WINDOWS\explorer.exe[2020] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00B900BF
.text C:\WINDOWS\explorer.exe[2020] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00B90F94
.text C:\WINDOWS\explorer.exe[2020] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00B90011
.text C:\WINDOWS\explorer.exe[2020] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00B9006C
.text C:\WINDOWS\explorer.exe[2020] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00B90FCA
.text C:\WINDOWS\explorer.exe[2020] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00B90FDB
.text C:\WINDOWS\explorer.exe[2020] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00B900A4
.text C:\WINDOWS\explorer.exe[2020] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00B80025
.text C:\WINDOWS\explorer.exe[2020] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00B80F9E
.text C:\WINDOWS\explorer.exe[2020] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00B8000A
.text C:\WINDOWS\explorer.exe[2020] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00B80FD4
.text C:\WINDOWS\explorer.exe[2020] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00B80FB9
.text C:\WINDOWS\explorer.exe[2020] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00B80051
.text C:\WINDOWS\explorer.exe[2020] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00B80FE5
.text C:\WINDOWS\explorer.exe[2020] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00B80040
.text C:\WINDOWS\explorer.exe[2020] WININET.dll!InternetOpenA 771CC859 5 Bytes JMP 00B60FEF
.text C:\WINDOWS\explorer.exe[2020] WININET.dll!InternetOpenW 771CCE91 5 Bytes JMP 00B60FDE
.text C:\WINDOWS\explorer.exe[2020] WININET.dll!InternetOpenUrlA 771D06CD 5 Bytes JMP 00B60014
.text C:\WINDOWS\explorer.exe[2020] WININET.dll!InternetOpenUrlW 7721A881 5 Bytes JMP 00B60025
.text C:\WINDOWS\explorer.exe[2020] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 011E0FEF
---- Registry - GMER 1.0.12 ----
Reg \Registry\USER\S-1-5-21-453546596-1854136969-3205899074-1005\Software\Google\NavClient\1.1\History@"More Information Mobile Mass Pay Money Market ATM/Debit Card Referrals About Us Accounts Fees Privacy Plus Card Security Center Contact Us User Agreement Developers Shops About SSL Certificates Copyright ? 1999-2006 PayPal. All rights reserved. Information about FDIC pass-through insurance" 0x2D 0x35 0x31 0x45
---- EOF - GMER 1.0.12 ----
----------------------------------------------------------------------
ComboFix:
"RICH" - 2007-05-08 23:16:56 Service Pack 2 [SAFE MODE]
ComboFix 07-05.07.3.V - Running from: "C:\Documents and Settings\RICH\Desktop\"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\RICH\Desktop.\internet explorer.lnk
C:\WINDOWS\system32\bszip.dll
((((((((((((((((((((((((((((((( Files Created from 2007-04-08 to 2007-05-08 ))))))))))))))))))))))))))))))))))
2007-05-08 01:01 <DIR> d-------- C:\DOCUME~1\RICH\DoctorWeb
2007-05-01 23:25 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-05-01 23:25 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-05-01 23:25 144,960 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-05-01 23:25 <DIR> d-------- C:\Program Files\Webroot
2007-05-01 23:23 <DIR> d-------- C:\DOCUME~1\RICH\APPLIC~1\Webroot
2007-04-20 11:56 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-04-20 11:56 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-04-20 11:56 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-04-20 11:56 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-04-20 11:56 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-04-20 11:56 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-04-20 11:55 <DIR> d-------- C:\Program Files\McAfee
2007-04-20 11:55 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-04-20 11:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-04-14 18:30 <DIR> d-------- C:\Program Files\Chessmaster 8000
2007-04-09 14:51 <DIR> d-------- C:\Program Files\DellSupport
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-05-06 06:42:37 -------- d-----w C:\Program Files\CBLIGHT
2007-05-03 08:47:20 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-02 06:23:18 -------- d-----w C:\DOCUME~1\RICH\APPLIC~1.\Webroot
2007-04-29 09:34:06 -------- d-----w C:\Program Files\Napster
2007-04-26 19:16:43 -------- d-----w C:\DOCUME~1\RICH\APPLIC~1.\Iomega Automatic Backup Pro
2007-04-25 08:58:43 -------- d-----w C:\Program Files\On2 Technologies
2007-04-20 19:07:03 -------- d-----w C:\Program Files\McAfee.com
2007-04-09 22:02:33 -------- d--h--w C:\DOCUME~1\RICH\APPLIC~1.\Gtek
2007-04-03 07:07:15 -------- d-----w C:\Program Files\Easiestutils
2007-04-01 06:56:56 -------- d-----w C:\DOCUME~1\RICH\APPLIC~1.\Opera
2007-03-30 02:46:18 1,054,448 ----a-w C:\Program Files\YouTubeFLVtoAVIconverterPro.exe
2007-03-19 19:52:07 76,978 ----a-w C:\WINDOWS\system32\nvModes.dat
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-17 02:01:32 -------- d-----w C:\Program Files\dvdSanta
2007-03-16 14:58:17 -------- d--h--r C:\DOCUME~1\RICH\APPLIC~1.\yahoo!
2007-03-10 19:18:55 -------- d-----w C:\DOCUME~1\RICH\APPLIC~1.\Azureus
2007-03-10 07:40:41 -------- d-----w C:\Program Files\NewsLeecher
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{02478D38-C3F9-4EFB-9B51-7695ECA05670}"="C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll"
"{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"="C:\Program Files\Yahoo!\Common\yiesrvc.dll"
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll"
"{7DB2D5A0-7241-4E79-B68D-6309F01C5231}"="c:\program files\mcafee\virusscan\scriptcl.dll"
"{E5A1691B-D188-4419-AD02-90002030B8EE}"="C:\PROGRA~1\FlashFXP\IEFlash.dll"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"Apoint"="\"C:\\Program Files\\Apoint\\Apoint.exe\""
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="\"nwiz.exe\" /installquiet"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
@=""
"IntelWireless"="\"C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe\" /tf Intel PROSet/Wireless"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"ISUSPM Startup"="\"C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"DLPSP"="\"c:\\program files\\dell printers\\Additional Color Laser Software\\Status Monitor\\DLPSP.EXE\""
"DVDBitSet"="\"C:\\Program Files\\HP CD-DVD\\Umbrella\\DVDBitSet.exe\" /NOUI"
"DVDTray"="\"C:\\Program Files\\HP CD-DVD\\Umbrella\\DVDTray.exe"
"Share-to-Web Namespace Daemon"="\"C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe\""
"NWEReboot"=""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"PC Pitstop Optimize Scheduler"="\"C:\\Program Files\\PCPitstop\\Optimize\\PCPOptimize.exe\" -boot"
"Windows Media Connect 2"="\"C:\\Program Files\\Windows Media Connect 2\\WMCCFG.exe\" /StartQuiet"
"NeroFilterCheck"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe\""
"NapsterShell"="\"C:\\Program Files\\Napster\\napster.exe\" /systray"
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"DellSupport"="\"C:\\Program Files\\DellSupport\\DSAgnt.exe\" /startup"
"Iomega Automatic Backup Pro"="\"C:\\Program Files\\Iomega\\Automatic Backup Pro\\LiveSystem.exe\" -s"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MCODS
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uniblue registry booster
C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
QWAVE QWAVE\0\0
WudfServiceGroup WUDFSvc\0\0
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
Shell\AutoRun\command F:\LaunchU3.exe
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job
********************************************************************
catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-08 23:23:50
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Iomega Automatic Backup Pro = "C:\Program Files\Iomega\Automatic Backup Pro\LiveSystem.exe" -s?????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 2007-05-08 23:24:35
C:\ComboFix-quarantined-files.txt ... 2007-05-08 23:24
-----------------------------------------------------------------------
Latest HijackThis log will be in the next post - it makes this message too long.
Thanks for your help. Please tell me what to do next and, if you can, include a little dialogue on what your feeling/opinion of the problem is so far and a prognosis, if you have any yet.
Rich in Phoenix