tavita86

HJT log (totour.exe problem)


Hi guys, wondering if anyone can help, PLEASE!! When I turn my computer on, a notice from Norton comes up saying I have a trojan called totour.exe, and then another one comes up saying I can't delete it. Then after that a virus or something must be sending junk mail from my computer, because I get HEAPS of messages from Norton saying that an email was not able to send (even though I haven't opened any email software). I have included my HJT log below. Any help would be greatly appreciated. Cheers

David

 

 

Logfile of HijackThis v1.99.1

Scan saved at 4:11:22 PM, on 3/28/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\system32\LXSUPMON.EXE

C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\DOCUME~1\david\LOCALS~1\Temp\dima.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\Program Files\Spyware Doctor\sdhelp.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Spyware Doctor\swdoctor.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ozemail.com.au:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.1.1;192.168.1.2;<local>

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe

O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

O4 - HKLM\..\Run: [svcs: Dnscache] C:\DOCUME~1\david\LOCALS~1\Temp\dima.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [ParetoLogic Anti-Spyware] "C:\Program Files\ParetoLogic\Anti-Spyware\Pareto_AS.exe" -NM -hidesplash

O4 - HKCU\..\Run: [Khid] C:\Documents and Settings\david\Application Data\?icrosoft.NET\?ti2evxx.exe

O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1168502382953

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1168502364546

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab53083.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: winlogin - Unknown owner - C:\WINDOWS\

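As an added example, not part of this thread or of HijackThis itself, the following Python script reads lines in the HijackThis log format used above and flags three patterns a log helper looks for first: autoruns launched from a temp directory, paths containing characters the log rendered as `?`, and program or service names one letter away from a core Windows binary (winlogin versus winlogon). The sample lines are constructed to mirror entries in the posted log; the heuristics, regular expressions and the edit-distance threshold are this example's own, not anything HijackThis does.

```python
import re
from dataclasses import dataclass

# Added example, not part of this thread or of HijackThis: a small triage pass
# over lines in the HijackThis v1.99 log format. Line shapes it understands:
#   O4 - HKLM\..\Run: [name] C:\path\prog.exe args
#   O23 - Service: Display name (short) - Owner - C:\path\prog.exe
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
EXE_RE = re.compile(r"\.(exe|com|sys|dll|scr)$", re.IGNORECASE)

# Core Windows binaries whose names malware likes to imitate.
SYSTEM_NAMES = ("winlogon", "svchost", "lsass", "csrss", "services", "smss", "explorer")
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp\\", "\\local settings\\temp\\")


@dataclass
class Finding:
    section: str   # "O4" or "O23"
    subject: str   # autorun name or service name
    reason: str


def executable_path(cmd: str) -> str:
    """Return the program path from an autorun command, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"^(.*?\.(?:exe|com|dll|scr|bat))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-letter look-alikes of system names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str):
    """Return the system name that `name` imitates (distance exactly 1), else None."""
    n = name.lower()
    for sys_name in SYSTEM_NAMES:
        if n != sys_name and edit_distance(n, sys_name) == 1:
            return sys_name
    return None


def basename_no_ext(path: str) -> str:
    return re.sub(r"\.[^.\\]+$", "", path.rsplit("\\", 1)[-1])


def check_o4(name: str, cmd: str):
    path = executable_path(cmd)
    low = path.lower()
    out = []
    if any(t in low for t in TEMP_MARKERS):
        out.append(Finding("O4", name, f"autorun executes from a temp directory: {path}"))
    if "?" in path:
        out.append(Finding("O4", name, f"path contains characters the log could not render: {path}"))
    target = lookalike_of(basename_no_ext(path))
    if target:
        out.append(Finding("O4", name, f"executable name imitates {target}: {path}"))
    return out


def check_o23(name: str, owner: str, path: str):
    out = []
    if owner.lower() == "unknown owner" and not EXE_RE.search(path.strip()):
        out.append(Finding("O23", name, f"no publisher and no executable named in path: {path}"))
    short = re.search(r"\(([^)]+)\)\s*$", name)
    target = lookalike_of(short.group(1) if short else name)
    if target:
        out.append(Finding("O23", name, f"service name imitates {target}"))
    return out


def triage(log_text: str):
    """Run every heuristic over a log and return the list of Findings."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O4" and (m4 := O4_RE.match(body)):
            findings.extend(check_o4(m4.group("name"), m4.group("cmd")))
        elif section == "O23" and (m23 := O23_RE.match(body)):
            findings.extend(check_o23(m23.group("name"), m23.group("owner"), m23.group("path")))
    return findings


# Constructed sample modelled on the log posted above (not a full copy of it).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [svcs: Dnscache] C:\DOCUME~1\david\LOCALS~1\Temp\dima.exe
O4 - HKCU\..\Run: [Khid] C:\Documents and Settings\david\Application Data\?icrosoft.NET\?ti2evxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: winlogin - Unknown owner - C:\WINDOWS\
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} [{f.subject}] {f.reason}")
```

Run against the sample it reports four findings: the `dima.exe` autorun in a temp directory, the `?icrosoft.NET` path, and the `winlogin` service twice (unknown owner with no executable named, and a one-letter imitation of winlogon). Entries for ccApp, QuickTime and the Symantec service pass every check, which is the point of the exercise: the heuristics narrow a long log to the handful of lines worth a closer look, they do not decide by themselves what is malicious.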

Totour.exe is part of Trojan.Net-MSNetAX, and is difficult to remove.

 

The trojan is responsible for hijacking the Windows Layered Service Provider chain, and allows a spyware author to access the networking services of a computer. Totour.exe appears to be the LSP installer.

 

~~~~

Please create a new folder on the Desktop, and name it SysClean

Download Sysclean Package (3.2MB) to the SysClean folder

http://www.trendmicro.com/download/dcs.asp

 

Next, go to:

http://www.trendmicro.com/download/pattern.asp

Download the Virus Pattern File (Official Pattern Release) 4.373.00 to the Desktop

Unzip lpt373.zip to show the file lpt$vpn.373

Move the lpt$vpn.373 to the SysClean folder created on the Desktop.

 

Reboot to Safe Mode :

-Restart your computer.

-When the machine first starts again, tap the F8 key before Windows starts

-You are presented with a Windows XP Advanced Options menu.

-Select the option for Safe Mode using the arrow keys.

-Press Enter to boot into Safe Mode.

 

Open the SysClean folder and double-click sysclean.com

(Lpt$vpn.373 and sysclean.com must be in the SysClean folder!)

Check: Automatically clean or delete detected files

Click: Scan

Once the scan is finished, press: View Log

Save the Sysclean log to post in your reply. (The Trend Micro System Cleaner log is also contained in the SysClean folder.)

 

~~~~

Restart Windows normally.

 

~~~~

Next, please download ComboFix (by sUBs) from one of the following links:

NOTE: In the event you already have ComboFix, this is a new version!!

 

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

 

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

 

Save it to the Desktop.

Double-click combofix.exe and follow the prompts.

 

CAUTION: Do not mouse-click ComboFix's window while it is running.

It may cause it to stall.

 

When finished, it produces a log.

 

Please provide the contents of the sysclean.log, and the ComboFix log in your reply.

Edited by Aaflac

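Aaflac's note above says the trojan hijacks the Windows Layered Service Provider chain. The Winsock 2 provider catalog that the LSP chain is built from lives in the registry under HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries, one subkey per provider with a binary PackedCatalogItem value. The following Python script, an added example that is not part of this thread or of any Trend Micro or Symantec tool, lists every provider DLL and flags ones that are missing or sit outside %SystemRoot%\system32. Two assumptions are labelled in the code: that the DLL path occupies the first 260 bytes of PackedCatalogItem as a NUL-terminated ANSI string (the layout third-party LSP viewers rely on), and that the constructed sample catalog, including the hypothetical `lsphook.dll` in a temp directory, stands in for a live registry when the script is run off Windows.

```python
import re
import sys

# Added example, not part of this thread or of any vendor tool: enumerate the
# Winsock 2 provider catalog (the LSP chain) and classify each provider DLL.
CATALOG_KEY = r"SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries"
MAX_PATH = 260


def provider_path_from_item(blob: bytes) -> str:
    """Pull the provider DLL path out of a PackedCatalogItem value.

    Assumption: the path is stored in the first MAX_PATH bytes as a NUL-terminated
    ANSI string (the layout third-party LSP viewers rely on). Cross-check a live
    listing against `netsh winsock show catalog` before acting on it.
    """
    raw = blob[:MAX_PATH].split(b"\x00", 1)[0]
    return raw.decode("mbcs" if sys.platform == "win32" else "latin-1")


def expand_system_root(path: str, system_root: str) -> str:
    """Expand %SystemRoot% case-insensitively without touching anything else."""
    return re.sub(r"%systemroot%", lambda _m: system_root, path, flags=re.IGNORECASE)


def assess_provider(path: str, system_root: str, exists) -> str:
    """Classify one provider as 'missing', 'outside-system32' or 'system'.

    `exists` is injected (os.path.exists on a live machine) so the logic can be
    exercised offline against a constructed catalog.
    """
    full = expand_system_root(path, system_root)
    if not exists(full):
        return "missing"
    sys32 = (system_root.rstrip("\\") + "\\system32\\").lower()
    if not full.lower().startswith(sys32):
        return "outside-system32"
    return "system"


def read_live_catalog():
    """Read every Catalog_Entries subkey on the running Windows machine."""
    import winreg  # Windows-only module, imported lazily
    catalog = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CATALOG_KEY) as cat:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(cat, index)
            except OSError:  # no more subkeys
                break
            index += 1
            with winreg.OpenKey(cat, name) as sub:
                blob, _kind = winreg.QueryValueEx(sub, "PackedCatalogItem")
            catalog[name] = blob
    return catalog


def make_item(path: str) -> bytes:
    """Construct a PackedCatalogItem-shaped blob for offline use (zero padding)."""
    encoded = path.encode("latin-1")
    return encoded + b"\x00" * (MAX_PATH - len(encoded) + 64)


# Constructed catalog: three stock XP providers plus one hypothetical provider
# dropped into a temp directory (placeholder name, not an indicator from the thread).
SAMPLE_ROOT = r"C:\WINDOWS"
SAMPLE_CATALOG = {
    "000000000001": make_item(r"%SystemRoot%\system32\mswsock.dll"),
    "000000000002": make_item(r"%SystemRoot%\system32\winrnr.dll"),
    "000000000003": make_item(r"C:\WINDOWS\system32\rsvpsp.dll"),
    "000000000004": make_item(r"C:\DOCUME~1\david\LOCALS~1\Temp\lsphook.dll"),
}
# Files pretended to exist on the constructed machine (rsvpsp.dll deliberately absent).
SAMPLE_FILES = {
    r"C:\WINDOWS\system32\mswsock.dll",
    r"C:\WINDOWS\system32\winrnr.dll",
    r"C:\DOCUME~1\david\LOCALS~1\Temp\lsphook.dll",
}


def audit(catalog, system_root, exists):
    """Return {entry: (dll_path, verdict)} for a catalog given as {entry: PackedCatalogItem}."""
    report = {}
    for entry, blob in catalog.items():
        path = provider_path_from_item(blob)
        report[entry] = (path, assess_provider(path, system_root, exists))
    return report


if __name__ == "__main__":
    if sys.platform == "win32":
        import os
        catalog, root, exists = read_live_catalog(), os.environ.get("SystemRoot", SAMPLE_ROOT), os.path.exists
    else:
        catalog, root, exists = SAMPLE_CATALOG, SAMPLE_ROOT, SAMPLE_FILES.__contains__
    for entry, (path, verdict) in sorted(audit(catalog, root, exists).items()):
        print(f"{entry}  {verdict:<17} {path}")
```

On the constructed catalog the two %SystemRoot% providers come back as `system`, rsvpsp.dll as `missing` (a broken chain entry, which is what leaves a machine without networking after a careless removal), and the temp-directory DLL as `outside-system32`. A `missing` or `outside-system32` verdict is a lead to investigate, not a verdict on its own; on XP SP2 the supported way to rebuild a damaged catalog once the offending DLL is gone is `netsh winsock reset`, rather than deleting individual Catalog_Entries subkeys by hand.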

Hi Aaflac thanks for the reply

Just one question

When I go to download the file "Virus Pattern File (Official Pattern Release) 4.373.00", there is only the file "Official Pattern Release 4.375.00" there. Do I download that one?

Thanks

David


Hi Aaflac thanks for the reply

Just one question

When I go to download the file "Virus Pattern File (Official Pattern Release) 4.373.00", there is only the file "Official Pattern Release 4.375.00" there. Do I download that one?

Thanks

David

 

Not to butt in, but YES.... and follow Aaflac's instructions...


Thanks, wademan!

 

tavita86, it is now showing as:

 

Virus Pattern Files / Cleanup Templates

The Virus pattern file protects customers against viruses.

The Virus cleanup template automatically removes the virus from the customer's system.

 

Virus Pattern File (Official Pattern Release) - 4.377.00 <-- This is what you need!

Edited by Aaflac


Hey guys, thanks a lot for the help. I followed all your steps, Aaflac. When I logged into my computer again Norton still detected totour.exe, although my computer seems to have stopped sending junk mail (as I am not getting any messages from Norton saying they have blocked emails sent from my computer). The Sysclean log and ComboFix log are below. Once again thanks for the help.

 

SYSCLEAN.LOG

 

 

 

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2006, Trend Micro, Inc. |

| http://www.antivirus.com |

\--------------------------------------------------------------/

 

 

2007-03-30, 15:38:27, Auto-clean mode specified.

2007-03-30, 15:38:27, Running scanner "C:\Documents and Settings\david\Desktop\Sysclean\TSC.BIN"...

2007-03-30, 15:43:02, Scanner "C:\Documents and Settings\david\Desktop\Sysclean\TSC.BIN" has finished running.

2007-03-30, 15:43:02, TSC Log:

 

Damage Cleanup Engine (DCE) 5.0(Build 1107)

Windows XP(Build 2600: Service Pack 2)

 

Start time : Fri Mar 30 2007 15:38:27

 

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\david\Desktop\Sysclean\tsc.ptn" (version 850) [success]

 

Complete time : Fri Mar 30 2007 15:43:02

Execute pattern count(3073), Virus found count(0), Virus clean count(0), Clean failed count(0)

 

2007-03-30, 15:43:28, An error was detected on "C:\Documents and Settings\david\Application Data\?icrosoft.NET\*.*": The filename, directory name, or volume label syntax is incorrect.

2007-03-30, 15:45:02, An error was detected on "C:\Program Files\Common Files\W?nSxS\*.*": The filename, directory name, or volume label syntax is incorrect.

2007-03-30, 15:45:02, An error was detected on "C:\Program Files\Common Files\??sks\*.*": The filename, directory name, or volume label syntax is incorrect.

2007-03-30, 15:45:34, An error was detected on "C:\System Volume Information\*.*": Access is denied.

2007-03-30, 15:47:33, An error was detected on "D:\System Volume Information\*.*": Access is denied.

2007-03-30, 16:24:14, Files Detected:

Copyright © 1990 - 2004 Trend Micro Inc.

Report Date : 3/30/2007 15:47:34

VSAPI Engine Version : 8.000-1001

VSCANTM Version : 1.1-1001

Virus Pattern Version : 377 (170414 Patterns) (2007/03/29) (437700)

Command Line: C:\Documents and Settings\david\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\david\Desktop\Sysclean

 

C:\Documents and Settings\david\Local Settings\Temporary Internet Files\Content.IE5\412745AV\swp[1].exe [TROJ_Generic]

C:\Documents and Settings\david\Local Settings\Temporary Internet Files\Content.IE5\A4QXN940\inserv[1].exe [TROJ_AGENT.VAW]

C:\Documents and Settings\david\Local Settings\Temporary Internet Files\Content.IE5\TLM3KHQR\winlogon[1].exe [TROJ_AGENT.VAV]

C:\RECYCLER\NPROTECT\00287051.exe [TROJ_AGENT.VAV]

C:\WINDOWS\inserv.exe [TROJ_AGENT.VAW]

C:\WINDOWS\system32\dxdlg32.exe [TROJ_Generic]

46675 files have been read.

46675 files have been checked.

40808 files have been scanned.

75824 files have been scanned. (including files in archived)

6 files containing viruses.

Found 6 viruses totally.

Maybe 0 viruses totally.

Stop At : 3/30/2007 16:24:14

---------*---------*---------*---------*---------*---------*---------*---------*

2007-03-30, 16:24:14, Files Clean:

Copyright © 1990 - 2004 Trend Micro Inc.

Report Date : 3/30/2007 15:47:34

VSAPI Engine Version : 8.000-1001

VSCANTM Version : 1.1-1001

Virus Pattern Version : 377 (170414 Patterns) (2007/03/29) (437700)

Command Line: C:\Documents and Settings\david\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\david\Desktop\Sysclean

 

Success Clean [ TROJ_Generic]( 1) from C:\Documents and Settings\david\Local Settings\Temporary Internet Files\Content.IE5\412745AV\swp[1].exe

Success Clean [ TROJ_AGENT.VAW]( 1) from C:\Documents and Settings\david\Local Settings\Temporary Internet Files\Content.IE5\A4QXN940\inserv[1].exe

Success Clean [ TROJ_AGENT.VAV]( 1) from C:\Documents and Settings\david\Local Settings\Temporary Internet Files\Content.IE5\TLM3KHQR\winlogon[1].exe

Success Clean [ TROJ_AGENT.VAV]( 1) from C:\RECYCLER\NPROTECT\00287051.exe

Success Clean [ TROJ_AGENT.VAW]( 1) from C:\WINDOWS\inserv.exe

Success Clean [ TROJ_Generic]( 1) from C:\WINDOWS\system32\dxdlg32.exe

46675 files have been read.

46675 files have been checked.

40808 files have been scanned.

75824 files have been scanned. (including files in archived)

6 files containing viruses.

Found 6 viruses totally.

Maybe 0 viruses totally.

Stop At : 3/30/2007 16:24:14 36 minutes 32 seconds (2191.47 seconds) has elapsed.

 

---------*---------*---------*---------*---------*---------*---------*---------*

2007-03-30, 16:24:14, Clean Fail:

Copyright © 1990 - 2004 Trend Micro Inc.

Report Date : 3/30/2007 15:47:34

VSAPI Engine Version : 8.000-1001

VSCANTM Version : 1.1-1001

Virus Pattern Version : 377 (170414 Patterns) (2007/03/29) (437700)

Command Line: C:\Documents and Settings\david\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\david\Desktop\Sysclean

 

46675 files have been read.

46675 files have been checked.

40808 files have been scanned.

75824 files have been scanned. (including files in archived)

6 files containing viruses.

Found 6 viruses totally.

Maybe 0 viruses totally.

Stop At : 3/30/2007 16:24:14 36 minutes 32 seconds (2191.47 seconds) has elapsed.

 

---------*---------*---------*---------*---------*---------*---------*---------*

2007-03-30, 16:24:14, Scanner "C:\Documents and Settings\david\Desktop\Sysclean\VSCANTM.BIN" has finished running.

2007-03-30, 16:34:13, Files Detected:

Copyright © 1990 - 2004 Trend Micro Inc.

Report Date : 3/30/2007 16:24:14

VSAPI Engine Version : 8.000-1001

VSCANTM Version : 1.1-1001

Virus Pattern Version : 377 (170414 Patterns) (2007/03/29) (437700)

Command Line: C:\Documents and Settings\david\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\Documents and Settings\david\Desktop\Sysclean

 

D:\RECYCLER\NPROTECT\00000354.ZIP (1/1 Viruses Found)

21721 files have been read.

21721 files have been checked.

19638 files have been scanned.

23079 files have been scanned. (including files in archived)

2 files containing viruses.

Found 2 viruses totally.

Maybe 0 viruses totally.

Stop At : 3/30/2007 16:34:13

---------*---------*---------*---------*---------*---------*---------*---------*

2007-03-30, 16:34:13, Files Clean:

Copyright © 1990 - 2004 Trend Micro Inc.

Report Date : 3/30/2007 16:24:14

VSAPI Engine Version : 8.000-1001

VSCANTM Version : 1.1-1001

Virus Pattern Version : 377 (170414 Patterns) (2007/03/29) (437700)

Command Line: C:\Documents and Settings\david\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\Documents and Settings\david\Desktop\Sysclean

 

Success Clean [ WORM_GAOBOT.DF]( 1) from D:\RECYCLER\NPROTECT\00000354.ZIP,(Setup.exe)

21721 files have been read.

21721 files have been checked.

19638 files have been scanned.

23079 files have been scanned. (including files in archived)

2 files containing viruses.

Found 2 viruses totally.

Maybe 0 viruses totally.

Stop At : 3/30/2007 16:34:13 9 minutes 50 seconds (590.53 seconds) has elapsed.

 

---------*---------*---------*---------*---------*---------*---------*---------*

2007-03-30, 16:34:13, Clean Fail:

Copyright © 1990 - 2004 Trend Micro Inc.

Report Date : 3/30/2007 16:24:14

VSAPI Engine Version : 8.000-1001

VSCANTM Version : 1.1-1001

Virus Pattern Version : 377 (170414 Patterns) (2007/03/29) (437700)

Command Line: C:\Documents and Settings\david\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\Documents and Settings\david\Desktop\Sysclean

 

21721 files have been read.

21721 files have been checked.

19638 files have been scanned.

23079 files have been scanned. (including files in archived)

2 files containing viruses.

Found 2 viruses totally.

Maybe 0 viruses totally.

Stop At : 3/30/2007 16:34:13 9 minutes 50 seconds (590.53 seconds) has elapsed.

 

---------*---------*---------*---------*---------*---------*---------*---------*

2007-03-30, 16:34:13, Scanner "C:\Documents and Settings\david\Desktop\Sysclean\VSCANTM.BIN" has finished running.

 

 

 

 

COMBOFIX.TXT

 

 

"david" - 07-03-30 16:56:44 Service Pack 2

ComboFix 07-03-27.4.2 - Running from: "C:\Documents and Settings\david\Desktop"

 

 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINDOWS\system32\KB95842.log

C:\Program Files\Common Files\{38D84~1\Activate.exe

C:\Program Files\Common Files\{38D84~1\toolbardll.lzma

C:\WINDOWS\system32\jbhook.dll

C:\WINDOWS\system32\jbloader.dll

C:\WINDOWS\msvbs32.dll

C:\WINDOWS\pc.exe

C:\Program Files\Common Files\{38D84~1

C:\Program Files\Common Files\{E8D84~1

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\qoobox\purity\DOCUME~1

C:\qoobox\purity\DOCUME~1\david

C:\qoobox\purity\DOCUME~1\david\APPLIC~1

C:\qoobox\purity\DOCUME~1\david\APPLIC~1\from.txt

C:\qoobox\purity\DOCUME~1\david\APPLIC~1\ICROSO~1.NET

C:\qoobox\purity\Program Files\Common Files\SKS~1

C:\qoobox\purity\Program Files\Common Files\WNSXS~1

C:\qoobox\purity\Program Files\Common Files\SKS~1\??sks

C:\qoobox\purity\Program Files\Common Files\SKS~1\??sks\ctxad-504.0000

 

 

((((((((((((((((((((((((((((((( Files Created from 2007-02-28 to 2007-03-30 ))))))))))))))))))))))))))))))))))

 

 

2007-03-30 15:36 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT

2007-03-28 12:49 61 --a------ C:\WINDOWS\winmoprp.dll

2007-03-28 12:48 61 --a------ C:\WINDOWS\msscds32.dll

2007-03-22 12:41 <DIR> d-------- C:\Program Files\mIRC

2007-03-18 17:53 <DIR> d-------- C:\DOCUME~1\david\Phone Browser

2007-03-18 17:53 <DIR> d-------- C:\DOCUME~1\david\APPLIC~1\DataLayer

2007-03-11 15:58 <DIR> d-------- C:\DOCUME~1\david\APPLIC~1\Nokia Multimedia Player

2007-03-11 15:57 <DIR> d-------- C:\DOCUME~1\david\APPLIC~1\Nokia

2007-03-11 15:55 <DIR> d-------- C:\Program Files\DIFX

2007-03-11 15:54 <DIR> d-------- C:\Program Files\Common Files\Nokia

2007-03-11 15:53 8,704 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys

2007-03-11 15:53 50,688 --a------ C:\WINDOWS\system32\nmwcdcls.dll

2007-03-11 15:53 4,608 --a------ C:\WINDOWS\system32\nmwcdlog.dll

2007-03-11 15:53 30,720 --a------ C:\WINDOWS\system32\nmwcdcocls.dll

2007-03-11 15:53 13,312 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys

2007-03-11 15:53 13,312 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys

2007-03-11 15:53 127,488 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys

2007-03-11 15:53 <DIR> d-------- C:\Program Files\Nokia

2007-03-11 15:53 <DIR> d-------- C:\Program Files\Common Files\PCSuite

2007-03-11 15:53 <DIR> d-------- C:\DOCUME~1\david\APPLIC~1\PC Suite

2007-03-11 15:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Suite

2007-03-11 15:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Downloaded Installations

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2007-03-30 17:03 -------- d-------- C:\Program Files\Common Files\symantec shared

2007-03-28 16:10 3350 --ahs---- C:\WINDOWS\system32\kgygaavl.sys

2007-03-28 16:04 -------- d-------- C:\Program Files\daemon tools

2007-03-28 14:07 -------- d-------- C:\Program Files\spyware doctor

2007-03-28 13:43 -------- d-------- C:\Program Files\symantec

2007-03-28 12:47 281348 --a------ C:\WINDOWS\system32\drivers\ndis.sys

2007-03-25 19:07 1104874 --a------ C:\DOCUME~1\david\APPLIC~1\nmm-metadata.db

2007-03-21 17:42 -------- d-------- C:\Program Files\blaze media pro

2007-03-10 23:15 -------- d-------- C:\DOCUME~1\david\APPLIC~1\limewire

2007-02-26 18:40 -------- d-------- C:\Program Files\tansee ipod transfer

2007-02-23 18:43 -------- d-------- C:\Program Files\norton systemworks

2007-01-30 17:24 -------- d--h----- C:\Program Files\installshield installation information

2007-01-04 15:48 0 --a------ C:\WINDOWS\system32\wwww.exe

2006-12-17 17:12 125 ---hs---- C:\DOCUME~1\david\APPLIC~1\.zreglib

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

"ParetoLogic Anti-Spyware"="\"C:\\Program Files\\ParetoLogic\\Anti-Spyware\\Pareto_AS.exe\" -NM -hidesplash"

"Khid"="C:\\Documents and Settings\\david\\Application Data\\?icrosoft.NET\\?ti2evxx.exe"

"PcSync"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"SoundMan"="SOUNDMAN.EXE"

"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"

"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"

"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"

"PrinTray"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\2\\printray.exe"

"LXSUPMON"="C:\\WINDOWS\\system32\\LXSUPMON.EXE RUN"

"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

"PCSuiteTrayApplication"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -startup"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]

"Installed"="1"

"NoChange"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="ehtray"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\ehome\\ehtray.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="NeroCheck"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"=""

"hkey"="HKLM"

"command"=""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="raid_tool"

"hkey"="HKLM"

"command"="C:\\Program Files\\VIA\\RAID\\raid_tool.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="VTTimer"

"hkey"="HKLM"

"command"="VTTimer.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="VTtrayp"

"hkey"="HKLM"

"command"="VTtrayp.exe"

"inimapping"="0"

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{51C55F9E-C308-4c95-89AB-8858D8AFD819}"="ParetoLogic Anti-Spyware"

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"Spyware Doctor"=""

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\

63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\

6d,73,73,74,79,6c,65,73,00

"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\

73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]

HTTPFilter REG_MULTI_SZ HTTPFilter\0\0

LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0

NetworkService REG_MULTI_SZ DnsCache\0\0

DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

rpcss REG_MULTI_SZ RpcSs\0\0

imgsvc REG_MULTI_SZ StiSvc\0\0

termsvcs REG_MULTI_SZ TermService\0\0

Usnsvc REG_MULTI_SZ usnsvc\0\0

 

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_MCHINJDRV

 

 

Contents of the 'Scheduled Tasks' folder

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job

C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job

C:\WINDOWS\tasks\ParetoLogic Anti-Spyware.job

C:\WINDOWS\tasks\Symantec NetDetect.job

 

 

********************************************************************

 

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006

http://www.gmer.net

 

scanning hidden processes ...

 

scanning hidden services ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

********************************************************************

 

Completion time: 07-03-30 17:06:24


OK, just to make a correction to what I said in my previous post: I still am getting messages from Norton saying they blocked emails being sent from my computer.

Cheers

David


We need to find out if there is also a Rootkit involved.

 

Please download GMER.zip (450kB) to the Desktop:

http://gmer.net/files.php

Right click the zipped file and select: Extract all

Follow the Extraction Wizard prompts

 

Start the program by double clicking: GMER.exe

If a security warning appears, allow the program to run

If GMER detects rootkit activity, you are prompted to scan immediately

Click Yes to begin the scan

 

If you are not prompted to Scan:

In the Rootkit tab, make sure all the boxes on the right of the screen are checked, except for "Show All"

Then, click the Scan button.

 

Once the scan is done, click: Copy.

 

====

Please provide the contents of the GMER report in your reply.


Hey

Here is my GMER report.

I couldn't fit the whole report into one post (too many characters), so I have spread the report out through the next 3 posts. Hope this helps.

Cheers

David

 

GMER 1.0.12.12086 - http://www.gmer.net

Rootkit scan 2007-03-31 00:59:29

Windows 5.1.2600 Service Pack 2

 

 

---- System - GMER 1.0.12 ----

 

SSDT 841170A8 ZwConnectPort

SSDT sptd.sys ZwCreateKey

SSDT sptd.sys ZwEnumerateKey

SSDT sptd.sys ZwEnumerateValueKey

SSDT sptd.sys ZwOpenKey

SSDT sptd.sys ZwQueryKey

SSDT sptd.sys ZwQueryValueKey

SSDT sptd.sys ZwSetValueKey

 

---- Kernel code sections - GMER 1.0.12 ----

 

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.

? C:\WINDOWS\System32\Drivers\SPTD4749.SYS The process cannot access the file because it is being used by another process.

? C:\WINDOWS\system32\drivers\NDIS.sys The process cannot access the file because it is being used by another process.

? C:\WINDOWS\System32\Drivers\dtscsi.sys The process cannot access the file because it is being used by another process.

? C:\WINDOWS\TEMP\mc21.tmp The system cannot find the file specified.

 

---- User code sections - GMER 1.0.12 ----

 

.text C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE[564] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]

.text C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE[564] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]

.text C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE[564] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A

.text C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE[564] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A

.text C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE[564] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A

.text C:\WINDOWS\system32\csrss.exe[684] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]

.text C:\WINDOWS\system32\csrss.exe[684] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]

.text C:\WINDOWS\system32\csrss.exe[684] KERNEL32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A

.text C:\WINDOWS\system32\csrss.exe[684] KERNEL32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A

.text C:\WINDOWS\system32\csrss.exe[684] KERNEL32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A

.text C:\WINDOWS\system32\winlogon.exe[708] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]

.text C:\WINDOWS\system32\winlogon.exe[708] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]

.text C:\WINDOWS\system32\winlogon.exe[708] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A

.text C:\WINDOWS\system32\winlogon.exe[708] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A

.text C:\WINDOWS\system32\winlogon.exe[708] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A

.text C:\WINDOWS\system32\services.exe[764] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]

.text C:\WINDOWS\system32\services.exe[764] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]

.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A

.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A

.text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A

.text C:\WINDOWS\system32\lsass.exe[776] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]

.text C:\WINDOWS\system32\lsass.exe[776] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]

.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A

.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A

.text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A

.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[824] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]

.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[824] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]

.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[824] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A

.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[824] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A

.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[824] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A

.text C:\WINDOWS\system32\svchost.exe[928] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]

.text C:\WINDOWS\system32\svchost.exe[928] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]

.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A

.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A

.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A

.text C:\WINDOWS\soundman.exe[952] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]

.text C:\WINDOWS\soundman.exe[952] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]

.text C:\WINDOWS\soundman.exe[952] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A

.text C:\WINDOWS\soundman.exe[952] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A

.text C:\WINDOWS\soundman.exe[952] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A

.text C:\WINDOWS\system32\svchost.exe[1012] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]

.text C:\WINDOWS\system32\svchost.exe[1012] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]

.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A

.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A

.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A

.text C:\WINDOWS\system32\LXSUPMON.EXE[1080] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]

.text C:\WINDOWS\system32\LXSUPMON.EXE[1080] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]

.text C:\WINDOWS\system32\LXSUPMON.EXE[1080] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A

.text C:\WINDOWS\system32\LXSUPMON.EXE[1080] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A

.text C:\WINDOWS\system32\LXSUPMON.EXE[1080] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A

.text C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe[1088] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]

.text C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe[1088] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]

.text C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe[1088] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A

.text C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe[1088] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A

.text C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe[1088] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A

.text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]

.text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]

.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A

.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A

.text C:\WINDOWS\system32\svchost.exe[1104] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A

.text C:\Program Files\iTunes\iTunesHelper.exe[1132] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]

.text C:\Program Files\iTunes\iTunesHelper.exe[1132] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]

.text C:\Program Files\iTunes\iTunesHelper.exe[1132] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A

.text C:\Program Files\iTunes\iTunesHelper.exe[1132] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A

.text C:\Program Files\iTunes\iTunesHelper.exe[1132] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A

.text C:\WINDOWS\system32\svchost.exe[1156] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]

.text C:\WINDOWS\system32\svchost.exe[1156] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]

.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A

.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A

.text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A

.text C:\WINDOWS\system32\ctfmon.exe[1204] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]

.text C:\WINDOWS\system32\ctfmon.exe[1204] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]

.text C:\WINDOWS\system32\ctfmon.exe[1204] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A

.text C:\WINDOWS\system32\ctfmon.exe[1204] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A

.text C:\WINDOWS\system32\ctfmon.exe[1204] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A

.text C:\WINDOWS\ehome\ehRecvr.exe[1312] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]

.text C:\WINDOWS\ehome\ehRecvr.exe[1312] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]

.text C:\WINDOWS\ehome\ehRecvr.exe[1312] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A

.text C:\WINDOWS\ehome\ehRecvr.exe[1312] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A

.text C:\WINDOWS\ehome\ehRecvr.exe[1312] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A

.text C:\WINDOWS\system32\svchost.exe[1388] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]

.text C:\WINDOWS\system32\svchost.exe[1388] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]

.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A

.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A

.text C:\WINDOWS\system32\svchost.exe[1388] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A

.text C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe[1432] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]

.text C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe[1432] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]

.text C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe[1432] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A

.text C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe[1432] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A

.text C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe[1432] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A

.text C:\WINDOWS\explorer.exe[1524] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]

.text C:\WINDOWS\explorer.exe[1524] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]

.text C:\WINDOWS\explorer.exe[1524] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A

.text C:\WINDOWS\explorer.exe[1524] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A

.text C:\WINDOWS\explorer.exe[1524] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A

.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1624] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]

.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1624] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]

.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1624] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A

.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1624] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A

.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1624] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A

.text C:\WINDOWS\system32\LexBceS.exe[1744] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]

.text C:\WINDOWS\system32\LexBceS.exe[1744] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]

.text C:\WINDOWS\system32\LexBceS.exe[1744] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A

.text C:\WINDOWS\system32\LexBceS.exe[1744] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A

.text C:\WINDOWS\system32\LexBceS.exe[1744] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A

.text C:\WINDOWS\system32\spoolsv.exe[1772] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]

.text C:\WINDOWS\system32\spoolsv.exe[1772] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]

.text C:\WINDOWS\system32\spoolsv.exe[1772] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A

.text C:\WINDOWS\system32\spoolsv.exe[1772] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A

.text C:\WINDOWS\system32\spoolsv.exe[1772] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A

.text C:\WINDOWS\system32\Lexpps.exe[1816] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]

.text C:\WINDOWS\system32\Lexpps.exe[1816] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]

.text C:\WINDOWS\system32\Lexpps.exe[1816] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A

.text C:\WINDOWS\system32\Lexpps.exe[1816] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A

.text C:\WINDOWS\system32\Lexpps.exe[1816] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A

.text C:\WINDOWS\ehome\ehSched.exe[1936] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]

.text C:\WINDOWS\ehome\ehSched.exe[1936] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]

.text C:\WINDOWS\ehome\ehSched.exe[1936] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A

.text C:\WINDOWS\ehome\ehSched.exe[1936] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A

.text C:\WINDOWS\ehome\ehSched.exe[1936] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1992] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1992] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1992] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1992] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A

.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1992] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A

.text C:\PROGRA~1\NORTON~1\SPEEDD~1\NOPDB.EXE[2100] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]

.text C:\PROGRA~1\NORTON~1\SPEEDD~1\NOPDB.EXE[2100] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]

.text C:\PROGRA~1\NORTON~1\SPEEDD~1\NOPDB.EXE[2100] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A

.text C:\PROGRA~1\NORTON~1\SPEEDD~1\NOPDB.EXE[2100] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A

.text C:\PROGRA~1\NORTON~1\SPEEDD~1\NOPDB.EXE[2100] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A

.text C:\WINDOWS\system32\svchost.exe[2144] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]

.text C:\WINDOWS\system32\svchost.exe[2144] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]

.text C:\WINDOWS\system32\svchost.exe[2144] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A

.text C:\WINDOWS\system32\svchost.exe[2144] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A

.text C:\WINDOWS\system32\svchost.exe[2144] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A

.text C:\Documents and Settings\david\Desktop\gmer\gmer.exe[2208] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]

.text C:\Documents and Settings\david\Desktop\gmer\gmer.exe[2208] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]

.text C:\Documents and Settings\david\Desktop\gmer\gmer.exe[2208] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A

.text C:\Documents and Settings\david\Desktop\gmer\gmer.exe[2208] kernel32


845A5808

Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 845A5808

Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CREATE 8422A628

Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CLOSE 8422A628

Device \FileSystem\Fastfat \FatCdrom IRP_MJ_READ 8422A628

Device \FileSystem\Fastfat \FatCdrom IRP_MJ_WRITE 8422A628

Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_INFORMATION 8422A628

Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_INFORMATION 8422A628

Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_EA 8422A628

Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_EA 8422A628

Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FLUSH_BUFFERS 8422A628

Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_VOLUME_INFORMATION 8422A628

Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_VOLUME_INFORMATION 8422A628

Device \FileSystem\Fastfat \FatCdrom IRP_MJ_DIRECTORY_CONTROL 8422A628

Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FILE_SYSTEM_CONTROL 8422A628

Device \FileSystem\Fastfat \FatCdrom IRP_MJ_DEVICE_CONTROL 8422A628

Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SHUTDOWN 8422A628

Device \FileSystem\Fastfat \FatCdrom IRP_MJ_LOCK_CONTROL 8422A628

Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CLEANUP 8422A628

Device \FileSystem\Fastfat \FatCdrom IRP_MJ_PNP 8422A628

Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CREATE 845A50E8

Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CLOSE 845A50E8

Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_READ 845A50E8

Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_WRITE 845A50E8

Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_FLUSH_BUFFERS 845A50E8

Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_DEVICE_CONTROL 845A50E8

Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_INTERNAL_DEVICE_CONTROL 845A50E8

Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SHUTDOWN 845A50E8

Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_POWER 845A50E8

Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SYSTEM_CONTROL 845A50E8

Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_PNP 845A50E8

Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CREATE 845A50E8

Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CLOSE 845A50E8

Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_READ 845A50E8

Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_WRITE 845A50E8

Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_FLUSH_BUFFERS 845A50E8

Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_DEVICE_CONTROL 845A50E8

Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_INTERNAL_DEVICE_CONTROL 845A50E8

Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SHUTDOWN 845A50E8

Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_POWER 845A50E8

Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SYSTEM_CONTROL 845A50E8

Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_PNP 845A50E8

Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CREATE 845A50E8

Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CLOSE 845A50E8

Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_READ 845A50E8

Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_WRITE 845A50E8

Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_FLUSH_BUFFERS 845A50E8

Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_DEVICE_CONTROL 845A50E8

Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_INTERNAL_DEVICE_CONTROL 845A50E8

Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SHUTDOWN 845A50E8

Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_POWER 845A50E8

Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SYSTEM_CONTROL 845A50E8

Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_PNP 845A50E8

Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CREATE 845A50E8

Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CLOSE 845A50E8

Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_READ 845A50E8

Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_WRITE 845A50E8

Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_FLUSH_BUFFERS 845A50E8

Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_DEVICE_CONTROL 845A50E8

Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_INTERNAL_DEVICE_CONTROL 845A50E8

Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SHUTDOWN 845A50E8

Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_POWER 845A50E8

Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SYSTEM_CONTROL 845A50E8

Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_PNP 845A50E8

Device \Driver\00000043 \Device\00000047 IRP_MJ_POWER [F73F0F68] sptd.sys

Device \Driver\00000043 \Device\00000047 IRP_MJ_SYSTEM_CONTROL [F7405A70] sptd.sys

Device \Driver\00000043 \Device\00000047 IRP_MJ_PNP [F73FE728] sptd.sys

Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 845CDA58

Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 845CDA58

Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE 845CDA58

Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS 845CDA58

Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL 845CDA58

Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL 845CDA58

Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN 845CDA58

Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP 845CDA58

Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER 845CDA58

Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL 845CDA58

Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_PNP 845CDA58

Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE 845CDA58

Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_READ 845CDA58

Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_WRITE 845CDA58

Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_FLUSH_BUFFERS 845CDA58

Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DEVICE_CONTROL 845CDA58

Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_INTERNAL_DEVICE_CONTROL 845CDA58

Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SHUTDOWN 845CDA58

Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CLEANUP 845CDA58

Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_POWER 845CDA58

Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SYSTEM_CONTROL 845CDA58

Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_PNP 845CDA58

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 843360E8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 843360E8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 843360E8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 843360E8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 843360E8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 843360E8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 843360E8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 843360E8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 843360E8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 843360E8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 843360E8

Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE 8421B578

Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_NAMED_PIPE 8421B578

Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLOSE 8421B578

Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 8421B578

Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_WRITE 8421B578

Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_INFORMATION 8421B578

Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_INFORMATION 8421B578

Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_EA 8421B578

Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_EA 8421B578

Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FLUSH_BUFFERS 8421B578

Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_VOLUME_INFORMATION 8421B578

Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_VOLUME_INFORMATION 8421B578

Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DIRECTORY_CONTROL 8421B578

Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FILE_SYSTEM_CONTROL 8421B578

Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CONTROL 8421B578

Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_INTERNAL_DEVICE_CONTROL 8421B578

Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SHUTDOWN 8421B578

Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_LOCK_CONTROL 8421B578

Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLEANUP 8421B578

Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_MAILSLOT 8421B578

Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_SECURITY 8421B578

Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_SECURITY 8421B578

Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_POWER 8421B578

Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SYSTEM_CONTROL 8421B578

Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CHANGE 8421B578

Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_QUOTA 8421B578

Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_QUOTA 8421B578

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 843360E8

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 843360E8

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 843360E8

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 843360E8

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 843360E8

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 843360E8

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 843360E8

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 843360E8

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 843360E8

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 843360E8

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 843360E8

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE 843360E8

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLOSE 843360E8

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_READ 843360E8

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_WRITE 843360E8

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FLUSH_BUFFERS 843360E8

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CONTROL 843360E8

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_INTERNAL_DEVICE_CONTROL 843360E8

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SHUTDOWN 843360E8

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_POWER 843360E8

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SYSTEM_CONTROL 843360E8

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_PNP 843360E8

Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 842485A8

Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLOSE 842485A8

Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_DEVICE_CONTROL 842485A8

Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_INTERNAL_DEVICE_CONTROL 842485A8

Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLEANUP 842485A8

Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_PNP 842485A8

Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 842485A8

Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLOSE 842485A8

Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_DEVICE_CONTROL 842485A8

Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_INTERNAL_DEVICE_CONTROL 842485A8

Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLEANUP 842485A8

Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_PNP 842485A8

Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CREATE 845A5A


843880E8

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 843880E8

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 843880E8

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 843880E8

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 843880E8

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 843880E8

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 843880E8

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 843880E8

Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 843880E8

Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 843880E8

Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSE 843880E8

Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 843880E8

Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 843880E8

Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 843880E8

Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 843880E8

Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 843880E8

Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 843880E8

Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 843880E8

Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 843880E8

Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 843880E8

Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 843880E8

Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 843880E8

Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 843880E8

Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 843880E8

Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 843880E8

Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 843880E8

Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 843880E8

Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 843880E8

Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 843880E8

Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 843880E8

Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 843880E8

Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 843880E8

Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 843880E8

Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 843880E8

Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 843880E8

Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 843880E8

Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE 83FF4518

Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE_NAMED_PIPE 83FF4518

Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CLOSE 83FF4518

Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_READ 83FF4518

Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_WRITE 83FF4518

Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_INFORMATION 83FF4518

Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_SET_INFORMATION 83FF4518

Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_FLUSH_BUFFERS 83FF4518

Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_VOLUME_INFORMATION 83FF4518

Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_DIRECTORY_CONTROL 83FF4518

Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_FILE_SYSTEM_CONTROL 83FF4518

Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CLEANUP 83FF4518

Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_SECURITY 83FF4518

Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_SET_SECURITY 83FF4518

Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 845CDA58

Device \Driver\Ftdisk \Device\FtControl IRP_MJ_READ 845CDA58

Device \Driver\Ftdisk \Device\FtControl IRP_MJ_WRITE 845CDA58

Device \Driver\Ftdisk \Device\FtControl IRP_MJ_FLUSH_BUFFERS 845CDA58

Device \Driver\Ftdisk \Device\FtControl IRP_MJ_DEVICE_CONTROL 845CDA58

Device \Driver\Ftdisk \Device\FtControl IRP_MJ_INTERNAL_DEVICE_CONTROL 845CDA58

Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SHUTDOWN 845CDA58

Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CLEANUP 845CDA58

Device \Driver\Ftdisk \Device\FtControl IRP_MJ_POWER 845CDA58

Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SYSTEM_CONTROL 845CDA58

Device \Driver\Ftdisk \Device\FtControl IRP_MJ_PNP 845CDA58

Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CREATE 841E30E8

Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CLOSE 841E30E8

Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_READ 841E30E8

Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_WRITE 841E30E8

Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_QUERY_INFORMATION 841E30E8

Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_SET_INFORMATION 841E30E8

Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_QUERY_VOLUME_INFORMATION 841E30E8

Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_DIRECTORY_CONTROL 841E30E8

Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_FILE_SYSTEM_CONTROL 841E30E8

Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CLEANUP 841E30E8

Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CREATE_MAILSLOT 841E30E8

Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_QUERY_SECURITY 841E30E8

Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_SET_SECURITY 841E30E8

Device \Driver\viamraid \Device\Scsi\viamraid1 IRP_MJ_CREATE 845A5C78

Device \Driver\viamraid \Device\Scsi\viamraid1 IRP_MJ_CLOSE 845A5C78

Device \Driver\viamraid \Device\Scsi\viamraid1 IRP_MJ_DEVICE_CONTROL 845A5C78

Device \Driver\viamraid \Device\Scsi\viamraid1 IRP_MJ_INTERNAL_DEVICE_CONTROL 845A5C78

Device \Driver\viamraid \Device\Scsi\viamraid1 IRP_MJ_POWER 845A5C78

Device \Driver\viamraid \Device\Scsi\viamraid1 IRP_MJ_SYSTEM_CONTROL 845A5C78

Device \Driver\viamraid \Device\Scsi\viamraid1 IRP_MJ_PNP 845A5C78

Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_CREATE 843C36C0

Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_CLOSE 843C36C0

Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_DEVICE_CONTROL 843C36C0

Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_INTERNAL_DEVICE_CONTROL 843C36C0

Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_POWER 843C36C0

Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_SYSTEM_CONTROL 843C36C0

Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_PNP 843C36C0

Device \Driver\dtscsi \Device\Scsi\dtscsi1Port3Path0Target0Lun0 IRP_MJ_CREATE 843C36C0

Device \Driver\dtscsi \Device\Scsi\dtscsi1Port3Path0Target0Lun0 IRP_MJ_CLOSE 843C36C0

Device \Driver\dtscsi \Device\Scsi\dtscsi1Port3Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 843C36C0

Device \Driver\dtscsi \Device\Scsi\dtscsi1Port3Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 843C36C0

Device \Driver\dtscsi \Device\Scsi\dtscsi1Port3Path0Target0Lun0 IRP_MJ_POWER 843C36C0

Device \Driver\dtscsi \Device\Scsi\dtscsi1Port3Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL 843C36C0

Device \Driver\dtscsi \Device\Scsi\dtscsi1Port3Path0Target0Lun0 IRP_MJ_PNP 843C36C0

Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE 8422A628

Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE 8422A628

Device \FileSystem\Fastfat \Fat IRP_MJ_READ 8422A628

Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE 8422A628

Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION 8422A628

Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION 8422A628

Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA 8422A628

Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA 8422A628

Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS 8422A628

Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION 8422A628

Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION 8422A628

Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL 8422A628

Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL 8422A628

Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL 8422A628

Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN 8422A628

Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL 8422A628

Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP 8422A628

Device \FileSystem\Fastfat \Fat IRP_MJ_PNP 8422A628

Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 840942B8

Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE 840942B8

Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 840942B8

Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION 840942B8

Device \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION 840942B8

Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION 840942B8

Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL 840942B8

Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL 840942B8

Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL 840942B8

Device \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN 840942B8

Device \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL 840942B8

Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP 840942B8

Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP 840942B8

 

---- Files - GMER 1.0.12 ----

 

ADS C:\Documents and Settings\david\Local Settings\Application Data\Microsoft\Messenger\mataio90@hotmail.com\SharingMetadata\eleni_loves_ya@hotmail.com\DFSR\Staging\CS{210515E9-8829-0C11-06DA-3C48AE70A05C}\01\11-{210515E9-8829-0C11-06DA-3C48AE70A05C}-v1-{E4A6DFD2-34C1-4971-97F4-6B6435EAB51B}-v11-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

ADS C:\Documents and Settings\david\Local Settings\Application Data\Microsoft\Messenger\naughty_sporty_sophie@hotmail.com\SharingMetadata\alexb_2233@hotmail.com\DFSR\Staging\CS{996F4B94-AC6C-FFA9-00E0-BD2A9D6F8FC2}\01\10-{996F4B94-AC6C-FFA9-00E0-BD2A9D6F8FC2}-v1-{FA34268B-7F77-4997-B6FA-979210DDC45F}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

ADS C:\Documents and Settings\david\Local Settings\Application Data\Microsoft\Messenger\samoansweety@hotmail.com\SharingMetadata\ewalina89@hotmail.com\DFSR\Staging\CS{42893528-3194-2204-0F43-08622A590128}\01\10-{42893528-3194-2204-0F43-08622A590128}-v1-{45524374-CF53-4630-AF89-A13FFAAD670E}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

ADS C:\Documents and Settings\david\Local Settings\Application Data\Microsoft\Messenger\samoansweety@hotmail.com\SharingMetadata\ewalina89@hotmail.com\DFSR\Staging\CS{42893528-3194-2204-0F43-08622A590128}\16\16-{45524374-CF53-4630-AF89-A13FFAAD670E}-v16-{45524374-CF53-4630-AF89-A13FFAAD670E}-v16-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

ADS C:\Documents and Settings\david\Local Settings\Application Data\Microsoft\Messenger\samoansweety@hotmail.com\SharingMetadata\ewalina89@hotmail.com\DFSR\Staging\CS{42893528-3194-2204-0F43-08622A590128}\16\16-{45524374-CF53-4630-AF89-A13FFAAD670E}-v16-{45524374-CF53-4630-AF89-A13FFAAD670E}-v16-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

ADS C:\Documents and Settings\david\Local Settings\Application Data\Microsoft\Messenger\samoansweety@hotmail.com\SharingMetadata\ewalina89@hotmail.com\DFSR\Staging\CS{42893528-3194-2204-0F43-08622A590128}\17\17-{45524374-CF53-4630-AF89-A13FFAAD670E}-v17-{45524374-CF53-4630-AF89-A13FFAAD670E}-v17-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

ADS C:\Documents and Settings\david\Local Settings\Application Data\Microsoft\Messenger\samoansweety@hotmail.com\SharingMetadata\ewalina89@hotmail.com\DFSR\Staging\CS{42893528-3194-2204-0F43-08622A590128}\17\17-{45524374-CF53-4630-AF89-A13FFAAD670E}-v17-{45524374-CF53-4630-AF89-A13FFAAD670E}-v17-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

ADS C:\Documents and Settings\david\Local Settings\Application Data\Microsoft\Messenger\samoansweety@hotmail.com\SharingMetadata\ewalina89@hotmail.com\DFSR\Staging\CS{42893528-3194-2204-0F43-08622A590128}\28\28-{45524374-CF53-4630-AF89-A13FFAAD670E}-v28-{45524374-CF53-4630-AF89-A13FFAAD670E}-v28-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

ADS C:\Documents and Settings\david\Local Settings\Application Data\Microsoft\Messenger\samoansweety@hotmail.com\SharingMetadata\ewalina89@hotmail.com\DFSR\Staging\CS{42893528-3194-2204-0F43-08622A590128}\28\28-{45524374-CF53-4630-AF89-A13FFAAD670E}-v28-{45524374-CF53-4630-AF89-A13FFAAD670E}-v28-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

ADS C:\Documents and Settings\david\Local Settings\Application Data\Microsoft\Messenger\samoansweety@hotmail.com\SharingMetadata\ewalina89@hotmail.com\DFSR\Staging\CS{42893528-3194-2204-0F43-08622A590128}\29\29-{45524374-CF53-4630-AF89-A13FFAAD670E}-v29-{45524374-CF53-4630-AF89-A13FFAAD670E}-v29-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

ADS C:\Documents and Settings\david\Local Settings\Application Data\Microsoft\Messenger\samoansweety@hotmail.com\SharingMetadata\ewalina89@hotmail.com\DFSR\Staging\CS{42893528-3194-2204-0F43-08622A590128}\29\29-{45524374-CF53-4630-AF89-A13FFAAD670E}-v29-{45524374-CF53-4630-AF89-A13FFAAD670E}-v29-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

ADS C:\Documents and Settings\david\Local Settings\Application Data\Microsoft\Messenger\samoansweety@hotmail.com\SharingMetadata\ewalina89@hotmail.com\DFSR\Staging\CS{42893528-3194-2204-0F43-08622A590128}\30\30-{45524374-CF53-4630-AF89-A13FFAAD670E}-v30-{45524374-CF53-4630-AF89-A13FFAAD670E}-v30-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

ADS C:\Documents and Settings\david\Local Settings\Application Data\Microsoft\Messenger\samoansweety@hotmail.com\SharingMetadata\ewalina89@hotmail.com\DFSR\Staging\CS{42893528-3194-2204-0F43-08622A590128}\30\30-{45524374-CF53-4630-AF89-A13FFAAD670E}-v30-{45524374-CF53-4630-AF89-A13FFAAD670E}-v30-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

ADS C:\Documents and Settings\david\Local Settings\Application Data\Microsoft\Messenger\samoansweety@hotmail.com\SharingMetadata\ewalina89@hotmail.com\DFSR\Staging\CS{42893528-3194-2204-0F43-08622A590128}\31\31-{45524374-CF53-4630-AF89-A13FFAAD670E}-v31-{45524374-CF53-4630-AF89-A13FFAAD670E}-v31-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

ADS C:\Documents and Settings\david\Local Settings\Application Data\Microsoft\Messenger\samoansweety@hotmail.com\SharingMetadata\ewalina89@hotmail.com\DFSR\Staging\CS{42893528-3194-2204-0F43-08622A590128}\31\31-{45524374-CF53-4630-AF89-A13FFAAD670E}-v31-{45524374-CF53-4630-AF89-A13FFAAD670E}-v31-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

ADS C:\Documents and Settings\david\Local Settings\Application Data\Microsoft\Messenger\samoansweety@hotmail.com\SharingMetadata\ewalina89@hotmail.com\DFSR\Staging\CS{42893528-3194-2204-0F43-08622A590128}\32\32-{45524374-CF53-4630-AF89-A13FFAAD670E}-v32-{45524374-CF53-4630-AF89-A13FFAAD670E}-v32-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

ADS C:\Documents and Settings\david\Local Settings\Application Data\Microsoft\Messenger\samoansweety@hotmail.com\SharingMetadata\ewalina89@hotmail.com\DFSR\Staging\CS{42893528-3194-2204-0F43-08622A590128}\32\32-{45524374-CF53-4630-AF89-A13FFAAD670E}-v32-{45524374-CF53-4630-AF89-A13FFAAD670E}-v32-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

ADS C:\Documents and Settings\david\Local Settings\Application Data\Microsoft\Messenger\samoansweety@hotmail.com\SharingMetadata\ewalina89@hotmail.com\DFSR\Staging\CS{42893528-3194-2204-0F43-08622A590128}\33\33-{45524374-CF53-4630-AF89-A13FFAAD670E}-v33-{45524374-CF53-4630-AF89-A13FFAAD670E}-v33-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

ADS C:\Documents and Settings\david\Local Settings\Application Data\Microsoft\Messenger\samoansweety@hotmail.com\SharingMetadata\ewalina89@hotmail.com\DFSR\Staging\CS{42893528-3194-2204-0F43-08622A590128}\33\33-{45524374-CF53-4630-AF89-A13FFAAD670E}-v33-{45524374-CF53-4630-AF89-A13FFAAD670E}-v33-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

ADS C:\Documents and Settings\david\Local Settings\Application Data\Microsoft\Messenger\samoansweety@hotmail.com\SharingMetadata\ewalina89@hotmail.com\DFSR\Staging\CS{42893528-3194-2204-0F43-08622A590128}\43\43-{45524374-CF53-4630-AF89-A13FFAAD670E}-v43-{45524374-CF53-4630-AF89-A13FFAAD670E}-v43-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

ADS C:\Documents and Settings\david\Local Settings\Application Data\Microsoft\Messenger\samoansweety@hotmail.com\SharingMetadata\ewalina89@hotmail.com\DFSR\Staging\CS{42893528-3194-2204-0F43-08622A590128}\43\43-{45524374-CF53-4630-AF89-A13FFAAD670E}-v43-{45524374-CF53-4630-AF89-A13FFAAD670E}-v43-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

ADS C:\Documents and Settings\david\Local Settings\Application Data\Microsoft\Messenger\samoansweety@hotmail.com\SharingMetadata\ewalina89@hotmail.com\DFSR\Staging\CS{42893528-3194-2204-0F43-08622A590128}\45\45-{45524374-CF53-4630-AF89-A13FFAAD670E}-v45-{45524374-CF53-4630-AF89-A13FFAAD670E}-v45-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

ADS C:\Documents and Settings\david\Local Settings\Application Data\Microsoft\Messenger\samoansweety@hotmail.com\SharingMetadata\ewalina89@hotmail.com\DFSR\Staging\CS{42893528-3194-2204-0F43-08622A590128}\45\45-{45524374-CF53-4630-AF89-A13FFAAD670E}-v45-{45524374-CF53-4630-AF89-A13FFAAD670E}-v45-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

ADS C:\Documents and Settings\david\Local Settings\Application Data\Microsoft\Messenger\tavita86@hotmail.com\SharingMetadata\checkup_on_it@hotmail.com\DFSR\Staging\CS{C4744820-F95C-AB8A-374A-A3740D4906DD}\01\26-{C4744820-F95C-AB8A-374A-A3740D4906DD}-v1-{C147DDCF-E4D4-4D78-9763-30ED6F6617AA}-v26-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

ADS C:\Documents and Settings\david\Local Settings\Application Data\Microsoft\Messenger\tavita86@hotmail.com\SharingMetadata\ewalina89@hotmail.com\DFSR\Staging\CS{60B60993-4B29-6586-DE46-0A2EC4A7741D}\01\15-{60B60993-4B29-6586-DE46-0A2EC4A7741D}-v1-{C147DDCF-E4D4-4D78-9763-30ED6F6617AA}-v15-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

ADS C:\Documents and Settings\david\Local Settings\Application Data\Microsoft\Messenger\tavita86@hotmail.com\SharingMetadata\ewalina89@hotmail.com\DFSR\Staging\CS{60B60993-4B29-6586-DE46-0A2EC4A7741D}\16\16-{C147DDCF-E4D4-4D78-9763-30ED6F6617AA}-v16-{C147DDCF-E4D4-4D78-9763-30ED6F6617AA}-v16-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

ADS C:\Documents and Settings\david\Local Settings\Application Data\Microsoft\Messenger\tavita86@hotmail.com\SharingMetadata\ewalina89@hotmail.com\DFSR\Staging\CS{60B60993-4B29-6586-DE46-0A2EC4A7741D}\16\16-{C147DDCF-E4D4-4D78-9763-30ED6F6617AA}-v16-{C147DDCF-E4D4-4D78-9763-30ED6F6617AA}-v16-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2

ADS C:\Documents and Settings\david\Local Settings\Application Data\Microsoft\Messenger\tavita86@hotmail.com\SharingMetadata\ewalina89@hotmail.com\DFSR\Staging\CS{60B60993-4B29-6586-DE46-0A2EC4A7741D}\16\16-{C147DDCF-E4D4-4D78-9763-30ED6F6617AA}-v16-{C147DDCF-E4D4-4D78-9763-30ED6F6617AA}-v16-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

ADS C:\Documents and Settings\david\Local Settings\Application Data\Microsoft\Messenger\tavita86@hotmail.com\SharingMetadata\ewalina89@hotmail.com\DFSR\Staging\CS{60B60993-4B29-6586-DE46-0A2EC4A7741D}\17\17-{C147DDCF-E4D4-4D78-9763-30ED6F6617AA}-v17-{C147DDCF-E4D4-4D78-9763-30ED6F6617AA}-v17-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

ADS C:\Documents and Settings\david\Local Settings\Application Data\Microsoft\Messenger\tavita86@hotmail.com\SharingMetadata\ewalina89@hotmail.com\DFSR\Staging\CS{60B60993-4B29-6586-DE46-0A2EC4A7741D}\17\17-{C147DDCF-E4D4-4D78-9763-30ED6F6617AA}-v17-{C147DDCF-E4D4-4D78-9763-30ED6F6617AA}-v17-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2

ADS C:\Documents and Settings\david\Local Settings\Application Data\Microsoft\Messenger\tavita86@hotmail.com\SharingMetadata\ewalina89@hotmail.com\DFSR\Staging\CS{60B60993-4B29-6586-DE46-0A2EC4A7741D}\17\17-{C147DDCF-E4D4-4D78-9763-30ED6F6617AA}-v17-{C147DDCF-E4D4-4D78-9763-30ED6F6617AA}-v17-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

ADS C:\Documents and Settings\david\Local Settings\Application Data\Microsoft\Messenger\tavita86@hotmail.com\SharingMetadata\ewalina89@hotmail.com\DFSR\Staging\CS{60B60993-4B29-6586-DE46-0A2EC4A7741D}\18\15-{C147DDCF-E4D4-4D78-9763-30ED6F6617AA}-v18-{6F15C025-33CA-4E26-8A72-F290778FB368}-v15-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

ADS C:\Documents and Settings\david\Local Settings\Application Data\Microsoft\Messenger\tavita86@hotmail.com\SharingMetadata\ewalina89@hotmail.com\DFSR\Staging\CS{60B60993-4B29-6586-DE46-0A2EC4A7741D}\18\15-{C147DDCF-E4D4-4D78-9763-30ED6F6617AA}-v18-{6F15C025-33CA-4E26-8A72-F290778FB368}-v15-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2


The ComboFix log is identifying a file that may not be allowing Antispyware to run properly.

 

Please do the following:

 

Launch Notepad (Start > Programs > Accessories > Notepad)

Copy/paste all the blue text below to it:

 

If exist ndis.txt del ndis.txt

Dir C:\WINDOWS\System32\drivers\ndis*.sys >> ndis.txt

Start ndis.txt

 

In Notepad, go to File (upper menu bar), and select: Save as

In the Save as prompt:

Save in: Desktop

File Name: ndis.bat

Save as Type: All files

Click: Save

Exit out of Notepad

 

Next, on the Desktop, double click on ndis.bat

 

Please post the report it produces in your reply.

Edited by Aaflac


Hey

The report that it produced is below.

Cheers

David

 

 

Volume in drive C has no label.

Volume Serial Number is E8D8-432F

 

Directory of C:\WINDOWS\System32\drivers

 

03/28/2007 12:47 PM 281,348 ndis.sys

08/03/2004 11:10 PM 10,880 NdisIP.sys

08/18/2001 01:55 AM 9,600 ndistapi.sys

08/10/2004 04:32 PM 12,928 ndisuio.sys

08/04/2004 11:14 AM 91,776 ndiswan.sys

5 File(s) 406,532 bytes

0 Dir(s) 3,205,881,856 bytes free


I need you to rename a bogus file in C:\WINDOWS\System32\drivers, then copy a good file from C:\WINDOWS\SYSTEM32\dllcache to replace it, and then delete the bogus file.

 

It goes as follows:

 

Reboot to Safe Mode:

-Restart your computer.

-When the machine first starts again, tap the F8 key before Windows starts

-You are presented with a Windows XP Advanced Options menu.

-Select the option for Safe Mode using the arrow keys.

-Press Enter to boot into Safe Mode.

 

Go to Start > Run, copy/paste the following in the Open area:

C:\WINDOWS\SYSTEM32\drivers

Click: OK

 

Look for the file: ndis.sys

Right click and select: Properties

Confirm the size of ndis.sys as: 265,988 Bytes

Close out of ndis.sys Properties

 

If that is the size of the file, then:

Right-click ndis.sys

Select: Rename

Rename that file to ndis.sys.nuk

 

 

Next, once again go to Start > Run, copy/paste the following in the Open area:

C:\WINDOWS\SYSTEM32\dllcache

Click: OK

 

Look for the file: ndis.sys

Right-click ndis.sys

Select: Copy

Then paste the file to the following folder:

C:\WINDOWS\SYSTEM32\drivers

Click: OK

 

If you are able to do all of the above without any problems, then delete the following file:

C:\WINDOWS\SYSTEM32\drivers\ndis.sys.nuk

 

If you have problems at any stage, do not continue, and post back whatever you encountered.

 

~~~~

Once again, launch Notepad (Start > Programs > Accessories > Notepad)

Copy/paste all the blue text below to it:

 

If exist ndis.txt del ndis.txt

Dir C:\WINDOWS\System32\drivers\ndis*.sys >> ndis.txt

Start ndis.txt

 

In Notepad, go to File (upper menu bar), and select: Save as

In the Save as prompt:

Save in: Desktop

File Name: ndis2.bat

Save as Type: All files

Click: Save

Exit out of Notepad.

 

Next, on the Desktop, double click on ndis2.bat

Please post the report it produces in your reply.

 

~~~~

Last, run ComboFix once again, and post its report.


Hey

The size of the file ndis.sys was NOT 265,988 bytes as you said it should be. The size of ndis.sys is as follows:

 

Size: 274 KB (281,348 bytes)

 

Size on disk: 276 KB (282,624 bytes)

 

Should I still proceed with your directions?

Cheers

David


Yes.

 

The file size of ndis.sys is normally 182,xxx Bytes for SP2.

 

The one the logs are showing is a little 'bloated'!

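Before swapping a kernel driver for the dllcache copy, a practitioner would want more than the size check the thread relies on: the two files should be compared by hash, and the replacement's own size and signature looked at, because the dllcache copy can be tampered with just as easily as the live one. The PowerShell script below does that comparison and prints a verdict. It is an added example, not code from the original thread or from the helper's instructions. It assumes PowerShell 4 or later (for Get-FileHash), an elevated prompt, and a host that still has System32\dllcache (the Windows XP / Server 2003 layout); the expected size of 182,912 bytes is the one shown in the clean ndis2.txt listing above for this particular SP2 machine, not a universal constant. The script is read-only: it renames and copies nothing, leaving the Safe Mode swap as a deliberate manual step.

```powershell
# Added example, not code from the original thread or from the helper's instructions.
# Compares the live NDIS driver with the Windows File Protection cache copy and says
# whether a swap from dllcache is justified. Read-only: it renames and copies nothing.
# Assumptions: PowerShell 4 or later (Get-FileHash), run from an elevated prompt, and a
# host that still has System32\dllcache (Windows XP / Server 2003 layout).

$LivePath      = Join-Path $env:SystemRoot 'System32\drivers\ndis.sys'
$CachePath     = Join-Path $env:SystemRoot 'System32\dllcache\ndis.sys'
$ExpectedBytes = 182912   # size of the clean SP2 file in this thread's ndis2.txt; not a universal constant

function Get-DriverFacts {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-Item -LiteralPath $Path -Force
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path     = $Path
        Bytes    = $item.Length
        Modified = $item.LastWriteTime
        SHA256   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        # XP-era drivers are catalog-signed, so NotSigned here is not by itself suspicious;
        # use sigcheck -i or sigverif for a catalog-aware check on such hosts.
        SigState = $sig.Status
        Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    }
}

function Test-DriverSwap {
    param($Live, $Cache, [int]$Expected)
    if (-not $Live)  { return "no live driver found; stop and investigate" }
    if (-not $Cache) { return "no dllcache copy; take a known-good ndis.sys from install media instead" }

    # The live file is suspect if its size is off OR it no longer matches the cache copy.
    $liveSuspect = ($Live.Bytes -ne $Expected) -or ($Live.SHA256 -ne $Cache.SHA256)
    # The cache copy is only a usable replacement if it has the expected size itself.
    $cacheOk     = ($Cache.Bytes -eq $Expected)

    if (-not $liveSuspect) { return "live ndis.sys matches dllcache and the expected size; the problem is elsewhere" }
    if (-not $cacheOk)     { return "live ndis.sys differs, but the dllcache copy is $($Cache.Bytes) bytes, not $Expected; do not use it as the replacement" }
    return "live ndis.sys differs from a plausible dllcache copy; rename it to ndis.sys.nuk and copy dllcache\ndis.sys into drivers\ (Safe Mode)"
}

$live  = Get-DriverFacts -Path $LivePath
$cache = Get-DriverFacts -Path $CachePath
$live, $cache | Where-Object { $_ } | Format-List
Test-DriverSwap -Live $live -Cache $cache -Expected $ExpectedBytes
```

On the machine in this thread the first run would report the 281,348-byte live file against a 182,912-byte cache copy and recommend the swap; a second run after the swap should report that both copies match. If the verdict is that the dllcache copy cannot be trusted either, the file has to come from install media or another known-clean system of the same service pack level, not from either location on the infected box.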

Hey

here are the two reports

 

ndis2.txt:

 

Volume in drive C has no label.

Volume Serial Number is E8D8-432F

 

Directory of C:\WINDOWS\System32\drivers

 

08/04/2004 11:14 AM 182,912 ndis.sys

08/03/2004 11:10 PM 10,880 NdisIP.sys

08/18/2001 01:55 AM 9,600 ndistapi.sys

08/10/2004 04:32 PM 12,928 ndisuio.sys

08/04/2004 11:14 AM 91,776 ndiswan.sys

5 File(s) 308,096 bytes

0 Dir(s) 3,103,047,680 bytes free

 

 

 

ComboFix.txt:

 

"david" - 07-04-02 23:24:33 Service Pack 2

ComboFix 07-03-27.4.2 - Running from: "C:\Documents and Settings\david\Desktop"

 

 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\qoobox\purity\DOCUME~1

C:\qoobox\purity\DOCUME~1\david

C:\qoobox\purity\DOCUME~1\david\APPLIC~1

C:\qoobox\purity\DOCUME~1\david\APPLIC~1\from.txt

C:\qoobox\purity\DOCUME~1\david\APPLIC~1\ICROSO~1.NET

C:\qoobox\purity\Program Files\Common Files\SKS~1

C:\qoobox\purity\Program Files\Common Files\WNSXS~1

C:\qoobox\purity\Program Files\Common Files\SKS~1\??sks

C:\qoobox\purity\Program Files\Common Files\SKS~1\??sks\ctxad-504.0000

 

 

((((((((((((((((((((((((((((((( Files Created from 2007-03-02 to 2007-04-02 ))))))))))))))))))))))))))))))))))

 

 

2007-04-02 23:18 182,912 --a------ C:\WINDOWS\system32\drivers\ndis.sys

2007-03-30 15:36 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT

2007-03-28 12:49 61 --a------ C:\WINDOWS\winmoprp.dll

2007-03-28 12:48 61 --a------ C:\WINDOWS\msscds32.dll

2007-03-22 12:41 <DIR> d-------- C:\Program Files\mIRC

2007-03-18 17:53 <DIR> d-------- C:\DOCUME~1\david\Phone Browser

2007-03-18 17:53 <DIR> d-------- C:\DOCUME~1\david\APPLIC~1\DataLayer

2007-03-11 15:58 <DIR> d-------- C:\DOCUME~1\david\APPLIC~1\Nokia Multimedia Player

2007-03-11 15:57 <DIR> d-------- C:\DOCUME~1\david\APPLIC~1\Nokia

2007-03-11 15:55 <DIR> d-------- C:\Program Files\DIFX

2007-03-11 15:54 <DIR> d-------- C:\Program Files\Common Files\Nokia

2007-03-11 15:53 8,704 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys

2007-03-11 15:53 50,688 --a------ C:\WINDOWS\system32\nmwcdcls.dll

2007-03-11 15:53 4,608 --a------ C:\WINDOWS\system32\nmwcdlog.dll

2007-03-11 15:53 30,720 --a------ C:\WINDOWS\system32\nmwcdcocls.dll

2007-03-11 15:53 13,312 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys

2007-03-11 15:53 13,312 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys

2007-03-11 15:53 127,488 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys

2007-03-11 15:53 <DIR> d-------- C:\Program Files\Nokia

2007-03-11 15:53 <DIR> d-------- C:\Program Files\Common Files\PCSuite

2007-03-11 15:53 <DIR> d-------- C:\DOCUME~1\david\APPLIC~1\PC Suite

2007-03-11 15:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Suite

2007-03-11 15:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Downloaded Installations

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2007-04-02 23:23 -------- d-------- C:\Program Files\Common Files\symantec shared

2007-03-30 18:01 -------- d-------- C:\Program Files\norton systemworks

2007-03-28 16:10 3350 --ahs---- C:\WINDOWS\system32\kgygaavl.sys

2007-03-28 16:04 -------- d-------- C:\Program Files\daemon tools

2007-03-28 14:07 -------- d-------- C:\Program Files\spyware doctor

2007-03-28 13:43 -------- d-------- C:\Program Files\symantec

2007-03-25 19:07 1104874 --a------ C:\DOCUME~1\david\APPLIC~1\nmm-metadata.db

2007-02-26 18:40 -------- d-------- C:\Program Files\tansee ipod transfer

2007-01-04 15:48 0 --a------ C:\WINDOWS\system32\wwww.exe

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

"ParetoLogic Anti-Spyware"="\"C:\\Program Files\\ParetoLogic\\Anti-Spyware\\Pareto_AS.exe\" -NM -hidesplash"

"Khid"="C:\\Documents and Settings\\david\\Application Data\\?icrosoft.NET\\?ti2evxx.exe"

"PcSync"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"SoundMan"="SOUNDMAN.EXE"

"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"

"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"

"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"

"PrinTray"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\2\\printray.exe"

"LXSUPMON"="C:\\WINDOWS\\system32\\LXSUPMON.EXE RUN"

"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

"PCSuiteTrayApplication"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -startup"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]

"Installed"="1"

"NoChange"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="ehtray"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\ehome\\ehtray.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="NeroCheck"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"=""

"hkey"="HKLM"

"command"=""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="raid_tool"

"hkey"="HKLM"

"command"="C:\\Program Files\\VIA\\RAID\\raid_tool.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="VTTimer"

"hkey"="HKLM"

"command"="VTTimer.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="VTtrayp"

"hkey"="HKLM"

"command"="VTtrayp.exe"

"inimapping"="0"

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{51C55F9E-C308-4c95-89AB-8858D8AFD819}"="ParetoLogic Anti-Spyware"

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"Spyware Doctor"=""

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\

63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\

6d,73,73,74,79,6c,65,73,00

"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\

73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]

HTTPFilter REG_MULTI_SZ HTTPFilter\0\0

LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0

NetworkService REG_MULTI_SZ DnsCache\0\0

DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

rpcss REG_MULTI_SZ RpcSs\0\0

imgsvc REG_MULTI_SZ StiSvc\0\0

termsvcs REG_MULTI_SZ TermService\0\0

Usnsvc REG_MULTI_SZ usnsvc\0\0

 

 

 

Contents of the 'Scheduled Tasks' folder

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job

C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job

C:\WINDOWS\tasks\ParetoLogic Anti-Spyware.job

C:\WINDOWS\tasks\Symantec NetDetect.job

 

 

********************************************************************

 

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006

http://www.gmer.net

 

scanning hidden processes ...

 

scanning hidden services ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

********************************************************************

 

Completion time: 07-04-02 23:28:28

C:\ComboFix2.txt ... 07-03-30 17:19


There is an entry that is not getting deleted by ComboFix.

 

To correctly identify the following (C:\Documents and Settings\david\Application Data\?icrosoft.NET\?ti2evxx.exe):

 

Please launch Notepad (Start > Programs > Accessories > Notepad)

Copy/paste all the blue text below to it:

 

if exist files.txt del files.txt
rem ? is a one-character wildcard; dir cannot expand it in a middle path component, so resolve the folder with for /d first
for /d %%D in ("C:\Documents and Settings\david\Application Data\?icrosoft.NET") do dir "%%~D\?ti2evxx.exe" /a >> files.txt
notepad files.txt

 

In Notepad, go to File (upper menu bar), and select: Save as

In the Save as prompt:

Save in: Desktop

File Name: IDfile.bat

Save as Type: All files

Click: Save

Exit out of Notepad.

 

Next, on the Desktop, double click on IDfile.bat

It opens Notepad with some text in it.

 

Please post the IDFile text in your response.


Go to Start > Run, and place the following in the Open area:

 

C:\Documents and Settings\david\Application Data

 

Is there a ?icrosoft.NET folder in the Application Data directory?

(The question mark could be some type of code, or an M)

 

If so, does it contain a file that looks like:

?ti2evxx.exe

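The question mark in ?icrosoft.NET and ?ti2evxx.exe is cmd's way of showing a character it cannot render in the console code page; the folder is meant to look like Microsoft.NET in Explorer while being a different name to the file system, which is why ComboFix could not delete it by the name it displayed. Rather than guessing, a practitioner would list the exact code points. The PowerShell script below walks the current user's Application Data, reports every entry whose name contains a character outside printable ASCII, and decodes the "Khid" Run value from the ComboFix log above the same way. It is an added example, not code from the original thread; it assumes PowerShell 3 or later run under the affected user account, and it changes nothing.

```powershell
# Added example, not code from the original thread. Finds files and folders under the
# current user's Application Data whose names contain characters outside printable
# ASCII and prints each name as Unicode code points, so a folder that displays as
# "?icrosoft.NET" can be told apart from the real "Microsoft.NET". Read-only.
# Assumptions: PowerShell 3 or later, run as the affected user ($env:APPDATA resolves to
# C:\Documents and Settings\<user>\Application Data on XP).

function Get-SuspiciousNames {
    param(
        [Parameter(Mandatory)][string]$Root,
        [string]$Pattern = '[^\x20-\x7E]'   # anything that is not printable ASCII
    )
    Get-ChildItem -LiteralPath $Root -Force -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $Pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Path       = $_.FullName
                Hidden     = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                CodePoints = ($_.Name.ToCharArray() | ForEach-Object { 'U+{0:X4}' -f [int]$_ }) -join ' '
            }
        }
}

function Show-RunValueCodePoints {
    # "Khid" is the value name ComboFix listed under HKCU\...\Run in the log above.
    param(
        [string]$Key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        [string]$Name = 'Khid'
    )
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $props -or -not $props.PSObject.Properties[$Name]) {
        return "no '$Name' value under $Key"
    }
    $value = [string]$props.$Name
    [pscustomobject]@{
        Value    = $value
        NonAscii = [regex]::Matches($value, '[^\x20-\x7E]') |
                   ForEach-Object { 'U+{0:X4}' -f [int][char]$_.Value }
    }
}

Get-SuspiciousNames -Root $env:APPDATA | Format-Table -AutoSize
Show-RunValueCodePoints
```

Once the real name is known, delete the folder with Remove-Item -LiteralPath (and the Run value with Remove-ItemProperty) so that no wildcard expansion or code-page conversion happens on the way; a plain path typed into cmd goes through the console code page and may never match the on-disk name.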

Let's see if we can take it out this way:

 

Please go to Start > Settings > Control Panel, click Add or Remove Programs.

In the list of Currently Installed Programs, look for:

PurityScan by OIN

 

Anything you find with OIN or OuterInfo needs to go.

Click: Remove to uninstall

 

Then, search for and delete the following folder:

C:\Program Files\PurityScan

 

If OIN or OuterInfo is not listed, download and run the OiUninstaller:

http://www.outerinfo.com/OiUninstaller.exe

 

Restart the computer.

 

~~~~

New development!

 

ComboFix has been updated to version 07-04-04.5, and it appears to target an infection on your computer.

 

Please remove the ComboFix program, and download the new version:

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

 

Save it to the Desktop.

Double-click combofix.exe and follow the prompts.

 

CAUTION: Do not mouse-click ComboFix's window while it is running.

It may cause it to stall.

 

When finished, it produces a report.

 

Please provide the contents of the ComboFix report in your reply.

 

====

Also download ComboScan to the Desktop.

Close all windows.

Double-click on comboscan.exe to run it, and follow the prompts.

The scan may take a minute.

When the scan is complete, a text file will open - ComboScan.txt

 

Extra Note: When running ComboScan, some firewalls may warn that sigcheck.exe is trying to access the Internet. Please allow sigcheck.exe to do so. Also, your Antivirus may flag ComboScan as suspicious. Please allow ComboScan to run and don't let your Antivirus remove it. (If this happens, it may be better to temporarily disable your Antivirus.)

 

Also provide the ComboScan.txt in your reply.
