Tech Support Guy banner
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice
Status
Not open for further replies.
1 - 19 of 19 Posts

·
Registered
Joined
·
13 Posts
Discussion Starter · #1 ·
I have the same problems as what some of the forum members have already posted. I have done some readup as well. My antivirus detects csrss.exe to be a virus and prompts me to delete it everytime i startup even though i have already done so. I suppose it's something to do with my registry then. I have dled HJT and here's the log. I believe this virus came together with the chinese free online cable tv that i downloaded. Pls advice.

Logfile of HijackThis v1.99.1
Scan saved at 3:17:20 AM, on 12/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\DRIVERS\WtSrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\csrss.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\conime.exe
C:\Documents and Settings\AAA\Desktop\W3XMapHack120E3.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [rundll32] C:\Program Files\Common Files\rundll32.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {0952E9A4-F4A0-4e36-A0B6-10DEFD96B60C} - C:\PROGRA~1\Transtar\TRANST~1.0\APPLIC~1\TransIE.dll
O9 - Extra 'Tools' menuitem: Show Transtar Help - {0952E9A4-F4A0-4e36-A0B6-10DEFD96B60C} - C:\PROGRA~1\Transtar\TRANST~1.0\APPLIC~1\TransIE.dll
O9 - Extra button: to Chinese - {1CC39F26-2D9D-41f9-AA6E-9A6DD0F935BB} - C:\PROGRA~1\Transtar\TRANST~1.0\APPLIC~1\TransIE.dll
O9 - Extra 'Tools' menuitem: to Chinese - {1CC39F26-2D9D-41f9-AA6E-9A6DD0F935BB} - C:\PROGRA~1\Transtar\TRANST~1.0\APPLIC~1\TransIE.dll
O9 - Extra button: to English - {34993F06-DBAD-43d8-85B8-227B15D23C3F} - C:\PROGRA~1\Transtar\TRANST~1.0\APPLIC~1\TransIE.dll
O9 - Extra 'Tools' menuitem: to English - {34993F06-DBAD-43d8-85B8-227B15D23C3F} - C:\PROGRA~1\Transtar\TRANST~1.0\APPLIC~1\TransIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: PowerWord - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - C:\Program Files\Kingsoft\Powerword 2003\XDictExB.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aelupsvc32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aelupsvc32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2B866353-E598-4403-8E4D-B871AB30DC55} (Speed Class) - http://www.singnet.com.sg/technical/helptools/media/SpeedCtrl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142083003334
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - C:\Program Files\Kingsoft\Powerword 2003\XDictExB.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\DRIVERS\WtSrv.exe
 

·
Retired Moderator and Malware Specialist
Joined
·
18,549 Posts
Hi, koolburn :)

Wedlcome to TSG.

csrss.exe is the least of your problems. Your computer is infected with a difficult to remove Rootkit. A Rootkit is a program that hides the malware.

First, Download LSPFix.exe to a convenient location. Do NOT run this program. This is only to be used if you lose Internet Access after removing the Rootkit.

Download ComboFix from Here or Here. to your Desktop.

Reboot to Safe mode:

Restart your computer and begin tapping the F8 key on your keyboard just before Windows starts to load. If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

Perform the following actions in Safe Mode.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
 

·
Registered
Joined
·
13 Posts
Discussion Starter · #3 ·
Here it is:

ComboFix
AAA - 06-12-29 3:51:13.78 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\AAA\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-11-29 to 2006-12-29 ))))))))))))))))))))))))))))))))))

2006-12-29 03:15 d-------- C:\HJT
2006-12-29 01:01 181,214 --a------ C:\Program Files\csrss.exe
2006-12-28 20:06 d-------- C:\Documents and Settings\AAA\Application Data\ATI
2006-12-28 19:55 516,096 --------- C:\WINDOWS\system32\ati2sgag.exe
2006-12-28 19:55 294,912 -ra------ C:\WINDOWS\system32\atiiiexx.dll
2006-12-28 19:54 d-------- C:\Program Files\ATI Technologies
2006-12-28 19:41 434,496 --a------ C:\WINDOWS\system32\ativvaxx.dll
2006-12-28 19:41 32,768 --a------ C:\WINDOWS\system32\ativtmxx.dll
2006-12-28 19:40 873,984 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2006-12-28 19:40 2,305,984 --a------ C:\WINDOWS\system32\ati3duag.dll
2006-12-26 21:46 d-------- C:\Documents and Settings\AAA\Application Data\WinPatrol
2006-12-26 21:45 d-------- C:\Program Files\BillP Studios
2006-12-19 22:15 d--hs---- C:\FOUND.019
2006-12-18 18:15 d--hs---- C:\FOUND.018
2006-12-14 00:27 d-------- C:\Documents and Settings\All Users\Application Data\RRToday
2006-12-14 00:26 716,597 --a------ C:\WINDOWS\today.exe
2006-12-09 18:15 d-------- C:\Program Files\Lavasoft
2006-12-09 18:15 d-------- C:\Documents and Settings\AAA\Application Data\Lavasoft
2006-12-07 03:29 178,180 --a------ C:\Program Files\Common Files\rundll32.exe

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-12-27 10:59 3000000 --a------ C:\WINDOWS\system32\wmsetup.exe
2006-11-09 19:40 49152 --a------ C:\WINDOWS\IEXPL0RE.exe
2006-11-09 19:40 29184 --a------ C:\WINDOWS\system32\drivers\wsfit32.sys
2006-11-09 19:40 167936 --a------ C:\WINDOWS\system32\aelupsvc32.dll
2006-10-01 22:29 159568 --a------ C:\WINDOWS\~tmp7163.exe
2006-10-01 22:22 159568 --a------ C:\WINDOWS\~tmp7069.exe
2006-10-01 22:21 159568 --a------ C:\WINDOWS\~tmp6208.exe
2006-10-01 22:19 159568 --a------ C:\WINDOWS\~tmp1550.exe

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"IMJPMIG8.1"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"MSPY2002"="C:\\WINDOWS\\System32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"rundll32"="C:\\Program Files\\Common Files\\rundll32.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c2,01,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
@=""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
@=""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoControlPanel"=dword:00000000
"NoNetHood"=dword:00000000
"NoComputersNearMe"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=dword:00000000
"NoComputersNearMe"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"

Completion time: 06-12-29 3:52:00.67
C:\ComboFix.txt ... 06-12-29 03:52

HJT
Logfile of HijackThis v1.99.1
Scan saved at 3:53:01 AM, on 12/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [rundll32] C:\Program Files\Common Files\rundll32.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {0952E9A4-F4A0-4e36-A0B6-10DEFD96B60C} - C:\PROGRA~1\Transtar\TRANST~1.0\APPLIC~1\TransIE.dll
O9 - Extra 'Tools' menuitem: Show Transtar Help - {0952E9A4-F4A0-4e36-A0B6-10DEFD96B60C} - C:\PROGRA~1\Transtar\TRANST~1.0\APPLIC~1\TransIE.dll
O9 - Extra button: to Chinese - {1CC39F26-2D9D-41f9-AA6E-9A6DD0F935BB} - C:\PROGRA~1\Transtar\TRANST~1.0\APPLIC~1\TransIE.dll
O9 - Extra 'Tools' menuitem: to Chinese - {1CC39F26-2D9D-41f9-AA6E-9A6DD0F935BB} - C:\PROGRA~1\Transtar\TRANST~1.0\APPLIC~1\TransIE.dll
O9 - Extra button: to English - {34993F06-DBAD-43d8-85B8-227B15D23C3F} - C:\PROGRA~1\Transtar\TRANST~1.0\APPLIC~1\TransIE.dll
O9 - Extra 'Tools' menuitem: to English - {34993F06-DBAD-43d8-85B8-227B15D23C3F} - C:\PROGRA~1\Transtar\TRANST~1.0\APPLIC~1\TransIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: PowerWord - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - C:\Program Files\Kingsoft\Powerword 2003\XDictExB.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aelupsvc32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aelupsvc32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2B866353-E598-4403-8E4D-B871AB30DC55} (Speed Class) - http://www.singnet.com.sg/technical/helptools/media/SpeedCtrl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142083003334
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - C:\Program Files\Kingsoft\Powerword 2003\XDictExB.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\DRIVERS\WtSrv.exe
 

·
Retired Moderator and Malware Specialist
Joined
·
18,549 Posts
Hi, koolburn :)

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan"box on the top of the page:
    • C:\WINDOWS\today.exe
  • Click on the submit button
  • Please post the results in your next reply.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [rundll32] C:\Program Files\Common Files\rundll32.exe

Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

Close Hijackthis.

A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.
  1. Run the LSPFix.exe that you have downloaded.
  2. Check the I know what I'm doing box.
  3. In the Keep box you should see one or more instances of aelupsvc32.dll.
  4. Select every instance of aelupsvc32.dll and move each one to the Remove box by clicking the >> button.
  5. When you are done click Finish>>.
1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\Program Files\csrss.exe
C:\Program Files\Common Files\rundll32.exe
C:\WINDOWS\IEXPL0RE.exe
C:\WINDOWS\system32\drivers\wsfit32.sys
C:\WINDOWS\system32\aelupsvc32.dll
C:\WINDOWS\~tmp7163.exe
C:\WINDOWS\~tmp7069.exe
C:\WINDOWS\~tmp6208.exe
C:\WINDOWS\~tmp1550.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log .

Note: "If you have one or more folders of the name FOUND.### where ### is a set of sequential numbers starting at 000, these are very likely the result of a CHKDSK operation which has found multiple folders (subdirectories) which it has attempted to recover. In general, these folders contain incomplete information and are not recoverable."

For me, this is usually an indication of bad sectors in the hard drive.
 

·
Registered
Joined
·
13 Posts
Discussion Starter · #5 ·
Hi, JSntgRvr :D

AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found W32/Hengbang.AF

VirusBuster
Found nothing
VBA32
Found P2P-Worm.Agent.1 (paranoid heuristics) (probable variant)


The Avenger didnt seem to work the first time, no txt file was created therefore repeat 2nd time.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ksaywldv

*******************

Fatal error: integrity of Services key failed verification check! Security may be fatally compromised. Exiting immediately.

Could not open script file! Status: 0xc0000034 Abort!
//////////////////////////////////////////

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tuxiryxb

*******************

Script file located at: \??\C:\WINDOWS\system32\vfktjteb.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\Program Files\csrss.exe deleted successfully.
File C:\Program Files\Common Files\rundll32.exe deleted successfully.

Could not delete file C:\WINDOWS\IEXPL0RE.exe
Deletion of file C:\WINDOWS\IEXPL0RE.exe failed!

Could not process line:
C:\WINDOWS\IEXPL0RE.exe
Status: 0xc0000022

Could not delete file C:\WINDOWS\system32\drivers\wsfit32.sys
Deletion of file C:\WINDOWS\system32\drivers\wsfit32.sys failed!

Could not process line:
C:\WINDOWS\system32\drivers\wsfit32.sys
Status: 0xc0000022

Could not delete file C:\WINDOWS\system32\aelupsvc32.dll
Deletion of file C:\WINDOWS\system32\aelupsvc32.dll failed!

Could not process line:
C:\WINDOWS\system32\aelupsvc32.dll
Status: 0xc0000022

File C:\WINDOWS\~tmp7163.exe deleted successfully.
File C:\WINDOWS\~tmp7069.exe deleted successfully.
File C:\WINDOWS\~tmp6208.exe deleted successfully.
File C:\WINDOWS\~tmp1550.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 5:08:56 PM, on 12/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\System32\DRIVERS\WtSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {0952E9A4-F4A0-4e36-A0B6-10DEFD96B60C} - C:\PROGRA~1\Transtar\TRANST~1.0\APPLIC~1\TransIE.dll
O9 - Extra 'Tools' menuitem: Show Transtar Help - {0952E9A4-F4A0-4e36-A0B6-10DEFD96B60C} - C:\PROGRA~1\Transtar\TRANST~1.0\APPLIC~1\TransIE.dll
O9 - Extra button: to Chinese - {1CC39F26-2D9D-41f9-AA6E-9A6DD0F935BB} - C:\PROGRA~1\Transtar\TRANST~1.0\APPLIC~1\TransIE.dll
O9 - Extra 'Tools' menuitem: to Chinese - {1CC39F26-2D9D-41f9-AA6E-9A6DD0F935BB} - C:\PROGRA~1\Transtar\TRANST~1.0\APPLIC~1\TransIE.dll
O9 - Extra button: to English - {34993F06-DBAD-43d8-85B8-227B15D23C3F} - C:\PROGRA~1\Transtar\TRANST~1.0\APPLIC~1\TransIE.dll
O9 - Extra 'Tools' menuitem: to English - {34993F06-DBAD-43d8-85B8-227B15D23C3F} - C:\PROGRA~1\Transtar\TRANST~1.0\APPLIC~1\TransIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: PowerWord - {9A687CA6-D585-4947-9ED9-BE96071F5CD9} - C:\Program Files\Kingsoft\Powerword 2003\XDictExB.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aelupsvc32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aelupsvc32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2B866353-E598-4403-8E4D-B871AB30DC55} (Speed Class) - http://www.singnet.com.sg/technical/helptools/media/SpeedCtrl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142083003334
O18 - Protocol: dic - {C21F5C32-F57A-4A0D-8E0A-B672691C52D0} - C:\Program Files\Kingsoft\Powerword 2003\XDictExB.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\DRIVERS\WtSrv.exe
 

·
Retired Moderator and Malware Specialist
Joined
·
18,549 Posts
Hi, koolburn :)

We have a stuburn rootkit with an Access Denied code.

Create a Startup List
  • Open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • Check off the 2 boxes next to the Box that says "Generate StartupList log"
  • Click on the button "Generate StartupList log"
  • Save the log will you will remember
  • Copy and past the StartupList from the notepad into your next post
 

·
Registered
Joined
·
13 Posts
Discussion Starter · #7 ·
StartupList report, 12/30/2006, 1:48:49 AM
StartupList version: 1.52.2
Started from : C:\HJT\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\System32\DRIVERS\WtSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\AAA\Desktop\W3XMapHack120E3.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\AAA\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cmaudio = RunDll32 cmicnfg.cpl,CMICtrlWnd
IMJPMIG8.1 = C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
MSPY2002 = C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
PHIME2002ASync = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
SunJavaUpdateSched = "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
ATICCC = "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - (no file) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
(no name) - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll - {9030D464-4C02-4ABF-8ECC-5164760863C6}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[{0000000A-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB

[{00000161-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.microsoft.com/codecs/i386/msaudio.cab

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

[Speed Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\SpeedCtrl.dll
CODEBASE = http://www.singnet.com.sg/technical/helptools/media/SpeedCtrl.cab

[{3334504D-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/0/C/8/0C8EDFAB-30BC-4792-898E-2DABE27B2C4D/mp43dmo.CAB

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

[BDSCANONLINE Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\oscan8.ocx
CODEBASE = http://download.bitdefender.com/resources/scan8/oscan8.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142083003334

[Java Plug-in 1.5.0_09]
InProcServer32 = C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab

[Java Plug-in 1.5.0_09]
InProcServer32 = C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab

[Java Plug-in 1.5.0_09]
InProcServer32 = C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\aelupsvc32.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\mswsock.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\rsvpsp.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\aelupsvc32.dll

--------------------------------------------------
 

·
Registered
Joined
·
13 Posts
Discussion Starter · #8 ·
Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\system32\Ati2evxx.exe (autostart)
ATI Smart: C:\WINDOWS\system32\ati2sgag.exe (autostart)
ati2mtag: system32\DRIVERS\ati2mtag.sys (manual start)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
C-Media WDM Audio Interface: system32\drivers\cmuda.sys (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
d347bus: System32\DRIVERS\d347bus.sys (system)
d347prt: System32\Drivers\d347prt.sys (system)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
FsVga: System32\DRIVERS\fsvga.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
gcjdjhga: system32\drivers\gcjdjhga.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Hid to Joystick Port Enabler: System32\DRIVERS\hidgame.sys (manual start)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
IdeBusDr: System32\DRIVERS\IdeBusDr.sys (system)
Intel(R) Ultra ATA Controller: System32\DRIVERS\IdeChnDr.sys (system)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
iigfgheg: system32\drivers\iigfgheg.sys (system)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Sony Ericsson 750 driver (WDM): System32\DRIVERS\k750bus.sys (manual start)
Sony Ericsson 750 USB WMC Modem Filter: System32\DRIVERS\k750mdfl.sys (manual start)
Sony Ericsson 750 USB WMC Modem Drivers: System32\DRIVERS\k750mdm.sys (manual start)
Sony Ericsson 750 USB WMC Device Management Drivers: System32\DRIVERS\k750mgmt.sys (manual start)
Sony Ericsson 750 USB WMC OBEX Interface Drivers: System32\DRIVERS\k750obex.sys (manual start)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Monitor Driver: system32\DRIVERS\NMnt.sys (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Realtek RTL8139/810X Family PCI Fast Ethernet NIC NT Driver: System32\DRIVERS\RTL8139.SYS (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{941B88BD-2082-432F-8CA3-43D8044EA306} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Serial Tablet Port Driver: "%SystemRoot%\System32\Drivers\Tablet2k.sys" (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Tablet Class Driver: System32\DRIVERS\TClass2k.sys (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
HID Tablet Port Driver: System32\DRIVERS\UCTblHid.sys (manual start)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Motorola USB Modem Driver: System32\DRIVERS\usbser.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
Messenger Sharing USN Journal Reader service: C:\WINDOWS\system32\svchost.exe -k usnsvc (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
WinTab Service: %SystemRoot%\System32\DRIVERS\WtSrv.exe (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (system)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
wsfit32: system32\DRIVERS\wsfit32.sys (system)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 33,680 bytes
Report generated in 1.482 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 

·
Retired Moderator and Malware Specialist
Joined
·
18,549 Posts
Hi, koolburn :)

1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to unload:
gcjdjhga

Files to delete:
C:\Windows\system32\drivers\gcjdjhga.sys
C:\WINDOWS\system32\drivers\wsfit32.sys
C:\WINDOWS\system32\aelupsvc32.dll
C:\WINDOWS\IEXPL0RE.exe
C:\WINDOWS\today.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
3. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply .
 

·
Registered
Joined
·
13 Posts
Discussion Starter · #10 ·
Hi, JSntgRvr :D

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ggncywfv

*******************

Script file located at: \??\C:\WINDOWS\oiqtbelw.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver gcjdjhga unloaded successfully.


File C:\Windows\system32\drivers\gcjdjhga.sys not found!
Deletion of file C:\Windows\system32\drivers\gcjdjhga.sys failed!

Could not process line:
C:\Windows\system32\drivers\gcjdjhga.sys
Status: 0xc0000034



Could not delete file C:\WINDOWS\system32\drivers\wsfit32.sys
Deletion of file C:\WINDOWS\system32\drivers\wsfit32.sys failed!

Could not process line:
C:\WINDOWS\system32\drivers\wsfit32.sys
Status: 0xc0000022



Could not delete file C:\WINDOWS\system32\aelupsvc32.dll
Deletion of file C:\WINDOWS\system32\aelupsvc32.dll failed!

Could not process line:
C:\WINDOWS\system32\aelupsvc32.dll
Status: 0xc0000022



Could not delete file C:\WINDOWS\IEXPL0RE.exe
Deletion of file C:\WINDOWS\IEXPL0RE.exe failed!

Could not process line:
C:\WINDOWS\IEXPL0RE.exe
Status: 0xc0000022

File C:\WINDOWS\today.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
 

·
Retired Moderator and Malware Specialist
Joined
·
18,549 Posts
Hi, koolburn

Please download gmer rootkit detector from Here
  • Unzip it and double click the gmer.exe file
  • Select rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Press scan
  • When it has finished press save & post back the log it makes
  • Repeat the proces with the Autostarts tab and do the same there

Download and Save Blacklight to your desktop:

Double-click blbeta.exe then accept the agreement, leave [X]scan through Windows Explorer checked, click > scan then > next

You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"
 

·
Registered
Joined
·
13 Posts
Discussion Starter · #12 ·
Hi, JSntgRvr

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2006-12-30 07:29:08
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.12 ----

SSDT d347bus.sys ZwClose
SSDT d347bus.sys ZwCreateKey
SSDT d347bus.sys ZwCreatePagingFile
SSDT wsfit32.sys ZwDeleteKey
SSDT wsfit32.sys ZwDeleteValueKey
SSDT d347bus.sys ZwEnumerateKey
SSDT d347bus.sys ZwEnumerateValueKey
SSDT d347bus.sys ZwOpenKey
SSDT wsfit32.sys ZwOpenProcess
SSDT d347bus.sys ZwQueryKey
SSDT d347bus.sys ZwQueryValueKey
SSDT d347bus.sys ZwSetSystemPowerState
SSDT wsfit32.sys ZwSetValueKey

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Fastfat \FatCdrom IRP_MJ_READ 81B14E00
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 818AD900
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 81819700
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_NAMED_PIPE 81819700
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 81819700
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 81819700
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 81819700
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_INFORMATION 81819700
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_INFORMATION 81819700
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_EA 81819700
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_EA 81819700
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 81819700
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_VOLUME_INFORMATION 81819700
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_VOLUME_INFORMATION 81819700
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DIRECTORY_CONTROL 81819700
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FILE_SYSTEM_CONTROL 81819700
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 81819700
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 81819700
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 81819700
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_LOCK_CONTROL 81819700
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLEANUP 81819700
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_MAILSLOT 81819700
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_SECURITY 81819700
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_SECURITY 81819700
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 81819700
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 81819700
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CHANGE 81819700
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_QUOTA 81819700
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_QUOTA 81819700
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 81819700
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_CREATE 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_CREATE_NAMED_PIPE 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_CLOSE 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_READ 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_WRITE 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_QUERY_INFORMATION 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_SET_INFORMATION 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_QUERY_EA 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_SET_EA 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_FLUSH_BUFFERS 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_QUERY_VOLUME_INFORMATION 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_SET_VOLUME_INFORMATION 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_DIRECTORY_CONTROL 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_FILE_SYSTEM_CONTROL 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_DEVICE_CONTROL 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_INTERNAL_DEVICE_CONTROL 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_SHUTDOWN 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_LOCK_CONTROL 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_CLEANUP 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_CREATE_MAILSLOT 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_QUERY_SECURITY 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_SET_SECURITY 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_POWER 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_SYSTEM_CONTROL 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_DEVICE_CHANGE 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_QUERY_QUOTA 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_SET_QUOTA 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_PNP 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_CREATE 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_CREATE_NAMED_PIPE 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_CLOSE 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_READ 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_WRITE 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_QUERY_INFORMATION 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_SET_INFORMATION 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_QUERY_EA 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_SET_EA 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_FLUSH_BUFFERS 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_QUERY_VOLUME_INFORMATION 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_SET_VOLUME_INFORMATION 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_DIRECTORY_CONTROL 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_FILE_SYSTEM_CONTROL 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_DEVICE_CONTROL 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_INTERNAL_DEVICE_CONTROL 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_SHUTDOWN 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_LOCK_CONTROL 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_CLEANUP 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_CREATE_MAILSLOT 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_QUERY_SECURITY 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_SET_SECURITY 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_POWER 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_SYSTEM_CONTROL 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_DEVICE_CHANGE 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_QUERY_QUOTA 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_SET_QUOTA 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T1L0 IRP_MJ_PNP 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_CREATE 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_CREATE_NAMED_PIPE 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_CLOSE 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_READ 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_WRITE 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_QUERY_INFORMATION 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_SET_INFORMATION 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_QUERY_EA 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_SET_EA 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_FLUSH_BUFFERS 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_QUERY_VOLUME_INFORMATION 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_SET_VOLUME_INFORMATION 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_DIRECTORY_CONTROL 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_FILE_SYSTEM_CONTROL 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_DEVICE_CONTROL 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_INTERNAL_DEVICE_CONTROL 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_SHUTDOWN 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_LOCK_CONTROL 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_CLEANUP 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_CREATE_MAILSLOT 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_QUERY_SECURITY 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_SET_SECURITY 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_POWER 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_SYSTEM_CONTROL 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_DEVICE_CHANGE 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_QUERY_QUOTA 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_SET_QUOTA 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_PNP 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_CREATE 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_CREATE_NAMED_PIPE 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_CLOSE 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_READ 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_WRITE 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_QUERY_INFORMATION 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_SET_INFORMATION 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_QUERY_EA 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_SET_EA 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_FLUSH_BUFFERS 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_QUERY_VOLUME_INFORMATION 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_SET_VOLUME_INFORMATION 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_DIRECTORY_CONTROL 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_FILE_SYSTEM_CONTROL 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_DEVICE_CONTROL 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_INTERNAL_DEVICE_CONTROL 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_SHUTDOWN 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_LOCK_CONTROL 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_CLEANUP 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_CREATE_MAILSLOT 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_QUERY_SECURITY 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_SET_SECURITY 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_POWER 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_SYSTEM_CONTROL 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_DEVICE_CHANGE 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_QUERY_QUOTA 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_SET_QUOTA 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_PNP 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_CREATE 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_CREATE_NAMED_PIPE 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_CLOSE 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_READ 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_WRITE 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_QUERY_INFORMATION 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_SET_INFORMATION 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_QUERY_EA 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_SET_EA 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_FLUSH_BUFFERS 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_QUERY_VOLUME_INFORMATION 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_SET_VOLUME_INFORMATION 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_DIRECTORY_CONTROL 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_FILE_SYSTEM_CONTROL 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_DEVICE_CONTROL 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_INTERNAL_DEVICE_CONTROL 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_SHUTDOWN 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_LOCK_CONTROL 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_CLEANUP 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_CREATE_MAILSLOT 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_QUERY_SECURITY 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_SET_SECURITY 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_POWER 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_SYSTEM_CONTROL 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_DEVICE_CHANGE 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_QUERY_QUOTA 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_SET_QUOTA 81B5B8B8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_PNP 81B5B8B8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 81819700
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_NAMED_PIPE 81819700
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 81819700
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 81819700
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 81819700
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_INFORMATION 81819700
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_INFORMATION 81819700
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_EA 81819700
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_EA 81819700
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 81819700
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_VOLUME_INFORMATION 81819700
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_VOLUME_INFORMATION 81819700
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DIRECTORY_CONTROL 81819700
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FILE_SYSTEM_CONTROL 81819700
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 81819700
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 81819700
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 81819700
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_LOCK_CONTROL 81819700
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLEANUP 81819700
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_MAILSLOT 81819700
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_SECURITY 81819700
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_SECURITY 81819700
 

·
Registered
Joined
·
13 Posts
Discussion Starter · #13 ·
Continuing,

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 81819700
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 81819700
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CHANGE 81819700
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_QUOTA 81819700
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_QUOTA 81819700
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 81819700
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE 81819700
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE_NAMED_PIPE 81819700
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLOSE 81819700
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_READ 81819700
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_WRITE 81819700
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_INFORMATION 81819700
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_INFORMATION 81819700
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_EA 81819700
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_EA 81819700
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FLUSH_BUFFERS 81819700
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_VOLUME_INFORMATION 81819700
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_VOLUME_INFORMATION 81819700
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DIRECTORY_CONTROL 81819700
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FILE_SYSTEM_CONTROL 81819700
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CONTROL 81819700
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_INTERNAL_DEVICE_CONTROL 81819700
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SHUTDOWN 81819700
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_LOCK_CONTROL 81819700
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLEANUP 81819700
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE_MAILSLOT 81819700
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_SECURITY 81819700
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_SECURITY 81819700
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_POWER 81819700
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SYSTEM_CONTROL 81819700
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CHANGE 81819700
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_QUOTA 81819700
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_QUOTA 81819700
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_PNP 81819700
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_READ 81768FB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 818AD3E0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 818AD3E0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_READ 818B51E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_READ 81B66EF0
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_CREATE 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_CREATE_NAMED_PIPE 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_CLOSE 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_READ 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_WRITE 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_QUERY_INFORMATION 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_SET_INFORMATION 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_QUERY_EA 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_SET_EA 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_FLUSH_BUFFERS 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_QUERY_VOLUME_INFORMATION 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_SET_VOLUME_INFORMATION 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_DIRECTORY_CONTROL 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_FILE_SYSTEM_CONTROL 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_SHUTDOWN 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_LOCK_CONTROL 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_CLEANUP 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_CREATE_MAILSLOT 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_QUERY_SECURITY 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_SET_SECURITY 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_POWER 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_DEVICE_CHANGE 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_QUERY_QUOTA 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_SET_QUOTA 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_PNP 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CREATE 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CREATE_NAMED_PIPE 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CLOSE 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_READ 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_WRITE 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_INFORMATION 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_INFORMATION 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_EA 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_EA 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_FLUSH_BUFFERS 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_VOLUME_INFORMATION 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_VOLUME_INFORMATION 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_DIRECTORY_CONTROL 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_FILE_SYSTEM_CONTROL 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_DEVICE_CONTROL 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_INTERNAL_DEVICE_CONTROL 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SHUTDOWN 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_LOCK_CONTROL 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CLEANUP 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CREATE_MAILSLOT 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_SECURITY 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_SECURITY 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_POWER 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SYSTEM_CONTROL 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_DEVICE_CHANGE 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_QUOTA 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_QUOTA 817949C8
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_PNP 817949C8
Device \FileSystem\Fastfat \Fat IRP_MJ_READ 81B14E00
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_READ 817D2FB0
Device \FileSystem\Fs_Rec \FileSystem\NtfsRecognizer IRP_MJ_READ 817D2FB0
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_READ 817D2FB0
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_READ 817D2FB0
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_READ 817D2FB0
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 8189E960

---- Modules - GMER 1.0.12 ----

Module ____________ F9936000

---- EOF - GMER 1.0.12 ----
 

·
Registered
Joined
·
13 Posts
Discussion Starter · #14 ·
GMER 1.0.12.12011 - http://www.gmer.net
Autostart scan 2006-12-30 07:34:01
Windows 5.1.2600 Service Pack 2

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\[email protected] = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\[email protected] = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\[email protected] = Ati2evxx.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Ati HotKey [email protected] = %SystemRoot%\system32\Ati2evxx.exe
ATI Smart /*ATI Smart*/@ = C:\WINDOWS\system32\ati2sgag.exe
[email protected] = %SystemRoot%\system32\drivers\scsiport.sys
Spooler /*Print Spooler*/@ = %SystemRoot%\system32\spoolsv.exe
WinTabService /*WinTab Service*/@ = %SystemRoot%\System32\DRIVERS\WtSrv.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@CmaudioRunDll32 cmicnfg.cpl,CMICtrlWnd = RunDll32 cmicnfg.cpl,CMICtrlWnd
@IMJPMIG8.1C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32 = C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
@MSPY2002C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC = C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
@PHIME2002ASyncC:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
@PHIME2002AC:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
@SunJavaUpdateSched"C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" = "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
@TkBellExe"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
@ATIPTAC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
@ATICCC"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime = "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime

HKCU\Software\Microsoft\Windows\CurrentVersion\[email protected] = C:\WINDOWS\system32\ctfmon.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL = C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\Office10\msohev.dll = C:\Program Files\Microsoft Office\Office10\msohev.dll
@{47B92A27-8252-420D-9630-378EF61434D7} /*PowerWord ExplorerBar*/C:\Program Files\Kingsoft\Powerword 2003\XDictExB.dll = C:\Program Files\Kingsoft\Powerword 2003\XDictExB.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Program Files\WinRAR\rarext.dll = C:\Program Files\WinRAR\rarext.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Program Files\Real\RealPlayer\rpshell.dll = C:\Program Files\Real\RealPlayer\rpshell.dll
@{73B24247-042E-4EF5-ADC2-42F62E6FD654} /*ICQ Lite Shell Extension*/(null) =
@{A5110426-177D-4e08-AB3F-785F10B4439C} /*Sony Ericsson File Manager*/C:\Program Files\Sony Ericsson\Mobile\File Manager\fmgrgui.dll = C:\Program Files\Sony Ericsson\Mobile\File Manager\fmgrgui.dll
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\System32\extmgr.dll = C:\WINDOWS\System32\extmgr.dll
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/C:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll = C:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll
@{5E2121EE-0300-11D4-8D3B-444553540000} /*Catalyst Context Menu extension*/C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll = C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\[email protected]{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
[email protected]{73B24247-042E-4EF5-ADC2-42F62E6FD654} =
[email protected]{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\[email protected]{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
@{53707962-6F74-2D53-2644-206D7942484F}C:\PROGRA~1\SPYBOT~1\SDHelper.dll = C:\PROGRA~1\SPYBOT~1\SDHelper.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll = C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
@{9030D464-4C02-4ABF-8ECC-5164760863C6}C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll = C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

HKLM\Software\Microsoft\Internet Explorer\Plugins\Extension\[email protected] = C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
@Start Pagehttp://www.singnet.com.sg/ = http://www.singnet.com.sg/

HKCU\Software\Microsoft\Internet Explorer\[email protected] Page = about:blank

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
[email protected] = C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
[email protected] = C:\Program Files\Kingsoft\Powerword 2003\XDictExB.dll
[email protected] = C:\WINDOWS\system32\msvidctl.dll
[email protected] = C:\WINDOWS\System32\itss.dll
[email protected] = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
[email protected] = %SystemRoot%\System32\inetcomm.dll
[email protected] = C:\WINDOWS\System32\itss.dll
[email protected] = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
[email protected] = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
[email protected] = C:\WINDOWS\system32\msvidctl.dll
[email protected] = C:\WINDOWS\System32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\ >>>
[email protected] = C:\WINDOWS\system32\aelupsvc32.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\[email protected] = C:\WINDOWS\system32\aelupsvc32.dll

C:\Documents and Settings\All Users\Start Menu\Programs\Startup >>>
Microsoft Office.lnk = Microsoft Office.lnk
ATI CATALYST System Tray.lnk = ATI CATALYST System Tray.lnk

---- EOF - GMER 1.0.12 ----
 

·
Retired Moderator and Malware Specialist
Joined
·
18,549 Posts
Hi, koolburn :)

Lets try this again.

  1. Run the LSPFix.exe that you have just finished downloading.
  2. Check the I know what I'm doing box.
  3. In the Keep box you should see one or more instances of aelupsvc32.dll.
  4. Select every instance of aelupsvc32.dll and move each one to the Remove box by clicking the >> button.
  5. When you are done click Finish>>.
1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to unload:
wsfit32

Files to delete:
C:\WINDOWS\system32\drivers\wsfit32.sys
C:\WINDOWS\IEXPL0RE.exe
C:\WINDOWS\system32\aelupsvc32.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
3. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log .
 

·
Retired Moderator and Malware Specialist
Joined
·
18,549 Posts
Hi, koolburn :)

I received your PM. Please post a fresh Hijackthis for review.

Is this a desktop or a notebook? What's the brand of the Compuer?
 

·
Registered
Joined
·
13 Posts
Discussion Starter · #18 ·
Hi, JSntgRvr

This is a diy desktop.

Logfile of HijackThis v1.99.1
Scan saved at 8:26:54 AM, on 12/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ftp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Isaac\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com.sg:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://10.0.0.138;http://192.168.1.1;http://speedtouch.lan;<local>
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
 

·
Retired Moderator and Malware Specialist
Joined
·
18,549 Posts
Hi, koolburn :)

After reformatting the rootkit has dissapeared. There is no signs of any other malware in the computer.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

Close Hijackthis.

In regard to Antivirus software, Node32 has received good reviews. Stay away from Norton and McAfee as they are resources hogs.

Free Antivirus are available:

AVG FREE

AVIRA

AVAST

Activevirusshield

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  1. Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
  3. SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  4. SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  5. IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  6. CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  7. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  8. Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  9. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

Click Here for some advise from our security Experts.

In regard to your CD_ROM, if after re-format you still experiencing issues, then it is the CD_ROM that has gone bad. How were you able to format and reload?

Let me kow if I can be of further help.
 
1 - 19 of 19 Posts
Status
Not open for further replies.
Top