
Problem with services.exe


23 replies to this topic

#1 dark998

dark998

    Member

  • Full Member
  • Pip
  • 46 posts

Posted 06 June 2007 - 11:49 PM

Some days ago I was attacked by adware. I ran a HijackThis scan and removed some entries with tools I had from previous attacks. However, one problem still remains: the services.exe process constantly reaches 100% CPU usage, my internet speed is slowed down, and the PC is rebooting randomly (either instantly or with a countdown).

I have performed full system scans with AVG Anti-Spyware 7.5 and Dr Web CureIt. Both detected and deleted threats, but the problem still persists.

Here is my HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 11:46:25 p.m., on 06/06/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\DAEMON Tools\daemon.exe
C:\Archivos de programa\Trend Micro\Internet Security 2007\pccguide.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\ARCHIV~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Archivos de programa\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Archivos de programa\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Archivos de programa\Apache Group\Apache2\bin\Apache.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Archivos de programa\Apache Group\Apache2\bin\Apache.exe
C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\System32\ZipToA.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Archivos de programa\internet explorer\iexplore.exe
C:\Documents and Settings\Propietario\Escritorio\programs\hijackthis3\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ATLAS Translation Bar - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} - C:\Archivos de programa\ATLAS V11\ATLIECP.DLL
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARCHIV~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\ARCHIV~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar2.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\ARCHIV~1\FlashGet\fgiebar.dll
O3 - Toolbar: ATLAS Translation Bar - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} - C:\Archivos de programa\ATLAS V11\ATLIECP.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARCHIV~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Archivos de programa\Winamp\winampa.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Archivos de programa\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Archivos de programa\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Archivos de programa\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Archivos de programa\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Archivos de programa\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\PROPIE~1\CONFIG~1\Temp\{D6F61A91-D9EA-4CAE-8E25-C4EC563DD2A1}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x000a"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\ARCHIV~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
O4 - HKCU\..\Run: [OE] "C:\Archivos de programa\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: FinishSetup.lnk = C:\Archivos de programa\Iomega\Common\FinishSetup.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Archivos de programa\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Archivos de programa\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Translate by ATLAS - C:\Archivos de programa\ATLAS V11\Atlscript.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: ATLAS Translation - {B7707A72-4355-11D4-82BD-00000EBBEF8D} - C:\Archivos de programa\ATLAS V11\Atlscript.html
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\ARCHIV~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\ARCHIV~1\FlashGet\flashget.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Archivos de programa\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Proteccion frente a spyware de Trend Micro (PcScnSrv) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe
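As an added triage aid (not part of this thread and not HijackThis code), the script below parses the O4 (Run-key autorun) and O23 (service) line formats used in the log above and flags the entries a helper reads first: autoruns launched out of a user Temp directory, services whose binary HijackThis reports as missing, and services with no publisher recorded. The sample lines are copied from the log above; the regular expressions and the heuristics are my own and assume the HijackThis 1.99 line layout.

```python
"""Triage heuristics for the O4 and O23 lines of a HijackThis 1.99 log.

Added example: this is neither HijackThis code nor anything posted in the
thread. It pulls out Run-key autoruns (O4) and services (O23) and flags the
entries a helper looks at first. Everything it flags is a prompt for manual
review, not a verdict.
"""
import re

# Sample lines copied from the HijackThis log in post #1 (a constructed subset).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WinampAgent] C:\Archivos de programa\Winamp\winampa.exe
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\PROPIE~1\CONFIG~1\Temp\{D6F61A91-D9EA-4CAE-8E25-C4EC563DD2A1}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x000a"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
O23 - Service: Apache2 - Unknown owner - C:\Archivos de programa\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
"""

# O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O23 - Service: <display name> - <owner> - <image path and arguments>
O23_RE = re.compile(r'^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.*)$')
# A "\Temp\" or "\tmp\" path component anywhere in the command line.
TEMP_RE = re.compile(r'\\(temp|tmp)\\', re.IGNORECASE)


def parse_log(text):
    """Return (autoruns, services): lists of dicts built from O4 and O23 lines."""
    autoruns, services = [], []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            autoruns.append(m.groupdict())
            continue
        m = O23_RE.match(line)
        if m:
            services.append(m.groupdict())
    return autoruns, services


def flag_autoruns(autoruns):
    """Names of Run-key entries whose command line points into a Temp folder.

    Legitimate software seldom persists from Temp; installers that left a
    Run entry behind and malware droppers both do.
    """
    return [a['name'] for a in autoruns if TEMP_RE.search(a['cmd'])]


def flag_services(services):
    """(service, reason) pairs for services worth a second look."""
    findings = []
    for s in services:
        if '(file missing)' in s['path']:
            # HijackThis could not find the binary: stale entry or removed file.
            findings.append((s['svc'], 'binary missing'))
        elif s['owner'] == 'Unknown owner':
            # No company name in the file's version info; verify by hand.
            findings.append((s['svc'], 'no publisher recorded'))
    return findings


def triage(text):
    """Run both heuristics over a log and return a single report dict."""
    autoruns, services = parse_log(text)
    return {
        'autoruns_from_temp': flag_autoruns(autoruns),
        'services_to_review': flag_services(services),
    }


if __name__ == '__main__':
    for key, value in triage(SAMPLE_LOG).items():
        print(f'{key}: {value}')
```

On the log above this reports the LanzarL2007 entry (a setup launcher persisting from the profile's Temp folder) and the Apache2 and MySql services. None of that is a verdict: "Unknown owner" only means the binary carries no company name in its version info, and a "(file missing)" service is usually a leftover from an uninstall. The helper in this thread read the same log as clean, which is the right call once those entries are checked by hand.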

#2 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • PipPipPipPipPip
  • 23,520 posts

Posted 09 June 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 aczechgurl

aczechgurl

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 5,577 posts

Posted 17 June 2007 - 01:55 PM

Welcome to the forum :wave:

I apologize for the delay in getting to you; the helpers here are all volunteers and we have been very busy lately.


Do you happen to remember what AVG-AS and Dr Web found?

Your HijackThis log looks pretty clean to me, so what they found may give me an idea where else to look.
Aczechgurl

Please consider Supporting SWI's fight against Malware: http://flyinghamster...om/support-us/

Member of ASAP (Alliance of Security Analysis Professionals): http://asap.maddoktor2.com/

Fight back: Malware Complaints, http://www.malwareco...mplaints.info/

#4 dark998

dark998

    Member

  • Full Member
  • Pip
  • 46 posts

Posted 19 June 2007 - 02:28 AM

Thanks, though I'm not really new to the forums.


About my problem, I couldn't save the report with Dr Web CureIt because the program hung when the scan finished, so I couldn't click any button at all.

With AVG I didn't save a report, but the files it found were added to the quarantine. Would a screenshot of them be useful?

Also, I posted that I had a slowed-down internet speed; that only happened once (the day I posted the log). Since then my speed is OK, but I still have the problem with the random reboots and with services.exe taking 100% CPU usage frequently. Apparently that program is sending data to the web, because when I turn on the firewall of my antivirus, I get spammed with the message "an unknown program is trying to access Internet."

#5 aczechgurl

aczechgurl

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 5,577 posts

Posted 19 June 2007 - 09:42 PM

If you have access to a place where you can upload the screenshot, go ahead and post the link; otherwise just let me know.

#6 dark998

dark998

    Member

  • Full Member
  • Pip
  • 46 posts

Posted 20 June 2007 - 07:53 PM

The files should be the most recent ones (those with the 06/06/2007 date).


http://i3.photobucke...ark998/AVG1.jpg

http://i3.photobucke...ark998/AVG2.jpg

#7 aczechgurl

aczechgurl

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 5,577 posts

Posted 21 June 2007 - 08:57 PM

  • Please download Smitfraudfix.
  • If you have previously downloaded Smitfraudfix, please delete that version and download the new one.
  • Then double-click Smitfraudfix.exe.
  • Select option #1 - Search by typing 1 and pressing "Enter".
  • A text file will appear, which lists infected files (if present, after a few minutes).
  • Please copy/paste the content of that report into your next reply.


#8 dark998

dark998

    Member

  • Full Member
  • Pip
  • 46 posts

Posted 22 June 2007 - 02:13 AM

SmitFraudFix v2.195

Scan done at 2:10:42.00, 22/06/2007
Run from C:\Documents and Settings\Propietario\Escritorio\data\noCD Patch\images\images 30\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\DAEMON Tools\daemon.exe
C:\Archivos de programa\Trend Micro\Internet Security 2007\pccguide.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\ARCHIV~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Archivos de programa\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Archivos de programa\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Archivos de programa\Apache Group\Apache2\bin\Apache.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Archivos de programa\Apache Group\Apache2\bin\Apache.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\System32\ZipToA.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Archivos de programa\internet explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\conime.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Propietario


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Propietario\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\PROPIE~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Archivos de programa


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Conexion de red PRO/100 VE de Intel® - Minipuerto del administrador de paquetes
DNS Server Search Order: 192.168.1.254

HKLM\SYSTEM\CCS\Services\Tcpip\..\{5CAD673F-D2D1-4BDD-A300-582FF32EEC47}: NameServer=ーj
HKLM\SYSTEM\CCS\Services\Tcpip\..\{A7D17042-F493-49B8-9D1B-83031727D974}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\..\{A7D17042-F493-49B8-9D1B-83031727D974}: NameServer=ーj


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#9 aczechgurl

aczechgurl

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 5,577 posts

Posted 22 June 2007 - 07:15 PM

Nothing bad in that log.

I have a question. I see from your HijackThis log that you have Iomega software loaded; do you have media in the drive, or is it empty?

#10 dark998

dark998

    Member

  • Full Member
  • Pip
  • 46 posts

Posted 22 June 2007 - 08:06 PM

Well, I have some Zip disks with data, but none of them was in the drive at the moment I ran HijackThis or the other scans.

Edited by dark998, 22 June 2007 - 08:35 PM.


#11 aczechgurl

aczechgurl

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 5,577 posts

Posted 22 June 2007 - 08:48 PM

If you put one in the drive, does the high CPU utilization with services.exe go away?

#12 dark998

dark998

    Member

  • Full Member
  • Pip
  • 46 posts

Posted 23 June 2007 - 11:17 AM

No, leaving the Zip drive empty doesn't make a difference.


However, I have noticed that randomly the problem seems to disappear (services.exe doesn't use 100% CPU for X amount of time). But it returns after a while, along with the random restarts (those are very random as well; sometimes it doesn't restart in the whole day, other times it happens once or twice through the day).

#13 aczechgurl

aczechgurl

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 5,577 posts

Posted 24 June 2007 - 06:51 PM

Actually I was more interested in what happened when you put media in the drive. I found a similar case where the Iomega driver would send the services.exe utilization through the roof when the drive was empty.

* Download GMER from here:
http://www.gmer.net/gmer.zip

Unzip it and start GMER.exe.
Click the Rootkit tab and click Scan.

Once done, click the Copy button.
This will copy the results to the clipboard.
Paste the results in your next reply.

Do not browse or do other things with the computer while GMER is running.

#14 dark998

dark998

    Member

  • Full Member
  • Pip
  • 46 posts

Posted 24 June 2007 - 08:20 PM

GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-06-24 20:18:15
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.12 ----

SSDT \SystemRoot\System32\DRIVERS\tm_mbd_c.sys ZwClose
SSDT \SystemRoot\System32\DRIVERS\tm_mbd_c.sys ZwConnectPort
SSDT sptd.sys ZwCreateKey
SSDT \SystemRoot\System32\DRIVERS\tm_mbd_c.sys ZwCreateProcess
SSDT \SystemRoot\System32\DRIVERS\tm_mbd_c.sys ZwCreateProcessEx
SSDT \??\C:\WINDOWS\system32\windev-462d-5743.sys ZwEnumerateKey <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\system32\windev-462d-5743.sys ZwEnumerateValueKey <-- ROOTKIT !!!
SSDT sptd.sys ZwOpenKey
SSDT \SystemRoot\System32\DRIVERS\tm_mbd_c.sys ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\windev-462d-5743.sys ZwQueryDirectoryFile <-- ROOTKIT !!!
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT \SystemRoot\System32\DRIVERS\tm_mbd_c.sys ZwRequestWaitReplyPort
SSDT sptd.sys ZwSetValueKey
SSDT \??\C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
SSDT \SystemRoot\System32\DRIVERS\tm_mbd_c.sys ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [ 06 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 170 805025EC 4 Bytes [ E0, AC, FB, F2 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 188 80502604 4 Bytes [ B0, AF, FB, F2 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1B0 8050262C 4 Bytes [ B0, E0, 3F, F8 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1C8 80502644 8 Bytes [ 10, A3, FB, F2, E0, A5, FB, ... ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 228 805026A4 4 Bytes [ 44, B9, 9C, F2 ]
.text ...
? C:\WINDOWS\system32\drivers\sptd.sys El proceso no tiene acceso al archivo porque esta siendo utilizado por otro proceso.
.text USBPORT.SYS!DllUnload F752CF88 5 Bytes JMP 82C8A960
? C:\WINDOWS\System32\Drivers\vaxscsi.sys El proceso no tiene acceso al archivo porque esta siendo utilizado por otro proceso.
? System32\Drivers\aubpj9e0.SYS El sistema no puede hallar el archivo especificado.

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 82FD81D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 82FD81D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 82FD81D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 82FD81D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 82FD81D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 82FD81D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 82FD81D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 82FD81D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 82FD81D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 82FD81D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 82FD81D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 82FD81D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 82FD81D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 82FD81D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 82FD81D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 82FD81D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 82FD81D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 82FD81D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 82FD81D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 82FD81D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 82FD81D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 82FD81D8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_CREATE 82C891D8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_CLOSE 82C891D8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_DEVICE_CONTROL 82C891D8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82C891D8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_POWER 82C891D8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_SYSTEM_CONTROL 82C891D8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_PNP 82C891D8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_CREATE 82C891D8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_CLOSE 82C891D8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_DEVICE_CONTROL 82C891D8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82C891D8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_POWER 82C891D8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_SYSTEM_CONTROL 82C891D8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_PNP 82C891D8
Device \Driver\00000061 \Device\00000055 IRP_MJ_POWER [F840CD74] sptd.sys
Device \Driver\00000061 \Device\00000055 IRP_MJ_SYSTEM_CONTROL [F84262A2] sptd.sys
Device \Driver\00000061 \Device\00000055 IRP_MJ_PNP [F8427228] sptd.sys
Device \Driver\00000061 \Device\00000056 IRP_MJ_POWER [F840CD74] sptd.sys
Device \Driver\00000061 \Device\00000056 IRP_MJ_SYSTEM_CONTROL [F84262A2] sptd.sys
Device \Driver\00000061 \Device\00000056 IRP_MJ_PNP [F8427228] sptd.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_PNP 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_READ 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_WRITE 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_FLUSH_BUFFERS 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DEVICE_CONTROL 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_INTERNAL_DEVICE_CONTROL 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SHUTDOWN 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CLEANUP 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_POWER 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SYSTEM_CONTROL 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_PNP 82F681D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 82D03980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 82D03980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 82D03980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 82D03980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 82D03980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 82D03980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82D03980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 82D03980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 82D03980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 82D03980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 82D03980
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 82D03980
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 82D03980
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 82D03980
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 82D03980
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 82D03980
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 82D03980
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82D03980
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 82D03980
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 82D03980
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 82D03980
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 82D03980
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE 82D03980
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLOSE 82D03980
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_READ 82D03980
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_WRITE 82D03980
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FLUSH_BUFFERS 82D03980
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CONTROL 82D03980
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_INTERNAL_DEVICE_CONTROL 82D03980
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SHUTDOWN 82D03980
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_POWER 82D03980
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SYSTEM_CONTROL 82D03980
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_PNP 82D03980
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_CREATE 82D03980
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_CLOSE 82D03980
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_READ 82D03980
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_WRITE 82D03980
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_FLUSH_BUFFERS 82D03980
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_DEVICE_CONTROL 82D03980
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_INTERNAL_DEVICE_CONTROL 82D03980
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_SHUTDOWN 82D03980
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_POWER 82D03980
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_SYSTEM_CONTROL 82D03980
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_PNP 82D03980
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 82BB2580
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLOSE 82BB2580
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_DEVICE_CONTROL 82BB2580
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_INTERNAL_DEVICE_CONTROL 82BB2580
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLEANUP 82BB2580
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_PNP 82BB2580
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 82BB2580
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLOSE 82BB2580
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_DEVICE_CONTROL 82BB2580
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_INTERNAL_DEVICE_CONTROL 82BB2580
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLEANUP 82BB2580
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_PNP 82BB2580
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_CREATE 82C891D8
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_CLOSE 82C891D8
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_DEVICE_CONTROL 82C891D8
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82C891D8
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_POWER 82C891D8
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_SYSTEM_CONTROL 82C891D8
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_PNP 82C891D8
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_CREATE 82C891D8
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_CLOSE 82C891D8
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_DEVICE_CONTROL 82C891D8
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82C891D8
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_POWER 82C891D8
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_SYSTEM_CONTROL 82C891D8
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_PNP 82C891D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSE 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSE 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 82BB1980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 82BB1980
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 82F681D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_READ 82F681D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_WRITE 82F681D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_FLUSH_BUFFERS 82F681D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_DEVICE_CONTROL 82F681D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_INTERNAL_DEVICE_CONTROL 82F681D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SHUTDOWN 82F681D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CLEANUP 82F681D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_POWER 82F681D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SYSTEM_CONTROL 82F681D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_PNP 82F681D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{A7D17042-F493-49B8-9D1B-83031727D974} IRP_MJ_CREATE 82BB2580
Device \Driver\NetBT \Device\NetBT_Tcpip_{A7D17042-F493-49B8-9D1B-83031727D974} IRP_MJ_CLOSE 82BB2580
Device \Driver\NetBT \Device\NetBT_Tcpip_{A7D17042-F493-49B8-9D1B-83031727D974} IRP_MJ_DEVICE_CONTROL 82BB2580
Device \Driver\NetBT \Device\NetBT_Tcpip_{A7D17042-F493-49B8-9D1B-83031727D974} IRP_MJ_INTERNAL_DEVICE_CONTROL 82BB2580
Device \Driver\NetBT \Device\NetBT_Tcpip_{A7D17042-F493-49B8-9D1B-83031727D974} IRP_MJ_CLEANUP 82BB2580
Device \Driver\NetBT \Device\NetBT_Tcpip_{A7D17042-F493-49B8-9D1B-83031727D974} IRP_MJ_PNP 82BB2580
Device \Driver\tmtdi \Device\tmtdi IRP_MJ_DEVICE_CONTROL [F29CB7A0] windev-462d-5743.sys
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 IRP_MJ_CREATE 82DDF640
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 IRP_MJ_CLOSE 82DDF640
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 IRP_MJ_DEVICE_CONTROL 82DDF640
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82DDF640
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 IRP_MJ_POWER 82DDF640
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 IRP_MJ_SYSTEM_CONTROL 82DDF640
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 IRP_MJ_PNP 82DDF640
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port3Path0Target0Lun0 IRP_MJ_CREATE 82DDF640
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port3Path0Target0Lun0 IRP_MJ_CLOSE 82DDF640
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port3Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 82DDF640
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port3Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82DDF640
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port3Path0Target0Lun0 IRP_MJ_POWER 82DDF640
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port3Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL 82DDF640
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port3Path0Target0Lun0 IRP_MJ_PNP 82DDF640
Device \Driver\aubpj9e0 \Device\Scsi\aubpj9e01Port2Path0Target0Lun0 IRP_MJ_CREATE 82BE6460
Device \Driver\aubpj9e0 \Device\Scsi\aubpj9e01Port2Path0Target0Lun0 IRP_MJ_CLOSE 82BE6460
Device \Driver\aubpj9e0 \Device\Scsi\aubpj9e01Port2Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 82BE6460
Device \Driver\aubpj9e0 \Device\Scsi\aubpj9e01Port2Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82BE6460
Device \Driver\aubpj9e0 \Device\Scsi\aubpj9e01Port2Path0Target0Lun0 IRP_MJ_POWER 82BE6460
Device \Driver\aubpj9e0 \Device\Scsi\aubpj9e01Port2Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL 82BE6460
Device \Driver\aubpj9e0 \Device\Scsi\aubpj9e01Port2Path0Target0Lun0 IRP_MJ_PNP 82BE6460
Device \Driver\aubpj9e0 \Device\Scsi\aubpj9e01 IRP_MJ_CREATE 82BE6460
Device \Driver\aubpj9e0 \Device\Scsi\aubpj9e01 IRP_MJ_CLOSE 82BE6460
Device \Driver\aubpj9e0 \Device\Scsi\aubpj9e01 IRP_MJ_DEVICE_CONTROL 82BE6460
Device \Driver\aubpj9e0 \Device\Scsi\aubpj9e01 IRP_MJ_INTERNAL_DEVICE_CONTROL 82BE6460
Device \Driver\aubpj9e0 \Device\Scsi\aubpj9e01 IRP_MJ_POWER 82BE6460
Device \Driver\aubpj9e0 \Device\Scsi\aubpj9e01 IRP_MJ_SYSTEM_CONTROL 82BE6460
Device \Driver\aubpj9e0 \Device\Scsi\aubpj9e01 IRP_MJ_PNP 82BE6460
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE 8234D980
Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE 8234D980
Device \FileSystem\Fastfat \Fat IRP_MJ_READ 8234D980
Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE 8234D980
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION 8234D980
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION 8234D980
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA 8234D980
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA 8234D980
Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS 8234D980
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION 8234D980
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION 8234D980
Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL 8234D980
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL 8234D980
Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL 8234D980
Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN 8234D980
Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL 8234D980
Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP 8234D980
Device \FileSystem\Fastfat \Fat IRP_MJ_PNP 8234D980
Device \FileSystem\Fastfat \Fat FastIoCheckIfPossible F240B9C6
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 82DBA958
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE 82DBA958
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 82DBA958
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION 82DBA958
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION 82DBA958
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION 82DBA958
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL 82DBA958
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL 82DBA958
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL 82DBA958
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN 82DBA958
Device \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL 82DBA958
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP 82DBA958
Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP 82DBA958

---- Services - GMER 1.0.12 ----

Service C:\WINDOWS\system32\windev-462d-5743.sys (*** hidden *** ) [AUTO] windev-462d-5743 <-- ROOTKIT !!!

---- Registry - GMER 1.0.12 ----

Reg \Registry\MACHINE\SOFTWARE\TrendMicro\PC-cillin\15\ScanInfo@LastScanFile C:\WINDOWS\system32\windev-peers.ini
Reg \Registry\MACHINE\SOFTWARE\TrendMicro\PC-cillin\15\ScanInfo@LastDetectTime 1182735435
Reg \Registry\MACHINE\SOFTWARE\TrendMicro\PC-cillin\15\SpyManualScan@RatioCompleteScan 40
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINDEV-111F-A88
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINDEV-111F-A88@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINDEV-462D-5743
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINDEV-462D-5743@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINDEV-462D-5743\0000@DeviceDesc windev-462d-5743
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINDEV-462D-5743\0000\Control@ActiveService windev-462d-5743
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINDEV-462D-5743\0000@DeviceDesc windev-462d-5743
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINDEV-462D-5743@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINDEV-4834-229B
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINDEV-4834-229B@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINDEV-4FCE-638F
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINDEV-4FCE-638F@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\windev-462d-5743
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\windev-462d-5743@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\windev-462d-5743@Start 2
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\windev-462d-5743@ErrorControl 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\windev-462d-5743@ImagePath \??\C:\WINDOWS\system32\windev-462d-5743.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\windev-462d-5743@DisplayName windev-462d-5743
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\windev-462d-5743@ImagePath \??\C:\WINDOWS\system32\windev-462d-5743.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\windev-462d-5743@DisplayName windev-462d-5743
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\windev-462d-5743@ImagePath \??\C:\WINDOWS\system32\windev-462d-5743.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\windev-462d-5743@DisplayName windev-462d-5743
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\windev-462d-5743@ImagePath \??\C:\WINDOWS\system32\windev-462d-5743.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\windev-462d-5743@DisplayName windev-462d-5743
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_WINDEV-111F-A88
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_WINDEV-111F-A88@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_WINDEV-462D-5743
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_WINDEV-462D-5743@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_WINDEV-462D-5743\0000@DeviceDesc windev-462d-5743
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_WINDEV-462D-5743@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_WINDEV-4834-229B
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_WINDEV-4834-229B@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_WINDEV-4FCE-638F
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_WINDEV-4FCE-638F@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\windev-462d-5743
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\windev-462d-5743@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\windev-462d-5743@Start 2
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\windev-462d-5743@ErrorControl 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\windev-462d-5743@ImagePath \??\C:\WINDOWS\system32\windev-462d-5743.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\windev-462d-5743@DisplayName windev-462d-5743
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\windev-462d-5743@ImagePath \??\C:\WINDOWS\system32\windev-462d-5743.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\windev-462d-5743@DisplayName windev-462d-5743
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\windev-462d-5743@ImagePath \??\C:\WINDOWS\system32\windev-462d-5743.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\windev-462d-5743@DisplayName windev-462d-5743
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-111F-A88
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-111F-A88@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-462D-5743
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-462D-5743@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-462D-5743\0000@DeviceDesc windev-462d-5743
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-462D-5743\0000\Control@ActiveService windev-462d-5743
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-462D-5743\0000@DeviceDesc windev-462d-5743
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-462D-5743@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-4834-229B
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-4834-229B@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-4FCE-638F
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-4FCE-638F@NextInstance 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-462d-5743
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-462d-5743@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-462d-5743@Start 2
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-462d-5743@ErrorControl 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-462d-5743@ImagePath \??\C:\WINDOWS\system32\windev-462d-5743.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-462d-5743@DisplayName windev-462d-5743
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-462d-5743@ImagePath \??\C:\WINDOWS\system32\windev-462d-5743.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-462d-5743@DisplayName windev-462d-5743
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-462d-5743@ImagePath \??\C:\WINDOWS\system32\windev-462d-5743.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-462d-5743@DisplayName windev-462d-5743
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-462d-5743@ImagePath \??\C:\WINDOWS\system32\windev-462d-5743.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-462d-5743@DisplayName windev-462d-5743

---- Files - GMER 1.0.12 ----

File C:\WINDOWS\SYSTEM32\windev-462d-5743.sys <-- ROOTKIT !!!
File C:\WINDOWS\SYSTEM32\windev-peers.ini

---- EOF - GMER 1.0.12 ----

#15 aczechgurl (Forum Deity, Emeritus, 5,577 posts)

Posted 25 June 2007 - 06:45 AM

I will study this log later today and get back with you, but in the meantime, can you translate this for me?
El proceso no tiene acceso al archivo porque esta siendo utilizado por otro proceso.
I have a general idea what it says, but just want to make sure.
Aczechgurl

Please consider Supporting SWI's fight against Malware (http://flyinghamster...om/support-us/).

Member of ASAP (http://asap.maddoktor2.com/) (Alliance of Security Analysis Professionals)

Fight back: Malware Complaints (http://www.malwareco...mplaints.info/)

#16 dark998 (Member, Full Member, 46 posts)

Posted 25 June 2007 - 10:34 AM

It means something like "The process doesn't have access to the file because the file is being used by another process".

#17 aczechgurl (Forum Deity, Emeritus, 5,577 posts)

Posted 25 June 2007 - 09:47 PM

I think we may have found the cause of your problems.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press the F8 key
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt

Please download ComboFix by sUBs:

NOTE: In the event you already have ComboFix, this is a new version that I need you to download.
  • Save it to your desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Save it to a convenient place.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Please reply with the following.
1. Sdfix log
2. Combofix log
3. A fresh HijackThis log

#18 dark998 (Member, Full Member, 46 posts)

Posted 26 June 2007 - 01:06 AM

SDFix: Version 1.88

Run by Propietario on 26/06/2007 at 12:06 a.m.

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
msgegh
ntio256
ntldr.sys
wincom32
windev-462d-5743

ImagePath:
\??\C:\WINDOWS\System32\drivers\msgegh.sys
\??\C:\WINDOWS\system32\ntio256.sys
\??\C:\ntldr.sys
\??\C:\WINDOWS\System32\wincom32.sys
\??\C:\WINDOWS\system32\windev-462d-5743.sys

msgegh - Deleted
ntio256 - Deleted
ntldr.sys - Deleted
wincom32 - Deleted
windev-462d-5743 - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\system32\windev-462d-5743.sys - Deleted
C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\system32\RunOnce.t__ - Deleted
C:\WINDOWS\system32\RunOnce.tm_ - Deleted
C:\WINDOWS\system32\svcp.csv - Deleted
C:\WINDOWS\system32\TFTP1368 - Deleted
C:\WINDOWS\system32\TFTP3936 - Deleted
C:\WINDOWS\system32\windev-peers.ini - Deleted



Removing Temp Files...

ADS Check:

Checking C:\WINDOWS
C:\WINDOWS
No streams found.

Checking C:\WINDOWS\system32
C:\WINDOWS\system32
No streams found.

Checking C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Checking C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\System32\\vxgame3.exe"="C:\\WINDOWS\\System32\\vxgame3.exe:*:ENABLED:0"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Listing Files with Hidden Attributes:

C:\Archivos de programa\FlashGet\Skin\HV\[HentaiPanic.com] Cloth X Close[HCG][CATEAR]\Cloth。チClose(・ッ・愰`・ケ。チ・ッ・愰`・ケ)。ォ・ワ・ッ、ャ、ッ、」。ォ、。」ソ。ォ\Thumbs.db
C:\Archivos de programa\FlashGet\Skin\HV\[JimBond007@HongFire.com] KateiKyoushi no Onee-san\[JimBond007@HongFire.com] KateiKyoushi no Onee-san\Thumbs.db
C:\Archivos de programa\FlashGet\Skin\HV\[JimBond007@HongFire.com] Kimi ga Nozomu Eien\[JimBond007@HongFire.com] Kimi ga Nozomu Eien SFD\[JimBond007@HongFire.com] Kimi ga Nozomu Eien SFD\Thumbs.db
C:\Archivos de programa\FlashGet\Skin\HV\[JimBond007@HongFire.com]Fate Hollow Ataraxia HCG\[JimBond007@HongFire.com]Fate Hollow Ataraxia HCG\Thumbs.db
C:\Archivos de programa\FlashGet\Skin\HV\[JimBond007@HongFire.com]Fate Hollow Ataraxia HCG\[JimBond007@HongFire.com]Fate Hollow Ataraxia HCG\Another\Thumbs.db
C:\Archivos de programa\FlashGet\Skin\HV\[JimBond007@HongFire.com]Fate Hollow Ataraxia HCG\[JimBond007@HongFire.com]Fate Hollow Ataraxia HCG\Hollow Ataraxia\Thumbs.db
C:\Archivos de programa\FlashGet\Skin\HV\[JimBond007@HongFire.com]Fate Hollow Ataraxia HCG\[JimBond007@HongFire.com]Fate Hollow Ataraxia HCG\Wallpaper\Thumbs.db
C:\Archivos de programa\Enterbrain\RPGXP\System\Graphics.exe
C:\Documents and Settings\Propietario\Mis documentos\RPGXP\Proyecto 3\Graphics.exe
C:\Documents and Settings\Propietario\Escritorio\Propiedad de\Aldo\Tareas Prepa\4o Semestre\~WRL0001.tmp
C:\Documents and Settings\Propietario\Escritorio\Propiedad de\Aldo\Tareas Prepa\4o Semestre\~WRL0003.tmp

Listing User Accounts:


Administrador Asistente de ayuda Invitado
Propietario SUPPORT_388945a0 SUPPORT_fddfa904
Se ha completado el comando correctamente.


Finished



"Propietario" - 2007-06-26 0:45:38 - ComboFix 07-06-25.3 - Service Pack 1 NTFS


((((((((((((((((((((((((( Files Created from 2007-05-26 to 2007-06-26 )))))))))))))))))))))))))))))))


2007-06-26 00:44 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-22 02:10 4,422 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-06-11 23:05 <DIR> d-------- C:\Archivos de programa\CDCheck
2007-06-11 17:42 <DIR> d-------- C:\Archivos de programa\GetData
2007-06-11 11:58 8 --a------ C:\AseliaCfg.dat
2007-05-31 00:40 281,600 --a------ C:\WINDOWS\SYSTEM32\drivers\TM_CFW.sys
2007-05-31 00:40 101,888 --a------ C:\WINDOWS\SYSTEM32\drivers\tm_mbd_c.sys
2007-05-31 00:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATOSD~1\Trend Micro
2007-05-27 12:06 <DIR> d-------- C:\Archivos de programa\BIGBANG BEAT 1st Impression


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-26 05:30:27 1,632 ----a-w C:\WINDOWS\system32\d3d8caps.dat
2007-06-25 08:44:44 -------- d---a-w C:\Archivos de programa\FlashGet
2007-06-25 05:20:10 -------- d-----w C:\Archivos de programa\Screenshot Pilot
2007-06-22 16:24:21 -------- d-----w C:\Archivos de programa\AlphaZIP
2007-06-21 23:52:12 -------- d-----w C:\Archivos de programa\Zoom Player
2007-06-18 22:59:54 -------- d-----w C:\Archivos de programa\NetBattle
2007-06-15 08:46:51 -------- d--h--w C:\Archivos de programa\InstallShield Installation Information
2007-06-07 00:19:30 -------- d-----w C:\Archivos de programa\Ace Utilities
2007-06-07 00:19:17 -------- d-----w C:\Archivos de programa\1st Audio Splitter Extractor
2007-06-06 09:07:59 -------- d-----w C:\Archivos de programa\OGPlanet
2007-06-05 03:16:46 -------- d-----w C:\DOCUME~1\PROPIE~1\DATOSD~1\MegauploadToolbar
2007-06-01 02:55:34 1,744 ----a-w C:\WINDOWS\system32\d3d9caps.dat
2007-05-31 07:21:18 -------- d-----w C:\Archivos de programa\Trend Micro
2007-05-30 12:10:42 10,872 ----a-w C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-28 17:50:39 -------- d-----w C:\DOCUME~1\PROPIE~1\DATOSD~1\uTorrent
2007-05-28 17:46:33 -------- d-----w C:\Archivos de programa\Winamp
2007-05-28 17:36:28 -------- d-----w C:\Archivos de programa\foobar2000
2007-05-25 03:55:47 -------- d-----w C:\Archivos de programa\Prodigy Infinitum
2007-05-23 18:45:03 -------- d-----w C:\Archivos de programa\th10tr
2007-05-22 02:06:39 -------- d-----w C:\Archivos de programa\Asistente Prodigy
2007-05-16 19:09:19 -------- d-----w C:\Archivos de programa\Werk
2007-05-12 18:01:46 -------- d-----w C:\Archivos de programa\まわるめいどさんをねみぎ体験版2
2007-05-06 16:21:56 51,770 ----a-w C:\WINDOWS\system32\perfc00A.dat
2007-05-06 16:21:56 363,318 ----a-w C:\WINDOWS\system32\perfh00A.dat
2007-05-04 06:04:19 -------- d-----w C:\Archivos de programa\Badongo
2007-05-02 19:47:48 2,368 ----a-w C:\WINDOWS\system32\STEC3.sys
2007-04-28 08:56:10 -------- d-----w C:\Archivos de programa\eMule
2007-04-08 03:10:00 58,904 ----a-w C:\WINDOWS\system32\azipcontmn.dll
2007-04-05 00:55:00 261,480 ----a-w C:\WINDOWS\system32\xactengine2_7.dll
2007-04-05 00:53:42 81,768 ----a-w C:\WINDOWS\system32\xinput1_3.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 01:56]
{3C6301ED-0F78-4AF2-8150-D9C052361A8E}=C:\Archivos de programa\ATLAS V11\ATLIECP.DLL [2004-05-26 15:54]
{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}=C:\ARCHIV~1\MEGAUP~1\MEGAUP~1.DLL [2006-10-31 00:55]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll [2006-10-12 03:25]
{A5366673-E8CA-11D3-9CD9-0090271D075B}=C:\ARCHIV~1\FlashGet\jccatch.dll [2002-01-16 19:12]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\archivos de programa\google\googletoolbar2.dll [2007-01-19 23:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="C:\Archivos de programa\Winamp\winampa.exe" []
"S3TRAY2"="S3tray2.exe" [2001-10-03 22:06 C:\WINDOWS\SYSTEM32\S3tray2.exe]
"Microsoft Works Update Detection"="C:\Archivos de programa\Microsoft Works\WkDetect.exe" []
"Microsoft Works Portfolio"="C:\Archivos de programa\Microsoft Works\WksSb.exe" [2006-11-10 16:53]
"Iomega Startup Options"="C:\Archivos de programa\Iomega\Common\ImgStart.exe" []
"Iomega Drive Icons"="C:\Archivos de programa\Iomega\DriveIcons\ImgIcon.exe" []
"DAEMON Tools"="C:\Archivos de programa\DAEMON Tools\daemon.exe" [2006-11-12 04:48]
"NvCplDaemon"="NvQTwk" []
"pccguide.exe"="C:\Archivos de programa\Trend Micro\Internet Security 2007\pccguide.exe" [2006-09-29 21:52]
"LanzarL2007"="C:\DOCUME~1\PROPIE~1\CONFIG~1\Temp\{D6F61A91-D9EA-4CAE-8E25-C4EC563DD2A1}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" []
"!AVG Anti-Spyware"="C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-14 11:19]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Archivos de programa\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe" []
"PopUpStopperFreeEdition"="C:\ARCHIV~1\PANICW~1\POP-UP~1\PSFree.exe" [2003-04-29 10:40]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" []
"OE"="C:\Archivos de programa\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe" [2006-09-26 22:52]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="C:\Archivos de programa\ewido anti-malware\shellhook.dll" [2004-09-30 06:21]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 06:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


Contents of the 'Scheduled Tasks' folder
2005-10-31 04:00:01 C:\WINDOWS\tasks\Aviso de suscripcion a un ISP 1.job
2005-11-02 05:00:00 C:\WINDOWS\tasks\Aviso de suscripcion a un ISP 2.job
2005-11-05 05:45:00 C:\WINDOWS\tasks\Aviso de suscripcion a un ISP 3.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-26 00:58:19
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-26 1:00:17
C:\ComboFix2.txt ... 2007-01-30 14:51

--- E O F ---




Logfile of HijackThis v1.99.1
Scan saved at 01:02:50 a.m., on 26/06/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Apache Group\Apache2\bin\Apache.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\mysql\bin\mysqld-nt.exe
C:\Archivos de programa\Apache Group\Apache2\bin\Apache.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\System32\ZipToA.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\ARCHIV~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Archivos de programa\DAEMON Tools\daemon.exe
C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\ARCHIV~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Archivos de programa\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Archivos de programa\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\WINDOWS\System32\conime.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Propietario\Escritorio\programs\hijackthis3\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ATLAS Translation Bar - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} - C:\Archivos de programa\ATLAS V11\ATLIECP.DLL
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARCHIV~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\ARCHIV~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar2.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\ARCHIV~1\FlashGet\fgiebar.dll
O3 - Toolbar: ATLAS Translation Bar - {3C6301ED-0F78-4AF2-8150-D9C052361A8E} - C:\Archivos de programa\ATLAS V11\ATLIECP.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARCHIV~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Archivos de programa\Winamp\winampa.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Archivos de programa\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Archivos de programa\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Archivos de programa\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Archivos de programa\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Archivos de programa\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\PROPIE~1\CONFIG~1\Temp\{D6F61A91-D9EA-4CAE-8E25-C4EC563DD2A1}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x000a"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\ARCHIV~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
O4 - HKCU\..\Run: [OE] "C:\Archivos de programa\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: FinishSetup.lnk = C:\Archivos de programa\Iomega\Common\FinishSetup.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Archivos de programa\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Archivos de programa\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Translate by ATLAS - C:\Archivos de programa\ATLAS V11\Atlscript.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: ATLAS Translation - {B7707A72-4355-11D4-82BD-00000EBBEF8D} - C:\Archivos de programa\ATLAS V11\Atlscript.html
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\ARCHIV~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\ARCHIV~1\FlashGet\flashget.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Archivos de programa\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Proteccion frente a spyware de Trend Micro (PcScnSrv) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Archivos de programa\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\ARCHIV~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe

#19 aczechgurl

aczechgurl

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 5,577 posts

Posted 26 June 2007 - 10:15 PM

  • Open notepad and copy and paste all the text inside the following code box into it:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\System32\\vxgame3.exe"=-

  • Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files".
  • Then please go to the desktop and double-click on fix.reg, click Yes to merge it with the registry.
  • Delete the following files if present:

C:\AseliaCfg.dat
C:\WINDOWS\system32\d3d8caps.dat
C:\WINDOWS\system32\d3d9caps.dat

Please reboot and post a new gmer log.
Aczechgurl

Please consider Supporting SWI (http://flyinghamster...om/support-us/)'s fight against Malware.

Member of ASAP (http://asap.maddoktor2.com/) (Alliance of Security Analysis Professionals)

Fight back: Malware Complaints (http://www.malwareco...mplaints.info/)
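As an added example (not part of aczechgurl's instructions or any tool from the thread), a PowerShell audit of the firewall exception lists that fix.reg edits: it walks every AuthorizedApplications\List value, checks whether the named file still exists and whether it carries a valid Authenticode signature, and flags the pattern seen with vxgame3.exe (an unsigned executable in System32 with a firewall exception). The flag heuristics are my own; it assumes PowerShell 2.0 or later and the XP/2003 firewall key layout shown in the .reg file.

```powershell
# Added example, not from the thread: audit Windows Firewall (XP/2003) application
# exceptions. Under each profile's AuthorizedApplications\List key the value NAME is
# the program path and the DATA is "path:scope:Enabled|Disabled:label". Malware often
# adds itself here so its traffic is never prompted for; fix.reg above removes one
# such value. Run from an elevated PowerShell on the affected machine.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$system32 = Join-Path $env:SystemRoot 'System32'

foreach ($profile in 'DomainProfile', 'StandardProfile') {
    $key = Join-Path $base "$profile\AuthorizedApplications\List"
    if (-not (Test-Path $key)) { continue }

    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... note properties PowerShell adds.
        if ($prop.Name -like 'PS*') { continue }

        $path = [Environment]::ExpandEnvironmentVariables($prop.Name)

        # Parse the data field from the right so the drive-letter colon in the path
        # does not confuse the split.
        $state = '?'
        if ([string]$prop.Value -match '^(?<p>.+?):(?<scope>[^:]*):(?<state>Enabled|Disabled):(?<label>.*)$') {
            $state = $Matches['state']
        }

        $exists = Test-Path -LiteralPath $path
        $sigStatus = 'n/a'
        if ($exists) {
            $sigStatus = (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
        }

        # Heuristic flags (my thresholds, not the forum's): an exception for a file that
        # no longer exists is a leftover worth removing; an unsigned binary under
        # System32 with its own firewall hole is the vxgame3.exe pattern from this thread.
        $flags = @()
        if (-not $exists) {
            $flags += 'file missing'
        } elseif ($sigStatus -ne 'Valid') {
            $flags += "signature $sigStatus"
            if ($path -like "$system32\*") { $flags += 'unsigned binary in System32' }
        }

        New-Object PSObject -Property @{
            Profile   = $profile
            Path      = $path
            State     = $state
            Exists    = $exists
            Signature = $sigStatus
            Flags     = ($flags -join '; ')
        }
    }
}
```

Review any row whose Flags column is non-empty before removing it; legitimate unsigned tools (the Apache and MySQL binaries in this machine's logs, for instance) will also be listed, so the output is a worklist, not a verdict.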

#20 dark998

dark998

    Member

  • Full Member
  • Pip
  • 46 posts

Posted 27 June 2007 - 12:58 AM

GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-06-27 00:54:55
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.12 ----

SSDT \SystemRoot\System32\DRIVERS\tm_mbd_c.sys ZwClose
SSDT \SystemRoot\System32\DRIVERS\tm_mbd_c.sys ZwConnectPort
SSDT sptd.sys ZwCreateKey
SSDT \SystemRoot\System32\DRIVERS\tm_mbd_c.sys ZwCreateProcess
SSDT \SystemRoot\System32\DRIVERS\tm_mbd_c.sys ZwCreateProcessEx
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT sptd.sys ZwOpenKey
SSDT \SystemRoot\System32\DRIVERS\tm_mbd_c.sys ZwOpenProcess
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT \SystemRoot\System32\DRIVERS\tm_mbd_c.sys ZwRequestWaitReplyPort
SSDT sptd.sys ZwSetValueKey
SSDT \??\C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
SSDT \SystemRoot\System32\DRIVERS\tm_mbd_c.sys ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [ 06 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 170 805025EC 4 Bytes [ E0, DC, 05, F3 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 188 80502604 4 Bytes [ B0, DF, 05, F3 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1B0 8050262C 4 Bytes [ B0, E0, 3F, F8 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1C8 80502644 8 Bytes [ 10, D3, 05, F3, E0, D5, 05, ... ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 228 805026A4 4 Bytes [ 4C, 38, 40, F8 ]
.text ...
? C:\WINDOWS\system32\drivers\sptd.sys El proceso no tiene acceso al archivo porque esta siendo utilizado por otro proceso.
.text USBPORT.SYS!DllUnload F7583F88 5 Bytes JMP 82DD56D8
? C:\WINDOWS\System32\Drivers\vaxscsi.sys El proceso no tiene acceso al archivo porque esta siendo utilizado por otro proceso.
? System32\Drivers\a69b7l1q.SYS El sistema no puede hallar el archivo especificado.

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 82F661D8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_CREATE 82C9D980
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_CLOSE 82C9D980
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_DEVICE_CONTROL 82C9D980
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82C9D980
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_POWER 82C9D980
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_SYSTEM_CONTROL 82C9D980
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_PNP 82C9D980
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_CREATE 82C9D980
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_CLOSE 82C9D980
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_DEVICE_CONTROL 82C9D980
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82C9D980
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_POWER 82C9D980
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_SYSTEM_CONTROL 82C9D980
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_PNP 82C9D980
Device \Driver\00000061 \Device\00000053 IRP_MJ_POWER [F840CD74] sptd.sys
Device \Driver\00000061 \Device\00000053 IRP_MJ_SYSTEM_CONTROL [F84262A2] sptd.sys
Device \Driver\00000061 \Device\00000053 IRP_MJ_PNP [F8427228] sptd.sys
Device \Driver\00000061 \Device\00000054 IRP_MJ_POWER [F840CD74] sptd.sys
Device \Driver\00000061 \Device\00000054 IRP_MJ_SYSTEM_CONTROL [F84262A2] sptd.sys
Device \Driver\00000061 \Device\00000054 IRP_MJ_PNP [F8427228] sptd.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 82FDB1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 82FDB1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE 82FDB1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS 82FDB1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL 82FDB1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82FDB1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN 82FDB1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP 82FDB1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER 82FDB1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL 82FDB1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_PNP 82FDB1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE 82FDB1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_READ 82FDB1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_WRITE 82FDB1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_FLUSH_BUFFERS 82FDB1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DEVICE_CONTROL 82FDB1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_INTERNAL_DEVICE_CONTROL 82FDB1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SHUTDOWN 82FDB1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CLEANUP 82FDB1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_POWER 82FDB1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SYSTEM_CONTROL 82FDB1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_PNP 82FDB1D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 82DE7980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 82DE7980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 82DE7980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 82DE7980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 82DE7980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 82DE7980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82DE7980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 82DE7980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 82DE7980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 82DE7980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 82DE7980
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 82DE7980
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 82DE7980
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 82DE7980
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 82DE7980
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 82DE7980
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 82DE7980
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82DE7980
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 82DE7980
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 82DE7980
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 82DE7980
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 82DE7980
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE 82DE7980
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLOSE 82DE7980
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_READ 82DE7980
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_WRITE 82DE7980
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FLUSH_BUFFERS 82DE7980
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CONTROL 82DE7980
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_INTERNAL_DEVICE_CONTROL 82DE7980
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SHUTDOWN 82DE7980
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_POWER 82DE7980
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SYSTEM_CONTROL 82DE7980
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_PNP 82DE7980
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_CREATE 82DE7980
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_CLOSE 82DE7980
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_READ 82DE7980
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_WRITE 82DE7980
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_FLUSH_BUFFERS 82DE7980
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_DEVICE_CONTROL 82DE7980
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_INTERNAL_DEVICE_CONTROL 82DE7980
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_SHUTDOWN 82DE7980
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_POWER 82DE7980
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_SYSTEM_CONTROL 82DE7980
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_PNP 82DE7980
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 82C1C980
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLOSE 82C1C980
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_DEVICE_CONTROL 82C1C980
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_INTERNAL_DEVICE_CONTROL 82C1C980
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLEANUP 82C1C980
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_PNP 82C1C980
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 82C1C980
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLOSE 82C1C980
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_DEVICE_CONTROL 82C1C980
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_INTERNAL_DEVICE_CONTROL 82C1C980
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLEANUP 82C1C980
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_PNP 82C1C980
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_CREATE 82C9D980
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_CLOSE 82C9D980
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_DEVICE_CONTROL 82C9D980
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82C9D980
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_POWER 82C9D980
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_SYSTEM_CONTROL 82C9D980
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_PNP 82C9D980
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_CREATE 82C9D980
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_CLOSE 82C9D980
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_DEVICE_CONTROL 82C9D980
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82C9D980
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_POWER 82C9D980
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_SYSTEM_CONTROL 82C9D980
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_PNP 82C9D980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSE 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSE 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 82C3F1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 82C3F1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 82FDB1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_READ 82FDB1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_WRITE 82FDB1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_FLUSH_BUFFERS 82FDB1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_DEVICE_CONTROL 82FDB1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_INTERNAL_DEVICE_CONTROL 82FDB1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SHUTDOWN 82FDB1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CLEANUP 82FDB1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_POWER 82FDB1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SYSTEM_CONTROL 82FDB1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_PNP 82FDB1D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{A7D17042-F493-49B8-9D1B-83031727D974} IRP_MJ_CREATE 82C1C980
Device \Driver\NetBT \Device\NetBT_Tcpip_{A7D17042-F493-49B8-9D1B-83031727D974} IRP_MJ_CLOSE 82C1C980
Device \Driver\NetBT \Device\NetBT_Tcpip_{A7D17042-F493-49B8-9D1B-83031727D974} IRP_MJ_DEVICE_CONTROL 82C1C980
Device \Driver\NetBT \Device\NetBT_Tcpip_{A7D17042-F493-49B8-9D1B-83031727D974} IRP_MJ_INTERNAL_DEVICE_CONTROL 82C1C980
Device \Driver\NetBT \Device\NetBT_Tcpip_{A7D17042-F493-49B8-9D1B-83031727D974} IRP_MJ_CLEANUP 82C1C980
Device \Driver\NetBT \Device\NetBT_Tcpip_{A7D17042-F493-49B8-9D1B-83031727D974} IRP_MJ_PNP 82C1C980
Device \Driver\a69b7l1q \Device\Scsi\a69b7l1q1Port2Path0Target0Lun0 IRP_MJ_CREATE 82C701D8
Device \Driver\a69b7l1q \Device\Scsi\a69b7l1q1Port2Path0Target0Lun0 IRP_MJ_CLOSE 82C701D8
Device \Driver\a69b7l1q \Device\Scsi\a69b7l1q1Port2Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 82C701D8
Device \Driver\a69b7l1q \Device\Scsi\a69b7l1q1Port2Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82C701D8
Device \Driver\a69b7l1q \Device\Scsi\a69b7l1q1Port2Path0Target0Lun0 IRP_MJ_POWER 82C701D8
Device \Driver\a69b7l1q \Device\Scsi\a69b7l1q1Port2Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL 82C701D8
Device \Driver\a69b7l1q \Device\Scsi\a69b7l1q1Port2Path0Target0Lun0 IRP_MJ_PNP 82C701D8
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 IRP_MJ_CREATE 82C4A1D8
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 IRP_MJ_CLOSE 82C4A1D8
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 IRP_MJ_DEVICE_CONTROL 82C4A1D8
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82C4A1D8
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 IRP_MJ_POWER 82C4A1D8
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 IRP_MJ_SYSTEM_CONTROL 82C4A1D8
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 IRP_MJ_PNP 82C4A1D8
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port3Path0Target0Lun0 IRP_MJ_CREATE 82C4A1D8
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port3Path0Target0Lun0 IRP_MJ_CLOSE 82C4A1D8
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port3Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 82C4A1D8
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port3Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82C4A1D8
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port3Path0Target0Lun0 IRP_MJ_POWER 82C4A1D8
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port3Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL 82C4A1D8
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port3Path0Target0Lun0 IRP_MJ_PNP 82C4A1D8
Device \Driver\a69b7l1q \Device\Scsi\a69b7l1q1 IRP_MJ_CREATE 82C701D8
Device \Driver\a69b7l1q \Device\Scsi\a69b7l1q1 IRP_MJ_CLOSE 82C701D8
Device \Driver\a69b7l1q \Device\Scsi\a69b7l1q1 IRP_MJ_DEVICE_CONTROL 82C701D8
Device \Driver\a69b7l1q \Device\Scsi\a69b7l1q1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82C701D8
Device \Driver\a69b7l1q \Device\Scsi\a69b7l1q1 IRP_MJ_POWER 82C701D8
Device \Driver\a69b7l1q \Device\Scsi\a69b7l1q1 IRP_MJ_SYSTEM_CONTROL 82C701D8
Device \Driver\a69b7l1q \Device\Scsi\a69b7l1q1 IRP_MJ_PNP 82C701D8
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE 82311980
Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE 82311980
Device \FileSystem\Fastfat \Fat IRP_MJ_READ 82311980
Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE 82311980
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION 82311980
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION 82311980
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA 82311980
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA 82311980
Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS 82311980
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION 82311980
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION 82311980
Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL 82311980
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL 82311980
Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL 82311980
Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN 82311980
Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL 82311980
Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP 82311980
Device \FileSystem\Fastfat \Fat IRP_MJ_PNP 82311980
Device \FileSystem\Fastfat \Fat FastIoCheckIfPossible F250F9C6
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 82BBF980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE 82BBF980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 82BBF980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION 82BBF980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION 82BBF980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION 82BBF980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL 82BBF980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL 82BBF980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL 82BBF980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN 82BBF980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL 82BBF980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP 82BBF980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP 82BBF980

---- EOF - GMER 1.0.12 ----

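The "Device" section of the GMER log above lists, per driver object and device object, each IRP major-function (and fast-I/O) entry GMER reports together with the address it resolves to. Reading several hundred such lines by hand is error-prone, so the following script is an added example (not part of this thread and not GMER's own code) that parses lines in that format, groups the handler addresses per device, keeps fast-I/O entries apart from IRP dispatch entries because they live in a different table, and flags driver names that look machine-generated. The sample input is constructed: most lines are copied from the log above, and the `\Driver\Example` device is invented to show a dispatch table whose entries resolve to more than one address. The name heuristic is this example's own assumption, not a GMER rule: a generated-looking name is a lead to check against the file backing the driver, not a verdict, since some legitimate disc-emulation drivers also use randomised names.

```python
"""Triage helper for the 'Device' section of a GMER log (added example)."""
import re
from collections import defaultdict

# One line of the GMER 'Device' section has the form
#   Device <driver object> <device object> <IRP_MJ_* or FastIo* entry> <handler address>
DEVICE_RE = re.compile(
    r"^Device\s+(?P<driver>\\\S+)\s+(?P<device>\\\S+)\s+"
    r"(?P<entry>\S+)\s+(?P<addr>[0-9A-Fa-f]{8})\s*$"
)

# Constructed sample: lines copied from the log above plus an invented
# '\Driver\Example' device whose entries resolve to two different addresses.
SAMPLE_LOG = """\
Device \\Driver\\Ftdisk \\Device\\FtControl IRP_MJ_READ 82FDB1D8
Device \\Driver\\Ftdisk \\Device\\FtControl IRP_MJ_WRITE 82FDB1D8
Device \\Driver\\Ftdisk \\Device\\FtControl IRP_MJ_DEVICE_CONTROL 82FDB1D8
Device \\Driver\\NetBT \\Device\\NetBT_Tcpip_{A7D17042-F493-49B8-9D1B-83031727D974} IRP_MJ_CREATE 82C1C980
Device \\Driver\\NetBT \\Device\\NetBT_Tcpip_{A7D17042-F493-49B8-9D1B-83031727D974} IRP_MJ_CLOSE 82C1C980
Device \\Driver\\a69b7l1q \\Device\\Scsi\\a69b7l1q1Port2Path0Target0Lun0 IRP_MJ_CREATE 82C701D8
Device \\Driver\\a69b7l1q \\Device\\Scsi\\a69b7l1q1Port2Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 82C701D8
Device \\FileSystem\\Fastfat \\Fat IRP_MJ_CREATE 82311980
Device \\FileSystem\\Fastfat \\Fat IRP_MJ_READ 82311980
Device \\FileSystem\\Fastfat \\Fat FastIoCheckIfPossible F250F9C6
Device \\Driver\\Example \\Device\\ExampleDev IRP_MJ_CREATE 82AAAA00
Device \\Driver\\Example \\Device\\ExampleDev IRP_MJ_WRITE F2000100

---- EOF - GMER 1.0.12 ----
"""


def parse_device_lines(text):
    """Return one dict per well-formed 'Device' line; any other line is ignored."""
    entries = []
    for line in text.splitlines():
        m = DEVICE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def summarize(entries):
    """Group handler addresses per (driver, device), keeping IRP_MJ_* dispatch
    entries separate from fast-I/O entries, which belong to a different table."""
    summary = defaultdict(lambda: {"irp": set(), "fastio": set()})
    for e in entries:
        kind = "irp" if e["entry"].startswith("IRP_MJ_") else "fastio"
        summary[(e["driver"], e["device"])][kind].add(e["addr"].upper())
    return dict(summary)


VOWELS = set("aeiou")


def looks_generated(driver):
    """Heuristic (this example's assumption, not a GMER rule): a driver name that
    mixes letters and digits and contains at most one vowel is worth a closer look."""
    name = driver.rsplit("\\", 1)[-1].lower()
    has_digit = any(c.isdigit() for c in name)
    has_alpha = any(c.isalpha() for c in name)
    vowels = sum(c in VOWELS for c in name)
    return len(name) >= 6 and has_digit and has_alpha and vowels <= 1


def triage(text):
    """Split devices into those whose whole IRP table resolves to one address
    and those with mixed addresses, and list generated-looking driver names."""
    summary = summarize(parse_device_lines(text))
    single, mixed = [], []
    for (driver, device), tables in sorted(summary.items()):
        if len(tables["irp"]) == 1:
            single.append((driver, device, next(iter(tables["irp"]))))
        elif len(tables["irp"]) > 1:
            mixed.append((driver, device, sorted(tables["irp"])))
    generated = sorted({d for d, _ in summary if looks_generated(d)})
    return {"single_address": single, "mixed_address": mixed, "generated_names": generated}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for driver, device, addr in report["single_address"]:
        print(f"single address {addr}: {driver} {device}")
    for driver, device, addrs in report["mixed_address"]:
        print(f"MIXED {addrs}: {driver} {device}")
    for driver in report["generated_names"]:
        print(f"check name: {driver}")
```

Run it against a saved GMER log by replacing `SAMPLE_LOG` with the file contents; a device whose entries all share one address is the pattern seen throughout the log above, while a table that resolves to more than one address deserves a look at which file each address belongs to.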
#21 aczechgurl

aczechgurl

    Forum Deity

  • Emeritus
  • 5,577 posts

Posted 27 June 2007 - 05:56 PM

That looks better.

How is your computer running now?
Aczechgurl

Please consider Supporting SWI's fight against Malware (http://flyinghamster...om/support-us/).

Member of ASAP (Alliance of Security Analysis Professionals) (http://asap.maddoktor2.com/)

Fight back: Malware Complaints (http://www.malwareco...mplaints.info/)

#22 dark998

dark998

    Member

  • Full Member
  • 46 posts

Posted 27 June 2007 - 10:48 PM

It has been running fine since the second-to-last scan (before merging the fix.reg and deleting those files). No more random restarts, and services.exe is back to normal as well. Wow, you guys are true lifesavers, thanks for all the help.

#23 aczechgurl

aczechgurl

    Forum Deity

  • Emeritus
  • 5,577 posts

Posted 28 June 2007 - 10:37 PM

You're Welcome :D

You should delete SmitfraudFix, ComboFix, SDFix and GMER now, as well as the folders they created in C:\.

Go to Start->All Programs->Accessories->System Tools->System Restore; when System Restore opens, click Create A Restore Point, then Next, name it and press Create.
Then go back to Start->All Programs->Accessories->System Tools->Disk Cleanup; when Disk Cleanup opens, go to the More Options tab, then press Clean Up in the System Restore area, which removes all the restore points except the latest one, which was just created.

Below I have included a couple of recommendations for how to protect your computer in order to prevent future malware infections.

  • Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows.
      I suggest you visit this site often, or you can turn on automatic updates. This is very critical for you: since you only have SP1 you are much more vulnerable. Please keep going back until all critical updates are done. If you have problems with the update, let me know.
  • Please make sure to run your antivirus software regularly, and to keep it up to date. If your subscription is expired, let me know and I can recommend some alternatives.
  • You are running an older version of Java that could be a security risk.
      Go to Start->Control Panel->Add/Remove Programs and uninstall all versions of Java.
      Then download and install the new version from http://www.java.com
  • Finally, if you do not already have one, consider maintaining a firewall.
  • Please also read Tony Klein's excellent article: How I got Infected in the First Place

#24 aczechgurl

aczechgurl

    Forum Deity

  • Emeritus
  • 5,577 posts

Posted 01 July 2007 - 12:41 PM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
