
Thread: My PC shows signs of being a "zombie"

  1. #1
    Junior Member
    Join Date
    Apr 2007
    Posts
    14

    My PC shows signs of being a "zombie"

    About five minutes after startup, my Avast! email scanner starts picking up hundreds of outgoing emails from many, and to many, addresses. Additionally, Avast periodically mentions that it's found a number of infected files. I believe I've followed the sticky protocol correctly until this point, so here is my HJT log. Help will be deeply appreciated:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:46:13 PM, on 4/14/2007
    Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\windows\system32\drivers\uzcx.exe
    C:\WINDOWS\system32\v7.exe
    C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Documents and Settings\Eric\ie_updater.exe
    C:\Program Files\Alwil Software\Avast4\setup\avast.setup
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\update83647438.exe
    C:\Documents and Settings\Eric\Desktop\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [EPSON Stylus Photo 960] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P22 "EPSON Stylus Photo 960" /O5 "LPT1:" /M "Stylus Photo 960"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [iut75] c:\windows\system32\drivers\uzcx.exe
    O4 - HKLM\..\Run: [VaCtrls] v7
    O4 - HKCU\..\Run: [EPSON Stylus Photo 960] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\system32\E_S2.tmp"
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\mfpqhnoht.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\mfpqhnoht.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\mfpqhnoht.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\mfpqhnoht.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\mfpqhnoht.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\mfpqhnoht.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\mfpqhnoht.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\mfpqhnoht.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\mfpqhnoht.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\mfpqhnoht.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\mfpqhnoht.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\mfpqhnoht.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\mfpqhnoht.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\mfpqhnoht.dll
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
    O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: ieupdater2 (Microsoft IEUpdater2) - Unknown owner - C:\Documents and Settings\Eric\ie_updater.exe

  2. #2
    Security Expert-Emeritus Rawe
    Join Date
    Mar 2006
    Location
    Finland
    Posts
    393


    Hello and welcome aboard

    Nicely infected, let's get started.

    Please print these instructions out, or save them to a notepad file, as you can't read them during the fix.

    A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it:
    • Please download LSPFix from here.
    • Run the LSPFix.exe that you have just finished downloading.
    • Check the "I know what I'm doing" box.
    • In the Keep box you should see one or more instances of mfpqhnoht.dll
    • Select every instance of mfpqhnoht.dll and move each one to the Remove box by clicking the >> button.
    • When you are done click Finish>>


    ======

    Please download SDFix and save it to your desktop.

    Double-click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Next, please reboot your computer in Safe Mode by doing the following:
    1) Restart your computer
    2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3) Instead of Windows loading as normal, a menu should appear
    4) Select the first option, to run Windows in Safe Mode.
    5) Choose your usual account.
    • Open the extracted SDFix folder and double-click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to reboot.
    • Press any key and it will restart the PC.
    • When the PC reboots the tool will run again and complete the removal process -- when it displays Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Please post back with the results along in your next REPLY.


    =======

    Finally...

    Please download Combofix to your desktop:
    • Double-click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply along with the SDFix results.


    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    Hi there, stranger!

    Proud Member of ASAP since 2005.
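The triage the helper did by eye above (an unknown DLL repeated through the Winsock LSP chain, a Winlogon Notify DLL living under Documents and Settings, Run keys pointing at an .exe inside system32\drivers, a service binary in a user profile) can be written down as a small script. The following is an added example, not code from this thread or from HijackThis; the "trusted directory" baseline and the severity tiers are my own assumptions, and the sample input is a handful of lines excerpted from the log posted in #1.

```python
"""Flag common persistence indicators in a HijackThis v1.99-style log.

Added example. The directory baseline and the severity rules below are
assumptions, not rules from HijackThis or from the thread.
"""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "section severity item reason")

# Assumed baseline: where autostart and service binaries live on a stock
# Windows XP install. Anything launched from elsewhere deserves a look.
SYSTEM32 = "c:\\windows\\system32\\"
SYSTEM_DIRS = (SYSTEM32, "c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
USER_PROFILES = "c:\\documents and settings\\"

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Sample input: lines excerpted from the HijackThis log in post #1.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iut75] c:\windows\system32\drivers\uzcx.exe
O4 - HKLM\..\Run: [VaCtrls] v7
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\mfpqhnoht.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mfpqhnoht.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: ieupdater2 (Microsoft IEUpdater2) - Unknown owner - C:\Documents and Settings\Eric\ie_updater.exe
"""


def executable_path(cmd: str) -> str:
    """Return the program part of a Run-key command line, without arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def under(path: str, directory: str) -> bool:
    """Case-insensitive 'path lives below directory' test."""
    return path.lower().startswith(directory.lower())


def triage(log_text: str) -> list:
    """Return a list of Finding tuples for the suspicious entries in log_text."""
    findings = []
    lsp_hits = Counter()  # the same LSP file appears once per chain entry
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            exe = executable_path(m["cmd"])
            low = exe.lower()
            if not re.match(r"^[a-z]:\\", low):
                # Bare names resolve through the search path; cannot judge without
                # finding the file. SOUNDMAN.EXE is legitimate, "v7" may not be.
                findings.append(Finding("O4", "review", exe,
                                        "bare file name; locate the file before deciding"))
            elif "\\drivers\\" in low and low.endswith(".exe"):
                findings.append(Finding("O4", "high", exe,
                                        "executable launched from the drivers directory"))
            elif not any(under(low, d) for d in SYSTEM_DIRS):
                findings.append(Finding("O4", "high", exe,
                                        "autostart outside system and Program Files directories"))
        elif m := O10_RE.match(line):
            lsp_hits[m["path"].lower()] += 1
        elif m := O20_RE.match(line):
            if not under(m["path"], SYSTEM32):
                findings.append(Finding("O20", "high", m["path"],
                                        "Winlogon Notify DLL outside system32"))
        elif m := O23_RE.match(line):
            if under(m["path"], USER_PROFILES):
                findings.append(Finding("O23", "high", m["path"],
                                        "service binary stored in a user profile"))
    for path, count in lsp_hits.items():
        findings.append(Finding("O10", "high", path,
                                f"unknown Winsock LSP file, {count} chain entries"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:4} {f.item}  <- {f.reason}")
```

The script is deliberately conservative: it only reports positions that HijackThis already exposes, collapses the repeated O10 lines into one finding with a count, and puts bare names such as `SOUNDMAN.EXE` and `v7` into a "review" tier rather than guessing, because the log alone does not say which file the name resolves to.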

  3. #3
    Junior Member
    Join Date
    Apr 2007
    Posts
    14


    Here's the SDFix log:

    SDFix: Version 1.78

    Run by Eric - Sun 04/15/2007 - 2:00:27.95

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\DOCUME~1\Eric\Desktop\SDFix

    Safe Mode:
    Checking Services:

    Name:
    Microsoft IEUpdater2
    ntldr.sys
    wincom32

    ImagePath:
    C:\Documents and Settings\Eric\ie_updater.exe /start
    \??\C:\ntldr.sys
    \??\C:\WINDOWS\system32\wincom32.sys

    Microsoft IEUpdater2 - Deleted
    ntldr.sys - Deleted
    wincom32 - Deleted

    Killing PID 212 'smss.exe'
    Killing PID 284 'winlogon.exe'
    Killing PID 284 'winlogon.exe'
    Killing PID 284 'winlogon.exe'
    ("Killing PID 284 'winlogon.exe'" repeats here for hundreds of lines)

    ndis.sys Infected!

    Patched File copied to Backups Folder
    Attempting to replace ndis.sys with original version...

    Original ndis.sys Restored


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File


    Rebooting...

    Normal Mode:
    Checking Files:

    Below files will be copied to Backups folder then removed:

    C:\CP1041.NLS - Deleted
    C:\Documents and Settings\All Users\Documents\Settings\partnership.dll - Deleted
    C:\Documents and Settings\Eric\Local Settings\Temp\1.dllb - Deleted
    C:\Documents and Settings\Eric\Local Settings\Temp\2.dllb - Deleted
    C:\Documents and Settings\Eric\Local Settings\Temp\5.dllb - Deleted
    C:\Documents and Settings\Eric\Local Settings\Temp\6.dllb - Deleted
    C:\Documents and Settings\Eric\Local Settings\Temp\7.dllb - Deleted
    C:\WINDOWS\system32\3ti.exe.exe - Deleted
    C:\WINDOWS\system32\pdp.exe.exe - Deleted
    C:\Documents and Settings\Eric\ie_updater.exe - Deleted
    C:\DOCUME~1\Eric\LOCALS~1\Temp\abc3000def.exe - Deleted
    C:\DOCUME~1\Eric\LOCALS~1\Temp\hd43B.tmp - Deleted
    C:\U.exe - Deleted
    C:\WINDOWS\system32\dlh9jkd1q2.exe - Deleted
    C:\WINDOWS\system32\dlh9jkd1q5.exe - Deleted
    C:\WINDOWS\system32\dlh9jkd1q6.exe - Deleted
    C:\WINDOWS\system32\dlh9jkd1q7.exe - Deleted
    C:\WINDOWS\system32\dlh9jkd1q8.exe - Deleted
    C:\WINDOWS\system32\RunOnce2.t__ - Deleted
    C:\WINDOWS\system32\RunOnce2.tm_ - Deleted
    C:\WINDOWS\system32\svcp.csv - Deleted
    C:\WINDOWS\system32\v7.exe - Deleted
    C:\WINDOWS\system32\vexga1me4t1.exe - Deleted
    C:\WINDOWS\system32\vexga3me2.exe - Deleted
    C:\WINDOWS\system32\vexga4me1.exe - Deleted
    C:\WINDOWS\system32\vexga5me3.exe - Deleted
    C:\WINDOWS\system32\wincom32.sys - Deleted
    C:\WINDOWS\system32\winsub.xml - Deleted
    C:\WINDOWS\xpupdate.exe - Deleted



    Removing Temp Files

    ADS Check:

    Checking if ADS is attached to system32 Folder
    C:\WINDOWS\system32
    No streams found.

    Checking if ADS is attached to svchost.exe
    C:\WINDOWS\system32\svchost.exe
    No streams found.



    Final Check:

    Remaining Services:
    ------------------




    Remaining Files:
    ---------------

    Backups Folder: - C:\DOCUME~1\Eric\Desktop\SDFix\backups\backups.zip

    Checking For Files with Hidden Attributes:

    C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe

    Finished

  4. #4
    Junior Member
    Join Date
    Apr 2007
    Posts
    14


    ...And this is the Combofix log (sorry for the stretching):

    "Eric" - 07-04-15 2:10:44 Service Pack 2, v.2096
    ComboFix 07-04-05.Rev3 - Running from: "C:\Documents and Settings\Eric\Desktop"


    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\kernels32.exe
    C:\WINDOWS\system32\vexg4am1et2.exe
    C:\WINDOWS\system32\vexg6ame4.exe
    C:\WINDOWS\updater.exe
    C:\Documents and Settings\All Users.\documents\settings\desktop.ini
    C:\Program Files\bravesentry\BraveSentry.exe
    C:\Program Files\bravesentry\BraveSentry.lic
    C:\Program Files\bravesentry\BraveSentry0.bs
    C:\Program Files\bravesentry\BraveSentry0.dll
    C:\Program Files\bravesentry\BraveSentry1.bs
    C:\Program Files\bravesentry\BraveSentry1.dll
    C:\Program Files\bravesentry\BraveSentry2.dll
    C:\Program Files\bravesentry\BraveSentry3.dll
    C:\Program Files\bravesentry\Uninstall.exe
    C:\Program Files\ipwindows\ipwins.dll
    C:\Program Files\ipwindows\ipwins.exe
    C:\Program Files\ipwindows\UnInstall.exe
    C:\WINDOWS\system32\vx.tll
    C:\WINDOWS\system32\config\system~1\applic~1\install.dat
    C:\WINDOWS\system32\mfpqhnoht.dll
    C:\WINDOWS\system32\qlzybaiog.dll
    C:\Documents and Settings\All Users.\documents\settings
    C:\Program Files\bravesentry
    C:\Program Files\inetget2
    C:\Program Files\ipwindows
    C:\WINDOWS\system32\kdtvt.exe


    ((((((((((((((((((((((((((((((( Files Created from 2007-03-15 to 2007-04-15 ))))))))))))))))))))))))))))))))))


    2007-04-14 14:23 24,064 --a------ C:\WINDOWS\system32\update38108312.exe
    2007-04-14 14:23 14,336 --a------ C:\WINDOWS\system32\update02861444.exe
    2007-04-14 14:12 24,064 --a------ C:\WINDOWS\system32\update04245256.exe
    2007-04-14 14:11 139,008 --a------ C:\WINDOWS\system32\windev-45ed-4750.sys
    2007-04-14 14:10 52,736 --a------ C:\DOCUME~1\Eric\protectwin.exe
    2007-04-14 14:09 196,073 --a------ C:\DOCUME~1\Eric\moviesdvds1176.exe
    2007-04-14 14:09 <DIR> d-------- C:\Program Files\MovieBox
    2007-04-14 14:08 13,411 --a------ C:\WINDOWS\adv.194.exe
    2007-04-14 14:07 39,225 --a------ C:\WINDOWS\system32\update72513345.exe
    2007-04-14 14:06 24,064 --a------ C:\WINDOWS\system32\update45864519.exe
    2007-04-14 14:06 14,336 --a------ C:\WINDOWS\system32\update23209606.exe
    2007-04-14 13:56 39,225 --a------ C:\WINDOWS\system32\update58956977.exe
    2007-04-14 13:50 39,225 --a------ C:\WINDOWS\system32\update03953493.exe
    2007-04-14 13:50 14,336 --a------ C:\WINDOWS\system32\update95342169.exe
    2007-04-14 13:45 52,736 --a------ C:\WINDOWS\system32\update83647438.exe
    2007-04-14 13:45 14,336 --a------ C:\WINDOWS\system32\update79488011.exe
    2007-04-14 00:58 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
    2007-04-14 00:49 39,225 --a------ C:\WINDOWS\system32\update62074855.exe
    2007-04-14 00:49 14,336 --a------ C:\WINDOWS\system32\update06281259.exe
    2007-04-13 12:33 24,064 --a------ C:\WINDOWS\system32\update04080293.exe
    2007-04-13 10:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-04-13 10:03 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
    2007-04-13 09:46 <DIR> d-------- C:\Program Files\Lavasoft
    2007-04-13 09:46 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-04-13 09:46 <DIR> d-------- C:\DOCUME~1\Eric\APPLIC~1\Lavasoft
    2007-04-13 05:16 445,440 --a------ C:\wmplayer.dll
    2007-04-13 05:16 235,008 --a------ C:\WINDOWS\system32\update08719418.exe
    2007-04-13 05:16 <DIR> d-------- C:\WINDOWS\system32\LogFiles
    2007-04-13 05:15 107,012 --a------ C:\WINDOWS\system32\update68731342.exe
    2007-04-13 00:51 <DIR> d-------- C:\DOCUME~1\Eric\.housecall6.6
    2007-04-12 15:12 13,824 --a------ C:\WINDOWS\system32\drivers\uzcx.exe
    2007-04-12 15:12 11,264 --a------ C:\WINDOWS\abc1006def.exe
    2007-04-07 04:56 <DIR> d-------- C:\Program Files\FirstClass
    2007-04-07 04:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FirstClass
    2007-03-15 09:08 101,438 --a------ C:\WINDOWS\b122.exe


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-04-13 11:05 -------- d-------- C:\Program Files\seekmo programs
    2007-04-07 04:56 -------- d--h----- C:\Program Files\installshield installation information
    2007-02-24 14:10 -------- d-------- C:\Program Files\java


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "EPSON Stylus Photo 960"="C:\\WINDOWS\\system32\\spool\\DRIVERS\\W32X86\\3\\E_S10IC2.EXE /A \"C:\\WINDOWS\\system32\\E_S2.tmp\""
    "BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_9 -reboot 1"
    "IpWins"="C:\\Program Files\\Ipwindows\\ipwins.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
    "EPSON Stylus Photo 960"="C:\\WINDOWS\\system32\\spool\\DRIVERS\\W32X86\\3\\E_S10IC2.EXE /P22 \"EPSON Stylus Photo 960\" /O5 \"LPT1:\" /M \"Stylus Photo 960\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "SoundMan"="SOUNDMAN.EXE"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
    "WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
    "DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
    "iut75"="c:\\windows\\system32\\drivers\\uzcx.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"


    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages REG_MULTI_SZ msv1_0\0\0
    Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages REG_MULTI_SZ scecli\0\0

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0



    ********************************************************************

    catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
    http://www.gmer.net

    scanning hidden processes ...

    scanning hidden services ...

    HKLM\SYSTEM\CurrentControlSet\Services\winmgmt45ed-4750

    scanning hidden autostart entries ...

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    EPSON Stylus Photo 960 = C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\system32\E_S2.tmp"??????w???w???????????w???????w????H???????????????????????????????????????????????|????????????$?w???w???????w???w?????y?wH????????????????eU?)??w????\??????????????????
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    EPSON Stylus Photo 960 = C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\system32\E_S2.tmp"??????w???w???????????w???????w????H???????????????????????????????????????????????|????????????$?w???w???????w???w?????y?wH????????????????eU?)??w????\??????????????????

    scanning hidden files ...

    C:\WINDOWS\system32\windev-45ed-4750.sys 139264 bytes
    C:\WINDOWS\system32\windev-peers.ini 16384 bytes

    scan completed successfully
    hidden processes: 0
    hidden services: 1
    hidden files: 2

    ********************************************************************

    Completion time: 07-04-15 2:13:28
    C:\ComboFix-quarantined-files.txt ... 07-04-15 02:13

  5. #5
    Security Expert-Emeritus Rawe
    Join Date
    Mar 2006
    Location
    Finland
    Posts
    393


    Hi, let's continue.

    You can go ahead and delete SDFix; we might still need ComboFix though.

    Please download AVG Anti-Spyware and save that file to your desktop.
    This is a 30 day trial of the program
    1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the setup program.
    2. Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
    3. On the main screen select the icon "Update" then select the "Update now" link.
      • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
      • If you aren't able to finish the update within AVG Anti-Spyware for one reason or another, you can install the manual updates here.
    4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    6. Under "Reports"
      • Select "Automatically generate report after every scan"
      • Un-select "Only if threats were found"
    Close AVG Anti-Spyware, DO NOT run a scan just yet, we will shortly.

    ==

    Next, please reboot your computer in Safe Mode by doing the following:
    1) Restart your computer
    2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3) Instead of Windows loading as normal, a menu should appear
    4) Select the first option, to run Windows in Safe Mode.


    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
    • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
    • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    • If you have any infections you will be prompted, then select "Apply all actions"
    • Next select the "Reports" icon at the top.
    • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    • Close AVG Anti-Spyware and reboot your system back into Normal Mode.


    ==

    Please download GMER:
    • Unzip it and double-click GMER.exe
    • Click the rootkit-tab and click scan.
    • Once done, click Copy.
    • This will copy the results to clipboard.
    • Paste the results in your next reply, along with the AVG Anti-Spyware results.

  6. #6
    Junior Member
    Join Date
    Apr 2007
    Posts
    14


    AVG Scan log:

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 4:30:16 AM 4/16/2007

    + Scan result:



    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0030485.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\update08719418.exe -> Adware.BHO : Cleaned with backup (quarantined).
    C:\wmplayer.dll -> Adware.BHO : Cleaned with backup (quarantined).
    HKU\S-1-5-21-448539723-920026266-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38} -> Adware.Generic : Cleaned with backup (quarantined).
    C:\QooBox\Quarantine\Program Files\BraveSentry\BraveSentry0.bs.vir -> Adware.MrAntispy : Cleaned with backup (quarantined).
    C:\WINDOWS\b122.exe -> Adware.Softomate : Cleaned with backup (quarantined).
    C:\QooBox\Quarantine\Program Files\BraveSentry\BraveSentry.exe.vir -> Adware.SpySheriff : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033643.exe -> Adware.SpySheriff : Cleaned with backup (quarantined).
    C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/vexga5me3.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
    C:\QooBox\Quarantine\WINDOWS\updater.exe.vir -> Downloader.Agent.bls : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0032553.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033584.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033606.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033642.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
    C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/1.dllb -> Downloader.Small : Cleaned with backup (quarantined).
    C:\QooBox\Quarantine\WINDOWS\system32\vexg6ame4.exe.vir -> Downloader.Small : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0031543.exe -> Downloader.Small : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033641.exe -> Downloader.Small : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\update02861444.exe -> Downloader.Small : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\update06281259.exe -> Downloader.Small : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\update23209606.exe -> Downloader.Small : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\update79488011.exe -> Downloader.Small : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\update95342169.exe -> Downloader.Small : Cleaned with backup (quarantined).
    C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/vexga3me2.exe -> Downloader.Small.eip : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033582.exe -> Downloader.Small.eip : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033604.exe -> Downloader.Small.eip : Cleaned with backup (quarantined).
    C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/wincom32.sys -> Dropper.Agent.bbv : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033585.sys -> Dropper.Agent.bbv : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033607.sys -> Dropper.Agent.bbv : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\update68731342.exe -> Dropper.Agent.bfz : Cleaned with backup (quarantined).
    C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/v7.exe -> Hijacker.Agent.jb : Cleaned with backup (quarantined).
    C:\Documents and Settings\Eric\Local Settings\Temp\abc1006def.exe -> Hijacker.Agent.jb : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP223\A0027421.exe -> Hijacker.Agent.jb : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP223\A0027442.exe -> Hijacker.Agent.jb : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033580.exe -> Hijacker.Agent.jb : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033602.exe -> Hijacker.Agent.jb : Cleaned with backup (quarantined).
    C:\WINDOWS\abc1006def.exe -> Hijacker.Agent.jb : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\v7.exe -> Hijacker.Agent.jb : Cleaned with backup (quarantined).
    C:\Documents and Settings\Eric\protectwin.exe -> Not-A-Virus.Hoax.Win32.Renos.hn : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\update83647438.exe -> Not-A-Virus.Hoax.Win32.Renos.hn : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\windev-45ed-4750.sys -> Not-A-Virus.SpamTool.Win32.Agent.af : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0031527.exe -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0032550.exe -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0032555.exe -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\update03953493.exe -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\update58956977.exe -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\update62074855.exe -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\update72513345.exe -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
    C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/vexga4me1.exe -> Proxy.Xorpix.ar : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0032548.exe -> Proxy.Xorpix.ar : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033583.exe -> Proxy.Xorpix.ar : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033605.exe -> Proxy.Xorpix.ar : Cleaned with backup (quarantined).
    C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/partnership.dll -> Proxy.Xorpix.bc : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033599.dll -> Proxy.Xorpix.bc : Cleaned with backup (quarantined).
    C:\Documents and Settings\Eric\Cookies\eric@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Eric\Cookies\eric@www.abcsearch[1].txt -> TrackingCookie.Abcsearch : Cleaned.
    C:\Documents and Settings\Eric\Cookies\eric@overture[1].txt -> TrackingCookie.Overture : Cleaned.
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0031544.exe -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0032554.exe -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\update04080293.exe -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\update04245256.exe -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\update38108312.exe -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\update45864519.exe -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0031506.exe -> Trojan.Agent.bou : Cleaned with backup (quarantined).
    C:\Documents and Settings\Eric\Local Settings\Temporary Internet Files\Content.IE5\FZXZN14G\QMtsfzH_Pinch[1].exe -> Trojan.LdPinch.btv : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0034661.exe -> Trojan.LdPinch.btv : Cleaned with backup (quarantined).
    C:\WINDOWS\QMtsfzH_Pinch.exe -> Trojan.LdPinch.btv : Cleaned with backup (quarantined).
    C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/2.dllb -> Trojan.Tibs.r : Cleaned with backup (quarantined).
    C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/3ti.exe.exe -> Trojan.Tibs.r : Cleaned with backup (quarantined).
    C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/6.dllb -> Trojan.Tibs.r : Cleaned with backup (quarantined).
    C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/7.dllb -> Trojan.Tibs.r : Cleaned with backup (quarantined).
    C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/dlh9jkd1q2.exe -> Trojan.Tibs.r : Cleaned with backup (quarantined).
    C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/dlh9jkd1q6.exe -> Trojan.Tibs.r : Cleaned with backup (quarantined).
    C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/dlh9jkd1q7.exe -> Trojan.Tibs.r : Cleaned with backup (quarantined).
    C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/pdp.exe.exe -> Trojan.Tibs.r : Cleaned with backup (quarantined).
    C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/xpupdate.exe -> Trojan.Tibs.r : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033571.exe -> Trojan.Tibs.r : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033572.exe -> Trojan.Tibs.r : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033575.exe -> Trojan.Tibs.r : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033577.exe -> Trojan.Tibs.r : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033578.exe -> Trojan.Tibs.r : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033586.exe -> Trojan.Tibs.r : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033590.exe -> Trojan.Tibs.r : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033592.exe -> Trojan.Tibs.r : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033594.exe -> Trojan.Tibs.r : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033595.exe -> Trojan.Tibs.r : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033600.exe -> Trojan.Tibs.r : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033608.exe -> Trojan.Tibs.r : Cleaned with backup (quarantined).
    C:\QooBox\Quarantine\WINDOWS\system32\qlzybaiog.dll.vir -> Trojan.Vqten : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033654.dll -> Trojan.Vqten : Cleaned with backup (quarantined).
    C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/5.dllb -> Worm.Nuwar : Cleaned with backup (quarantined).
    C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/dlh9jkd1q5.exe -> Worm.Nuwar : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033576.exe -> Worm.Nuwar : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033593.exe -> Worm.Nuwar : Cleaned with backup (quarantined).
    C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/vexga1me4t1.exe -> Worm.Zhelatin.by : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033581.exe -> Worm.Zhelatin.by : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033603.exe -> Worm.Zhelatin.by : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0032552.exe -> Worm.Zhelatin.cv : Cleaned with backup (quarantined).


    ::Report end

  7. #7
    Junior Member
    Join Date
    Apr 2007
    Posts
    14

    Default

    ...And GMER log:

    GMER 1.0.12.12244 - http://www.gmer.net
    Rootkit scan 2007-04-16 04:41:39
    Windows 5.1.2600 Service Pack 2, v.2096


    ---- System - GMER 1.0.12 ----

    SSDT sptd.sys ZwCreateKey
    SSDT sptd.sys ZwEnumerateKey
    SSDT sptd.sys ZwEnumerateValueKey
    SSDT sptd.sys ZwOpenKey
    SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
    SSDT sptd.sys ZwQueryKey
    SSDT sptd.sys ZwQueryValueKey
    SSDT sptd.sys ZwSetValueKey
    SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

    ---- Kernel code sections - GMER 1.0.12 ----

    .text ntoskrnl.exe!_allmul + D8 804E38BC 4 Bytes [ 3A, 3B, 54, F7 ]
    .text ntoskrnl.exe!_allmul + 150 804E3934 4 Bytes [ 7E, 3C, 54, F7 ]
    .text ntoskrnl.exe!_allmul + 158 804E393C 4 Bytes [ F6, 3F, 54, F7 ]
    .text ntoskrnl.exe!_allmul + 210 804E39F4 4 Bytes [ 18, 3A, 54, F7 ]
    .text ntoskrnl.exe!_allmul + 21C 804E3A00 4 Bytes [ AC, 78, D4, F7 ]
    .text ...
    ? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
    ? C:\WINDOWS\System32\Drivers\SPTD1805.SYS The process cannot access the file because it is being used by another process.
    ? C:\WINDOWS\System32\Drivers\dtscsi.sys The process cannot access the file because it is being used by another process.
    ? C:\WINDOWS\system32\DRIVERS\update.sys

    ---- Devices - GMER 1.0.12 ----

    Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 86F9BC78
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 86F9BC78
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 86F9BC78
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 86F9BC78
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 86F9BC78
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 86F9BC78
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 86F9BC78
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 86F9BC78
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 86F9BC78
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 86F9BC78
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 86F9BC78
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 86F9BC78
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 86F9BC78
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 86F9BC78
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 86F9BC78
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 86F9BC78
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 86F9BC78
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 86F9BC78
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 86F9BC78
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 86F9BC78
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 86F9BC78
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 86F9BC78
    Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CREATE 86F9C378
    Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CLOSE 86F9C378
    Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_READ 86F9C378
    Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_WRITE 86F9C378
    Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_FLUSH_BUFFERS 86F9C378
    Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_DEVICE_CONTROL 86F9C378
    Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_INTERNAL_DEVICE_CONTROL 86F9C378
    Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SHUTDOWN 86F9C378
    Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_POWER 86F9C378
    Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SYSTEM_CONTROL 86F9C378
    Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_PNP 86F9C378
    Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CREATE 86F9C378
    Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CLOSE 86F9C378
    Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_READ 86F9C378
    Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_WRITE 86F9C378
    Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_FLUSH_BUFFERS 86F9C378
    Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_DEVICE_CONTROL 86F9C378
    Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_INTERNAL_DEVICE_CONTROL 86F9C378
    Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SHUTDOWN 86F9C378
    Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_POWER 86F9C378
    Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SYSTEM_CONTROL 86F9C378
    Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_PNP 86F9C378
    Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CREATE 86F9C378
    Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CLOSE 86F9C378
    Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_READ 86F9C378
    Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_WRITE 86F9C378
    Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_FLUSH_BUFFERS 86F9C378
    Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_DEVICE_CONTROL 86F9C378
    Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_INTERNAL_DEVICE_CONTROL 86F9C378
    Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SHUTDOWN 86F9C378
    Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_POWER 86F9C378
    Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SYSTEM_CONTROL 86F9C378
    Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_PNP 86F9C378
    Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CREATE 86F9C378
    Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CLOSE 86F9C378
    Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_READ 86F9C378
    Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_WRITE 86F9C378
    Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_FLUSH_BUFFERS 86F9C378
    Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_DEVICE_CONTROL 86F9C378
    Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_INTERNAL_DEVICE_CONTROL 86F9C378
    Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SHUTDOWN 86F9C378
    Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_POWER 86F9C378
    Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SYSTEM_CONTROL 86F9C378
    Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_PNP 86F9C378
    Device \Driver\00000047 \Device\00000046 IRP_MJ_POWER [F754AEA8] sptd.sys
    Device \Driver\00000047 \Device\00000046 IRP_MJ_SYSTEM_CONTROL [F755EA70] sptd.sys
    Device \Driver\00000047 \Device\00000046 IRP_MJ_PNP [F7557728] sptd.sys
    Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 86F9C630
    Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 86F9C630
    Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE 86F9C630
    Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS 86F9C630
    Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL 86F9C630
    Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL 86F9C630
    Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN 86F9C630
    Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP 86F9C630
    Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER 86F9C630
    Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL 86F9C630
    Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_PNP 86F9C630
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 86D6DCF0
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 86D6DCF0
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 86D6DCF0
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 86D6DCF0
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 86D6DCF0
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 86D6DCF0
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 86D6DCF0
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 86D6DCF0
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 86D6DCF0
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 86D6DCF0
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 86D6DCF0
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE 86C16290
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_NAMED_PIPE 86C16290
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLOSE 86C16290
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 86C16290
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_WRITE 86C16290
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_INFORMATION 86C16290
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_INFORMATION 86C16290
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_EA 86C16290
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_EA 86C16290
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FLUSH_BUFFERS 86C16290
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_VOLUME_INFORMATION 86C16290
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_VOLUME_INFORMATION 86C16290
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DIRECTORY_CONTROL 86C16290
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FILE_SYSTEM_CONTROL 86C16290
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CONTROL 86C16290
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_INTERNAL_DEVICE_CONTROL 86C16290
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SHUTDOWN 86C16290
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_LOCK_CONTROL 86C16290
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLEANUP 86C16290
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_MAILSLOT 86C16290
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_SECURITY 86C16290
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_SECURITY 86C16290
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_POWER 86C16290
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SYSTEM_CONTROL 86C16290
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CHANGE 86C16290
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_QUOTA 86C16290
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_QUOTA 86C16290
    Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 86D6DCF0
    Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 86D6DCF0
    Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 86D6DCF0
    Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 86D6DCF0
    Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 86D6DCF0
    Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 86D6DCF0
    Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 86D6DCF0
    Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN

  8. #8
    Junior Member
    Join Date
    Apr 2007
    Posts
    14

    Default

    GMER continued!:

    86D6DCF0
    Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 86D6DCF0
    Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 86D6DCF0
    Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 86D6DCF0
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE 86D6DCF0
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLOSE 86D6DCF0
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_READ 86D6DCF0
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_WRITE 86D6DCF0
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FLUSH_BUFFERS 86D6DCF0
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CONTROL 86D6DCF0
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_INTERNAL_DEVICE_CONTROL 86D6DCF0
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SHUTDOWN 86D6DCF0
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_POWER 86D6DCF0
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SYSTEM_CONTROL 86D6DCF0
    Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_PNP 86D6DCF0
    Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 86CBD0E8
    Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLOSE 86CBD0E8
    Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_DEVICE_CONTROL 86CBD0E8
    Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_INTERNAL_DEVICE_CONTROL 86CBD0E8
    Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLEANUP 86CBD0E8
    Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_PNP 86CBD0E8
    Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 86CBD0E8
    Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLOSE 86CBD0E8
    Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_DEVICE_CONTROL 86CBD0E8
    Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_INTERNAL_DEVICE_CONTROL 86CBD0E8
    Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLEANUP 86CBD0E8
    Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_PNP 86CBD0E8
    Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CREATE 86F9BEB0
    Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CLOSE 86F9BEB0
    Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_READ 86F9BEB0
    Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_WRITE 86F9BEB0
    Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_FLUSH_BUFFERS 86F9BEB0
    Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_DEVICE_CONTROL 86F9BEB0
    Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_INTERNAL_DEVICE_CONTROL 86F9BEB0
    Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_SHUTDOWN 86F9BEB0
    Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_POWER 86F9BEB0
    Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_SYSTEM_CONTROL 86F9BEB0
    Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_PNP 86F9BEB0
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSE 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 86D12598
    Device \Driver\NetBT \Device\NetBT_Tcpip_{41C3359F-60FE-4CAE-A35C-7AECB0D95019} IRP_MJ_CREATE 86CBD0E8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{41C3359F-60FE-4CAE-A35C-7AECB0D95019} IRP_MJ_CLOSE 86CBD0E8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{41C3359F-60FE-4CAE-A35C-7AECB0D95019} IRP_MJ_DEVICE_CONTROL 86CBD0E8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{41C3359F-60FE-4CAE-A35C-7AECB0D95019} IRP_MJ_INTERNAL_DEVICE_CONTROL 86CBD0E8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{41C3359F-60FE-4CAE-A35C-7AECB0D95019} IRP_MJ_CLEANUP 86CBD0E8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{41C3359F-60FE-4CAE-A35C-7AECB0D95019} IRP_MJ_PNP 86CBD0E8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSE 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 86D12598
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 86D12598
    Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE 86DB86A0
    Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE_NAMED_PIPE 86DB86A0
    Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CLOSE 86DB86A0
    Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_READ 86DB86A0
    Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_WRITE 86DB86A0
    Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_INFORMATION 86DB86A0
    Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_SET_INFORMATION 86DB86A0
    Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_FLUSH_BUFFERS 86DB86A0
    Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_VOLUME_INFORMATION 86DB86A0
    Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_DIRECTORY_CONTROL 86DB86A0
    Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_FILE_SYSTEM_CONTROL 86DB86A0
    Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CLEANUP 86DB86A0
    Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_SECURITY 86DB86A0
    Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_SET_SECURITY 86DB86A0
    Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 86F9C630
    Device \Driver\Ftdisk \Device\FtControl IRP_MJ_READ 86F9C630
    Device \Driver\Ftdisk \Device\FtControl IRP_MJ_WRITE 86F9C630
    Device \Driver\Ftdisk \Device\FtControl IRP_MJ_FLUSH_BUFFERS 86F9C630
    Device \Driver\Ftdisk \Device\FtControl IRP_MJ_DEVICE_CONTROL 86F9C630
    Device \Driver\Ftdisk \Device\FtControl IRP_MJ_INTERNAL_DEVICE_CONTROL 86F9C630
    Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SHUTDOWN 86F9C630
    Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CLEANUP 86F9C630
    Device \Driver\Ftdisk \Device\FtControl IRP_MJ_POWER 86F9C630
    Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SYSTEM_CONTROL 86F9C630
    Device \Driver\Ftdisk \Device\FtControl IRP_MJ_PNP 86F9C630
    Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CREATE 86CD70E8
    Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CLOSE 86CD70E8
    Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_READ 86CD70E8
    Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_WRITE 86CD70E8
    Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_QUERY_INFORMATION 86CD70E8
    Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_SET_INFORMATION 86CD70E8
    Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_QUERY_VOLUME_INFORMATION 86CD70E8
    Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_DIRECTORY_CONTROL 86CD70E8
    Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_FILE_SYSTEM_CONTROL 86CD70E8
    Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CLEANUP 86CD70E8
    Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CREATE_MAILSLOT 86CD70E8
    Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_QUERY_SECURITY 86CD70E8
    Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_SET_SECURITY 86CD70E8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{7590B0A8-AF76-4E2B-876C-6B8898EA47A7} IRP_MJ_CREATE 86CBD0E8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{7590B0A8-AF76-4E2B-876C-6B8898EA47A7} IRP_MJ_CLOSE 86CBD0E8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{7590B0A8-AF76-4E2B-876C-6B8898EA47A7} IRP_MJ_DEVICE_CONTROL 86CBD0E8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{7590B0A8-AF76-4E2B-876C-6B8898EA47A7} IRP_MJ_INTERNAL_DEVICE_CONTROL 86CBD0E8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{7590B0A8-AF76-4E2B-876C-6B8898EA47A7} IRP_MJ_CLEANUP 86CBD0E8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{7590B0A8-AF76-4E2B-876C-6B8898EA47A7} IRP_MJ_PNP 86CBD0E8
    Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_CREATE 86D3D5D0
    Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_CLOSE 86D3D5D0
    Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 86D3D5D0
    Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 86D3D5D0
    Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_POWER 86D3D5D0
    Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL 86D3D5D0
    Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_PNP 86D3D5D0
    Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_CREATE 86D3D5D0
    Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_CLOSE 86D3D5D0
    Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_DEVICE_CONTROL 86D3D5D0
    Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_INTERNAL_DEVICE_CONTROL 86D3D5D0
    Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_POWER 86D3D5D0
    Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_SYSTEM_CONTROL 86D3D5D0
    Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_PNP 86D3D5D0
    Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 86B5D540
    Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE 86B5D540
    Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 86B5D540
    Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION 86B5D540
    Device \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION

  9. #9
    Junior Member
    Join Date
    Apr 2007
    Posts
    14

    Default

    The return of GMER continued:

    86B5D540
    Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION 86B5D540
    Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL 86B5D540
    Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL 86B5D540
    Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL 86B5D540
    Device \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN 86B5D540
    Device \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL 86B5D540
    Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP 86B5D540
    Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP 86B5D540

    ---- EOF - GMER 1.0.12 ----

  10. #10
    Security Expert-Emeritus Rawe's Avatar
    Join Date
    Mar 2006
    Location
    Finland
    Posts
    393

    Default

    Please print these instructions out, or write them down, as you can't read them during the fix.

    1. Please download The Avenger by Swandog46 to your Desktop.
    • Click on Avenger.zip to open the file.
    • Extract Avenger.exe to your desktop.

    2. Copy all the text in bold contained in the quotebox below to a blank notepad file:

    Drivers to unload:
    windev-45ed-4750

    Files to delete:
    C:\WINDOWS\system32\windev-peers.ini
    C:\WINDOWS\system32\drivers\uzcx.exe
    C:\DOCUME~1\Eric\moviesdvds1176.exe
    C:\WINDOWS\adv.194.exe

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    3. Now, start The Avenger program by clicking on its icon on your desktop.
    • Under "Script file to execute" choose "Input Script Manually".
    • Now click on the Magnifying Glass icon, which will open a new window titled "View/edit script".
    • Paste the text copied to the notepad file into this window.
    • Click Done.
    • Now click on the Green Light to begin execution of the script.
    • Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:
    • Restarts your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    • On reboot, it briefly opens a black command window on your desktop; this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please copy/paste all the contents of avenger.txt into your reply along with a fresh HJT log by using AddReply.

    Upload this -> C:\WINDOWS\System32\Drivers\SPTD1805.SYS to VirusTotal and post back the results here, too.
    Last edited by Shaba; 2007-04-17 at 16:50.
    Hi there, stranger!

    Proud Member of ASAP since 2005.
