iexplore.exe works under system and HJT couldn't see it



hemlock00
2007-04-12, 22:39
Hi guys.

Whenever I start my computer, iexplore.exe works under SYSTEM. There were a lot of exes such as algs.exe, spoolsvc.exe, gvyfeq.exe and some random-named exes appearing in my system32 folder. I have Sygate Personal Firewall and it doesn't work now. I think it is blocked by some malware. Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 20:24:22, on 12/04/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\csrss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\System32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
h:\program files\internet explorer\iexplore.exe
H:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\System32\alg.exe
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
H:\WINDOWS\runservice.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
H:\WINDOWS\System32\taskmgr.exe
H:\WINDOWS\System32\ctfmon.exe
F:\hijackthis\ogan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar4.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - H:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Stumble&Upon - {22D003CE-6952-46C5-80B9-D19B479620AB} - H:\WINDOWS\System32\s1939.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - H:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O8 - Extra context menu item: Download all with Free Download Manager - file://H:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://H:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://H:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon: &Blog This - res://H:\WINDOWS\System32\s1939.dll/blogimage
O9 - Extra button: Arastir - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: *.stumbleupon.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{076906E4-8FA8-4359-A04F-BF16F404E404}: NameServer = 85.255.116.151,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{40C2DE37-E67D-413A-BDB1-28E4843CF41D}: NameServer = 85.255.116.151,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{41C6D82A-159E-4006-8ED5-DA50DE458B80}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{49CC645E-1B8B-4750-BF99-969A10E1C080}: NameServer = 85.255.116.151,85.255.112.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.151 85.255.112.20
O17 - HKLM\System\CS1\Services\Tcpip\..\{076906E4-8FA8-4359-A04F-BF16F404E404}: NameServer = 85.255.116.151,85.255.112.20
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.151 85.255.112.20
O17 - HKLM\System\CS2\Services\Tcpip\..\{076906E4-8FA8-4359-A04F-BF16F404E404}: NameServer = 85.255.116.151,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.151 85.255.112.20
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - Unknown owner - H:\WINDOWS\ATKKBService.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Unknown owner - H:\Program Files\Sygate\SPF\smc.exe

Your help is needed. Thanks.
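The O17 lines in the log above are the part worth reading closely: every interface key and the global Tcpip Parameters key, in the current and both last-known-good control sets, point NameServer at two resolvers outside the 192.168.0.0/16 network, while the one untouched interface still lists the router at 192.168.0.1. The script below is an added example, not part of this thread and not HijackThis or FixWareout code. It parses the O17 lines of a pasted HijackThis log and flags every resolver that is neither private, loopback nor on an optional whitelist of resolvers the owner expects (the `expected` parameter is this example's own idea). The sample input is the page's own O17 lines, pasted verbatim.

```python
"""Flag HijackThis O17 NameServer entries that point at public DNS resolvers.

Added example for this thread; not part of HijackThis or FixWareout.
"""
import ipaddress
import re

# Constructed sample input: the O17 lines of the first HijackThis log in this
# thread (before FixWareout ran), pasted verbatim.
LOG_BEFORE = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{076906E4-8FA8-4359-A04F-BF16F404E404}: NameServer = 85.255.116.151,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{40C2DE37-E67D-413A-BDB1-28E4843CF41D}: NameServer = 85.255.116.151,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{41C6D82A-159E-4006-8ED5-DA50DE458B80}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{49CC645E-1B8B-4750-BF99-969A10E1C080}: NameServer = 85.255.116.151,85.255.112.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.151 85.255.112.20
O17 - HKLM\System\CS1\Services\Tcpip\..\{076906E4-8FA8-4359-A04F-BF16F404E404}: NameServer = 85.255.116.151,85.255.112.20
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.151 85.255.112.20
O17 - HKLM\System\CS2\Services\Tcpip\..\{076906E4-8FA8-4359-A04F-BF16F404E404}: NameServer = 85.255.116.151,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.151 85.255.112.20
"""

# The single O17 line left in the log the poster supplied after FixWareout ran.
LOG_AFTER = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{41C6D82A-159E-4006-8ED5-DA50DE458B80}: NameServer = 192.168.0.1
"""

# An O17 line is "O17 - <registry key>: NameServer = <servers>"; the key never contains a colon.
O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): NameServer = (?P<servers>.+)$")


def parse_o17(log_text):
    """Return [(registry_key, [server, ...]), ...] for every O17 line in the log.

    HijackThis prints comma-separated servers under the per-interface keys and
    space-separated servers under the Parameters key, so split on either.
    """
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue  # any other HijackThis section is ignored
        servers = [s for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
        entries.append((m.group("key"), servers))
    return entries


def classify_server(server, expected=frozenset()):
    """'expected' if whitelisted, else 'loopback', 'private', 'public' or 'invalid'."""
    if server in expected:
        return "expected"
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return "invalid"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:  # RFC 1918 and similar, e.g. the router at 192.168.0.1
        return "private"
    return "public"


def find_rogue_dns(log_text, expected=frozenset()):
    """Map each public, non-whitelisted resolver to the registry keys that set it."""
    rogue = {}
    for key, servers in parse_o17(log_text):
        for server in servers:
            if classify_server(server, expected) == "public":
                rogue.setdefault(server, []).append(key)
    return rogue


def report(log_text, expected=frozenset()):
    """Human-readable summary; no rogue entries means the O17 section looks clean."""
    rogue = find_rogue_dns(log_text, expected)
    if not rogue:
        return "O17: no public resolvers found outside the expected set"
    lines = ["O17: %d public resolver(s) set in the registry" % len(rogue)]
    for server, keys in sorted(rogue.items()):
        lines.append("  %s  (%d key(s), e.g. %s)" % (server, len(keys), keys[0]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(LOG_BEFORE))
    print(report(LOG_AFTER))
```

Feed it a whole HijackThis log; lines outside the O17 section are skipped. If the ISP hands out public resolvers over DHCP, put them in `expected` so they are not reported. The signal is not "public address" on its own but the same pair of resolvers written into every interface key and the Parameters key of every control set while differing from the router, which is exactly the pattern the second log in this thread no longer shows.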

Shaba
2007-04-13, 08:15
Hi hemlock00

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure Run fixit is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads, post the text that will open (report.txt) and a new HijackThis log in the forum please.

hemlock00
2007-04-13, 09:08
Thank you, Shaba.

Here is the FixWareout log.

Fixwareout Last edited 4/5/2007
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="cswfk.exe"

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "xedocne" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "gib_ogol" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "repiwoh" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "llun" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "golmedi" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "23plhps" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "mgcppp" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "tesvaf" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "32refaselif" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "putesprpgd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "0mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1mdm" Deleted
....
»»»»» Misc files.
H:\WINDOWS\Help\SPAlert.chm Deleted
H:\WINDOWS\System32\drivers\zpmodemnt.sys Deleted
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="\"H:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

hemlock00
2007-04-13, 09:09
And the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:07:53, on 13/04/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\System32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Sygate\SPF\smc.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
H:\WINDOWS\runservice.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\notepad.exe
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\WINDOWS\System32\taskmgr.exe
F:\hijackthis\ogan.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - H:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Stumble&Upon - {22D003CE-6952-46C5-80B9-D19B479620AB} - H:\WINDOWS\System32\s1939.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O8 - Extra context menu item: Download selected with Free Download Manager - file://H:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://H:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon: &Blog This - res://H:\WINDOWS\System32\s1939.dll/blogimage
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{41C6D82A-159E-4006-8ED5-DA50DE458B80}: NameServer = 192.168.0.1
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - Unknown owner - H:\WINDOWS\ATKKBService.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - H:\Program Files\Sygate\SPF\smc.exe

Shaba
2007-04-13, 09:11
Hi

Update AVG Anti-Spyware, but don't scan yet.

Boot in safe mode.

Do a complete system scan with AVG a-s and save the report.

Re-run FixWareout.

Post:

- a fresh HijackThis log
- AVG a-s report
- FixWareout report

hemlock00
2007-04-13, 10:55
Sorry for the delay.

Here is the AVG log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:49:43 13/04/2007

+ Scan result:



Nothing found.



::Report end

FixWareout:

Fixwareout Last edited 4/5/2007
Post this report in the forums please
...
»»»»»Prerun check

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="\"H:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

hemlock00
2007-04-13, 11:03
HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 11:53:08, on 13/04/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\System32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Sygate\SPF\smc.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
H:\WINDOWS\runservice.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\notepad.exe
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\WINDOWS\System32\wuauclt.exe
F:\hijackthis\ogan.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - H:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Stumble&Upon - {22D003CE-6952-46C5-80B9-D19B479620AB} - H:\WINDOWS\System32\s1939.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O8 - Extra context menu item: Download selected with Free Download Manager - file://H:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://H:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon: &Blog This - res://H:\WINDOWS\System32\s1939.dll/blogimage
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{41C6D82A-159E-4006-8ED5-DA50DE458B80}: NameServer = 192.168.0.1
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - Unknown owner - H:\WINDOWS\ATKKBService.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - H:\Program Files\Sygate\SPF\smc.exe

It seems clear now, but I tried the Panda ActiveScan online scan before and it found some malware. And I used SDFix before we talked; when I ran catchme.bat it found two hidden files. Maybe I'm a bit paranoid, so do you think my PC is safe now?

Shaba
2007-04-13, 12:04
Hi

We can run a rootkit scan a bit later.

Next, please run the Panda scan and post its log along with a fresh HijackThis log :)

hemlock00
2007-04-13, 15:32
Results for Panda ActiveScan:


Incident Status Location

Adware:adware/webattaker Not disinfected h:\windows\uniq
Potentially unwanted tool:Application/Processor Not disinfected C:\Downloads\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Downloads\SmitfraudFix\Process.exe
Spyware:Cookie/Go Not disinfected H:\Documents and Settings\ogan\Application Data\Mozilla\Firefox\Profiles\tvz9nn9p.default\cookies.txt[.go.com/]
Potentially unwanted tool:Application/NirCmd.A Not disinfected H:\fixwareout\FindT\nircmd.exe
Potentially unwanted tool:Application/Processor Not disinfected H:\Program Files\Free Download Manager\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected H:\SDFix\apps\Process.exe

Shaba
2007-04-13, 17:48
Hi

Delete this:

h:\windows\uniq

Empty Recycle Bin

Looking over your log, it seems you don't have any evidence of anti-virus software.

Anti-virus software consists of programs that detect, cleanse, and erase harmful virus files on a computer, web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer's memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download free anti-virus software from one of these excellent vendors NOW:

1) Antivir PersonalEdition Classic (http://www.free-av.com/) - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html) - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition (http://free.grisoft.com/doc/1) - Free edition of the AVG anti-virus program for Windows.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

* Download GMER from here (http://www.gmer.net/gmer.zip).
Unzip it and start GMER.exe.
Click the Rootkit tab and click Scan.

Once done, click the Copy button.
This will copy the results to clipboard.
Paste the results in your next reply along with a fresh HijackThis log.

hemlock00
2007-04-13, 18:41
Thanks again, Shaba, for your effort and help.

Here is the GMER log.

It is very long, so if you want it as a separate txt file I can give it. I can't attach the txt file because it's 116 KB.

GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-04-13 19:32:18
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.12 ----

SSDT \??\H:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwAllocateVirtualMemory
SSDT sptd.sys ZwCreateKey
SSDT \??\H:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwCreateThread
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT \??\H:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwMapViewOfSection
SSDT sptd.sys ZwOpenKey
SSDT \??\H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\H:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwProtectVirtualMemory
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT sptd.sys ZwSetValueKey
SSDT \??\H:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwShutdownSystem
SSDT \??\H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
SSDT \??\H:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [ 06 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 150 805025CC 4 Bytes [ 30, 8B, 70, F8 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1B0 8050262C 4 Bytes [ B0, F0, 43, F8 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1E0 8050265C 4 Bytes [ F0, 86, 70, F8 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 228 805026A4 4 Bytes [ 4E, 48, 44, F8 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 230 805026AC 4 Bytes [ EE, 4B, 44, F8 ]
.text ...
? H:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F7C32A80 5 Bytes JMP 823691B8
? System32\Drivers\a1hiaqsr.SYS The system cannot find the file specified.
.text tcpip.sys!IPTransmit + 93E AAEF16A2 6 Bytes CALL F827DE50 Teefer.sys
.text tcpip.sys!IPTransmit + A35E AAEFB0C2 6 Bytes CALL F827DE50 Teefer.sys
.text tcpip.sys!IPSetIPSecStatus + 53A AAF0586C 6 Bytes CALL F827DE50 Teefer.sys
.text wanarp.sys F767E0C1 7 Bytes CALL F827DFA0 Teefer.sys
.text ntdll.dll!NtClose 77F5B5C8 5 Bytes JMP 720342BA
.text ntdll.dll!NtCreateProcess 77F5B728 5 Bytes JMP 72034445
.text ntdll.dll!NtCreateProcessEx 77F5B738 5 Bytes JMP 72034329
.text ntdll.dll!NtCreateSection 77F5B758 5 Bytes JMP 720342D8

---- User code sections - GMER 1.0.12 ----

.text H:\Program Files\MSN Messenger\msnmsgr.exe[468] kernel32.dll!SetUnhandledExceptionFilter 77E7E5A1 9 Bytes JMP 004DE392 H:\Program Files\MSN Messenger\msnmsgr.exe

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 823681D8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CREATE 8207C1D8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CLOSE 8207C1D8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_READ 820AA33C
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_WRITE 8207C1D8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_INFORMATION 8207C1D8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_INFORMATION 8207C1D8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_EA 8207C1D8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_EA 8207C1D8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FLUSH_BUFFERS 8207C1D8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_VOLUME_INFORMATION 8207C1D8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_VOLUME_INFORMATION 8207C1D8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_DIRECTORY_CONTROL 8207C1D8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FILE_SYSTEM_CONTROL 8207C1D8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_DEVICE_CONTROL 8207C1D8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SHUTDOWN 8207C1D8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_LOCK_CONTROL 8207C1D8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CLEANUP 8207C1D8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_PNP 8207C1D8
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F8707220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F8707480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F87075A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F87075D0] wpsdrvnt.sys
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_CREATE 823DD1D8
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_CLOSE 823DD1D8
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_DEVICE_CONTROL 823DD1D8
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 823DD1D8
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_POWER 823DD1D8
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_SYSTEM_CONTROL 823DD1D8
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_PNP 823DD1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CREATE 823DB1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CLOSE 823DB1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_READ 823DB1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_WRITE 823DB1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_FLUSH_BUFFERS 823DB1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_DEVICE_CONTROL 823DB1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_INTERNAL_DEVICE_CONTROL 823DB1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SHUTDOWN 823DB1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_POWER 823DB1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SYSTEM_CONTROL 823DB1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_PNP 823DB1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CREATE 823DB1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CLOSE 823DB1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_READ 823DB1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_WRITE 823DB1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_FLUSH_BUFFERS 823DB1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_DEVICE_CONTROL 823DB1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_INTERNAL_DEVICE_CONTROL 823DB1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SHUTDOWN 823DB1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_POWER 823DB1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SYSTEM_CONTROL 823DB1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_PNP 823DB1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CREATE 823DB1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CLOSE 823DB1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_READ 823DB1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_WRITE 823DB1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_FLUSH_BUFFERS 823DB1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_DEVICE_CONTROL 823DB1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_INTERNAL_DEVICE_CONTROL 823DB1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SHUTDOWN 823DB1D8
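Reading a GMER log is mostly a matter of asking who owns each hook. The script below is an added example, not part of this thread and not GMER code: it groups the SSDT hooks from the log above by the module that installed them, lists the inline JMP/CALL patches together with the module GMER attributes them to, and separates modules GMER could not open because the file was in use from modules whose file it could not find on disk. It assumes GMER's line layout exactly as printed in this log (the sample input is copied from it) and that the error text following a `?` path begins with "The", as every such line here does. The log continues in the next post; the Device section is not parsed.

```python
"""Summarise a GMER rootkit-scan log: who owns each SSDT hook, which inline
patches exist, and which modules GMER could not open.

Added example for this thread; not GMER's own code.
"""
import re

# Constructed sample: SSDT and kernel code-section lines copied from the GMER
# log posted in this thread.
SAMPLE_GMER = r"""
SSDT \??\H:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwAllocateVirtualMemory
SSDT sptd.sys ZwCreateKey
SSDT \??\H:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwCreateThread
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT \??\H:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwMapViewOfSection
SSDT sptd.sys ZwOpenKey
SSDT \??\H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\H:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwProtectVirtualMemory
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT sptd.sys ZwSetValueKey
SSDT \??\H:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwShutdownSystem
SSDT \??\H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
SSDT \??\H:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwWriteVirtualMemory
.text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [ 06 ]
? H:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F7C32A80 5 Bytes JMP 823691B8
? System32\Drivers\a1hiaqsr.SYS The system cannot find the file specified.
.text tcpip.sys!IPTransmit + 93E AAEF16A2 6 Bytes CALL F827DE50 Teefer.sys
.text tcpip.sys!IPTransmit + A35E AAEFB0C2 6 Bytes CALL F827DE50 Teefer.sys
.text tcpip.sys!IPSetIPSecStatus + 53A AAF0586C 6 Bytes CALL F827DE50 Teefer.sys
.text wanarp.sys F767E0C1 7 Bytes CALL F827DFA0 Teefer.sys
.text ntdll.dll!NtClose 77F5B5C8 5 Bytes JMP 720342BA
.text ntdll.dll!NtCreateProcess 77F5B728 5 Bytes JMP 72034445
"""

# "SSDT <owning module> <hooked service>": the module path may contain spaces,
# the service name never does, so take the last token as the function.
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>.+?)\s+(?P<function>\S+)$")
# "? <path> The ...": assumption for this example, the error text starts with "The".
UNRESOLVED_RE = re.compile(r"^\?\s+(?P<path>.+?)\s+(?P<message>The\b.+)$")
# ".text <target> <addr> <n> Bytes JMP|CALL <dest> [<module>]"; byte-patch lines
# such as "1 Byte [ 06 ]" carry no JMP/CALL and are left out on purpose.
INLINE_RE = re.compile(
    r"^\.text\s+(?P<target>.+?)\s+[0-9A-F]{8}\s+\d+ Bytes\s+"
    r"(?P<kind>JMP|CALL)\s+(?P<dest>[0-9A-F]{8})(?:\s+(?P<module>\S+))?$"
)


def module_name(path):
    """Lower-cased file name from a driver path as GMER prints it."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ssdt_hooks_by_module(log_text):
    """Group hooked system services by the module that owns the hook."""
    hooks = {}
    for line in log_text.splitlines():
        m = SSDT_RE.match(line.strip())
        if m:
            hooks.setdefault(module_name(m.group("module")), []).append(m.group("function"))
    return {mod: sorted(funcs) for mod, funcs in hooks.items()}


def inline_hooks(log_text):
    """Inline patches as (target, kind, destination, owning module or None)."""
    found = []
    for line in log_text.splitlines():
        m = INLINE_RE.match(line.strip())
        if m:
            mod = m.group("module")
            found.append((m.group("target"), m.group("kind"), m.group("dest"),
                          module_name(mod) if mod else None))
    return found


def unresolved_modules(log_text):
    """Modules GMER could not open, as (path, error text) pairs."""
    matches = (UNRESOLVED_RE.match(line.strip()) for line in log_text.splitlines())
    return [(m.group("path"), m.group("message")) for m in matches if m]


def missing_files(log_text):
    """Registered modules whose file GMER could not find on disk at all."""
    return [path for path, msg in unresolved_modules(log_text) if "cannot find" in msg.lower()]


def report(log_text):
    """One line per finding, grouped so the owner of each hook is obvious."""
    out = []
    for mod, funcs in sorted(ssdt_hooks_by_module(log_text).items()):
        out.append("SSDT hooks owned by %s: %s" % (mod, ", ".join(funcs)))
    for target, kind, dest, mod in inline_hooks(log_text):
        out.append("inline %s in %s -> %s (%s)" % (kind, target, dest, mod or "unattributed"))
    for path in missing_files(log_text):
        out.append("driver registered but file not found: %s" % path)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_GMER))
```

The grouping does not decide whether a hook is benign; that judgement comes from matching each owning file against the products the HijackThis O23 section shows installed (guard.sys, for instance, sits in the AVG Anti-Spyware folder, and the O23 list names the Sygate and AVG services). Two lines deserve the first question: an inline JMP with no attributed module, and a registered driver whose file cannot be found, as with a1hiaqsr.SYS here, since a legitimately installed driver normally has a file to open.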

hemlock00
2007-04-13, 18:42
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_POWER 823DB1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SYSTEM_CONTROL 823DB1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_PNP 823DB1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CREATE 823DB1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CLOSE 823DB1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_READ 823DB1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_WRITE 823DB1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_FLUSH_BUFFERS 823DB1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_DEVICE_CONTROL 823DB1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_INTERNAL_DEVICE_CONTROL 823DB1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SHUTDOWN 823DB1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_POWER 823DB1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SYSTEM_CONTROL 823DB1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_PNP 823DB1D8
Device \Driver\usbohci \Device\USBPDO-1 IRP_MJ_CREATE 823DD1D8
Device \Driver\usbohci \Device\USBPDO-1 IRP_MJ_CLOSE 823DD1D8
Device \Driver\usbohci \Device\USBPDO-1 IRP_MJ_DEVICE_CONTROL 823DD1D8
Device \Driver\usbohci \Device\USBPDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL 823DD1D8
Device \Driver\usbohci \Device\USBPDO-1 IRP_MJ_POWER 823DD1D8
Device \Driver\usbohci \Device\USBPDO-1 IRP_MJ_SYSTEM_CONTROL 823DD1D8
Device \Driver\usbohci \Device\USBPDO-1 IRP_MJ_PNP 823DD1D8
Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_CREATE 82072310
Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_CLOSE 82072310
Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_DEVICE_CONTROL 82072310
Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_INTERNAL_DEVICE_CONTROL 82072310
Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_POWER 82072310
Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_SYSTEM_CONTROL 82072310
Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_PNP 82072310
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F8707220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F8707480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F87075A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F87075D0] wpsdrvnt.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_PNP 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_READ 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_WRITE 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_FLUSH_BUFFERS 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DEVICE_CONTROL 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_INTERNAL_DEVICE_CONTROL 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SHUTDOWN 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CLEANUP 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_POWER 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SYSTEM_CONTROL 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_PNP 8236B1D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_NAMED_PIPE 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_INFORMATION 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_INFORMATION 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_EA 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_EA 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_VOLUME_INFORMATION 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_VOLUME_INFORMATION 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DIRECTORY_CONTROL 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FILE_SYSTEM_CONTROL 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_LOCK_CONTROL 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLEANUP 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_MAILSLOT 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_SECURITY 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_SECURITY 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CHANGE 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_QUOTA 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_QUOTA 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 81F4B420
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 81E81BA4
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CREATE 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_READ 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_WRITE 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_FLUSH_BUFFERS 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_DEVICE_CONTROL 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_INTERNAL_DEVICE_CONTROL 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SHUTDOWN 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CLEANUP 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_POWER 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SYSTEM_CONTROL 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_PNP 8236B1D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_NAMED_PIPE 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_INFORMATION 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_INFORMATION 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_EA 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_EA 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_VOLUME_INFORMATION 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_VOLUME_INFORMATION 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DIRECTORY_CONTROL 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FILE_SYSTEM_CONTROL 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_LOCK_CONTROL 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLEANUP 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_MAILSLOT 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_SECURITY 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_SECURITY 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CHANGE 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_QUOTA 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_QUOTA 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 81F4B420
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_CREATE 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_CREATE_NAMED_PIPE 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_CLOSE 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_READ 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_WRITE 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_QUERY_INFORMATION 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_SET_INFORMATION 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_QUERY_EA 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_SET_EA 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_FLUSH_BUFFERS 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_QUERY_VOLUME_INFORMATION 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_SET_VOLUME_INFORMATION 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_DIRECTORY_CONTROL 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_FILE_SYSTEM_CONTROL 81EB1D20

Shaba
2007-04-13, 18:45
Hi

You can also upload it to eg. Rapidshare (http://www.rapidshare.com) if you like and post a link here :)

hemlock00
2007-04-13, 18:48
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_DEVICE_CONTROL 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_INTERNAL_DEVICE_CONTROL 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_SHUTDOWN 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_LOCK_CONTROL 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_CLEANUP 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_CREATE_MAILSLOT 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_QUERY_SECURITY 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_SET_SECURITY 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_POWER 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_SYSTEM_CONTROL 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_DEVICE_CHANGE 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_QUERY_QUOTA 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_SET_QUOTA 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_PNP 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_NAMED_PIPE 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLOSE 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_READ 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_WRITE 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_INFORMATION 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_INFORMATION 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_EA 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_EA 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FLUSH_BUFFERS 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_VOLUME_INFORMATION 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_VOLUME_INFORMATION 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DIRECTORY_CONTROL 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FILE_SYSTEM_CONTROL 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CONTROL 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SHUTDOWN 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_LOCK_CONTROL 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLEANUP 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_MAILSLOT 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_SECURITY 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_SECURITY 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_POWER 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SYSTEM_CONTROL 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CHANGE 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_QUOTA 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_QUOTA 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_PNP 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CREATE 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CREATE_NAMED_PIPE 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CLOSE 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_READ 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_WRITE 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_INFORMATION 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_INFORMATION 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_EA 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_EA 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_FLUSH_BUFFERS 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_VOLUME_INFORMATION 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_VOLUME_INFORMATION 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_DIRECTORY_CONTROL 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_FILE_SYSTEM_CONTROL 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_DEVICE_CONTROL 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_INTERNAL_DEVICE_CONTROL 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SHUTDOWN 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_LOCK_CONTROL 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CLEANUP 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CREATE_MAILSLOT 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_SECURITY 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_SECURITY 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_POWER 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SYSTEM_CONTROL 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_DEVICE_CHANGE 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_QUOTA 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_QUOTA 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_PNP 81EB1D20

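As an added illustration of how to read the Device section of the GMER log above (example code written for this page; it is not GMER's code and not something either poster ran): each Device line gives a driver, one of its device objects, an IRP major function, and the address that the driver's dispatch entry for that function points to. The script groups the lines by driver and reports entries whose address disagrees with the rest of that driver's entries, which is how a rootkit that hooks individual IRP handlers shows up. The sample input copies six lines from the log and adds one constructed line with an arbitrary address (F8A41C30) to produce a hit; the regular expression assumes the line layout exactly as pasted in this thread.

```python
"""Consistency check over the "Device" lines of a GMER log.

Added example for this thread; not GMER's code. Each "Device" line names a
driver, one of its device objects, an IRP major function and the address the
driver's dispatch entry for that function points to. In the log above every
entry of a driver shares one address (Cdrom 81F4B420, Ftdisk 8236B1D8,
atapi 81EB1D20). A rootkit that patches selected entries of one driver
(IRP_MJ_DEVICE_CONTROL, IRP_MJ_READ, ...) to point into its own code breaks
that pattern, so entries are grouped per driver and the ones that disagree
with the majority are reported.
"""
import re
from collections import Counter, defaultdict

# Line format as pasted above (XP, 32-bit addresses); 64-bit logs show 16 hex digits.
DEVICE_LINE = re.compile(
    r"^Device\s+(?P<driver>\\\S+)\s+(?P<device>\\\S+)\s+"
    r"(?P<irp>IRP_MJ_\w+)\s+(?P<addr>[0-9A-Fa-f]{8,16})\s*$"
)

# Constructed sample input: the first six lines are copied from the log above,
# the last line is INVENTED to show what one patched entry looks like (the
# address F8A41C30 is arbitrary and does not appear in the real log).
SAMPLE_LOG = r"""
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 81F4B420
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 81E81BA4
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CREATE 8236B1D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_READ 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_WRITE 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CONTROL F8A41C30
"""


def parse_device_lines(text):
    """Return (driver, device, irp, address) tuples; other log lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = DEVICE_LINE.match(line.strip())
        if m:
            entries.append((m["driver"], m["device"], m["irp"], int(m["addr"], 16)))
    return entries


def find_outliers(entries):
    """Entries whose address differs from the one most entries of the same driver use.

    Returns (driver, device, irp, address, majority_address) tuples. A driver
    with a single address, or with an even split, cannot be judged this way.
    """
    by_driver = defaultdict(list)
    for entry in entries:
        by_driver[entry[0]].append(entry)

    flagged = []
    for group in by_driver.values():
        counts = Counter(addr for _, _, _, addr in group).most_common()
        if len(counts) < 2:
            continue  # one address only: nothing disagrees (hooked or not)
        if counts[0][1] == counts[1][1]:
            continue  # tie: no majority to compare against, report nothing
        majority = counts[0][0]
        flagged.extend(
            (drv, device, irp, addr, majority)
            for drv, device, irp, addr in group
            if addr != majority
        )
    return flagged


def report(text):
    """Human-readable summary of the check, one line per outlier."""
    lines = []
    for driver, device, irp, addr, majority in find_outliers(parse_device_lines(text)):
        lines.append(f"{driver} {device} {irp} -> {addr:08X} (other entries: {majority:08X})")
    return lines or ["no disagreeing dispatch entries"]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

In the log as posted, every driver's entries share one address, which is consistent with the "gmer log is ok" verdict later in the thread. Agreement is not proof of a clean dispatch table: a rootkit that replaces all of a driver's entries, or the driver object itself, wins the majority vote, and this script has no module map, so it cannot tell whether an address falls inside the legitimate driver image. A scanner such as GMER does that comparison against loaded modules, which is why the helper reads GMER's own output rather than relying on a check like this one.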
hemlock00
2007-04-13, 18:50
Hi

You can also upload it to eg. Rapidshare (http://www.rapidshare.com) if you like and post a link here :)

Oh sure. I couldn't paste it correctly anyway. 20,000 characters is too hard to copy and paste.

http://rapidshare.com/files/25809249/gmer.txt.html

here is the link.

hemlock00
2007-04-13, 18:51
And a new HJT log. I feel like I'm a spammer. :)

Logfile of HijackThis v1.99.1
Scan saved at 19:34:11, on 13/04/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\System32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Sygate\SPF\smc.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
H:\WINDOWS\runservice.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\WINDOWS\System32\ctfmon.exe
H:\Program Files\MSN Messenger\msnmsgr.exe
H:\Program Files\uTorrent\utorrent.exe
H:\PROGRA~1\FREEDO~1\fdm.exe
H:\WINDOWS\System32\taskmgr.exe
H:\WINDOWS\system32\notepad.exe
F:\hijackthis\ogan.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - H:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Stumble&Upon - {22D003CE-6952-46C5-80B9-D19B479620AB} - H:\WINDOWS\System32\s1939.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O8 - Extra context menu item: Download selected with Free Download Manager - file://H:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://H:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon: &Blog This - res://H:\WINDOWS\System32\s1939.dll/blogimage
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{41C6D82A-159E-4006-8ED5-DA50DE458B80}: NameServer = 192.168.0.1
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - Unknown owner - H:\WINDOWS\ATKKBService.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - H:\Program Files\Sygate\SPF\smc.exe

Shaba
2007-04-13, 19:13
Hi

That gmer log is ok.

Any other problems? :)

hemlock00
2007-04-13, 20:02
It seems fine. Again, very big thanks, Shaba.

Shaba
2007-04-13, 20:08
Hi

Then you're clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software is a program that detects, cleanses, and erases harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download free anti-virus software from one of these excellent vendors NOW:

1) Antivir PersonalEdition Classic (http://www.free-av.com/)- Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html) - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition (http://free.grisoft.com/doc/1) - Free edition of the AVG anti-virus program for Windows.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and reenable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with instructions from the tutorial above.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topic405.html)


Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software, it will not be able to catch any of the new variants that may come out.


Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls (http://www.bleepingcomputer.com/tutorials/tutorial60.html)


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure that your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer (http://www.bleepingcomputer.com/forums/?showtutorial=48)


Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option.

This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software. A tutorial on installing & using this product can be found here:

Instructions for - Spybot S & D and Ad-aware (http://www.bleepingcomputer.com/forums/?showtutorial=43)


Install SpywareBlaster - SpywareBlaster adds a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

IE/Spyad (http://www.spywarewarrior.com/uiuc/resource.htm) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Google Toolbar (http://toolbar.google.com/) <= Get the free google toolbar to help stop pop up windows.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)

Happy surfing and stay clean!
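
The six Custom Level changes listed in the post above can also be audited and applied without clicking through the dialog. This is an added example written for this page, not part of Shaba's post: it assumes the standard registry layout in which the Internet zone's Custom Level settings are DWORD values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, named by action ID (1001, 1004, 1201, 1800, 1804 and 1607 for the six settings listed), with 0 = Enable, 1 = Prompt and 3 = Disable. The snapshot dictionary is constructed for the demonstration and was not read from the poster's machine.

```python
"""Audit and apply the Internet-zone settings recommended above.

Added example for this thread, not from the original post. The six Custom
Level settings are stored as DWORD values under
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
(zone 3 is the Internet zone), named by the action IDs below; the stored
values are 0 = Enable, 1 = Prompt, 3 = Disable. The audit is a pure function
over a dict so it runs anywhere; reading or writing the live registry needs
Windows and the winreg module.
"""
import sys

ENABLE, PROMPT, DISABLE = 0, 1, 3
ZONE3 = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# action ID -> (name as shown in the Custom Level dialog, recommended value)
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}


def audit(current):
    """current maps action ID -> stored value (None if the value is absent).

    Returns (action, name, have, want) for every setting that is absent or
    more permissive than recommended; a lower value is more permissive.
    An absent value means IE falls back to the zone template default, which
    cannot be confirmed from here, so it is reported for manual checking.
    """
    findings = []
    for action, (name, want) in RECOMMENDED.items():
        have = current.get(action)
        if have is None or have < want:
            findings.append((action, name, have, want))
    return findings


def read_zone3():
    """Read the six values from HKCU on Windows; absent values come back as None."""
    import winreg  # only importable on Windows
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE3) as key:
        for action in RECOMMENDED:
            try:
                values[action], _ = winreg.QueryValueEx(key, action)
            except FileNotFoundError:
                values[action] = None
    return values


def apply_recommended():
    """Write the recommended values to HKCU (what the dialog clicks above do)."""
    import winreg  # only importable on Windows
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE3, 0, winreg.KEY_SET_VALUE) as key:
        for action, (_, want) in RECOMMENDED.items():
            winreg.SetValueEx(key, action, 0, winreg.REG_DWORD, want)


# Constructed snapshot standing in for a registry read; not from the poster's machine.
SAMPLE_SNAPSHOT = {"1001": 0, "1004": 3, "1201": 3, "1800": 1, "1804": 0, "1607": None}

if __name__ == "__main__":
    current = read_zone3() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for action, name, have, want in audit(current):
        print(f"{action} {name}: have {have}, want {want}")
```

Run it on the affected machine as the user whose profile is being hardened, since the dialog writes per-user values. One caveat: if a DWORD named Security_HKLM_only is set to 1 under HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings, IE takes its zone settings from HKLM instead, and an audit of HKCU says nothing about what the browser actually enforces; check that value first.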

Shaba
2007-04-15, 11:24
Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.