My PC shows signs of being a "zombie"



eapers
2007-04-15, 11:50
About five minutes after startup, my Avast! email scanner starts picking up hundreds of outgoing emails from many (and to many) addresses. Additionally, Avast periodically mentions that it's found a number of infected files. I believe I've followed the sticky protocol correctly until this point, so here is my HJT log. Help will be deeply appreciated:

Logfile of HijackThis v1.99.1
Scan saved at 1:46:13 PM, on 4/14/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\windows\system32\drivers\uzcx.exe
C:\WINDOWS\system32\v7.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Documents and Settings\Eric\ie_updater.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\update83647438.exe
C:\Documents and Settings\Eric\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo 960] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P22 "EPSON Stylus Photo 960" /O5 "LPT1:" /M "Stylus Photo 960"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [iut75] c:\windows\system32\drivers\uzcx.exe
O4 - HKLM\..\Run: [VaCtrls] v7
O4 - HKCU\..\Run: [EPSON Stylus Photo 960] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\system32\E_S2.tmp"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\mfpqhnoht.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mfpqhnoht.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mfpqhnoht.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mfpqhnoht.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mfpqhnoht.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mfpqhnoht.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mfpqhnoht.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mfpqhnoht.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mfpqhnoht.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mfpqhnoht.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mfpqhnoht.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mfpqhnoht.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mfpqhnoht.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mfpqhnoht.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ieupdater2 (Microsoft IEUpdater2) - Unknown owner - C:\Documents and Settings\Eric\ie_updater.exe
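
A small triage pass over the HJT log format, added here by the editor (it is not part of the thread and not HijackThis's own logic): it flags the entry types that make this log suspicious, namely an unknown Winsock LSP DLL repeated through the chain, Run entries that are bare names or start from the drivers directory, a Winlogon Notify DLL outside system32, and a service running from a user profile. The sample lines are copied from the log above; the heuristics are assumptions, a starting point for review rather than a verdict.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of the O4/O10/O20/O23 lines from the HJT log above.
SAMPLE_HJT = [
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r"O4 - HKLM\..\Run: [iut75] c:\windows\system32\drivers\uzcx.exe",
    r"O4 - HKLM\..\Run: [VaCtrls] v7",
    r"O10 - Unknown file in Winsock LSP: c:\windows\system32\mfpqhnoht.dll",
    r"O10 - Unknown file in Winsock LSP: c:\windows\system32\mfpqhnoht.dll",
    r"O10 - Unknown file in Winsock LSP: c:\windows\system32\mfpqhnoht.dll",
    r"O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll",
    r"O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
    r"O23 - Service: ieupdater2 (Microsoft IEUpdater2) - Unknown owner - C:\Documents and Settings\Eric\ie_updater.exe",
]

@dataclass(frozen=True)
class Finding:
    section: str  # HJT section id, e.g. "O4"
    reason: str   # why the entry deserves a second look
    detail: str   # the path or name involved

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O10_RE = re.compile(r"^Unknown file in Winsock LSP: (.*)$")
O20_RE = re.compile(r"^Winlogon Notify: (\S+) - (.*)$")
O23_RE = re.compile(r"^Service: (.*?) - (.*?) - (.*)$")
PROFILE_RE = re.compile(r"^[a-z]:\\documents and settings\\")
PROFILE_ROOT_RE = re.compile(r"^[a-z]:\\documents and settings\\[^\\]+\\[^\\]+$")  # file right in a profile root
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$")

def command_path(command: str) -> str:
    """Executable part of an O4 command: the quoted path, or everything up to the first .exe-like extension."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.search(r"\.(exe|com|bat|cmd|scr|pif)\b", command, re.IGNORECASE)
    return command[:m.end()] if m else command.split(" ")[0]

def check_o4(body: str) -> List[Finding]:
    m = O4_RE.match(body)
    if not m:
        return []  # Global Startup and other O4 variants are not handled here
    name, command = m.groups()
    path = command_path(command)
    low = path.lower()
    if "\\" not in low:
        return [Finding("O4", "bare name resolved by PATH search; confirm which file actually runs", f"[{name}] {path}")]
    if "\\drivers\\" in low and low.endswith(".exe"):
        return [Finding("O4", "executable launched from the drivers directory", path)]
    if PROFILE_ROOT_RE.match(low) or "\\temp\\" in low:
        return [Finding("O4", "autorun from a profile root or Temp directory", path)]
    return []

def check_o10(bodies: List[str]) -> List[Finding]:
    """One finding per unknown LSP DLL, counting the chain entries it occupies."""
    counts: Counter = Counter()
    for body in bodies:
        m = O10_RE.match(body)
        if m:
            counts[m.group(1).strip().lower()] += 1
    return [Finding("O10", f"unknown Winsock LSP DLL in {n} chain entries; remove with an LSP-aware tool so the chain is rebuilt", dll)
            for dll, n in counts.items()]

def check_o20(body: str) -> List[Finding]:
    m = O20_RE.match(body)
    if m and not SYSTEM32_RE.match(m.group(2).strip().lower()):
        return [Finding("O20", "Winlogon Notify DLL outside system32", m.group(2).strip())]
    return []

def check_o23(body: str) -> List[Finding]:
    m = O23_RE.match(body)
    if m:
        path = m.group(3).strip().strip('"')
        if PROFILE_RE.match(path.lower()):
            return [Finding("O23", f"service '{m.group(1)}' runs from a user profile", path)]
    return []

def triage(lines: List[str]) -> List[Finding]:
    """Run the per-section checks; O10 lines are collected and judged together."""
    findings: List[Finding] = []
    o10_bodies: List[str] = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O4":
            findings += check_o4(body)
        elif section == "O10":
            o10_bodies.append(body)
        elif section == "O20":
            findings += check_o20(body)
        elif section == "O23":
            findings += check_o23(body)
    return findings + check_o10(o10_bodies)
```

Running `triage(SAMPLE_HJT)` yields six findings; the three O10 lines collapse into one finding that records the chain depth, which is why the DLL has to be removed with a tool that rewrites the LSP catalog rather than by deleting the file.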

Rawe
2007-04-15, 15:23
Hello and welcome aboard :)

Nicely infected, let's get started.

Please print these instructions out, or save them to a notepad file, as you can't read them during the fix.

A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it:
Please download LSPFix from here (http://www.cexx.org/LSPFix.exe).
Run the LSPFix.exe that you have just finished downloading.
Check the "I know what I'm doing" box.
In the Keep box you should see one or more instances of mfpqhnoht.dll
Select every instance of mfpqhnoht.dll and move each one to the Remove box by clicking the >> button.
When you are done, click Finish >>.

======

Please download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your desktop.

Double-click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
5) Choose your usual account.
Open the extracted SDFix folder and double-click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to reboot.
Press any key and it will restart the PC.
When the PC reboots the tool will run again and complete the removal process -- when it displays Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Please post back with the results in your next reply.


=======

Finally...

Please download Combofix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your desktop:
Double-click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply along with the SDFix results.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

eapers
2007-04-16, 00:17
Here's the SDFix log:

SDFix: Version 1.78

Run by Eric - Sun 04/15/2007 - 2:00:27.95

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\Eric\Desktop\SDFix

Safe Mode:
Checking Services:

Name:
Microsoft IEUpdater2
ntldr.sys
wincom32

ImagePath:
C:\Documents and Settings\Eric\ie_updater.exe /start
\??\C:\ntldr.sys
\??\C:\WINDOWS\system32\wincom32.sys

Microsoft IEUpdater2 - Deleted
ntldr.sys - Deleted
wincom32 - Deleted

Killing PID 212 'smss.exe'
Killing PID 284 'winlogon.exe'
Killing PID 284 'winlogon.exe'
Killing PID 284 'winlogon.exe'
("Killing PID 284 'winlogon.exe'" repeats here for hundreds of lines)

ndis.sys Infected!

Patched File copied to Backups Folder
Attempting to replace ndis.sys with original version...

Original ndis.sys Restored


Restoring Windows Registry Values
Restoring Windows Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\CP1041.NLS - Deleted
C:\Documents and Settings\All Users\Documents\Settings\partnership.dll - Deleted
C:\Documents and Settings\Eric\Local Settings\Temp\1.dllb - Deleted
C:\Documents and Settings\Eric\Local Settings\Temp\2.dllb - Deleted
C:\Documents and Settings\Eric\Local Settings\Temp\5.dllb - Deleted
C:\Documents and Settings\Eric\Local Settings\Temp\6.dllb - Deleted
C:\Documents and Settings\Eric\Local Settings\Temp\7.dllb - Deleted
C:\WINDOWS\system32\3ti.exe.exe - Deleted
C:\WINDOWS\system32\pdp.exe.exe - Deleted
C:\Documents and Settings\Eric\ie_updater.exe - Deleted
C:\DOCUME~1\Eric\LOCALS~1\Temp\abc3000def.exe - Deleted
C:\DOCUME~1\Eric\LOCALS~1\Temp\hd43B.tmp - Deleted
C:\U.exe - Deleted
C:\WINDOWS\system32\dlh9jkd1q2.exe - Deleted
C:\WINDOWS\system32\dlh9jkd1q5.exe - Deleted
C:\WINDOWS\system32\dlh9jkd1q6.exe - Deleted
C:\WINDOWS\system32\dlh9jkd1q7.exe - Deleted
C:\WINDOWS\system32\dlh9jkd1q8.exe - Deleted
C:\WINDOWS\system32\RunOnce2.t__ - Deleted
C:\WINDOWS\system32\RunOnce2.tm_ - Deleted
C:\WINDOWS\system32\svcp.csv - Deleted
C:\WINDOWS\system32\v7.exe - Deleted
C:\WINDOWS\system32\vexga1me4t1.exe - Deleted
C:\WINDOWS\system32\vexga3me2.exe - Deleted
C:\WINDOWS\system32\vexga4me1.exe - Deleted
C:\WINDOWS\system32\vexga5me3.exe - Deleted
C:\WINDOWS\system32\wincom32.sys - Deleted
C:\WINDOWS\system32\winsub.xml - Deleted
C:\WINDOWS\xpupdate.exe - Deleted



Removing Temp Files

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------




Remaining Files:
---------------

Backups Folder: - C:\DOCUME~1\Eric\Desktop\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe

Finished

eapers
2007-04-16, 00:19
...And this is the Combofix log (sorry for the stretching):

"Eric" - 07-04-15 2:10:44 Service Pack 2, v.2096
ComboFix 07-04-05.Rev3 - Running from: "C:\Documents and Settings\Eric\Desktop"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\kernels32.exe
C:\WINDOWS\system32\vexg4am1et2.exe
C:\WINDOWS\system32\vexg6ame4.exe
C:\WINDOWS\updater.exe
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Program Files\bravesentry\BraveSentry.exe
C:\Program Files\bravesentry\BraveSentry.lic
C:\Program Files\bravesentry\BraveSentry0.bs
C:\Program Files\bravesentry\BraveSentry0.dll
C:\Program Files\bravesentry\BraveSentry1.bs
C:\Program Files\bravesentry\BraveSentry1.dll
C:\Program Files\bravesentry\BraveSentry2.dll
C:\Program Files\bravesentry\BraveSentry3.dll
C:\Program Files\bravesentry\Uninstall.exe
C:\Program Files\ipwindows\ipwins.dll
C:\Program Files\ipwindows\ipwins.exe
C:\Program Files\ipwindows\UnInstall.exe
C:\WINDOWS\system32\vx.tll
C:\WINDOWS\system32\config\system~1\applic~1\install.dat
C:\WINDOWS\system32\mfpqhnoht.dll
C:\WINDOWS\system32\qlzybaiog.dll
C:\Documents and Settings\All Users.\documents\settings
C:\Program Files\bravesentry
C:\Program Files\inetget2
C:\Program Files\ipwindows
C:\WINDOWS\system32\kdtvt.exe


((((((((((((((((((((((((((((((( Files Created from 2007-03-15 to 2007-04-15 ))))))))))))))))))))))))))))))))))


2007-04-14 14:23 24,064 --a------ C:\WINDOWS\system32\update38108312.exe
2007-04-14 14:23 14,336 --a------ C:\WINDOWS\system32\update02861444.exe
2007-04-14 14:12 24,064 --a------ C:\WINDOWS\system32\update04245256.exe
2007-04-14 14:11 139,008 --a------ C:\WINDOWS\system32\windev-45ed-4750.sys
2007-04-14 14:10 52,736 --a------ C:\DOCUME~1\Eric\protectwin.exe
2007-04-14 14:09 196,073 --a------ C:\DOCUME~1\Eric\moviesdvds1176.exe
2007-04-14 14:09 <DIR> d-------- C:\Program Files\MovieBox
2007-04-14 14:08 13,411 --a------ C:\WINDOWS\adv.194.exe
2007-04-14 14:07 39,225 --a------ C:\WINDOWS\system32\update72513345.exe
2007-04-14 14:06 24,064 --a------ C:\WINDOWS\system32\update45864519.exe
2007-04-14 14:06 14,336 --a------ C:\WINDOWS\system32\update23209606.exe
2007-04-14 13:56 39,225 --a------ C:\WINDOWS\system32\update58956977.exe
2007-04-14 13:50 39,225 --a------ C:\WINDOWS\system32\update03953493.exe
2007-04-14 13:50 14,336 --a------ C:\WINDOWS\system32\update95342169.exe
2007-04-14 13:45 52,736 --a------ C:\WINDOWS\system32\update83647438.exe
2007-04-14 13:45 14,336 --a------ C:\WINDOWS\system32\update79488011.exe
2007-04-14 00:58 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-04-14 00:49 39,225 --a------ C:\WINDOWS\system32\update62074855.exe
2007-04-14 00:49 14,336 --a------ C:\WINDOWS\system32\update06281259.exe
2007-04-13 12:33 24,064 --a------ C:\WINDOWS\system32\update04080293.exe
2007-04-13 10:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-13 10:03 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-04-13 09:46 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-13 09:46 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-13 09:46 <DIR> d-------- C:\DOCUME~1\Eric\APPLIC~1\Lavasoft
2007-04-13 05:16 445,440 --a------ C:\wmplayer.dll
2007-04-13 05:16 235,008 --a------ C:\WINDOWS\system32\update08719418.exe
2007-04-13 05:16 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-04-13 05:15 107,012 --a------ C:\WINDOWS\system32\update68731342.exe
2007-04-13 00:51 <DIR> d-------- C:\DOCUME~1\Eric\.housecall6.6
2007-04-12 15:12 13,824 --a------ C:\WINDOWS\system32\drivers\uzcx.exe
2007-04-12 15:12 11,264 --a------ C:\WINDOWS\abc1006def.exe
2007-04-07 04:56 <DIR> d-------- C:\Program Files\FirstClass
2007-04-07 04:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FirstClass
2007-03-15 09:08 101,438 --a------ C:\WINDOWS\b122.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-13 11:05 -------- d-------- C:\Program Files\seekmo programs
2007-04-07 04:56 -------- d--h----- C:\Program Files\installshield installation information
2007-02-24 14:10 -------- d-------- C:\Program Files\java


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"EPSON Stylus Photo 960"="C:\\WINDOWS\\system32\\spool\\DRIVERS\\W32X86\\3\\E_S10IC2.EXE /A \"C:\\WINDOWS\\system32\\E_S2.tmp\""
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_9 -reboot 1"
"IpWins"="C:\\Program Files\\Ipwindows\\ipwins.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"EPSON Stylus Photo 960"="C:\\WINDOWS\\system32\\spool\\DRIVERS\\W32X86\\3\\E_S10IC2.EXE /P22 \"EPSON Stylus Photo 960\" /O5 \"LPT1:\" /M \"Stylus Photo 960\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SoundMan"="SOUNDMAN.EXE"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"iut75"="c:\\windows\\system32\\drivers\\uzcx.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

HKLM\SYSTEM\CurrentControlSet\Services\winmgmt45ed-4750

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
EPSON Stylus Photo 960 = C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\system32\E_S2.tmp"??????w???w???????????w???????w????H???????????????????????????????????????????????|????????????$?w???w???????w???w?????y?wH????????????????eU?)??w????\??????????????????
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
EPSON Stylus Photo 960 = C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\system32\E_S2.tmp"??????w???w???????????w???????w????H???????????????????????????????????????????????|????????????$?w???w???????w???w?????y?wH????????????????eU?)??w????\??????????????????

scanning hidden files ...

C:\WINDOWS\system32\windev-45ed-4750.sys 139264 bytes
C:\WINDOWS\system32\windev-peers.ini 16384 bytes

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 2

********************************************************************

Completion time: 07-04-15 2:13:28
C:\ComboFix-quarantined-files.txt ... 07-04-15 02:13

Rawe
2007-04-16, 11:36
Hi, let's continue :)

You can go ahead and delete SDFix; we might still need ComboFix though.

Please download AVG Anti-Spyware (http://www.ewido.net/en/download/) and save that file to your desktop.
This is a 30 day trial of the program
Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the setup program.
Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
If you aren't able to finish the update within AVG Anti-Spyware for one reason or another, you can install the manual updates here (http://www.ewido.net/en/download/updates/).

Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Un-select "Only if threats were found"

Close AVG Anti-Spyware, DO NOT run a scan just yet, we will shortly.

==

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will be prompted, then select "Apply all actions".
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left-hand corner of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close AVG Anti-Spyware and reboot your system back into Normal Mode.

==

Please download GMER (http://www.majorgeeks.com/GMER_d5198.html):
Unzip it and double-click GMER.exe
Click the rootkit-tab and click scan.
Once done, click Copy.
This will copy the results to clipboard.
Paste the results in your next reply, along with the AVG Anti-Spyware results. :bigthumb:

eapers
2007-04-17, 02:41
AVG Scan log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:30:16 AM 4/16/2007

+ Scan result:



C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0030485.exe -> Adware.Agent : Cleaned with backup (quarantined).
C:\WINDOWS\system32\update08719418.exe -> Adware.BHO : Cleaned with backup (quarantined).
C:\wmplayer.dll -> Adware.BHO : Cleaned with backup (quarantined).
HKU\S-1-5-21-448539723-920026266-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38} -> Adware.Generic : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\Program Files\BraveSentry\BraveSentry0.bs.vir -> Adware.MrAntispy : Cleaned with backup (quarantined).
C:\WINDOWS\b122.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\Program Files\BraveSentry\BraveSentry.exe.vir -> Adware.SpySheriff : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033643.exe -> Adware.SpySheriff : Cleaned with backup (quarantined).
C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/vexga5me3.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\WINDOWS\updater.exe.vir -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0032553.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033584.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033606.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033642.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/1.dllb -> Downloader.Small : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\WINDOWS\system32\vexg6ame4.exe.vir -> Downloader.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0031543.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033641.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\update02861444.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\update06281259.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\update23209606.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\update79488011.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\update95342169.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/vexga3me2.exe -> Downloader.Small.eip : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033582.exe -> Downloader.Small.eip : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033604.exe -> Downloader.Small.eip : Cleaned with backup (quarantined).
C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/wincom32.sys -> Dropper.Agent.bbv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033585.sys -> Dropper.Agent.bbv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033607.sys -> Dropper.Agent.bbv : Cleaned with backup (quarantined).
C:\WINDOWS\system32\update68731342.exe -> Dropper.Agent.bfz : Cleaned with backup (quarantined).
C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/v7.exe -> Hijacker.Agent.jb : Cleaned with backup (quarantined).
C:\Documents and Settings\Eric\Local Settings\Temp\abc1006def.exe -> Hijacker.Agent.jb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP223\A0027421.exe -> Hijacker.Agent.jb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP223\A0027442.exe -> Hijacker.Agent.jb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033580.exe -> Hijacker.Agent.jb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033602.exe -> Hijacker.Agent.jb : Cleaned with backup (quarantined).
C:\WINDOWS\abc1006def.exe -> Hijacker.Agent.jb : Cleaned with backup (quarantined).
C:\WINDOWS\system32\v7.exe -> Hijacker.Agent.jb : Cleaned with backup (quarantined).
C:\Documents and Settings\Eric\protectwin.exe -> Not-A-Virus.Hoax.Win32.Renos.hn : Cleaned with backup (quarantined).
C:\WINDOWS\system32\update83647438.exe -> Not-A-Virus.Hoax.Win32.Renos.hn : Cleaned with backup (quarantined).
C:\WINDOWS\system32\windev-45ed-4750.sys -> Not-A-Virus.SpamTool.Win32.Agent.af : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0031527.exe -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0032550.exe -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0032555.exe -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\WINDOWS\system32\update03953493.exe -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\WINDOWS\system32\update58956977.exe -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\WINDOWS\system32\update62074855.exe -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\WINDOWS\system32\update72513345.exe -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/vexga4me1.exe -> Proxy.Xorpix.ar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0032548.exe -> Proxy.Xorpix.ar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033583.exe -> Proxy.Xorpix.ar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033605.exe -> Proxy.Xorpix.ar : Cleaned with backup (quarantined).
C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/partnership.dll -> Proxy.Xorpix.bc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033599.dll -> Proxy.Xorpix.bc : Cleaned with backup (quarantined).
C:\Documents and Settings\Eric\Cookies\eric@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Eric\Cookies\eric@www.abcsearch[1].txt -> TrackingCookie.Abcsearch : Cleaned.
C:\Documents and Settings\Eric\Cookies\eric@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0031544.exe -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0032554.exe -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\update04080293.exe -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\update04245256.exe -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\update38108312.exe -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\update45864519.exe -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0031506.exe -> Trojan.Agent.bou : Cleaned with backup (quarantined).
C:\Documents and Settings\Eric\Local Settings\Temporary Internet Files\Content.IE5\FZXZN14G\QMtsfzH_Pinch[1].exe -> Trojan.LdPinch.btv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0034661.exe -> Trojan.LdPinch.btv : Cleaned with backup (quarantined).
C:\WINDOWS\QMtsfzH_Pinch.exe -> Trojan.LdPinch.btv : Cleaned with backup (quarantined).
C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/2.dllb -> Trojan.Tibs.r : Cleaned with backup (quarantined).
C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/3ti.exe.exe -> Trojan.Tibs.r : Cleaned with backup (quarantined).
C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/6.dllb -> Trojan.Tibs.r : Cleaned with backup (quarantined).
C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/7.dllb -> Trojan.Tibs.r : Cleaned with backup (quarantined).
C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/dlh9jkd1q2.exe -> Trojan.Tibs.r : Cleaned with backup (quarantined).
C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/dlh9jkd1q6.exe -> Trojan.Tibs.r : Cleaned with backup (quarantined).
C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/dlh9jkd1q7.exe -> Trojan.Tibs.r : Cleaned with backup (quarantined).
C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/pdp.exe.exe -> Trojan.Tibs.r : Cleaned with backup (quarantined).
C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/xpupdate.exe -> Trojan.Tibs.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033571.exe -> Trojan.Tibs.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033572.exe -> Trojan.Tibs.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033575.exe -> Trojan.Tibs.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033577.exe -> Trojan.Tibs.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033578.exe -> Trojan.Tibs.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033586.exe -> Trojan.Tibs.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033590.exe -> Trojan.Tibs.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033592.exe -> Trojan.Tibs.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033594.exe -> Trojan.Tibs.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033595.exe -> Trojan.Tibs.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033600.exe -> Trojan.Tibs.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033608.exe -> Trojan.Tibs.r : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\WINDOWS\system32\qlzybaiog.dll.vir -> Trojan.Vqten : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033654.dll -> Trojan.Vqten : Cleaned with backup (quarantined).
C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/5.dllb -> Worm.Nuwar : Cleaned with backup (quarantined).
C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/dlh9jkd1q5.exe -> Worm.Nuwar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033576.exe -> Worm.Nuwar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033593.exe -> Worm.Nuwar : Cleaned with backup (quarantined).
C:\Documents and Settings\Eric\Desktop\SDFix\backups\backups.zip/backups/vexga1me4t1.exe -> Worm.Zhelatin.by : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033581.exe -> Worm.Zhelatin.by : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0033603.exe -> Worm.Zhelatin.by : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{98D6A63E-A335-4A91-B825-215F08A4BA9A}\RP225\A0032552.exe -> Worm.Zhelatin.cv : Cleaned with backup (quarantined).


::Report end

eapers
2007-04-17, 02:43
...And GMER log:

GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-04-16 04:41:39
Windows 5.1.2600 Service Pack 2, v.2096


---- System - GMER 1.0.12 ----

SSDT sptd.sys ZwCreateKey
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT sptd.sys ZwOpenKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT sptd.sys ZwSetValueKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!_allmul + D8 804E38BC 4 Bytes [ 3A, 3B, 54, F7 ]
.text ntoskrnl.exe!_allmul + 150 804E3934 4 Bytes [ 7E, 3C, 54, F7 ]
.text ntoskrnl.exe!_allmul + 158 804E393C 4 Bytes [ F6, 3F, 54, F7 ]
.text ntoskrnl.exe!_allmul + 210 804E39F4 4 Bytes [ 18, 3A, 54, F7 ]
.text ntoskrnl.exe!_allmul + 21C 804E3A00 4 Bytes [ AC, 78, D4, F7 ]
.text ...
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? C:\WINDOWS\System32\Drivers\SPTD1805.SYS The process cannot access the file because it is being used by another process.
? C:\WINDOWS\System32\Drivers\dtscsi.sys The process cannot access the file because it is being used by another process.
? C:\WINDOWS\system32\DRIVERS\update.sys

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 86F9BC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 86F9BC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 86F9BC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 86F9BC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 86F9BC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 86F9BC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 86F9BC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 86F9BC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 86F9BC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 86F9BC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 86F9BC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 86F9BC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 86F9BC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 86F9BC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 86F9BC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 86F9BC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 86F9BC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 86F9BC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 86F9BC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 86F9BC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 86F9BC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 86F9BC78
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CREATE 86F9C378
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CLOSE 86F9C378
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_READ 86F9C378
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_WRITE 86F9C378
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_FLUSH_BUFFERS 86F9C378
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_DEVICE_CONTROL 86F9C378
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_INTERNAL_DEVICE_CONTROL 86F9C378
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SHUTDOWN 86F9C378
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_POWER 86F9C378
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SYSTEM_CONTROL 86F9C378
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_PNP 86F9C378
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CREATE 86F9C378
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CLOSE 86F9C378
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_READ 86F9C378
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_WRITE 86F9C378
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_FLUSH_BUFFERS 86F9C378
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_DEVICE_CONTROL 86F9C378
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_INTERNAL_DEVICE_CONTROL 86F9C378
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SHUTDOWN 86F9C378
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_POWER 86F9C378
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SYSTEM_CONTROL 86F9C378
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_PNP 86F9C378
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CREATE 86F9C378
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CLOSE 86F9C378
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_READ 86F9C378
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_WRITE 86F9C378
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_FLUSH_BUFFERS 86F9C378
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_DEVICE_CONTROL 86F9C378
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_INTERNAL_DEVICE_CONTROL 86F9C378
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SHUTDOWN 86F9C378
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_POWER 86F9C378
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SYSTEM_CONTROL 86F9C378
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_PNP 86F9C378
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CREATE 86F9C378
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CLOSE 86F9C378
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_READ 86F9C378
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_WRITE 86F9C378
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_FLUSH_BUFFERS 86F9C378
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_DEVICE_CONTROL 86F9C378
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_INTERNAL_DEVICE_CONTROL 86F9C378
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SHUTDOWN 86F9C378
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_POWER 86F9C378
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SYSTEM_CONTROL 86F9C378
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_PNP 86F9C378
Device \Driver\00000047 \Device\00000046 IRP_MJ_POWER [F754AEA8] sptd.sys
Device \Driver\00000047 \Device\00000046 IRP_MJ_SYSTEM_CONTROL [F755EA70] sptd.sys
Device \Driver\00000047 \Device\00000046 IRP_MJ_PNP [F7557728] sptd.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 86F9C630
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 86F9C630
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE 86F9C630
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS 86F9C630
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL 86F9C630
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL 86F9C630
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN 86F9C630
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP 86F9C630
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER 86F9C630
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL 86F9C630
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_PNP 86F9C630
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 86D6DCF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 86D6DCF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 86D6DCF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 86D6DCF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 86D6DCF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 86D6DCF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 86D6DCF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 86D6DCF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 86D6DCF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 86D6DCF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 86D6DCF0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE 86C16290
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_NAMED_PIPE 86C16290
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLOSE 86C16290
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 86C16290
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_WRITE 86C16290
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_INFORMATION 86C16290
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_INFORMATION 86C16290
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_EA 86C16290
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_EA 86C16290
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FLUSH_BUFFERS 86C16290
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_VOLUME_INFORMATION 86C16290
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_VOLUME_INFORMATION 86C16290
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DIRECTORY_CONTROL 86C16290
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FILE_SYSTEM_CONTROL 86C16290
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CONTROL 86C16290
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_INTERNAL_DEVICE_CONTROL 86C16290
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SHUTDOWN 86C16290
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_LOCK_CONTROL 86C16290
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLEANUP 86C16290
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_MAILSLOT 86C16290
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_SECURITY 86C16290
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_SECURITY 86C16290
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_POWER 86C16290
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SYSTEM_CONTROL 86C16290
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CHANGE 86C16290
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_QUOTA 86C16290
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_QUOTA 86C16290
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 86D6DCF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 86D6DCF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 86D6DCF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 86D6DCF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 86D6DCF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 86D6DCF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 86D6DCF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN

eapers
2007-04-17, 02:44
GMER continued!:

86D6DCF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 86D6DCF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 86D6DCF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 86D6DCF0
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE 86D6DCF0
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLOSE 86D6DCF0
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_READ 86D6DCF0
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_WRITE 86D6DCF0
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FLUSH_BUFFERS 86D6DCF0
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CONTROL 86D6DCF0
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_INTERNAL_DEVICE_CONTROL 86D6DCF0
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SHUTDOWN 86D6DCF0
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_POWER 86D6DCF0
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SYSTEM_CONTROL 86D6DCF0
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_PNP 86D6DCF0
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 86CBD0E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLOSE 86CBD0E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_DEVICE_CONTROL 86CBD0E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_INTERNAL_DEVICE_CONTROL 86CBD0E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLEANUP 86CBD0E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_PNP 86CBD0E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 86CBD0E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLOSE 86CBD0E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_DEVICE_CONTROL 86CBD0E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_INTERNAL_DEVICE_CONTROL 86CBD0E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLEANUP 86CBD0E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_PNP 86CBD0E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CREATE 86F9BEB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CLOSE 86F9BEB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_READ 86F9BEB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_WRITE 86F9BEB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_FLUSH_BUFFERS 86F9BEB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_DEVICE_CONTROL 86F9BEB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_INTERNAL_DEVICE_CONTROL 86F9BEB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_SHUTDOWN 86F9BEB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_POWER 86F9BEB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_SYSTEM_CONTROL 86F9BEB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_PNP 86F9BEB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 86D12598
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 86D12598
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSE 86D12598
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 86D12598
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 86D12598
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 86D12598
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 86D12598
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 86D12598
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 86D12598
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 86D12598
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 86D12598
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 86D12598
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 86D12598
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 86D12598
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 86D12598
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 86D12598
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 86D12598
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 86D12598
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 86D12598
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 86D12598
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 86D12598
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 86D12598
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 86D12598
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 86D12598
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 86D12598
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 86D12598
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 86D12598
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 86D12598
Device \Driver\NetBT \Device\NetBT_Tcpip_{41C3359F-60FE-4CAE-A35C-7AECB0D95019} IRP_MJ_CREATE 86CBD0E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{41C3359F-60FE-4CAE-A35C-7AECB0D95019} IRP_MJ_CLOSE 86CBD0E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{41C3359F-60FE-4CAE-A35C-7AECB0D95019} IRP_MJ_DEVICE_CONTROL 86CBD0E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{41C3359F-60FE-4CAE-A35C-7AECB0D95019} IRP_MJ_INTERNAL_DEVICE_CONTROL 86CBD0E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{41C3359F-60FE-4CAE-A35C-7AECB0D95019} IRP_MJ_CLEANUP 86CBD0E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{41C3359F-60FE-4CAE-A35C-7AECB0D95019} IRP_MJ_PNP 86CBD0E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 86D12598
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 86D12598
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSE 86D12598
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 86D12598
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 86D12598
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 86D12598
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 86D12598
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 86D12598
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 86D12598
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 86D12598
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 86D12598
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 86D12598
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 86D12598
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 86D12598
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 86D12598
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 86D12598
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 86D12598
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 86D12598
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 86D12598
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 86D12598
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 86D12598
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 86D12598
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 86D12598
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 86D12598
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 86D12598
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 86D12598
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 86D12598
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 86D12598
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE 86DB86A0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE_NAMED_PIPE 86DB86A0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CLOSE 86DB86A0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_READ 86DB86A0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_WRITE 86DB86A0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_INFORMATION 86DB86A0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_SET_INFORMATION 86DB86A0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_FLUSH_BUFFERS 86DB86A0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_VOLUME_INFORMATION 86DB86A0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_DIRECTORY_CONTROL 86DB86A0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_FILE_SYSTEM_CONTROL 86DB86A0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CLEANUP 86DB86A0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_SECURITY 86DB86A0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_SET_SECURITY 86DB86A0
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 86F9C630
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_READ 86F9C630
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_WRITE 86F9C630
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_FLUSH_BUFFERS 86F9C630
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_DEVICE_CONTROL 86F9C630
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_INTERNAL_DEVICE_CONTROL 86F9C630
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SHUTDOWN 86F9C630
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CLEANUP 86F9C630
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_POWER 86F9C630
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SYSTEM_CONTROL 86F9C630
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_PNP 86F9C630
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CREATE 86CD70E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CLOSE 86CD70E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_READ 86CD70E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_WRITE 86CD70E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_QUERY_INFORMATION 86CD70E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_SET_INFORMATION 86CD70E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_QUERY_VOLUME_INFORMATION 86CD70E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_DIRECTORY_CONTROL 86CD70E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_FILE_SYSTEM_CONTROL 86CD70E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CLEANUP 86CD70E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CREATE_MAILSLOT 86CD70E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_QUERY_SECURITY 86CD70E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_SET_SECURITY 86CD70E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{7590B0A8-AF76-4E2B-876C-6B8898EA47A7} IRP_MJ_CREATE 86CBD0E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{7590B0A8-AF76-4E2B-876C-6B8898EA47A7} IRP_MJ_CLOSE 86CBD0E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{7590B0A8-AF76-4E2B-876C-6B8898EA47A7} IRP_MJ_DEVICE_CONTROL 86CBD0E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{7590B0A8-AF76-4E2B-876C-6B8898EA47A7} IRP_MJ_INTERNAL_DEVICE_CONTROL 86CBD0E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{7590B0A8-AF76-4E2B-876C-6B8898EA47A7} IRP_MJ_CLEANUP 86CBD0E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{7590B0A8-AF76-4E2B-876C-6B8898EA47A7} IRP_MJ_PNP 86CBD0E8
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_CREATE 86D3D5D0
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_CLOSE 86D3D5D0
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 86D3D5D0
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 86D3D5D0
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_POWER 86D3D5D0
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL 86D3D5D0
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_PNP 86D3D5D0
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_CREATE 86D3D5D0
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_CLOSE 86D3D5D0
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_DEVICE_CONTROL 86D3D5D0
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_INTERNAL_DEVICE_CONTROL 86D3D5D0
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_POWER 86D3D5D0
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_SYSTEM_CONTROL 86D3D5D0
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_PNP 86D3D5D0
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 86B5D540
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE 86B5D540
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 86B5D540
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION 86B5D540
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION

eapers
2007-04-17, 02:46
The return of GMER continued:

86B5D540
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION 86B5D540
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL 86B5D540
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL 86B5D540
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL 86B5D540
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN 86B5D540
Device \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL 86B5D540
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP 86B5D540
Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP 86B5D540

---- EOF - GMER 1.0.12 ----

Rawe
2007-04-17, 14:54
Please print these instructions out, or write them down, as you can't read them during the fix.

1. Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop.
Click on Avenger.zip to open the file.
Extract Avenger.exe to your desktop.

2. Copy all the text in bold contained in the quotebox below to a blank notepad file:


Drivers to unload:
windev-45ed-4750

Files to delete:
C:\WINDOWS\system32\windev-peers.ini
C:\WINDOWS\system32\drivers\uzcx.exe
C:\DOCUME~1\Eric\moviesdvds1176.exe
C:\WINDOWS\adv.194.exe


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon, which will open a new window titled "View/edit script".
Paste the text copied to the notepad file into this window.
Click Done.
Now click on the Green Light to begin execution of the script.
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:
Restarts your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it briefly opens a black command window on your desktop; this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt.
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste all the contents of avenger.txt into your reply along with a fresh HJT log by using AddReply. :)

Upload this -> C:\WINDOWS\System32\Drivers\SPTD1805.SYS to VirusTotal (http://www.virustotal.com/en/indexf.html) and post back results here, too :)

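A check a helper can run once avenger.txt and the fresh HJT log come back, added here as an example (it is not code from this thread, from The Avenger or from HijackThis): it parses the Avenger script and log to confirm every listed file was reported deleted, then flags HJT "O4" Run entries that still point at a deleted file, since removing the file does not remove the autostart value that launched it. The function names are mine and the sample logs are constructed, modelled on the formats in this thread.

```python
"""Cross-check an Avenger log against the fresh HijackThis log.

Added example, not part of the thread or of either tool. Deleting a file does
not remove the registry Run value that launched it, so an orphaned "O4" entry
in the follow-up HJT log shows what the next fix still has to clean. Sample
inputs are constructed, modelled on this thread's logs.
"""
import ntpath
import re

# Constructed Avenger script in its "Section:" / items / blank-line layout.
AVENGER_SCRIPT = r"""
Drivers to unload:
windev-45ed-4750

Files to delete:
C:\WINDOWS\system32\windev-peers.ini
C:\WINDOWS\system32\drivers\uzcx.exe
C:\DOCUME~1\Eric\moviesdvds1176.exe
C:\WINDOWS\adv.194.exe
"""

# Constructed avenger.txt excerpt; adv.194.exe is left out on purpose.
AVENGER_LOG = r"""
Driver windev-45ed-4750 unloaded successfully.
File C:\WINDOWS\system32\windev-peers.ini deleted successfully.
File C:\WINDOWS\system32\drivers\uzcx.exe deleted successfully.
File C:\DOCUME~1\Eric\moviesdvds1176.exe deleted successfully.
Completed script processing.
"""

# Constructed HJT excerpt: the Run value for uzcx.exe survives the deletion.
HJT_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iut75] c:\windows\system32\drivers\uzcx.exe
O4 - HKLM\..\Run: [VaCtrls] v7
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""

DELETED_RE = re.compile(r"^File (?P<path>.+?) deleted successfully\.$")
# Registry autostart lines only; "O4 - Global Startup:" (a shortcut folder) is skipped.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def normalize(path):
    """Windows paths are case-insensitive, so compare them lower-cased."""
    return path.strip().lower().replace("/", "\\")


def script_files(script_text):
    """Paths listed under 'Files to delete:' in an Avenger script."""
    files, section = [], None
    for raw in script_text.splitlines():
        line = raw.strip()
        if not line:
            section = None          # a blank line ends the current section
        elif line.endswith(":"):
            section = line.lower()  # e.g. "files to delete:"
        elif section == "files to delete:":
            files.append(line)
    return files


def deleted_files(log_text):
    """Paths avenger.txt reports as deleted."""
    matches = (DELETED_RE.match(raw.strip()) for raw in log_text.splitlines())
    return [m.group("path") for m in matches if m]


def run_target(cmd):
    """Executable named by a Run value: the quoted path, or the first bare token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def not_deleted(script_text, log_text):
    """Script entries the log never confirmed; these need a re-run or another tool."""
    deleted = {normalize(p) for p in deleted_files(log_text)}
    return [f for f in script_files(script_text) if normalize(f) not in deleted]


def orphaned_run_entries(log_text, hjt_text):
    """HJT O4 Run values whose target The Avenger deleted (full path or bare file name)."""
    deleted = {normalize(p) for p in deleted_files(log_text)}
    names = {ntpath.basename(p) for p in deleted}  # pairs up 8.3 names such as DOCUME~1
    orphans = []
    for raw in hjt_text.splitlines():
        m = O4_RE.match(raw.strip())
        if not m:
            continue
        target = normalize(run_target(m.group("cmd")))
        if target in deleted or ntpath.basename(target) in names:
            orphans.append((m.group("hive"), m.group("key"), m.group("name"), target))
    return orphans


if __name__ == "__main__":
    for path in not_deleted(AVENGER_SCRIPT, AVENGER_LOG):
        print("NOT DELETED:", path)
    for hive, key, name, target in orphaned_run_entries(AVENGER_LOG, HJT_LOG):
        print(f"ORPHANED {hive}\\..\\{key} [{name}] -> {target}")
```

On the sample input it reports adv.194.exe as not deleted and the HKLM Run value [iut75] as still pointing at the removed uzcx.exe.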
eapers
2007-04-18, 05:00
Avenger results:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\pcmrycea

*******************

Script file located at: \??\C:\WINDOWS\system32\eahmdraj.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver windev-45ed-4750 unloaded successfully.
File C:\WINDOWS\system32\windev-peers.ini deleted successfully.
File C:\WINDOWS\system32\drivers\uzcx.exe deleted successfully.
File C:\DOCUME~1\Eric\moviesdvds1176.exe deleted successfully.
File C:\WINDOWS\adv.194.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 6:58:05 AM, on 4/17/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\v7.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\vwsrv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Eric\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo 960] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P22 "EPSON Stylus Photo 960" /O5 "LPT1:" /M "Stylus Photo 960"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [iut75] c:\windows\system32\drivers\uzcx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [VaCtrls] v7
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: vwservice - Unknown owner - C:\WINDOWS\system32\vwsrv.exe

I copied and pasted "C:\WINDOWS\System32\Drivers\SPTD1805.SYS" into the search field at VirusTotal and then clicked "send". It said "0 bytes size received." Did I do something wrong?

Rawe
2007-04-18, 12:05
Hi again :)

Please run a scan with HijackThis and check the following objects for removal:

O4 - HKLM\..\Run: [iut75] c:\windows\system32\drivers\uzcx.exe
O4 - HKLM\..\Run: [VaCtrls] v7
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe

Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

==

Please go to UploadMalware (http://www.uploadmalware.com/) to upload files for analysis.
Enter your username from this forum
Copy and paste the link to this thread
Paste the following filepath to the first box:
C:\WINDOWS\system32\vwsrv.exe
And this one to the second:
C:\WINDOWS\System32\Drivers\SPTD1805.SYS
In the comments, please mention that I asked you to upload these files.
Click on Send File.
Thank you!


==

Once that is done,

Please copy the following text in the quotebox below to a blank Notepad file. Make sure the filetype is set to "All Files" and save it as Removeservice.bat to your desktop.


@echo off
sc stop vwservice
sc delete vwservice

Double-click on Removeservice.bat. A window will pop up and close. This is normal.

==

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
5) Choose your usual account.

Once in Safe Mode, please navigate to and delete the following file and folder if found:

C:\WINDOWS\system32\v7.exe
C:\Program Files\Ipwindows

Empty recycle bin. Reboot back into Normal mode.

==

Once you have done all this, please let me know how it went.

Also, please rerun ComboFix and post back with a fresh log from it :bigthumb:
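
An added triage helper, not part of the original post and not a HijackThis feature: it parses O4 Run entries and O23 service lines of the kind shown above and flags the properties Rawe is acting on in this post, namely a Run value with no path or extension (like `v7`), an .exe living in the drivers folder, a service with no publisher running from system32, and any Run name absent from a per-machine baseline. The sample log lines, the baseline set and the heuristics are constructed for the example.

```python
"""Triage HijackThis O4 (Run) and O23 (Service) lines against a baseline."""
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99.1 format, modelled on the thread above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [iut75] c:\windows\system32\drivers\uzcx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [VaCtrls] v7
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: vwservice - Unknown owner - C:\WINDOWS\system32\vwsrv.exe
"""

# Assumed per-machine baseline: Run value names known to belong to installed software.
BASELINE_RUN_NAMES = {"avast!", "QuickTime Task", "SoundMan", "WinampAgent", "KernelFaultCheck"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
EXE_EXT_RE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|scr|pif|dll))(?:\s|$)", re.IGNORECASE)
USER_MODE_EXTS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")


@dataclass
class Finding:
    kind: str      # "O4" or "O23"
    name: str      # Run value name or service display name
    path: str      # program the entry launches
    reasons: list  # why it was flagged


def executable_of(cmd: str) -> str:
    """Return the program part of a Run value: a quoted path, an unquoted path
    with a known extension (spaces allowed), or else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    m = EXE_EXT_RE.match(cmd)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""


def triage(log_text: str, baseline=BASELINE_RUN_NAMES) -> list:
    """Return a Finding for every O4/O23 line that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            low = exe.lower()
            reasons = []
            if m.group("name") not in baseline:
                reasons.append("run value not in baseline")
            if "\\" not in exe and "." not in exe:
                reasons.append("bare name with no path or extension (resolved via PATH)")
            if "\\drivers\\" in low and low.endswith(USER_MODE_EXTS):
                reasons.append("user-mode executable inside a drivers folder")
            if reasons:
                findings.append(Finding("O4", m.group("name"), exe, reasons))
            continue
        m = O23_RE.match(line)
        if m:
            path = m.group("path")
            reasons = []
            if m.group("owner") == "Unknown owner" and "\\windows\\system32\\" in path.lower():
                reasons.append("service with no publisher running from system32")
            if reasons:
                findings.append(Finding("O23", m.group("name"), path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind} [{f.name}] {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

The baseline is the important input: a Run name that is merely unfamiliar is a lead to research, while the path-based reasons (drivers folder, no path, unknown publisher in system32) are the ones that stand on their own. Legitimate entries such as `SOUNDMAN.EXE` and `dumprep` show why the bare-name check needs both conditions.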

eapers
2007-04-19, 07:21
Used HJT on three files, seemed to go smoothly.

Uploaded two files to UploadMalware as requested: vwsrv.exe was successfully uploaded, but SPTD1805.SYS gave a "0 Bytes, this did not work" message.

Ran removeservice.bat, then started Safe Mode. Found the v7.exe file and deleted it, but did not find the Ipwindows folder. Emptied the recycle bin and rebooted to run ComboFix. Log posted below:

"Eric" - 07-04-18 9:17:01 Service Pack 2, v.2096
ComboFix 07-04-05.Rev3 - Running from: "C:\Documents and Settings\Eric\Desktop"


((((((((((((((((((((((((((((((( Files Created from 2007-03-18 to 2007-04-18 ))))))))))))))))))))))))))))))))))


2007-04-17 06:55 <DIR> d-------- C:\avenger
2007-04-17 06:51 7,168 --a------ C:\WINDOWS\system32\vwsrv.exe
2007-04-17 06:51 11,264 --a------ C:\WINDOWS\abc1006def.exe
2007-04-16 04:57 3,893 --a------ C:\WINDOWS\loadadv605.exe
2007-04-16 03:47 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-14 14:09 <DIR> d-------- C:\Program Files\MovieBox
2007-04-14 00:58 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-04-13 10:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-13 10:03 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-04-13 09:46 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-13 09:46 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-13 09:46 <DIR> d-------- C:\DOCUME~1\Eric\APPLIC~1\Lavasoft
2007-04-13 05:16 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-04-13 00:51 <DIR> d-------- C:\DOCUME~1\Eric\.housecall6.6
2007-04-07 04:56 <DIR> d-------- C:\Program Files\FirstClass
2007-04-07 04:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FirstClass


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-14 00:47 94552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-14 00:47 85952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-14 00:45 23416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-14 00:44 43176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-14 00:43 26888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-14 00:42 90112 --a------ C:\WINDOWS\system32\avastss.scr
2007-04-13 11:05 -------- d-------- C:\Program Files\seekmo programs
2007-04-10 04:18 712832 --a------ C:\WINDOWS\system32\aswboot.exe
2007-04-07 04:56 -------- d--h----- C:\Program Files\installshield installation information
2007-02-24 14:10 -------- d-------- C:\Program Files\java


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_9 -reboot 1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"EPSON Stylus Photo 960"="C:\\WINDOWS\\system32\\spool\\DRIVERS\\W32X86\\3\\E_S10IC2.EXE /P22 \"EPSON Stylus Photo 960\" /O5 \"LPT1:\" /M \"Stylus Photo 960\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SoundMan"="SOUNDMAN.EXE"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"VaCtrls"="v7"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-18 9:18:10
C:\ComboFix-quarantined-files.txt ... 07-04-18 09:18
C:\ComboFix2.txt ... 07-04-15 02:13

Rawe
2007-04-19, 20:21
Again, please print the instructions or save them to a notepad file for easier reference.

Please reboot into Safe Mode, navigate to and delete these files once in Safe Mode (if present):

C:\WINDOWS\system32\vwsrv.exe
C:\WINDOWS\abc1006def.exe
C:\WINDOWS\loadadv605.exe

Empty recycle bin again.

==

While in Safe Mode, please navigate to and find the following file:

C:\WINDOWS\System32\Drivers\SPTD1805.SYS

Now, please right-click on it and choose Cut. Then navigate to your C:\ drive, right-click somewhere in the directory and choose Paste.

If you cannot see it or find it, try with hidden files shown (go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the system files and folders are showing / visible: uncheck the Hide protected operating system files option.)

==

Now reboot back into normal mode.

Once in regular Windows, please try the following again:

surf here http://virustotal.com

Then submit the following file C:\SPTD1805.SYS and paste back with the results. :)

Let me know how it went.

eapers
2007-04-20, 03:18
First three mentioned files successfully found in safe mode and deleted.

Moved and scanned SPTD1805. Results:

Complete scanning result of "SPTD1805.SYS", received in VirusTotal at 04.20.2007, 02:13:00 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.4.19.1 04.19.2007 no virus found
AntiVir 7.3.1.53 04.19.2007 no virus found
Authentium 4.93.8 04.18.2007 no virus found
Avast 4.7.981.0 04.19.2007 no virus found
AVG 7.5.0.464 04.19.2007 no virus found
BitDefender 7.2 04.20.2007 no virus found
CAT-QuickHeal 9.00 04.19.2007 no virus found
ClamAV devel-20070416 04.19.2007 no virus found
DrWeb 4.33 04.19.2007 no virus found
eSafe 7.0.15.0 04.19.2007 no virus found
eTrust-Vet 30.7.3579 04.19.2007 no virus found
Ewido 4.0 04.19.2007 no virus found
FileAdvisor 1 04.20.2007 No threat detected
Fortinet 2.85.0.0 04.19.2007 no virus found
F-Prot 4.3.2.48 04.18.2007 no virus found
F-Secure 6.70.13030.0 04.20.2007 no virus found
Ikarus T3.1.1.5 04.19.2007 no virus found
Kaspersky 4.0.2.24 04.20.2007 no virus found
McAfee 5013 04.19.2007 no virus found
Microsoft 1.2405 04.20.2007 no virus found
NOD32v2 2205 04.19.2007 no virus found
Norman 5.80.02 04.19.2007 no virus found
Panda 9.0.0.4 04.19.2007 no virus found
Prevx1 V2 04.20.2007 no virus found
Sophos 4.16.0 04.17.2007 no virus found
Sunbelt 2.2.907.0 04.19.2007 no virus found
Symantec 10 04.20.2007 no virus found
TheHacker 6.1.6.095 04.15.2007 no virus found
VBA32 3.11.3 04.19.2007 no virus found
VirusBuster 4.3.7:9 04.19.2007 no virus found
Webwasher-Gateway 6.0.1 04.19.2007 no virus found

Aditional Information
File size: 96512 bytes
MD5: 1997a6dfb465c816066a43c58a0d71c9
SHA1: bb615e41e135dacf6628748705735b6026c3e8b1
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=1997a6dfb465c816066a43c58a0d71c9

Rawe
2007-04-20, 18:44
How's the system running right now? :)

Please go HERE (http://www.pandasoftware.com/products/activescan.htm) to run Panda's ActiveScan
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.

==

Also, please download ComboScan (http://www.techsupportforum.com/sectools/Deckard/comboscan.exe) to your desktop.
Close all applications and windows.
Double-click on comboscan.exe to run it -- follow the prompts.
The scan may take a minute. When the scan is complete, a text file will open (ComboScan.txt); please copy & paste all of its content here.

eapers
2007-04-23, 02:36
Computer seems to be running as good as new, although you'll probably have to tell me that's not yet the case :)

ActiveScan log:

Incident Status Location

Adware:Adware/Adsmart Not disinfected C:\avenger\backup.zip[avenger/adv.194.exe]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Eric\Cookies\eric@2o7[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Eric\Cookies\eric@atwola[1].txt
Adware:Adware/MovieBox Not disinfected C:\Program Files\MovieBox\Uninstall.exe
Adware:Adware/Zango Not disinfected C:\Program Files\Mozilla Firefox\plugins\npclntax.dll
Potentially unwanted tool:Application/MalwareAlarm Not disinfected C:\QooBox\Quarantine\Program Files\BraveSentry\BraveSentry0.dll.vir
Potentially unwanted tool:Application/MalwareAlarm Not disinfected C:\QooBox\Quarantine\Program Files\BraveSentry\BraveSentry1.dll.vir
Potentially unwanted tool:Application/BraveSentry Not disinfected C:\QooBox\Quarantine\Program Files\BraveSentry\BraveSentry2.dll.vir
Potentially unwanted tool:Application/BraveSentry Not disinfected C:\QooBox\Quarantine\Program Files\BraveSentry\BraveSentry3.dll.vir
Adware:Adware/BraveSentry Not disinfected C:\QooBox\Quarantine\Program Files\BraveSentry\Uninstall.exe.vir
Adware:Adware/Maxifiles Not disinfected C:\QooBox\Quarantine\Program Files\Ipwindows\ipwins.dll.vir
Adware:Adware/Maxifiles Not disinfected C:\QooBox\Quarantine\Program Files\Ipwindows\ipwins.exe.vir
Adware:Adware/Maxifiles Not disinfected C:\QooBox\Quarantine\Program Files\Ipwindows\UnInstall.exe.vir
Adware:Adware/Adsmart Not disinfected C:\QooBox\Quarantine\WINDOWS\system32\kernels32.exe.vir
Potentially unwanted tool:Application/Processor

ComboScan:
ComboScan v20070306.20 run by Eric on 2007-04-22 at 04:33:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created ComboScan Restore Point.


-- Last 5 Restore Point(s) --
68: 2007-04-22 11:33:24 UTC - RP229 - ComboScan Restore Point
67: 2007-04-21 22:34:54 UTC - RP228 - System Checkpoint
66: 2007-04-19 19:58:05 UTC - RP227 - System Checkpoint
65: 2007-04-18 16:50:57 UTC - RP226 - System Checkpoint
64: 2007-04-13 16:46:30 UTC - RP225 - Installed Ad-Aware SE Personal


-- First Restore Point --
1: 2007-01-20 09:28:52 UTC - RP162 - System Checkpoint


Performed disk cleanup.


-- HijackThis (run as Eric.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 4:33:30 AM, on 4/22/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\Eric\Desktop\comboscan.exe
C:\DOCUME~1\Eric\Desktop\Eric.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo 960] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P22 "EPSON Stylus Photo 960" /O5 "LPT1:" /M "Stylus Photo 960"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [VaCtrls] v7
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


-- HijackThis Fixed Entries (C:\DOCUME~1\Eric\Desktop\backups\) ----------------

backup-20070418-090430-140 O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
backup-20070418-090430-360 O4 - HKLM\..\Run: [VaCtrls] v7
backup-20070418-090430-567 O4 - HKLM\..\Run: [iut75] c:\windows\system32\drivers\uzcx.exe

-- File Associations -----------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.cmd - cmdfile - "%1" %*
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

1R Aavmker4 (avast! Asynchronous Virus Monitor) - C:\WINDOWS\system32\drivers\aavmker4.sys
3R ALCXWDM (Service for Realtek AC97 Audio (WDM)) - C:\WINDOWS\system32\drivers\alcxwdm.sys
1R AmdK7 (AMD K7 Processor Driver) - C:\WINDOWS\system32\drivers\amdk7.sys
2R aswMon2 (avast! Standard Shield Support) - C:\WINDOWS\system32\drivers\aswmon2.sys
3R aswRdr - C:\WINDOWS\system32\drivers\aswRdr.sys
1R aswTdi (avast! Network Shield Support) - C:\WINDOWS\system32\drivers\aswTdi.sys
1R AVG Anti-Spyware Driver - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
1R AvgAsCln (AVG Anti-Spyware Clean Driver) - C:\WINDOWS\system32\drivers\AvgAsCln.sys
3S dtscsi - C:\WINDOWS\system32\drivers\dtscsi.sys
3R Eplpdx02 - C:\WINDOWS\system32\drivers\EPLPDX02.SYS
3R FETNDIS (VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver) - C:\WINDOWS\system32\drivers\fetnd5.sys
3S gmer - C:\WINDOWS\system32\drivers\gmer.sys
3R HSFHWBS2 - C:\WINDOWS\system32\drivers\HSFBS2S2.sys
3R HSF_DP - C:\WINDOWS\system32\drivers\HSFDPSP2.sys
2R mdmxsdk - C:\WINDOWS\system32\drivers\mdmxsdk.sys
3R nv - C:\WINDOWS\system32\drivers\nv4_mini.sys
0R PxHelp20 - C:\WINDOWS\system32\drivers\PxHelp20.sys
0S sptd - C:\WINDOWS\system32\drivers\sptd.sys
3R usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - C:\WINDOWS\system32\drivers\usbehci.sys
3S USBSTOR (USB Mass Storage Driver) - C:\WINDOWS\system32\drivers\USBSTOR.SYS
3R winachsf - C:\WINDOWS\system32\drivers\HSFCXTS2.sys
1R WS2IFSL (Windows Socket 2.0 Non-IFS Service Provider Support Environment) - C:\WINDOWS\system32\drivers\ws2ifsl.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

2R aswUpdSv (avast! iAVS4 Control Service) - "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"
2R avast! Antivirus - "C:\Program Files\Alwil Software\Avast4\ashServ.exe"
3R avast! Mail Scanner - "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service
3R avast! Web Scanner - "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service
2R AVG Anti-Spyware Guard - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
2R EpsonBidirectionalService - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
2R EPSONStatusAgent2 (EPSON Printer Status Agent2) - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
3S IDriverT (InstallDriver Table Manager) - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
3S ose (Office Source Engine) - "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
3S SCardDrv (Smart Card Helper) - C:\WINDOWS\System32\SCardSvr.exe
2R UMWdf (Windows User Mode Driver Framework) - C:\WINDOWS\system32\wdfmgr.exe


-- Files created between 2007-03-22 and 2007-04-22 -----------------------------

2007-04-22 03:42:13 0 d-------- C:\WINDOWS\system32\ActiveScan<ACTIVE~1>
2007-04-22 03:42:11 0 d-------- C:\WINDOWS\LastGood
2007-04-17 06:55:25 0 d-------- C:\avenger
2007-04-16 04:35:14 80 --a------ C:\WINDOWS\gmer_uninstall.cmd<GMER_U~1.CMD>
2007-04-16 03:47:41 3968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-16 03:47:37 0 d-------- C:\Program Files\Grisoft
2007-04-15 01:50:54 0 d-------- C:\SDFix
2007-04-14 14:09:50 0 d-------- C:\Program Files\MovieBox
2007-04-14 00:58:46 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-04-13 10:45:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy<SPYBOT~1>
2007-04-13 10:03:47 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-04-13 09:46:37 0 d-------- C:\Documents and Settings\Eric\Application Data\Lavasoft
2007-04-13 09:46:31 0 d-------- C:\Program Files\Lavasoft
2007-04-13 09:46:17 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-04-13 05:16:39 0 d-------- C:\WINDOWS\system32\LogFiles
2007-04-13 00:51:45 0 d-------- C:\Documents and Settings\Eric\.housecall6.6<HOUSEC~1.6>
2007-04-07 04:56:46 0 d-------- C:\Program Files\FirstClass<FIRSTC~1>
2007-04-07 04:56:46 0 d-------- C:\Documents and Settings\All Users\Application Data\FirstClass<FIRSTC~1>


-- Find3M Report ---------------------------------------------------------------

2007-04-22 04:22:46 0 d-------- C:\Program Files\Winamp
2007-04-22 04:22:28 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-04-22 04:22:07 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
2007-04-14 00:42:43 90112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-04-13 11:05:43 0 d-------- C:\Program Files\Seekmo Programs<SEEKMO~1>
2007-04-10 04:18:32 712832 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-04-07 04:56:45 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-04-06 10:02:34 0 d---s---- C:\Documents and Settings\Eric\Application Data\Microsoft<MICROS~1>
2007-02-24 14:10:24 0 d-------- C:\Program Files\Java
2007-02-03 16:30:05 96512 --a------ C:\sptd1805.sys


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_9 -reboot 1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"EPSON Stylus Photo 960"="C:\\WINDOWS\\system32\\spool\\DRIVERS\\W32X86\\3\\E_S10IC2.EXE /P22 \"EPSON Stylus Photo 960\" /O5 \"LPT1:\" /M \"Stylus Photo 960\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SoundMan"="SOUNDMAN.EXE"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"VaCtrls"="v7"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

eapers
2007-04-23, 02:37
...continued:

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



-- End of ComboScan: finished at 2007-04-22 at 04:33:47 ------------------------

Rawe
2007-04-23, 17:15
Uninstall the following entry if found under Add/Remove Programs list:

MovieBox

Now, please delete the following folder and file if found (if you are unable to delete them, please try again in Safe Mode):

C:\Program Files\MovieBox
C:\Program Files\Mozilla Firefox\plugins\npclntax.dll

Please copy the following text in the quotebox below to a blank notepad file. Make sure the filetype is set to "All Files" and save it as Fixit.reg to your desktop.


REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"VaCtrls"=-
Now double-click on the Fixit.reg on your desktop and allow it to merge with registry by clicking YES on the prompt.

==

Now you can go ahead and move sptd1805.sys back to its original directory.

Locate C:\sptd1805.sys, right-click the file, choose cut and navigate to

C:\WINDOWS\System32\drivers

Right-click on the folder screen and choose to paste the file there.

==

Updating Java and Clearing Cache
Go to Start > Control Panel double-click on the Software icon > Add/Remove Programs.
Search the list for all previously installed versions of Java (J2SE Runtime Environment...).
It should have the following icon next to it: http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.jpg
Select it and click Remove.

Now please install the Java Runtime Environment (JRE) 6 manually.
Remember to reboot the computer after updating:

http://java.sun.com/javase/downloads/index.jsp (http://java.sun.com/javase/downloads/index.jsp)

After the reboot, go back into the Control Panel and double-click the Java Icon.
Under Temporary Internet Files, click the Delete Files button.
There are three options in the window to clear the cache - Leave ALL 3 Checked

Downloaded Applets
Downloaded Applications
Other Files

Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Java Control Panel.



===

Post one more HijackThis log please :)

eapers
2007-04-24, 03:37
Here 'tis

Logfile of HijackThis v1.99.1
Scan saved at 5:37:52 AM, on 4/23/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Eric\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo 960] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P22 "EPSON Stylus Photo 960" /O5 "LPT1:" /M "Stylus Photo 960"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
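
Reviewing a log like the one above mostly comes down to a few path and publisher checks on the O4 (autorun) and O23 (service) lines. The Python below is an added example, not part of this thread or of HijackThis itself; its sample lines, entry names and paths are constructed, and each hit it reports is a prompt for manual review rather than a verdict (the helper above, for instance, passes the avast service entries despite the odd quoting HijackThis shows for them).

```python
import re

# Added example, not from the thread: triage heuristics for HijackThis O4/O23 lines.
USER_WRITABLE_DIRS = ("\\documents and settings\\", "\\temp\\", "\\application data\\")
O4_RE = re.compile(r'^O4 - (?:HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$')


def exe_path(cmd):
    """Strip quotes and arguments from a Run command line, leaving the executable."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def triage_line(line):
    """Return (entry name, list of review reasons); name is None for other line types."""
    reasons = []
    m = O4_RE.match(line)
    if m:
        path = exe_path(m.group('cmd')).lower()
        if any(d in path for d in USER_WRITABLE_DIRS):
            reasons.append('autorun from user-writable directory')
        if '\\' not in path:  # bare name: resolved by PATH search, so easy to shadow
            reasons.append('bare filename, resolved via PATH search')
        return m.group('name'), reasons
    m = O23_RE.match(line)
    if m:
        if m.group('owner') == 'Unknown owner':
            reasons.append('service with no publisher info')
        if '(file missing)' in m.group('path'):
            reasons.append('service binary reported missing')
        return m.group('name'), reasons
    return None, reasons


def triage_log(text):
    """Return [(name, reasons)] for every O4/O23 line that raised at least one reason."""
    hits = []
    for line in text.splitlines():
        name, reasons = triage_line(line)
        if reasons:
            hits.append((name, reasons))
    return hits


# Constructed sample lines in HijackThis 1.99.1 format (names and paths are made up).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\\..\\Run: [Updater] "C:\\Documents and Settings\\User\\updater_example.exe" -s
O23 - Service: Example Service - Unknown owner - C:\\WINDOWS\\system32\\example.exe (file missing)
"""
```

Run `triage_log(SAMPLE_LOG)` to get the flagged entries; the avast line produces nothing, the other three each carry their reasons.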

Rawe
2007-04-24, 09:09
Looks good :bigthumb:

Please read here how to clear old restore points and create a new one (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx).

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Here are some tips for the future to prevent spyware:

Detect and Remove Programs:
How to use Ad-Aware to remove Spyware (http://www.bleepingcomputer.com/forums/?showtutorial=48) <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
How to use Spybot to remove Spyware (http://www.bleepingcomputer.com/forums/?showtutorial=43) <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
Spywareblaster (http://www.javacoolsoftware.com/spywareblaster.html) <= SpywareBlaster will prevent spyware from being installed. (My favourite)
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Other necessary Programs:
AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG (http://www.grisoft.com/) or Anti-Vir (http://www.free-av.com/), or a shareware version like Norton or Kaspersky, this is a must have. (Note: only use 1 at a time)
Firewall <= A firewall (http://www.google.com/search?hl=en&lr=&q=define%3Afirewall&btnG=Search) is definitely a must have. Two good free versions are Kerio Personal Firewall (http://www.kerio.com/us/kpf_download.html) and ZoneLabs (http://www.zonelabs.com/store/content/home.jsp). (Note: only use 1 at a time)
More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox (http://www.mozilla.com/).
And also see TonyKlein's good advice:
So how did I get infected in the first place? (http://castlecops.com/postlite7736-.html)

eapers
2007-04-25, 10:37
Thank you so much!!!

I'll do my damndest to secure my PC and never have to come back for advice again.

Once more, thank you.