
View Full Version : Trojan. Don't know what happened!



demonic_angel
2007-05-16, 06:53
Hi, I'm obviously new here. Anyways, I'll cut to the chase. I was downloading a few movies, coming back from basketball with my cousin. Then I see AVG saying that I have a trojan. I press move to vault, and another one popped out. Then AVG died, said that the internal virus database is incorrect. It was auto downloaded this morning. I don't know if this has anything to do with it, but my msn messenger is completely dead.

I tried to fix this myself before I posted this, so some things will probably be screwed up.

Here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 19:54, on 2005-05-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\NMSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
D:\Program Files\BitComet\BitComet.exe
D:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\HI JACK!\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [upxdnd] C:\WINDOWS\upxdnd.exe
O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
O4 - HKLM\..\Run: [cmdbcs] C:\WINDOWS\cmdbcs.exe
O4 - HKLM\..\Run: [msccrt] C:\WINDOWS\msccrt.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA6560] command /c del "C:\WINDOWS\system32\winform.dll_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7668] cmd /c del "C:\WINDOWS\system32\winform.dll_tobedeleted_old"
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye
O4 - HKCU\..\Run: [BitComet] "D:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [Veoh] "D:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [4qzjcxud] C:\DOCUME~1\DARREL~1\LOCALS~1\Temp\c0nime.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB3387] command /c del "C:\WINDOWS\system32\winform.dll_tobedeleted_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9897] cmd /c del "C:\WINDOWS\system32\winform.dll_tobedeleted_old"
O4 - Startup: taskmgr.lnk = C:\WINDOWS\system32\taskmgr.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe


And I dunno how to do a log on online scanners. Don't know any, either, except Housecall. Sorry about that.

demonic_angel
2007-05-16, 18:02
Sorry for double posting, but I found that it's something called Win32:OnLineGames-CO [Trj] (this is from avast). I'm not sure if this will help.

demonic_angel
2007-05-19, 06:34
update on the virus:

Avast! detected this whenever I go to "My Computer" and double click on my hard drives. Then this pops up.

File Name: C:\WINDOWS\system32\5EBCE570.DLL\[NsPack]
Malware Name: Win32:Agent-GPD [Trj]
Malware type: Trojan Horse

shelf life
2007-05-20, 02:02
hi demonic_angel,

you have some stuff i've never seen in a hjt log. we can try this: first we will use hjt in safe mode, then get a download. ok?
i would use this computer as little as possible until it's a little cleaner. if you have a cable modem i would pull the plug on it when not in use.

i am going to hold off on some items because it looks like you did a hjt scan after using spybot but had not rebooted yet??
----------------------------------
we will do all this in safe mode, so i would copy/paste the rest of this into notepad and save it somewhere so you can read it in safe mode. to reach safe mode you would tap the f8 key during a computer restart. choose the first option: safe mode.
------------------------------------
once in safe mode:

scan with HJT, put a checkmark beside the items below, close all windows and click fix checked.

O4 - HKLM\..\Run: [upxdnd] C:\WINDOWS\upxdnd.exe
O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
O4 - HKLM\..\Run: [cmdbcs] C:\WINDOWS\cmdbcs.exe
O4 - HKLM\..\Run: [msccrt] cmdbcs.exe\msccrt.exe


O4 - HKCU\..\Run: [4qzjcxud] C:\DOCUME~1\DARREL~1\LOCALS~1\Temp\c0nime.exe

O4 - Startup: taskmgr.lnk = C:\WINDOWS\system32\taskmgr.exe
-----------------------------------
look here: C:\Windows and see if you can find and delete these files:
upxdnd.exe
mppds.exe
cmdbcs.exe
msccrt.exe

------------------------------------
still in safe mode do this:

using explorer (right click on start>explore) drill down to these >>> you want to delete what's >inside< the folder, not the folder itself << delete what you can

C:\Windows\Temp\ (at the top you can use: Edit>select all, File>delete)

C:\Documents and Settings\-Your Profile-\Local Settings\Temporary Internet Files\ (will dump all your cached internet content including cookies)

C:\Documents and Settings\-Your Profile-\Local Settings\Temp\

C:\Documents and Settings\-Any other users Profile-\Local Settings\Temporary Internet Files\

C:\Documents and Settings\-Any other users Profile-\Local Settings\Temp\
--------------------------------
reboot normally: first stop:
download, install, update and do a scan with one of these (not both)

avg antispyware:
http://free.grisoft.com/freeweb.php/doc/20/lng/us/tpl/v5

superantispyware:
http://www.superantispyware.com/
------------------------------
reboot computer once, rescan and post a new hjt log.

shelf life

demonic_angel
2007-05-20, 10:22
Thanks for replying; I've been anxious for some help.

I followed what you told me to do.

Here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 00:18, on 2005-05-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\NMSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
D:\Program Files\BitComet\BitComet.exe
D:\Program Files\Veoh Networks\Veoh\VeohClient.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\SpywareGuard\sgmain.exe
D:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\HI JACK!\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - d:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye
O4 - HKCU\..\Run: [BitComet] "D:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [Veoh] "D:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: D428BA68 - Unknown owner - C:\WINDOWS\system32\8C4ED30.EXE (file missing)
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


When I rebooted my computer, avast! detected
O23 - Service: D428BA68 - Unknown owner - C:\WINDOWS\system32\8C4ED30.EXE (file missing)

and I pressed heal. when I rebooted again, avast! didn't pick up 8C4ED30.EXE.

shelf life
2007-05-20, 18:01
hi demonic_angel,

good. looks better already. you only need one antivirus, two isn't better than one in this case. i would remove one via the add/remove programs panel. after the uninstall reboot computer once if you're not prompted to do so.

for that service you can do this just to check.

go to start>run and type in --> services.msc <-- in the list of services that comes up, under the name column look for D428BA68

right click on it and select properties. under the general tab:
make sure that the service status is: Stopped
and the Startup type is: disabled

next: look here: C:\WINDOWS\system32
and delete 8C4ED30.EXE if found.

may have to show all files first:
xp:
Set Windows to show Hidden files and folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
----------------------------
don't keep bitcomet running all the time. i have some filesharing tips posted at my website:
http://security-central.us/SafeHex/file_sharing.htm

after the above, rescan and post another hjt log.

shelf life
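The triage shelf life applies across the two replies above (pulling out the Run entries that launch from C:\WINDOWS itself or from a Temp folder, the BHO with "(no file)", and the service D428BA68 whose binary is "(file missing)") can be written down as a small log-reading script. The following is an added example, not code from this thread and not part of HijackThis; it runs over constructed log lines modelled on the entries quoted in the thread. The heuristics, and the lower-priority "review" note for a Startup-folder shortcut pointing at a system32 binary, are this example's own assumptions about what deserves a second look, not rules from the thread.

```python
import re
from typing import List, Tuple

# Constructed sample, modelled on the HijackThis entries quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [upxdnd] C:\WINDOWS\upxdnd.exe
O4 - HKCU\..\Run: [4qzjcxud] C:\DOCUME~1\DARREL~1\LOCALS~1\Temp\c0nime.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: taskmgr.lnk = C:\WINDOWS\system32\taskmgr.exe
O23 - Service: D428BA68 - Unknown owner - C:\WINDOWS\system32\8C4ED30.EXE (file missing)
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
"""

# "O4 - HKLM\..\Run: [name] command" / "O4 - Startup: x.lnk = path" / "O23 - Service: ..."
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<where>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^Startup: (?P<name>.+?) = (?P<cmd>.*)$")
ORPHAN_MARKERS = (" (no file)", " (file missing)")


def executable_path(cmd: str) -> str:
    """Pull the program path out of a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: take everything up to the first token that ends in an executable extension.
    m = re.match(r"(.*?\.(?:exe|com|scr|dll))(?=\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def path_reasons(path: str) -> List[str]:
    """Heuristics (this example's assumptions) about where a startup binary lives."""
    parts = path.lower().replace("/", "\\").split("\\")
    reasons = []
    if "temp" in parts:
        reasons.append("executable runs from a Temp directory")
    if len(parts) == 3 and parts[1] == "windows":
        reasons.append("loose executable directly in the Windows directory")
    return reasons


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, entry name, reason) for every entry worth a second look."""
    findings: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        orphan = body.endswith(ORPHAN_MARKERS)
        if sec == "O4":
            r = RUN_RE.match(body) or STARTUP_RE.match(body)
            if not r:
                continue
            name, path = r.group("name"), executable_path(r.group("cmd"))
            for reason in path_reasons(path):
                findings.append((sec, name, reason))
            if orphan:
                findings.append((sec, name, "Run entry points to a file that is missing"))
            if body.startswith("Startup:") and "\\system32\\" in path.lower():
                findings.append((sec, name, "Startup-folder shortcut to a system32 binary (review)"))
        elif sec in ("O2", "O23"):
            # "BHO: <name> - <clsid> - <path>"  /  "Service: <name> - <owner> - <path>"
            head, _, rest = body.partition(": ")
            fields = rest.split(" - ", 2)
            if len(fields) < 3:
                continue
            name, _owner, path = fields
            for marker in ORPHAN_MARKERS:
                path = path.replace(marker, "")
            if orphan:
                findings.append((sec, name, f"{head} entry points to a file that is missing (orphaned entry)"))
            if sec == "O23" and re.fullmatch(r"[0-9A-Fa-f]{8}", name):
                findings.append((sec, name, "service name is 8 hex digits rather than a product name"))
            for reason in path_reasons(path):
                findings.append((sec, name, reason))
    return findings


if __name__ == "__main__":
    for sec, name, reason in triage(SAMPLE_LOG):
        print(f"{sec:4} [{name}] {reason}")
```

Run as-is, the script lists upxdnd, 4qzjcxud, the nameless BHO, the D428BA68 service (twice: missing file and hex name) and the taskmgr.lnk shortcut, and stays quiet on the AVG, Messenger, Java and Intel entries. The entry names it flags are exactly the ones a helper would then go and verify on disk, as shelf life does above; the script only orders the reading of the log, it does not decide what to delete.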

demonic_angel
2007-05-20, 22:01
Okay thanks. I tried booting up my computer this morning but it wouldn't get past the windows loading screen. so I just used safe mode with networking. Anyways, here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 11:59, on 2005-05-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HI JACK!\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - d:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye
O4 - HKCU\..\Run: [BitComet] "D:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [Veoh] "D:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: D428BA68 - Unknown owner - C:\WINDOWS\system32\8C4ED30.EXE (file missing)
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks again. The file missing came back again =/

shelf life
2007-05-21, 01:10
hi demonic_angel,

before you use hjt, disable spyware guard, and superantispyware if running so they don't interfere with hjt.

Right click the running icon of Spywareguard in the system tray to open the program. Then go to Menu, File, and choose Exit. It will automatically restart at next boot.
superantispyware: exit using the icon by the clock
-----------------------------------------

scan with HJT, put a checkmark beside the items below, close all windows and click fix checked.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O23 - Service: D428BA68 - Unknown owner - C:\WINDOWS\system32\8C4ED30.EXE (file missing)

did you find it (8C4ED30.EXE) in the system32 dir?
you still have two antivirus?
------------------------------
shelf life

demonic_angel
2007-05-21, 03:50
I did everything you told me to do in safe mode because I can't start up windows normally. So now basically, I have no antivirus running atm.

demonic_angel
2007-05-21, 03:51
sorry for double posting, forgot to mention that I did, in fact, find that file in the system32 folder.

demonic_angel
2007-05-21, 03:58
Here's the updated log:

Logfile of HijackThis v1.99.1
Scan saved at 17:56, on 2005-05-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HI JACK!\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - d:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye
O4 - HKCU\..\Run: [BitComet] "D:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [Veoh] "D:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe

Thanks once again

demonic_angel
2007-05-21, 08:32
Back with more news: I managed to (seemingly) get rid of some parts. However...the rest still persists to harass me. It somehow keeps changing the date on my system to 2005, and that screws up things on my computer, like msn.

Here's the updated HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 22:29, on 2007-05-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
D:\Program Files\QuickTime\qttask.exe
C:\Program Files\Eset\nod32kui.exe
C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HI JACK!\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - d:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
O4 - HKLM\..\Run: [AVPSrv] C:\WINDOWS\AVPSrv.exe
O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
O4 - HKLM\..\Run: [cmdbcs] C:\WINDOWS\cmdbcs.exe
O4 - HKLM\..\Run: [msccrt] C:\WINDOWS\msccrt.exe
O4 - HKLM\..\Run: [upxdnd] C:\WINDOWS\upxdnd.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye
O4 - HKCU\..\Run: [BitComet] "D:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [Veoh] "D:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [8u3] C:\DOCUME~1\DARREL~1\LOCALS~1\Temp\c0nime.exe
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

demonic_angel
2007-05-21, 21:19
Another update. I ran housecall, managed to fix the date change thing. Uninstalled my spyware things, installed Ad-Aware SE Pro and nod32. Nod32 detects C:\rising.exe every time I double click on a hard drive.

Here's the up to date HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:17:18 AM, on 2005-05-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
D:\Program Files\QuickTime\qttask.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Nero\Nero 7\Nero Vision\NeroVision.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HI JACK!\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [AVPSrv] C:\WINDOWS\AVPSrv.exe
O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
O4 - HKLM\..\Run: [cmdbcs] C:\WINDOWS\cmdbcs.exe
O4 - HKLM\..\Run: [msccrt] C:\WINDOWS\msccrt.exe
O4 - HKLM\..\Run: [upxdnd] C:\WINDOWS\upxdnd.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BitComet] "D:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [Veoh] "D:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [8u3] C:\DOCUME~1\DARREL~1\LOCALS~1\Temp\c0nime.exe
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: D428BA68 - Unknown owner - C:\WINDOWS\system32\8C4ED30.EXE (file missing)
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

shelf life
2007-05-22, 04:43
hi demonic_angel,

not good. remember these from page one? they're back. were you able to find and delete them? let's try it again.

scan with HJT, put a checkmark beside the items below, close all windows and click fix checked.

O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
O4 - HKLM\..\Run: [cmdbcs] C:\WINDOWS\cmdbcs.exe
O4 - HKLM\..\Run: [msccrt] C:\WINDOWS\msccrt.exe
O4 - HKLM\..\Run: [upxdnd] C:\WINDOWS\upxdnd.exe
-------------------------------
i would copy/paste the rest of this into notepad and save it somewhere so you can read it in safe mode. to reach safe mode you would tap the f8 key during a computer restart. look for each of these .exe in the C:\windows dir and delete them if found:

C:\WINDOWS\mppds.exe
C:\WINDOWS\cmdbcs.exe
C:\WINDOWS\msccrt.exe
C:\WINDOWS\upxdnd.exe

next do this in safe mode:
using explorer (right click on start>explore) drill down to these >>> you want to delete what's >inside< the folder, not the folder itself <<< delete what you can

C:\Windows\Temp\ (at the top you can use: Edit>select all, then File>delete)

C:\Documents and Settings\-Your Profile-\Local Settings\Temporary Internet Files\ (will dump all your cached internet content including cookies)

C:\Documents and Settings\-Your Profile-\Local Settings\Temp\

C:\Documents and Settings\-Any other users Profile-\Local Settings\Temporary Internet Files\

C:\Documents and Settings\-Any other users Profile-\Local Settings\Temp\
-----------------------
still in safe mode run super antispyware and NOD32.

reboot normally, rescan and post a new hjt log.

shelf life
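The checks the helper is doing by hand above (spotting Run-key entries that point at loose executables under C:\WINDOWS or a Temp folder, a service whose binary is missing, and entries that "come back" after a fix) can be scripted over the HJT logs posted in this thread. The script below is an added example for this page; it is not code from the thread, from HijackThis, or from any tool mentioned here. The O4/O23 line formats follow HijackThis v1.99.1 output as shown in the logs above; the suspicion rules are my own heuristics, and the three sample logs are constructed excerpts built from entries that appear in the thread.

```python
"""Triage helper for HijackThis 1.99.x logs (added example, not from the thread).

Parses O4 (Run key) and O23 (service) lines, flags patterns worth a second
look, and reports Run entries that vanish after a fix and then reappear.
The heuristics below are assumptions, not rules from HijackThis itself.
"""
import re
from typing import Dict, List, Tuple

# "O4 - HKLM\..\Run: [name] command"
O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# "O23 - Service: display name (short name) - owner - path"
O23_RE = re.compile(r'^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
# Unquoted command: path runs up to the first executable extension.
EXE_RE = re.compile(r'^(.*?\.(?:exe|com|bat|cmd|scr|pif))\b', re.IGNORECASE)


def target_path(cmd: str) -> str:
    """Extract the executable path from a Run-key command, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd  # no extension or switches: take it whole


def flag_run_target(path: str) -> List[str]:
    """Heuristic reasons a Run-key target deserves review (assumed rules)."""
    p = path.lower()
    parent = p.rsplit('\\', 1)[0] if '\\' in p else ''
    reasons = []
    if parent in ('c:\\windows', 'c:\\winnt'):
        reasons.append('executable sits directly in the Windows folder')
    if '\\temp\\' in p:
        reasons.append('executable launched from a Temp directory')
    return reasons


def run_entries(log: str) -> Dict[Tuple[str, str], str]:
    """Map (hive, entry name) -> target path for every O4 Run line."""
    out: Dict[Tuple[str, str], str] = {}
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            out[(m['hive'], m['name'])] = target_path(m['cmd'])
    return out


def triage(log: str) -> List[Tuple[str, List[str]]]:
    """Return (log line, reasons) for every O4/O23 line that trips a rule."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            reasons = flag_run_target(target_path(m['cmd']))
            name = m['name']
            if re.fullmatch(r'[a-z0-9]{1,3}', name, re.I) and any(c.isdigit() for c in name):
                reasons.append('very short entry name with digits (often machine-generated)')
            if reasons:
                findings.append((line, reasons))
            continue
        m = O23_RE.match(line)
        if m:
            reasons = []
            if '(file missing)' in m['path']:
                reasons.append('service binary missing from disk')
            if re.fullmatch(r'[0-9A-Fa-f]{8}', m['svc']):
                reasons.append('service name is an 8-digit hex string (often machine-generated)')
            # "Unknown owner" alone is common for legitimate drivers; only add it as context.
            if reasons and m['owner'] == 'Unknown owner':
                reasons.append('no vendor information in the binary')
            if reasons:
                findings.append((line, reasons))
    return findings


def reappearing(logs: List[str]) -> List[Tuple[str, str]]:
    """Run entries present in one log, absent in a later one, then present again."""
    parsed = [run_entries(l) for l in logs]
    keys = sorted(set().union(*(e.keys() for e in parsed)))
    back = []
    for k in keys:
        seen, gap = False, False
        for present in (k in e for e in parsed):
            if present and gap:
                back.append(k)
                break
            seen = seen or present
            gap = gap or (seen and not present)
    return back


# Constructed excerpts modelled on the logs posted in this thread.
LOG_BEFORE_FIX = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [AVPSrv] C:\WINDOWS\AVPSrv.exe
O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
O4 - HKCU\..\Run: [8u3] C:\DOCUME~1\DARREL~1\LOCALS~1\Temp\c0nime.exe
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: D428BA68 - Unknown owner - C:\WINDOWS\system32\8C4ED30.EXE (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""
LOG_AFTER_FIX = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [AVPSrv] C:\WINDOWS\AVPSrv.exe
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye
"""
LOG_LATER = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [AVPSrv] C:\WINDOWS\AVPSrv.exe
O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
O4 - HKCU\..\Run: [8u3] C:\DOCUME~1\DARREL~1\LOCALS~1\Temp\c0nime.exe
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye
"""

if __name__ == '__main__':
    for line, reasons in triage(LOG_BEFORE_FIX):
        print(line)
        for r in reasons:
            print('   ->', r)
    print('Came back after the fix:', reappearing([LOG_BEFORE_FIX, LOG_AFTER_FIX, LOG_LATER]))
```

Running it on the three excerpts flags the AVPSrv, mppds and 8u3 Run entries plus the D428BA68 service, leaves the NOD32 and ATI lines alone, and reports mppds and 8u3 as the entries that returned after being fixed, which is exactly the sign that something still running (or starting on drive access) is rewriting the Run keys, so deleting the registry entries alone will not hold.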

demonic_angel
2007-05-22, 08:06
Okay, I tried that, did all the scanning in safe mode.

Here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:59:50 PM, on 2007-05-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
D:\Program Files\QuickTime\qttask.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\NMSSvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HI JACK!\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [AVPSrv] C:\WINDOWS\AVPSrv.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BitComet] "D:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [Veoh] "D:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [8u3] C:\DOCUME~1\DARREL~1\LOCALS~1\Temp\c0nime.exe
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: D428BA68 - Unknown owner - C:\WINDOWS\system32\8C4ED30.EXE (file missing)
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

End of report

Thanks again

shelf life
2007-05-22, 13:09
hi demonic_angel,

you said you found and deleted this service, right?

D428BA68 - Unknown owner - C:\WINDOWS\system32\8C4ED30.EXE
-------------------------------------------
scan with HJT, put a checkmark beside the items below, close all windows and click fix checked.

O4 - HKCU\..\Run: [8u3] C:\DOCUME~1\DARREL~1\LOCALS~1\Temp\c0nime.exe

next look in c:\documents and settings\darrel\local settings\temp and delete this .exe:
c0nime.exe

if it gives you problems boot into safe mode to do it. if you can't find it, might have to show all files like this:
xp:
Set Windows to show Hidden files and folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

download atf cleaner, by Atribune:

http://www.atribune.org/ccount/click.php?id=1


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

* Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

* Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
--------------------------------------
reboot once and rescan and post a new hjt log for me.

shelf life

demonic_angel
2007-05-22, 18:24
I couldn't manually find the c0nime file. Maybe it's because I used HJT to remove it. I rebooted and everything seems to be fine and dandy.

Here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:18:49 AM, on 2007-05-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
D:\Program Files\QuickTime\qttask.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
D:\Program Files\BitComet\BitComet.exe
D:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\WINDOWS\system32\NMSSvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HI JACK!\scanner.exe.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\MSN Messenger\usnsvc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [AVPSrv] C:\WINDOWS\AVPSrv.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BitComet] "D:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [Veoh] "D:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

Looks like the nasty buggers are gone. Not sure.

demonic_angel
2007-05-22, 18:36
never mind, they come back once I click on a drive

shelf life
2007-05-23, 00:53
hi,


nevermind they come back once I click on a drive

what came back? all those 04's?

post another hjt log. reboot first before the hjt scan-- unless you've done a reboot already.

i wouldn't keep bitcomet running all the time, by running i mean downloading or uploading all the time. it looks like it's set to start with windows.

shelf life

demonic_angel
2007-05-23, 03:05
I had removed it before I rebooted. After loading windows, I scanned again, and the 04 files were back. I just removed them again, scanned with antivirus, and rebooted. Scanned again, they're gone. One problem though. Now, when I double click c or d drive, it goes to a select program menu.

Here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:57:20 PM, on 2007-05-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\NMSSvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
D:\Program Files\QuickTime\qttask.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\HI JACK!\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [AVPSrv] C:\WINDOWS\AVPSrv.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)

End of report

The file: O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
was the program I used to scan. I tried googling rising.exe, and it gave me two English sites, and the rest were Chinese. I can't read Chinese, so yeah.

Thanks again

demonic_angel
2007-05-24, 09:51
This guy has the same problems I do, basically same files, found this on google.

http://translate.google.com/translate?hl=en&sl=zh-CN&u=http://bbs.360safe.com/viewthread.php%3Ftid%3D194281&sa=X&oi=translate&resnum=6&ct=result&prev=/search%3Fq%3DAvPSrv.exe%26hl%3Den

I can't understand what they're saying... not very good with computers. Not sure if it helps. (I don't know what to do! I'm getting desperate.)

HJT log is still the same, no matter what I do. I can't find the files manually, even if I put folder options to show hidden files:

Logfile of HijackThis v1.99.1
Scan saved at 11:51:14 PM, on 2007-05-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\NMSSvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\ESET\nod32kui.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Last.fm\LastFM.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HI JACK!\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVPSrv] C:\WINDOWS\AVPSrv.exe
O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
O4 - HKLM\..\Run: [cmdbcs] C:\WINDOWS\cmdbcs.exe
O4 - HKLM\..\Run: [msccrt] C:\WINDOWS\msccrt.exe
O4 - HKLM\..\Run: [upxdnd] C:\WINDOWS\upxdnd.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye
O4 - HKCU\..\Run: [Veoh] "D:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [BitComet] "D:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [8u3] C:\DOCUME~1\DARREL~1\LOCALS~1\Temp\c0nime.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

shelf life
2007-05-25, 04:59
hi,

i saw that link. looks like they ran some software to remove it. never heard of that software--360 safe.exe. it's also a "newer" trojan.
it's also a password-stealing trojan, i would be very careful about using any passwords online. most trojans also fetch more trojans so i would use the computer as little as possible. if you have a cable modem, unplug it when off the internet. we can try avenger to remove some of the files and do some online scans afterwards:
---------------------------------------

Download The Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy, then paste the following bold text:

Files to delete:
C:\WINDOWS\AVPSrv.exe
C:\WINDOWS\mppds.exe
C:\WINDOWS\msccrt.exe
C:\WINDOWS\upxdnd.exe


Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt.
Reboot, post a new Hijack This log as well please.

first stop:
Panda ActiveScan

http://www.pandasoftware.com/products/activescan.htm

* Once you are on the Panda site click the Scan your PC button
* A new window will open...click the Check Now button
* Enter your Country
* Enter your State/Province
* Enter your e-mail address and click send (use a fake e-mail)
* Select either Home User or Company
* Click the big Scan Now button
* If it wants to install an ActiveX component allow it
* It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
* When download is complete, click on My Computer to start the scan
* When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
------------------------------
eTrust online scanner:
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

help link for eTrust:
http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?areaid=54&CID=52109&ID=
-------------------------
afterwards: post a new hjt log, the avenger report and the panda report.

shelf life

demonic_angel
2007-05-25, 17:33
The scan for avenger says it can't find the files, but every time I run adwatch, they come up. HijackThis doesn't pick them up till then, either.

Avenger Log

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\edmdlqnq

*******************

Script file located at: \??\C:\Documents and Settings\oahajmki.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\AVPSrv.exe not found!
Deletion of file C:\WINDOWS\AVPSrv.exe failed!

Could not process line:
C:\WINDOWS\AVPSrv.exe
Status: 0xc0000034



File C:\WINDOWS\mppds.exe not found!
Deletion of file C:\WINDOWS\mppds.exe failed!

Could not process line:
C:\WINDOWS\mppds.exe
Status: 0xc0000034



File C:\WINDOWS\msccrt.exe not found!
Deletion of file C:\WINDOWS\msccrt.exe failed!

Could not process line:
C:\WINDOWS\msccrt.exe
Status: 0xc0000034



File C:\WINDOWS\upxdnd.exe not found!
Deletion of file C:\WINDOWS\upxdnd.exe failed!

Could not process line:
C:\WINDOWS\upxdnd.exe
Status: 0xc0000034



File C:\DOCUME~1\DARREL~1\LOCALS~1\Temp\c0nime.exe not found!
Deletion of file C:\DOCUME~1\DARREL~1\LOCALS~1\Temp\c0nime.exe failed!

Could not process line:
C:\DOCUME~1\DARREL~1\LOCALS~1\Temp\c0nime.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.
_________________________________________________________________

HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 11:07:36 PM, on 2007-05-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\NMSSvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
D:\Program Files\BitComet\BitComet.exe
C:\Program Files\ESET\nod32kui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\HI JACK!\scanner.exe.exe
C:\Program Files\MSN Messenger\usnsvc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [BitComet] "D:\Program Files\BitComet\BitComet.exe" /tray
O4 - Global Startup: NOD32 Control Center.lnk = C:\Program Files\ESET\nod32kui.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
_________________________________________________________________

Panda ActiveScan log:

Incident Status Location

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\ComboFix\nircmd.cfexe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\ComboFix\nircmd.exe
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Darrell Lau\Cookies\darrell lau@burstnet[2].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Downloads\ComboFix.exe[ComboFixT\nircmd.exe]
Adware:Adware/WebSearch Not disinfected C:\Program Files\HI JACK!\backups\backup-20070427-220035-403.dll
Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Program Files\HI JACK!\oldbackups\backup-20060616-213155-625-PowerReg SchedulerV2.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\RECYCLER\S-1-5-21-1715567821-1383384898-1957994488-1010\Dc25.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\RECYCLER\S-1-5-21-1715567821-1383384898-1957994488-1010\Dc28\nircmd.exe
Spyware:Cookie/Azjmp Not disinfected C:\WINDOWS\system32\config\systemprofile\Cookies\system@azjmp[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\WINDOWS\system32\config\systemprofile\Cookies\system@ccbill[2].txt
Spyware:Cookie/Xiti Not disinfected C:\WINDOWS\system32\config\systemprofile\Cookies\system@xiti[1].txt
Virus:Trj/Lineage.DTB Disinfected C:\WINDOWS\system32\k11166598841.exe
Virus:Trj/Lineage.DTB Disinfected C:\WINDOWS\system32\k11166598852.exe
Virus:Trj/Lineage.DTB Disinfected C:\WINDOWS\system32\k11166598906.exe
Virus:Trj/Lineage.DTB Disinfected C:\WINDOWS\system32\k11797180011.exe
Virus:Trj/Lineage.DTB Disinfected C:\WINDOWS\system32\k11797180032.exe
Virus:Trj/Lineage.DTB Disinfected C:\WINDOWS\system32\k11797180076.exe
Virus:Trj/Lineage.DTB Disinfected C:\WINDOWS\system32\nwizhx2.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Adware:Adware/SAHAgent Not disinfected D:\WINDOWS\INF\payload.inf
Potentially unwanted tool:Application/PRScheduler Not disinfected D:\WINDOWS\Start Menu\Programs\StartUp\PowerReg SchedulerV2.exe
Adware:Adware/WUpd Not disinfected D:\WINDOWS\Downloaded Program Files\WinadX.inf
Dialer:Dialer.B Not disinfected D:\WINDOWS\Downloaded Program Files\ia.inf
Dialer:Dialer.B Not disinfected D:\WINDOWS\Downloaded Program Files\EGAUTH_pack.inf
Dialer:Dialer.HOI Not disinfected D:\WINDOWS\Downloaded Program Files\ActiveSecurity.INF
Spyware:Spyware/BetterInet Not disinfected D:\WINDOWS\Downloaded Program Files\turbo.inf
Virus:Trj/Downloader.QV Disinfected D:\WINDOWS\Downloaded Program Files\vxiewer.inf
Spyware:Cookie/BurstBeacon Not disinfected D:\WINDOWS\Cookies\darrell@www.burstbeacon[1].txt
Spyware:Cookie/BurstNet Not disinfected D:\WINDOWS\Cookies\darrell@burstnet[2].txt
Spyware:Spyware/New.net Not disinfected D:\WINDOWS\NDNuninstall6_10.exe
Spyware:Spyware/New.net Not disinfected D:\WINDOWS\NDNuninstall6_22.exe

shelf life
2007-05-27, 00:21
hi demonic_angel,

is your Nod32 antivirus up to date?

this wasn't in the lines for avenger to delete. let's get rid of this first, then use avenger again:
(Deletion of file C:\DOCUME~1\DARREL~1\LOCALS~1\Temp\c0nime.exe failed!)

so let's try this, i think we did this before we used avenger-- we will use hjt in safe mode-- then run avenger.

make sure files are set to show first:
For XP: on the desktop double click my computer, go to tools>folder options>view> then select "show hidden files and folders", then UNcheck "hide protected operating system files", also UNcheck "hide extensions for known file types". click apply to all folders, apply, then ok
-------------------------------------
might want to copy/paste this into notepad and save it so you can read it in safe mode.

boot computer into safe mode by tapping the f8 key during a computer restart. choose first option: safe mode

scan with HJT, put a checkmark beside the items below, close all windows and click fix checked.

O4 - HKLM\..\Run: [AVPSrv] C:\WINDOWS\AVPSrv.exe
O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
O4 - HKLM\..\Run: [cmdbcs] C:\WINDOWS\cmdbcs.exe
O4 - HKLM\..\Run: [msccrt] C:\WINDOWS\msccrt.exe
O4 - HKLM\..\Run: [upxdnd] C:\WINDOWS\upxdnd.exe

O4 - HKCU\..\Run: [8u3] C:\DOCUME~1\DARREL~1\LOCALS~1\Temp\c0nime.exe
-------------------------------------
next:
Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy, then paste the following bold text:

Files to delete:
C:\WINDOWS\AVPSrv.exe
C:\WINDOWS\mppds.exe
C:\WINDOWS\msccrt.exe
C:\WINDOWS\upxdnd.exe
C:\WINDOWS\mcdbcs.exe
C:\documents and settings\Darrel\Local Settings\Temp\c0nime.exe


Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.
avenger will boot you back to windows

Post the Avenger output.txt, which you can find at C:\Avenger\.txt.

shelf life

demonic_angel
2007-05-27, 01:09
For some reason, Avenger can't make a zip file

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Error: could not create zip file.
Error code: 1813


//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\hrdgrgae

*******************

Script file located at: \??\C:\uqfjcbfj.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\AVPSrv.exe not found!
Deletion of file C:\WINDOWS\AVPSrv.exe failed!

Could not process line:
C:\WINDOWS\AVPSrv.exe
Status: 0xc0000034



File C:\WINDOWS\mppds.exe not found!
Deletion of file C:\WINDOWS\mppds.exe failed!

Could not process line:
C:\WINDOWS\mppds.exe
Status: 0xc0000034



File C:\WINDOWS\msccrt.exe not found!
Deletion of file C:\WINDOWS\msccrt.exe failed!

Could not process line:
C:\WINDOWS\msccrt.exe
Status: 0xc0000034



File C:\WINDOWS\upxdnd.exe not found!
Deletion of file C:\WINDOWS\upxdnd.exe failed!

Could not process line:
C:\WINDOWS\upxdnd.exe
Status: 0xc0000034



File C:\WINDOWS\mcdbcs.exe not found!
Deletion of file C:\WINDOWS\mcdbcs.exe failed!

Could not process line:
C:\WINDOWS\mcdbcs.exe
Status: 0xc0000034



Could not open file C:\documents and settings\Darrel\Local Settings\Temp\c0nime.exe for deletion
Deletion of file C:\documents and settings\Darrel\Local Settings\Temp\c0nime.exe failed!

Could not process line:
C:\documents and settings\Darrel\Local Settings\Temp\c0nime.exe
Status: 0xc000003a


Completed script processing.

*******************

Finished! Terminate.
//////////////////////////////////////////


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\rsayhwpl

*******************

Script file located at: \??\C:\WINDOWS\gylmhins.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\AVPSrv.exe not found!
Deletion of file C:\WINDOWS\AVPSrv.exe failed!

Could not process line:
C:\WINDOWS\AVPSrv.exe
Status: 0xc0000034



File C:\WINDOWS\mppds.exe not found!
Deletion of file C:\WINDOWS\mppds.exe failed!

Could not process line:
C:\WINDOWS\mppds.exe
Status: 0xc0000034



File C:\WINDOWS\msccrt.exe not found!
Deletion of file C:\WINDOWS\msccrt.exe failed!

Could not process line:
C:\WINDOWS\msccrt.exe
Status: 0xc0000034



File C:\WINDOWS\upxdnd.exe not found!
Deletion of file C:\WINDOWS\upxdnd.exe failed!

Could not process line:
C:\WINDOWS\upxdnd.exe
Status: 0xc0000034



File C:\WINDOWS\mcdbcs.exe not found!
Deletion of file C:\WINDOWS\mcdbcs.exe failed!

Could not process line:
C:\WINDOWS\mcdbcs.exe
Status: 0xc0000034



Could not open file C:\documents and settings\Darrel\Local Settings\Temp\c0nime.exe for deletion
Deletion of file C:\documents and settings\Darrel\Local Settings\Temp\c0nime.exe failed!

Could not process line:
C:\documents and settings\Darrel\Local Settings\Temp\c0nime.exe
Status: 0xc000003a


Completed script processing.

*******************

Finished! Terminate.

shelf life
2007-05-28, 02:19
hi demonic_angel,

avenger couldn't find the files. don't know what to make of that. we can try pocket killbox. in any case i would use this computer as little as possible until it's cleaned up.

Download Pocket KillBox from here:
http://www.atribune.org/downloads/KillBox.exe
-----------------------------------
might want to copy/paste this into notepad and save it so you can read it in safe mode.

boot computer into safe mode like before-- once in safe mode:

start killbox.exe

Select the options: delete on reboot

copy paste this line into the field Full Path of File to Delete

C:\documents and settings\Darrel\Local Settings\Temp\c0nime.exe

then click the button with a white X on red background

When asked if you would like to Reboot,>>> select No.

Once again, in Full Path of File to Delete, copy and paste the following one at a time, clicking no to reboot prompts:

C:\WINDOWS\AVPSrv.exe
C:\WINDOWS\mppds.exe
C:\WINDOWS\msccrt.exe
C:\WINDOWS\upxdnd.exe

when you've copy/pasted the last file on the list

Press the button with a red circle and a white X.
When asked to Reboot this time>>>>select Yes.
-------------------------------------------------------
rescan and post a new hjt log. is your antivirus (nod32) up to date?

shelf life

demonic_angel
2007-05-28, 04:49
I have a theory. I scanned through with online scanners, used Nod32, spybot, ad-wareSE professional, and used HJT. I went through the registry but I couldn't find the registry keys. I can't find the files manually, either. So I'm thinking that the files are actually gone, but only the registry keys are left. I talked this through with my uncle, who owns a computer company. Only thing that works against this is that whenever I double click c:\ or d:\, it brings me to the menu that asks you to select a program to open it with.

In any case, here's the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 6:44:32 PM, on 2007-05-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\internet explorer\iexplore.exe
D:\Program Files\BitComet\BitComet.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\HI JACK!\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [AVPSrv] C:\WINDOWS\AVPSrv.exe
O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
O4 - HKLM\..\Run: [cmdbcs] C:\WINDOWS\cmdbcs.exe
O4 - HKLM\..\Run: [msccrt] C:\WINDOWS\msccrt.exe
O4 - HKLM\..\Run: [upxdnd] C:\WINDOWS\upxdnd.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [BitComet] "D:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [Veoh] "D:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [8u3] C:\DOCUME~1\DARREL~1\LOCALS~1\Temp\c0nime.exe
O4 - Global Startup: NOD32 Control Center.lnk = C:\Program Files\ESET\nod32kui.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

End of report

Thanks once again

shelf life
2007-05-29, 06:30
hi demonic_angel,

i don't think the hard drive problem is related to the hjt problem. we can come back to it.
those O4 entries are taken from startup locations in the registry. normally hjt can delete them. sometimes having real time protection running, like spybot's tea timer or avg guard, can interfere with the "fix", but we did it in safe mode so no real time protection would be running.

the fact that you or avenger can't find the files is good, but i don't know why they're still showing in the log.
lets try one more download:

download Gmer to desktop:

http://www.gmer.net/

unzip it and click the icon to run, select the Rootkit tab and click the scan button.
after the scan select the copy button, start notepad and paste the log in notepad. name and save the txt file somewhere and post it in next reply.

shelf life
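
Reading the two kinds of log side by side, as an added example that is not part of this thread and not code from HijackThis or Avenger: this Python script parses the O4 lines from the HijackThis logs posted above (the registry Run values and Startup-folder shortcuts that the O4 section lists) and the result lines from the Avenger output, matches them by file name, and reads Avenger's NTSTATUS code to say whether each Run value is an orphan (the registry value remains, the file is gone) or whether the path handed to the script never resolved at all. Matching on the bare file name is a deliberate assumption, because HijackThis shows 8.3 short names such as DARREL~1 while Avenger echoes the long path it was given. The sample lines are copied from the logs in this thread; the function names and the verdict labels are mine.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input, copied from the HijackThis and Avenger logs posted in this thread.
HJT_O4_LINES = r"""
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [AVPSrv] C:\WINDOWS\AVPSrv.exe
O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
O4 - HKLM\..\Run: [cmdbcs] C:\WINDOWS\cmdbcs.exe
O4 - HKLM\..\Run: [msccrt] C:\WINDOWS\msccrt.exe
O4 - HKLM\..\Run: [upxdnd] C:\WINDOWS\upxdnd.exe
O4 - HKCU\..\Run: [8u3] C:\DOCUME~1\DARREL~1\LOCALS~1\Temp\c0nime.exe
O4 - Global Startup: NOD32 Control Center.lnk = C:\Program Files\ESET\nod32kui.exe
""".strip().splitlines()

AVENGER_LINES = r"""
File C:\WINDOWS\AVPSrv.exe not found!
Deletion of file C:\WINDOWS\AVPSrv.exe failed!
Status: 0xc0000034
File C:\WINDOWS\mppds.exe not found!
Status: 0xc0000034
File C:\WINDOWS\msccrt.exe not found!
Status: 0xc0000034
File C:\WINDOWS\upxdnd.exe not found!
Status: 0xc0000034
File C:\WINDOWS\mcdbcs.exe not found!
Status: 0xc0000034
Could not open file C:\documents and settings\Darrel\Local Settings\Temp\c0nime.exe for deletion
Deletion of file C:\documents and settings\Darrel\Local Settings\Temp\c0nime.exe failed!
Status: 0xc000003a
""".strip().splitlines()

# HijackThis O4 line shapes: registry Run values and Startup-folder shortcuts.
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O4_STARTUP = re.compile(r"^O4 - Global Startup: (.+?) = (.*)$")
# First drive-letter path ending in .exe, quoted or not (arguments after it are dropped).
EXE_PATH = re.compile(r'"?([A-Za-z]:\\[^"]+?\.exe)', re.IGNORECASE)

# Avenger failure lines and the NTSTATUS code Avenger prints after each failed item.
AV_NOT_FOUND = re.compile(r"^File (.+?) not found!$")
AV_NO_OPEN = re.compile(r"^Could not open file (.+?) for deletion$")
AV_STATUS = re.compile(r"^Status: (0x[0-9A-Fa-f]{8})$")

# Meaning of the two NTSTATUS codes that appear in the posted Avenger output.
NTSTATUS = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND: the directory exists but the file does not",
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND: a directory in the path does not exist",
}


def basename(path: str) -> str:
    """Case-folded file name only: HJT shows 8.3 short paths, Avenger echoes long ones."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_o4(lines: List[str]) -> List[Dict[str, str]]:
    """Extract (startup location, value name, executable path) from each O4 line."""
    entries = []
    for line in lines:
        m = O4_RUN.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            location = f"{hive}\\...\\{key}"
        else:
            m = O4_STARTUP.match(line)
            if not m:
                continue
            name, cmd = m.groups()
            location = "Global Startup"
        p = EXE_PATH.search(cmd)
        path = p.group(1) if p else cmd.strip().strip('"')
        entries.append({"location": location, "name": name, "path": path})
    return entries


def parse_avenger(lines: List[str]) -> Dict[str, Dict[str, object]]:
    """Map file name -> {path, message, status} for every item Avenger failed on."""
    results: Dict[str, Dict[str, object]] = {}
    current: Optional[Dict[str, object]] = None
    for line in lines:
        m = AV_NOT_FOUND.match(line) or AV_NO_OPEN.match(line)
        if m:
            current = {"path": m.group(1), "message": line, "status": None}
            results[basename(m.group(1))] = current
            continue
        m = AV_STATUS.match(line)
        if m and current is not None:
            current["status"] = int(m.group(1), 16)   # attach the code to the item above it
    return results


def verdict(hit: Optional[Dict[str, object]]) -> str:
    """Classify one O4 entry from the Avenger result that names the same file."""
    if hit is None:
        return "not_in_avenger_script"
    status = hit["status"]
    if status is None:
        return "no_status_reported"
    if status == 0xC0000034:
        return "file_missing"       # orphaned Run value: the registry points at nothing
    if status == 0xC000003A:
        return "path_missing"       # the directory path given to the script did not resolve
    return f"failed_{status:#010x}"


def correlate(o4_lines: List[str], avenger_lines: List[str]) -> Tuple[List[Dict[str, object]], List[str]]:
    """Join O4 entries to Avenger results by file name; also return script items matching no O4 line."""
    av = parse_avenger(avenger_lines)
    matched, report = set(), []
    for e in parse_o4(o4_lines):
        key = basename(e["path"])
        hit = av.get(key)
        matched.add(key)
        detail = NTSTATUS.get(hit["status"], "") if hit else ""
        report.append({**e, "verdict": verdict(hit), "detail": detail})
    return report, sorted(set(av) - matched)


if __name__ == "__main__":
    rows, stray = correlate(HJT_O4_LINES, AVENGER_LINES)
    for r in rows:
        print(f"{r['location']:<14} [{r['name']}] {r['path']}\n    -> {r['verdict']} {r['detail']}")
    print("Avenger items matching no O4 entry:", stray)
```

Run as is, the four C:\WINDOWS entries come back file_missing with 0xc0000034, which is the registry-only situation the helper describes; c0nime.exe comes back path_missing, because 0xc000003a means a directory in the path given to the script did not exist (the Panda log earlier in the thread lists the profile as C:\Documents and Settings\Darrell Lau); and mcdbcs.exe lands in the unmatched list because the O4 entry reads cmdbcs.exe. All three points are already in the posted logs; the script only puts the two outputs side by side so they are not missed.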

demonic_angel
2007-05-29, 09:06
Here's the log:

GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-05-28 22:58:58
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT sptd.sys ZwCreateKey
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT sptd.sys ZwOpenKey
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT sptd.sys ZwSetValueKey

---- Kernel code sections - GMER 1.0.12 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F735B62C 5 Bytes JMP 818F77A0
? System32\Drivers\ab5ftspx.SYS The system cannot find the file specified.
? C:\WINDOWS\system32\DRIVERS\update.sys

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\MSN Messenger\msnmsgr.exe[2148] kernel32.dll!LoadResource 7C80A065 7 Bytes JMP 27001B70 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[2148] kernel32.dll!FindResourceExW 7C80AB10 7 Bytes JMP 27001AE0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[2148] kernel32.dll!FindResourceW 7C80BA56 7 Bytes JMP 27001A60 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[2148] kernel32.dll!SizeofResource 7C80BAF1 7 Bytes JMP 27001C20 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[2148] kernel32.dll!LockResource 7C80C6CF 2 Bytes JMP 27001CD0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[2148] kernel32.dll!LockResource + 3 7C80C6D2 2 Bytes [ 7F, AA ]
.text C:\Program Files\MSN Messenger\msnmsgr.exe[2148] kernel32.dll!SetUnhandledExceptionFilter 7C810386 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\msnmsgr.exe
.text C:\Program Files\MSN Messenger\msnmsgr.exe[2148] kernel32.dll!CreateEventA 7C81E4BD 5 Bytes JMP 27001840 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[2148] ADVAPI32.dll!CryptDeriveKey 77DEA685 7 Bytes JMP 27001000 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[2148] ADVAPI32.dll!CryptDecrypt 77DEA7B1 2 Bytes JMP 27001050 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[2148] ADVAPI32.dll!CryptDecrypt + 3 77DEA7B4 4 Bytes [ 21, AF, CC, CC ]
.text C:\Program Files\MSN Messenger\msnmsgr.exe[2148] USER32.dll!PeekMessageW 77D49278 5 Bytes JMP 27003A20 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[2148] USER32.dll!CreateWindowExW 77D51AD5 5 Bytes JMP 27003330 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[2148] USER32.dll!SetWindowRgn 77D51DE0 7 Bytes JMP 27004D80 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[2148] USER32.dll!CreateDialogParamW 77D6629F 5 Bytes JMP 27004E20 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[2148] USER32.dll!SetWindowPlacement 77D6FBEA 5 Bytes JMP 27004CA0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[2148] USER32.dll!MessageBoxIndirectW 77D960B7 5 Bytes JMP 27004F80 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[2148] USER32.dll!TrackPopupMenuEx 77D9CAFE 5 Bytes JMP 270041F0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[2148] WS2_32.dll!send 71AB428A 5 Bytes JMP 27009150 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[2148] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 27008F40 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[2148] WS2_32.dll!recv 71AB615A 5 Bytes JMP 27008DB0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[2148] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 270092D0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[2148] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 270094E0 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[2148] SHELL32.dll!Shell_NotifyIconW 7CA37CE1 5 Bytes JMP 27002B10 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[2148] ole32.dll!CoInitializeEx 774F42F3 5 Bytes JMP 27001D30 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[2148] ole32.dll!CoRegisterClassObject 77541BFC 5 Bytes JMP 27001E30 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[2148] WININET.dll!HttpOpenRequestA 771C4AC5 5 Bytes JMP 27007D00 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[2148] WININET.dll!InternetCloseHandle 771C61DC 1 Byte [ E9 ]
.text C:\Program Files\MSN Messenger\msnmsgr.exe[2148] WININET.dll!InternetCloseHandle + 2 771C61DE 3 Bytes [ 1D, E4, AF ]
.text C:\Program Files\MSN Messenger\msnmsgr.exe[2148] WININET.dll!HttpSendRequestA 771C76B8 5 Bytes JMP 27007F30 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[2148] WININET.dll!InternetReadFile 771C9555 5 Bytes JMP 27007E60 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll

demonic_angel
2007-05-29, 09:07
Log continued

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 823661E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 823661E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 823661E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 823661E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 823661E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 823661E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 823661E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 823661E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 823661E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 823661E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 823661E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 823661E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 823661E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 823661E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 823661E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 823661E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 823661E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 823661E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 823661E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 823661E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 823661E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 823661E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CREATE 817111E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CLOSE 817111E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_READ 817111E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_WRITE 817111E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_INFORMATION 817111E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_INFORMATION 817111E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_EA 817111E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_EA 817111E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FLUSH_BUFFERS 817111E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_VOLUME_INFORMATION 817111E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_VOLUME_INFORMATION 817111E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_DIRECTORY_CONTROL 817111E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FILE_SYSTEM_CONTROL 817111E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_DEVICE_CONTROL 817111E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SHUTDOWN 817111E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_LOCK_CONTROL 817111E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CLEANUP 817111E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_PNP 817111E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{38E5B0CE-B755-40EC-99C3-CAB8DB94C0D6} IRP_MJ_CREATE 818EE610
Device \Driver\NetBT \Device\NetBT_Tcpip_{38E5B0CE-B755-40EC-99C3-CAB8DB94C0D6} IRP_MJ_CLOSE 818EE610
Device \Driver\NetBT \Device\NetBT_Tcpip_{38E5B0CE-B755-40EC-99C3-CAB8DB94C0D6} IRP_MJ_DEVICE_CONTROL 818EE610
Device \Driver\NetBT \Device\NetBT_Tcpip_{38E5B0CE-B755-40EC-99C3-CAB8DB94C0D6} IRP_MJ_INTERNAL_DEVICE_CONTROL 818EE610
Device \Driver\NetBT \Device\NetBT_Tcpip_{38E5B0CE-B755-40EC-99C3-CAB8DB94C0D6} IRP_MJ_CLEANUP 818EE610
Device \Driver\NetBT \Device\NetBT_Tcpip_{38E5B0CE-B755-40EC-99C3-CAB8DB94C0D6} IRP_MJ_PNP 818EE610
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_CREATE 819AE1E8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_CLOSE

demonic_angel
2007-05-29, 09:08
Log continued

Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_DEVICE_CONTROL 819AE1E8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 819AE1E8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_POWER 819AE1E8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_SYSTEM_CONTROL 819AE1E8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_PNP 819AE1E8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_CREATE 819AE1E8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_CLOSE 819AE1E8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_DEVICE_CONTROL 819AE1E8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL 819AE1E8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_POWER 819AE1E8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_SYSTEM_CONTROL 819AE1E8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_PNP 819AE1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CREATE 823681E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CLOSE 823681E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_READ 823681E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_WRITE 823681E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_FLUSH_BUFFERS 823681E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_DEVICE_CONTROL 823681E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_INTERNAL_DEVICE_CONTROL 823681E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SHUTDOWN 823681E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_POWER 823681E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SYSTEM_CONTROL 823681E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_PNP 823681E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CREATE 823681E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CLOSE 823681E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_READ 823681E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_WRITE 823681E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_FLUSH_BUFFERS 823681E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_DEVICE_CONTROL 823681E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_INTERNAL_DEVICE_CONTROL 823681E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SHUTDOWN 823681E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_POWER 823681E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SYSTEM_CONTROL 823681E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_PNP 823681E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CREATE 823681E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CLOSE 823681E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_READ

demonic_angel
2007-05-29, 09:09
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_WRITE 823681E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_FLUSH_BUFFERS 823681E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_DEVICE_CONTROL 823681E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_INTERNAL_DEVICE_CONTROL 823681E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SHUTDOWN 823681E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_POWER 823681E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SYSTEM_CONTROL 823681E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_PNP 823681E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CREATE 823681E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CLOSE 823681E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_READ 823681E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_WRITE 823681E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_FLUSH_BUFFERS 823681E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_DEVICE_CONTROL 823681E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_INTERNAL_DEVICE_CONTROL 823681E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SHUTDOWN 823681E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_POWER 823681E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SYSTEM_CONTROL 823681E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_PNP 823681E8
Device \Driver\PCI_NTPNP2400 \Device\00000048 IRP_MJ_CREATE [F8467F18] sptd.sys
Device \Driver\PCI_NTPNP2400 \Device\00000048 IRP_MJ_CREATE_NAMED_PIPE [F8467F18] sptd.sys
Device \Driver\PCI_NTPNP2400 \Device\00000048 IRP_MJ_CLOSE [F8467F18] sptd.sys
Device \Driver\PCI_NTPNP2400 \Device\00000048 IRP_MJ_READ [F8467F18] sptd.sys
Device \Driver\PCI_NTPNP2400 \Device\00000048 IRP_MJ_WRITE [F8467F18] sptd.sys
Device \Driver\PCI_NTPNP2400 \Device\00000048 IRP_MJ_QUERY_INFORMATION [F8467F18] sptd.sys
Device \Driver\PCI_NTPNP2400 \Device\00000048 IRP_MJ_SET_INFORMATION [F8467F18] sptd.sys
Device \Driver\PCI_NTPNP2400 \Device\00000048 IRP_MJ_QUERY_EA [F8467F18] sptd.sys
Device \Driver\PCI_NTPNP2400 \Device\00000048 IRP_MJ_SET_EA [F8467F18] sptd.sys
Device \Driver\PCI_NTPNP2400 \Device\00000048 IRP_MJ_FLUSH_BUFFERS [F8467F18] sptd.sys
Device \Driver\PCI_NTPNP2400 \Device\00000048 IRP_MJ_QUERY_VOLUME_INFORMATION [F8467F18] sptd.sys
Device \Driver\PCI_NTPNP2400 \Device\00000048 IRP_MJ_SET_VOLUME_INFORMATION [F8467F18] sptd.sys
Device \Driver\PCI_NTPNP2400 \Device\00000048 IRP_MJ_DIRECTORY_CONTROL [F8467F18] sptd.sys
Device \Driver\PCI_NTPNP2400 \Device\00000048 IRP_MJ_FILE_SYSTEM_CONTROL [F8467F18] sptd.sys
Device \Driver\PCI_NTPNP2400 \Device\00000048 IRP_MJ_DEVICE_CONTROL [F8467F18] sptd.sys
Device \Driver\PCI_NTPNP2400 \Device\00000048 IRP_MJ_INTERNAL_DEVICE_CONTROL [F8467F18] sptd.sys
Device \Driver\PCI_NTPNP2400 \Device\00000048 IRP_MJ_SHUTDOWN [F8467F18] sptd.sys
Device \Driver\PCI_NTPNP2400 \Device\00000048 IRP_MJ_LOCK_CONTROL [F8467F18] sptd.sys
Device \Driver\PCI_NTPNP2400 \Device\00000048 IRP_MJ_CLEANUP [F8467F18] sptd.sys
Device \Driver\PCI_NTPNP2400 \Device\00000048 IRP_MJ_CREATE_MAILSLOT [F8467F18] sptd.sys
Device \Driver\PCI_NTPNP2400 \Device\00000048 IRP_MJ_QUERY_SECURIT

demonic_angel
2007-05-29, 09:58
Device \Driver\PCI_NTPNP2400 \Device\00000048 IRP_MJ_SET_SECURITY [F8467F18] sptd.sys
Device \Driver\PCI_NTPNP2400 \Device\00000048 IRP_MJ_POWER [F8449DB8] sptd.sys
Device \Driver\PCI_NTPNP2400 \Device\00000048 IRP_MJ_SYSTEM_CONTROL [F8464344] sptd.sys
Device \Driver\PCI_NTPNP2400 \Device\00000048 IRP_MJ_DEVICE_CHANGE [F8467F18] sptd.sys
Device \Driver\PCI_NTPNP2400 \Device\00000048 IRP_MJ_QUERY_QUOTA [F8467F18] sptd.sys
Device \Driver\PCI_NTPNP2400 \Device\00000048 IRP_MJ_SET_QUOTA [F8467F18] sptd.sys
Device \Driver\PCI_NTPNP2400 \Device\00000048 IRP_MJ_PNP [F84652D0] sptd.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 823D81E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 823D81E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE 823D81E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS 823D81E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL 823D81E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL 823D81E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN 823D81E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP 823D81E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER 823D81E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL 823D81E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_PNP 823D81E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE 823D81E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_READ 823D81E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_WRITE 823D81E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_FLUSH_BUFFERS 823D81E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DEVICE_CONTROL 823D81E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_INTERNAL_DEVICE_CONTROL 823D81E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SHUTDOWN 823D81E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CLEANUP 823D81E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_POWER 823D81E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SYSTEM_CONTROL 823D81E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_PNP 823D81E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 819D2980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 819D2980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 819D2980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 819D2980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 819D2980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 819D2980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 819D2980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 819D2980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 819D2980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 819D2980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP

demonic_angel
2007-05-29, 10:00
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 819D2980
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 819D2980
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 819D2980
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 819D2980
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 819D2980
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 819D2980
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 819D2980
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 819D2980
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 819D2980
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 819D2980
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 819D2980
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_CREATE 823671E8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_CLOSE 823671E8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_DEVICE_CONTROL 823671E8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_INTERNAL_DEVICE_CONTROL 823671E8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_POWER 823671E8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_SYSTEM_CONTROL 823671E8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP1T0L0 IRP_MJ_PNP 823671E8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_CREATE 823671E8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_CLOSE 823671E8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_DEVICE_CONTROL 823671E8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_INTERNAL_DEVICE_CONTROL 823671E8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_POWER 823671E8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_SYSTEM_CONTROL 823671E8
Device \Driver\IdeChnDr \Device\Ide\IdeDeviceP0T0L0 IRP_MJ_PNP 823671E8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_CREATE 823671E8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_CLOSE 823671E8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_DEVICE_CONTROL 823671E8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_INTERNAL_DEVICE_CONTROL 823671E8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_POWER 823671E8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_SYSTEM_CONTROL 823671E8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr0 IRP_MJ_PNP

demonic_angel
2007-05-29, 10:00
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_CREATE 823671E8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_CLOSE 823671E8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_DEVICE_CONTROL 823671E8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_INTERNAL_DEVICE_CONTROL 823671E8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_POWER 823671E8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_SYSTEM_CONTROL 823671E8
Device \Driver\IdeChnDr \Device\Ide\IdeChnDr1 IRP_MJ_PNP 823671E8
Device \Driver\usbstor \Device\00000073 IRP_MJ_CREATE 817E83C0
Device \Driver\usbstor \Device\00000073 IRP_MJ_CLOSE 817E83C0
Device \Driver\usbstor \Device\00000073 IRP_MJ_READ 817E83C0
Device \Driver\usbstor \Device\00000073 IRP_MJ_WRITE 817E83C0
Device \Driver\usbstor \Device\00000073 IRP_MJ_DEVICE_CONTROL 817E83C0
Device \Driver\usbstor \Device\00000073 IRP_MJ_INTERNAL_DEVICE_CONTROL 817E83C0
Device \Driver\usbstor \Device\00000073 IRP_MJ_POWER 817E83C0
Device \Driver\usbstor \Device\00000073 IRP_MJ_SYSTEM_CONTROL 817E83C0
Device \Driver\usbstor \Device\00000073 IRP_MJ_PNP 817E83C0
Device \Driver\usbstor \Device\00000077 IRP_MJ_CREATE 817E83C0
Device \Driver\usbstor \Device\00000077 IRP_MJ_CLOSE 817E83C0
Device \Driver\usbstor \Device\00000077 IRP_MJ_READ 817E83C0
Device \Driver\usbstor \Device\00000077 IRP_MJ_WRITE 817E83C0
Device \Driver\usbstor \Device\00000077 IRP_MJ_DEVICE_CONTROL 817E83C0
Device \Driver\usbstor \Device\00000077 IRP_MJ_INTERNAL_DEVICE_CONTROL 817E83C0
Device \Driver\usbstor \Device\00000077 IRP_MJ_POWER 817E83C0
Device \Driver\usbstor \Device\00000077 IRP_MJ_SYSTEM_CONTROL 817E83C0
Device \Driver\usbstor \Device\00000077 IRP_MJ_PNP 817E83C0
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 818EE610
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLOSE 818EE610
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_DEVICE_CONTROL 818EE610
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_INTERNAL_DEVICE_CONTROL 818EE610
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLEANUP 818EE610
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_PNP 818EE610
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 818EE610
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLOSE 818EE610
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_DEVICE_CONTROL 818EE610
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_INTERNAL_DEVICE_CONTROL 818EE610
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLEANUP 818EE610
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_PNP 818EE610
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_CREATE 819AE1E8
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_CLOSE 819AE1E8
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_DEVICE_CONTROL 819AE1E8
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 819AE1E8
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_POWER

demonic_angel
2007-05-29, 10:01
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_SYSTEM_CONTROL 819AE1E8
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_PNP 819AE1E8
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_CREATE 819AE1E8
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_CLOSE 819AE1E8
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_DEVICE_CONTROL 819AE1E8
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL 819AE1E8
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_POWER 819AE1E8
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_SYSTEM_CONTROL 819AE1E8
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_PNP 819AE1E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 8179D558
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 8179D558
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSE 8179D558
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 8179D558
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 8179D558
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 8179D558
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 8179D558
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 8179D558
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 8179D558
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 8179D558
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 8179D558
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 8179D558
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 8179D558
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 8179D558
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 8179D558
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 8179D558
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 8179D558
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 8179D558
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 8179D558
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 8179D558
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 8179D558
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 8179D558
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 8179D558
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 8179D558
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 8179D558
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 8179D558
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 8179D558
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 8179D558
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 8179D558
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 8179D558
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSE 8179D558
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 8179D558
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 8179D558
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 8179D558
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION

demonic_angel
2007-05-29, 10:02
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 8179D558
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 8179D558
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 8179D558
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 8179D558
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 8179D558
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 8179D558
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 8179D558
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 8179D558
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 8179D558
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 8179D558
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 8179D558
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 8179D558
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 8179D558
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 8179D558
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 8179D558
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 8179D558
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 8179D558
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 8179D558
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 8179D558
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 8179D558
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 8179D558
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 823D81E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_READ 823D81E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_WRITE 823D81E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_FLUSH_BUFFERS 823D81E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_DEVICE_CONTROL 823D81E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_INTERNAL_DEVICE_CONTROL 823D81E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SHUTDOWN 823D81E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CLEANUP 823D81E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_POWER 823D81E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SYSTEM_CONTROL 823D81E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_PNP 823D81E8
Device \Driver\ab5ftspx \Device\Scsi\ab5ftspx1Port2Path0Target0Lun0 IRP_MJ_CREATE 819AA5F8

demonic_angel
2007-05-29, 10:03
Device \Driver\ab5ftspx \Device\Scsi\ab5ftspx1Port2Path0Target0Lun0 IRP_MJ_CLOSE 819AA5F8
Device \Driver\ab5ftspx \Device\Scsi\ab5ftspx1Port2Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 819AA5F8
Device \Driver\ab5ftspx \Device\Scsi\ab5ftspx1Port2Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 819AA5F8
Device \Driver\ab5ftspx \Device\Scsi\ab5ftspx1Port2Path0Target0Lun0 IRP_MJ_POWER 819AA5F8
Device \Driver\ab5ftspx \Device\Scsi\ab5ftspx1Port2Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL 819AA5F8
Device \Driver\ab5ftspx \Device\Scsi\ab5ftspx1Port2Path0Target0Lun0 IRP_MJ_PNP 819AA5F8
Device \Driver\ab5ftspx \Device\Scsi\ab5ftspx1 IRP_MJ_CREATE 819AA5F8
Device \Driver\ab5ftspx \Device\Scsi\ab5ftspx1 IRP_MJ_CLOSE 819AA5F8
Device \Driver\ab5ftspx \Device\Scsi\ab5ftspx1 IRP_MJ_DEVICE_CONTROL 819AA5F8
Device \Driver\ab5ftspx \Device\Scsi\ab5ftspx1 IRP_MJ_INTERNAL_DEVICE_CONTROL 819AA5F8
Device \Driver\ab5ftspx \Device\Scsi\ab5ftspx1 IRP_MJ_POWER 819AA5F8
Device \Driver\ab5ftspx \Device\Scsi\ab5ftspx1 IRP_MJ_SYSTEM_CONTROL 819AA5F8
Device \Driver\ab5ftspx \Device\Scsi\ab5ftspx1 IRP_MJ_PNP 819AA5F8
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE 817111E8
Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE 817111E8
Device \FileSystem\Fastfat \Fat IRP_MJ_READ 817111E8
Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE 817111E8
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION 817111E8
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION 817111E8
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA 817111E8
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA 817111E8
Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS 817111E8
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION 817111E8
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION 817111E8
Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL 817111E8
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL 817111E8
Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL 817111E8
Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN 817111E8

demonic_angel
2007-05-29, 10:04
Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL 817111E8
Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP 817111E8
Device \FileSystem\Fastfat \Fat IRP_MJ_PNP 817111E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 81796980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE 81796980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 81796980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION 81796980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION 81796980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION 81796980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL 81796980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL 81796980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL 81796980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN 81796980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL 81796980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP 81796980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP 81796980

---- Registry - GMER 1.0.12 ----

Reg \Registry\USER\S-1-5-21-1715567821-1383384898-1957994488-1010\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BCC21211-533D-F660-06FF-12C4F84F2776}@dbemkcogpjelleolamkojpffggfmeebggdlhcjde 0x6B 0x61 0x63 0x61 ...

demonic_angel
2007-05-29, 10:05
---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\endless.apathy@hotmail.com\SharingMetadata\avamirdragniz@hotmail.com\DFSR\Staging\CS{5B3346AE-74A7-2834-C194-CCFF3B285739}\01\10-{5B3346AE-74A7-2834-C194-CCFF3B285739}-v1-{DB61AE25-E9E5-4569-B0D4-848C2DAEF89B}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\endless.apathy@hotmail.com\SharingMetadata\avamirdragniz@hotmail.com\DFSR\Staging\CS{5B3346AE-74A7-2834-C194-CCFF3B285739}\46\484-{5B2D37B6-8090-4AC3-8F00-3FB36CF92005}-v246-{5B2D37B6-8090-4AC3-8F00-3FB36CF92005}-v484-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\endless.apathy@hotmail.com\SharingMetadata\avamirdragniz@hotmail.com\DFSR\Staging\CS{5B3346AE-74A7-2834-C194-CCFF3B285739}\46\484-{5B2D37B6-8090-4AC3-8F00-3FB36CF92005}-v246-{5B2D37B6-8090-4AC3-8F00-3FB36CF92005}-v484-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\endless.apathy@hotmail.com\SharingMetadata\avamirdragniz@hotmail.com\DFSR\Staging\CS{5B3346AE-74A7-2834-C194-CCFF3B285739}\46\484-{5B2D37B6-8090-4AC3-8F00-3FB36CF92005}-v246-{5B2D37B6-8090-4AC3-8F00-3FB36CF92005}-v484-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\endless.apathy@hotmail.com\SharingMetadata\avamirdragniz@hotmail.com\DFSR\Staging\CS{5B3346AE-74A7-2834-C194-CCFF3B285739}\47\485-{5B2D37B6-8090-4AC3-8F00-3FB36CF92005}-v247-{5B2D37B6-8090-4AC3-8F00-3FB36CF92005}-v485-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\endless.apathy@hotmail.com\SharingMetadata\avamirdragniz@hotmail.com\DFSR\Staging\CS{5B3346AE-74A7-2834-C194-CCFF3B285739}\47\485-{5B2D37B6-8090-4AC3-8F00-3FB36CF92005}-v247-{5B2D37B6-8090-4AC3-8F00-3FB36CF92005}-v485-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\endless.apathy@hotmail.com\SharingMetadata\avamirdragniz@hotmail.com\DFSR\Staging\CS{5B3346AE-74A7-2834-C194-CCFF3B285739}\47\485-{5B2D37B6-8090-4AC3-8F00-3FB36CF92005}-v247-{5B2D37B6-8090-4AC3-8F00-3FB36CF92005}-v485-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\endless.apathy@hotmail.com\SharingMetadata\avamirdragniz@hotmail.com\DFSR\Staging\CS{5B3346AE-74A7-2834-C194-CCFF3B285739}\48\486-{5B2D37B6-8090-4AC3-8F00-3FB36CF92005}-v248-{5B2D37B6-8090-4AC3-8F00-3FB36CF92005}-v486-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\endless.apathy@hotmail.com\SharingMetadata\avamirdragniz@hotmail.com\DFSR\Staging\CS{5B3346AE-74A7-2834-C194-CCFF3B285739}\48\486-{5B2D37B6-8090-4AC3-8F00-3FB36CF92005}-v248-{5B2D37B6-8090-4AC3-8F00-3FB36CF92005}-v486-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\endless.apathy@hotmail.com\SharingMetadata\avamirdragniz@hotmail.com\DFSR\Staging\CS{5B3346AE-74A7-2834-C194-CCFF3B285739}\48\486-{5B2D37B6-8090-4AC3-8F00-3FB36CF92005}-v248-{5B2D37B6-8090-4AC3-8F00-3FB36CF92005}-v486-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\endless.apathy@hotmail.com\SharingMetadata\its_mc_b@hotmail.com\DFSR\Staging\CS{75850324-99AD-A68A-E102-BC24BFA481AD}\01\11-{75850324-99AD-A68A-E102-BC24BFA481AD}-v1-{DB61AE25-E9E5-4569-B0D4-848C2DAEF89B}-v11-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\endless.apathy@hotmail.com\SharingMetadata\melodywaltz@hotmail.com\DFSR\Staging\CS{5E6B2254-C622-7734-4C7C-AB05A93B7997}\01\13-{5E6B2254-C622-7734-4C7C-AB05A93B7997}-v1-{DB61AE25-E9E5-4569-B0D4-848C2DAEF89B}-v13-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\endless.apathy@hotmail.com\SharingMetadata\melodywaltz@hotmail.com\DFSR\Staging\CS{5E6B2254-C622-7734-4C7C-AB05A93B7997}\14\14-{DB61AE25-E9E5-4569-B0D4-848C2DAEF89B}-v14-{DB61AE25-E9E5-4569-B0D4-848C2DAEF89B}-v14-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\endless.apathy@hotmail.com\SharingMetadata\melodywaltz@hotmail.com\DFSR\Staging\CS{5E6B2254-C622-7734-4C7C-AB05A93B7997}\14\14-{DB61AE25-E9E5-4569-B0D4-848C2DAEF89B}-v14-{DB61AE25-E9E5-4569-B0D4-848C2DAEF89B}-v14-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\endless.apathy@hotmail.com\SharingMetadata\melodywaltz@hotmail.com\DFSR\Staging\CS{5E6B2254-C622-7734-4C7C-AB05A93B7997}\14\14-{DB61AE25-E9E5-4569-B0D4-848C2DAEF89B}-v14-{DB61AE25-E9E5-4569-B0D4-848C2DAEF89B}-v14-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\eternal_lasting_love@hotmail.com\SharingMetadata\avamirdragniz@hotmail.com\DFSR\Staging\CS{B7FD78BC-99BF-3907-5F63-E306B387BADA}\01\593-{B7FD78BC-99BF-3907-5F63-E306B387BADA}-v1-{07A55DCD-B0F6-49EF-A519-CF9E5FDEA37E}-v593-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\eternal_lasting_love@hotmail.com\SharingMetadata\avamirdragniz@hotmail.com\DFSR\Staging\CS{B7FD78BC-99BF-3907-5F63-E306B387BADA}\42\488-{5B2D37B6-8090-4AC3-8F00-3FB36CF92005}-v242-{5B2D37B6-8090-4AC3-8F00-3FB36CF92005}-v488-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\eternal_lasting_love@hotmail.com\SharingMetadata\avamirdragniz@hotmail.com\DFSR\Staging\CS{B7FD78BC-99BF-3907-5F63-E306B387BADA}\42\488-{5B2D37B6-8090-4AC3-8F00-3FB36CF92005}-v242-{5B2D37B6-8090-4AC3-8F00-3FB36CF92005}-v488-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\eternal_lasting_love@hotmail.com\SharingMetadata\avamirdragniz@hotmail.com\DFSR\Staging\CS{B7FD78BC-99BF-3907-5F63-E306B387BADA}\42\488-{5B2D37B6-8090-4AC3-8F00-3FB36CF92005}-v242-{5B2D37B6-8090-4AC3-8F00-3FB36CF92005}-v488-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\eternal_lasting_love@hotmail.com\SharingMetadata\avamirdragniz@hotmail.com\DFSR\Staging\CS{B7FD78BC-99BF-3907-5F63-E306B387BADA}\43\487-{5B2D37B6-8090-4AC3-8F00-3FB36CF92005}-v243-{5B2D37B6-8090-4AC3-8F00-3FB36CF92005}-v487-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\eternal_lasting_love@hotmail.com\SharingMetadata\avamirdragniz@hotmail.com\DFSR\Staging\CS{B7FD78BC-99BF-3907-5F63-E306B387BADA}\43\487-{5B2D37B6-8090-4AC3-8F00-3FB36CF92005}-v243-{5B2D37B6-8090-4AC3-8F00-3FB36CF92005}-v487-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\eternal_lasting_love@hotmail.com\SharingMetadata\avamirdragniz@hotmail.com\DFSR\Staging\CS{B7FD78BC-99BF-3907-5F63-E306B387BADA}\43\487-{5B2D37B6-8090-4AC3-8F00-3FB36CF92005}-v243-{5B2D37B6-8090-4AC3-8F00-3FB36CF92005}-v487-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\eternal_lasting_love@hotmail.com\SharingMetadata\avamirdragniz@hotmail.com\DFSR\Staging\CS{B7FD78BC-99BF-3907-5F63-E306B387BADA}\44\489-{5B2D37B6-8090-4AC3-8F00-3FB36CF92005}-v244-{5B2D37B6-8090-4AC3-8F00-3FB36CF92005}-v489-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\eternal_lasting_love@hotmail.com\SharingMetadata\avamirdragniz@hotmail.com\DFSR\Staging\CS{B7FD78BC-99BF-3907-5F63-E306B387BADA}\44\489-{5B2D37B6-8090-4AC3-8F00-3FB36CF92005}-v244-{5B2D37B6-8090-4AC3-8F00-3FB36CF92005}-v489-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\eternal_lasting_love@hotmail.com\SharingMetadata\avamirdragniz@hotmail.com\DFSR\Staging\CS{B7FD78BC-99BF-3907-5F63-E306B387BADA}\44\489-{5B2D37B6-8090-4AC3-8F00-3FB36CF92005}-v244-{5B2D37B6-8090-4AC3-8F00-3FB36CF92005}-v489-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\eternal_lasting_love@hotmail.com\SharingMetadata\melodywaltz@hotmail.com\DFSR\Staging\CS{CCC1F0B2-3E72-1BD9-C063-4024DA2CB0EA}\01\591-{CCC1F0B2-3E72-1BD9-C063-4024DA2CB0EA}-v1-{07A55DCD-B0F6-49EF-A519-CF9E5FDEA37E}-v591-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\eternal_lasting_love@hotmail.com\SharingMetadata\melodywaltz@hotmail.com\DFSR\Staging\CS{CCC1F0B2-3E72-1BD9-C063-4024DA2CB0EA}\68\168-{B51107E0-380F-4782-9FE8-8497494A85D0}-v168-{B51107E0-380F-4782-9FE8-8497494A85D0}-v168-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\eternal_lasting_love@hotmail.com\SharingMetadata\melodywaltz@hotmail.com\DFSR\Staging\CS{CCC1F0B2-3E72-1BD9-C063-4024DA2CB0EA}\68\168-{B51107E0-380F-4782-9FE8-8497494A85D0}-v168-{B51107E0-380F-4782-9FE8-8497494A85D0}-v168-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\eternal_lasting_love@hotmail.com\SharingMetadata\melodywaltz@hotmail.com\DFSR\Staging\CS{CCC1F0B2-3E72-1BD9-C063-4024DA2CB0EA}\68\168-{B51107E0-380F-4782-9FE8-8497494A85D0}-v168-{B51107E0-380F-4782-9FE8-8497494A85D0}-v168-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\eternal_lasting_love@hotmail.com\SharingMetadata\melodywaltz@hotmail.com\DFSR\Staging\CS{CCC1F0B2-3E72-1BD9-C063-4024DA2CB0EA}\96\16-{07A55DCD-B0F6-49EF-A519-CF9E5FDEA37E}-v596-{722C2D1A-AC5B-4025-BB65-C601756DB6BC}-v16-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\eternal_lasting_love@hotmail.com\SharingMetadata\melodywaltz@hotmail.com\DFSR\Staging\CS{CCC1F0B2-3E72-1BD9-C063-4024DA2CB0EA}\96\16-{07A55DCD-B0F6-49EF-A519-CF9E5FDEA37E}-v596-{722C2D1A-AC5B-4025-BB65-C601756DB6BC}-v16-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\eternal_lasting_love@hotmail.com\SharingMetadata\melodywaltz@hotmail.com\DFSR\Staging\CS{CCC1F0B2-3E72-1BD9-C063-4024DA2CB0EA}\96\16-{07A55DCD-B0F6-49EF-A519-CF9E5FDEA37E}-v596-{722C2D1A-AC5B-4025-BB65-C601756DB6BC}-v16-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\eternal_lasting_love@hotmail.com\SharingMetadata\natalie_ngan@hotmail.com\DFSR\Staging\CS{8BD3962D-5146-CC25-B821-30C11F7D0888}\01\590-{8BD3962D-5146-CC25-B821-30C11F7D0888}-v1-{07A55DCD-B0F6-49EF-A519-CF9E5FDEA37E}-v590-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\eternal_lasting_love@hotmail.com\SharingMetadata\natalie_ngan@hotmail.com\DFSR\Staging\CS{8BD3962D-5146-CC25-B821-30C11F7D0888}\13\13-{D3A4C29F-2927-4E96-853D-F9FB0DEA204B}-v13-{D3A4C29F-2927-4E96-853D-F9FB0DEA204B}-v13-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\eternal_lasting_love@hotmail.com\SharingMetadata\natalie_ngan@hotmail.com\DFSR\Staging\CS{8BD3962D-5146-CC25-B821-30C11F7D0888}\95\595-{07A55DCD-B0F6-49EF-A519-CF9E5FDEA37E}-v595-{07A55DCD-B0F6-49EF-A519-CF9E5FDEA37E}-v595-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\eternal_lasting_love@hotmail.com\SharingMetadata\natalie_ngan@hotmail.com\DFSR\Staging\CS{8BD3962D-5146-CC25-B821-30C11F7D0888}\95\595-{07A55DCD-B0F6-49EF-A519-CF9E5FDEA37E}-v595-{07A55DCD-B0F6-49EF-A519-CF9E5FDEA37E}-v595-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\eternal_lasting_love@hotmail.com\SharingMetadata\natalie_ngan@hotmail.com\DFSR\Staging\CS{8BD3962D-5146-CC25-B821-30C11F7D0888}\95\595-{07A55DCD-B0F6-49EF-A519-CF9E5FDEA37E}-v595-{07A55DCD-B0F6-49EF-A519-CF9E5FDEA37E}-v595-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\eternal_lasting_love@hotmail.com\SharingMetadata\wu_man425@hotmail.com\DFSR\Staging\CS{813D50DE-C6DA-B152-7B11-47F61989427E}\01\567-{813D50DE-C6DA-B152-7B11-47F61989427E}-v1-{07A55DCD-B0F6-49EF-A519-CF9E5FDEA37E}-v567-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\Darrell Lau\Local Settings\Application Data\Microsoft\Messenger\eternal_lasting_love@hotmail.com\SharingMetadata\wu_man425@hotmail.com\DFSR\Staging\CS{813D50DE-C6DA-B152-7B11-47F61989427E}\66\566-{07A55DCD-B0F6-49EF-A519-CF9E5FDEA37E}-v566-{07A55DCD-B0F6-49EF-A519-CF9E5FDEA37E}-v566-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

---- EOF - GMER 1.0.12 ----

demonic_angel
2007-05-29, 10:06
Phew.. long document.

One thing. Nod32 detected something in svchost.exe while I was copying all that. I'm assuming that's a bad thing?

shelf life
2007-05-29, 17:09
hi demonic_angel,

thanks for all the info. that was long but it all looks ok. those O4 entries, let's try hjt again. make sure Ad-Aware's Ad-Watch isn't running. you can disable it like this:

1. Right click on the Ad-Watch icon in the system tray and select "Restore Ad-Watch".
2. At the bottom of the screen there will be two checkable items called "Active" and "Automatic".

Active: Switches Monitoring On or Off without closing
Automatic: Switches Automatic Blocking On or Off

3. Uncheck (red X) both items.
----------------------------------------
scan with HJT, put a checkmark beside the items below, close all windows and click fix checked.

O4 - HKLM\..\Run: [AVPSrv] C:\WINDOWS\AVPSrv.exe
O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
O4 - HKLM\..\Run: [cmdbcs] C:\WINDOWS\cmdbcs.exe
O4 - HKLM\..\Run: [msccrt] C:\WINDOWS\msccrt.exe
O4 - HKLM\..\Run: [upxdnd] C:\WINDOWS\upxdnd.exe
O4 - HKCU\..\Run: [8u3] C:\DOCUME~1\DARREL~1\LOCALS~1\Temp\c0nime.exe
-----------------------------------------
let's try another online scan, this time at F-Secure:

F-secure scan:
http://support.f-secure.com/enu/home/ols.shtml

click on the "start scanning button"
after the ActiveX applet installs--Click Full System Scan
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.

Click the Show Report button and Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

shelf life
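As an added example (not code from this thread, from HijackThis, or from the helper), here is a small Python triage script that parses the O4 autostart lines of an HJT log and applies the kind of checks shelf life applied by eye above: an autorun launched from a Temp directory or from the root of the Windows directory, one using a core system binary's name, or one whose Run value name looks machine-generated. The sample lines are the O4 entries quoted in this thread; the heuristics, names and the `Autorun` structure are my own assumptions for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: autostart lines copied from the HijackThis logs posted in
# this thread (the O4 entries shelf life asked to fix, mixed with legitimate ones).
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [AVPSrv] C:\WINDOWS\AVPSrv.exe
O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [8u3] C:\DOCUME~1\DARREL~1\LOCALS~1\Temp\c0nime.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: NOD32 Control Center.lnk = C:\Program Files\ESET\nod32kui.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# Names of core Windows processes. Windows starts these itself; a Run-key value
# that launches a file with one of these names is a masquerade, not a real autorun.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe",
                       "winlogon.exe", "services.exe", "smss.exe"}

# HJT O4 formats handled here: "HKLM\..\Run: [name] command" and "Global Startup: x.lnk = path"
RUN_KEY_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# Executable part of a command line: a quoted path, or an unquoted token ending in an exe-like extension
EXE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>\S+?\.(?:exe|com|scr|pif|bat|cmd))(?:\s|$)', re.I)


@dataclass
class Autorun:
    hive: str
    name: str
    command: str
    exe_path: str
    reasons: List[str] = field(default_factory=list)  # filled in by triage()

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def extract_exe(command: str) -> str:
    """Return the executable path from a Run-key command line, dropping its arguments."""
    m = EXE_RE.match(command)
    if m:
        return m.group("q") or m.group("u")
    parts = command.split()
    return parts[0] if parts else command


def parse_o4(log_text: str) -> List[Autorun]:
    """Collect every O4 autostart entry; other HJT sections (O2, O23, ...) are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = RUN_KEY_RE.match(line) or STARTUP_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        entries.append(Autorun(m.group("hive"), m.group("name"), cmd, extract_exe(cmd)))
    return entries


def triage(entry: Autorun) -> Autorun:
    """Attach a reason for each heuristic the entry trips; no reasons means nothing odd was seen."""
    p = entry.exe_path.lower()
    directory, _, filename = p.rpartition("\\")
    if "\\temp\\" in p:
        entry.reasons.append("launched from a Temp directory")
    if directory in ("c:\\windows", "c:\\winnt"):
        # Legitimate startup items live in Program Files or system32, not in the Windows root.
        entry.reasons.append("launched from the Windows directory root")
    if filename in SYSTEM_BINARY_NAMES:
        entry.reasons.append("uses a core system binary name as an autorun")
    if len(entry.name) <= 3 and any(ch.isdigit() for ch in entry.name):
        entry.reasons.append("value name looks machine-generated (weak signal)")
    return entry


def suspicious_autoruns(log_text: str) -> List[Autorun]:
    """Parse an HJT log and return only the O4 entries that tripped at least one heuristic."""
    return [e for e in map(triage, parse_o4(log_text)) if e.suspicious]


if __name__ == "__main__":
    for hit in suspicious_autoruns(HJT_SAMPLE):
        print(f"{hit.hive} [{hit.name}] {hit.exe_path}: " + "; ".join(hit.reasons))
```

Run against the sample, the script flags exactly the three entries from the list above that it contains (AVPSrv and mppds for living in the Windows root, 8u3 for running from Temp) and leaves itype, nod32kui and msnmsgr alone. The "weak signal" rule is deliberately labelled as such: on its own it is a reason to look, not to fix.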

demonic_angel
2007-05-30, 01:33
Scanning Report
Tuesday, May 29, 2007 08:40:41 - 15:28:37
Computer name: DARRELL
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 6 malware found
Backdoor.Win32.Agent.ahj (virus)
C:\WINDOWS\SYSTEM32\N1116660084K.EXE (Renamed & Submitted)
C:\WINDOWS\SYSTEM32\N1116660201K.EXE (Renamed & Submitted)
Trojan-PSW.Win32.OnLineGames.te (virus)
C:\WINDOWS\SYSTEM32\K11166423988.EXE (Renamed & Submitted)
C:\WINDOWS\SYSTEM32\K11166598938.EXE (Renamed & Submitted)
C:\WINDOWS\SYSTEM32\K11797180108.EXE (Renamed & Submitted)
Virus.VBS.Confi (virus)
D:\SYSTEM VOLUME INFORMATION\_RESTORE{8879F6E1-FCF4-4F33-876A-185E7B8FEAC0}\RP174\A0031619.DLL (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 38627
System: 4470
Not scanned: 4
Actions:
Disinfected: 0
Renamed: 5
Deleted: 0
None: 1
Submitted: 6
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\CC299263C1FBC6E1DC2382B484BAA392_FF4796C2-F9E6-404D-80BE-655D3F0173C8

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-05-26
F-Secure AVP: 7.0.171, 2007-05-29
F-Secure Orion: 1.2.37, 2007-05-29
F-Secure Blacklight: 1.0.53
F-Secure Draco: 1.0.35, 0260-23-12
F-Secure Pegasus: 1.19.0, 2007-04-27
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
Use Advanced heuristics

--------------------------------------------------------------------------------

Thanks again

shelf life
2007-05-30, 04:05
hi demonic_angel,

good, thanks for the info. are those O4's still showing up in a hjt scan?

shelf life

demonic_angel
2007-05-30, 04:52
I rebooted and ran HJT, because I just got home. When I logged into windows, Ad-watch said that there was an attempt to delete AVPrs.exe and
c0nime.exe. I clicked accept and rescanned with HJT:

Logfile of HijackThis v1.99.1
Scan saved at 5:50:34 PM, on 2007-05-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\NMSSvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\HI JACK!\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [BitComet] "D:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [Veoh] "D:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - Global Startup: NOD32 Control Center.lnk = C:\Program Files\ESET\nod32kui.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

it SEEMS to be gone, but I'm not quite sure.

Thanks

shelf life
2007-05-31, 01:28
hi demonic_angel,

should be ok now. I think it was real-time protection and a non-reboot that was holding us up. I say you are good to go after making a new restore point. sometimes malware can get archived in the system restore points. easy to make a new one:

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore. (new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot.

careful what you get with BitComet. some P2P info:
http://security-central.us/SafeHex/file_sharing.htm

shelf life

demonic_angel
2007-05-31, 01:34
Okay, but there's one thing. I just came back from school, and Nod32 detected something trying to attack svchost.exe. some trojan. keeps popping up, but I'm not sure if it's gone.

shelf life
2007-05-31, 05:28
hi demonic_angel


Nod32 detected something trying to attack svchost.exe.

does it do anything with it, delete, quarantine it? can you provide more details.

shelf life

demonic_angel
2007-06-01, 01:54
Hi

Nod32 says it was moved to quarantine and I could close the window

shelf life
2007-06-01, 04:34
hi demonic_angel,


Nod32 says it was moved to quarantine

ok good. sounds like it's all under control now. how's it all looking on your end?

shelf life

demonic_angel
2007-06-01, 05:14
Hi, everything seems to be fine, except for the fact that I still have to select from a list when I open C or D drive. Other than that, nothing seems to be wrong with my computer now. Thanks!

shelf life
2007-06-02, 06:17
hi demonic_angel,


everything seems to be fine
ok good.


I still have to select from a list when I open c or d drive
you mean the "open with" list when you click on a drive. what do you select to open it?

demonic_angel
2007-06-02, 20:20
I chose Internet Explorer to open it...but the list opens every time

shelf life
2007-06-03, 01:48
hi demonic_angel,

try this: go to this website:

http://www.dougknox.com/xp/file_assoc.htm

find the "Drive association fix"

download it to desktop, it's a zip file.

create a new folder on your desktop called "drive"

double-click the file you downloaded, extract it to the new folder you created (drive)
double-click the extracted file (.reg), select yes when prompted to merge into the registry

see if that fixes it.

shelf life

demonic_angel
2007-06-04, 08:20
Hi

It doesn't work. It still sends me to the list whenever I double click.

Thanks again

shelf life
2007-06-04, 23:44
hi demonic_angel,

visit this link and follow along, see if it helps:

http://support.microsoft.com/kb/307859

shelf life

demonic_angel
2007-06-05, 03:32
Hi,

I just tried that, and it didn't work. I found that if I right click and press open, it doesn't go to the list, only when I double click.

Thanks again

shelf life
2007-06-05, 05:47
hi demonic_angel,

running out of ideas. try this-- go to start>run and type in:

regsvr32 /i shell32.dll

there is a space after the i

then press Enter; a msg box should pop up saying it worked.
reboot computer once and see.

shelf life

demonic_angel
2007-06-06, 02:49
Hi

Same result with the other things. Doesn't work. Maybe the virus/trojan infected explorer or something?

shelf life
2007-06-06, 05:00
hi demonic_angel,


Maybe the virus/trojan infected explorer or something?
it's possible. viruses that copy themselves into .exe or .dll files can be removed but can leave behind a damaged file. I am not saying that's what happened in your case.


double click my computer-- at top go to tools>folder options>file types
see if you see a restore button to set everything back to default settings under the file types tab.

shelf life

demonic_angel
2007-06-06, 06:18
Hi

That didn't work either. Sorry, this is probably getting annoying.

Thanks once again

shelf life
2007-06-07, 01:28
hi,

well you can try this, it's a long shot.

system file checker: to check for corrupt/replaced OS files. a long shot because I am pretty sure it's a registry problem. can't hurt to try:

see link:
http://www.updatexp.com/scannow-sfc.html

also try this once more:
go to start>run and type in:

regsvr32 /i shell32.dll

there is a space after the i

then press Enter; a msg box should pop up saying it worked.

shelf life

demonic_angel
2007-06-07, 03:53
Didn't work because I don't have the CD. Would this problem do anything other than be annoying?

shelf life
2007-06-07, 05:16
hi demonic_angel,


Would this problem do anything other than be annoying?

no, I don't think so. pretty sure it's a registry fix somewhere, somehow--should only be, like you said, annoying.

shelf life

demonic_angel
2007-06-07, 07:26
Okay, thanks a lot for the help xD I hope I wasn't too much of a nuisance!

-Darrell

shelf life
2007-06-08, 04:27
hi Darrell,

no problem. glad to help. at least we got rid of the malware.

happy safe surfing

shelf life