
PC sends spam after infection with Smitfraud-C, Torpig and Virtumonde



tverhoog
2007-06-24, 23:58
Hi,

I'm very impressed with all the help offered to the people with various problems by the forum regulars. I hope someone can help me too.

Yesterday my Spybot detected Virtumonde, Smitfraud.C and Torpig. First Spybot couldn't delete them, but after reading some posts here, I managed to delete them. I have run the combofix.exe, sdfix.exe and vundofix.exe in safe mode and I have installed AVG anti-spyware. Furthermore I'm running Avast 4 Home.

My Spybot now doesn't detect any problems anymore except some tracking cookies, but the Avast mail scanner keeps scanning outgoing mails to random addresses and with different senders. These emails have subjects like "Payday Loans" and "Refinance". AVG anti-spyware sometimes gives an alert saying there are a lot of mails being sent simultaneously.

I will post the most recent log from HJT and the logs from SDFix and Combofix I have just run. These were run in the order: Combofix, SDFix, HJT. I'll be happy to provide more information. Thanks for your time!

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 23:51:33, on 24-6-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Xfire.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
G:\My Shared Folder\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Xfire] Xfire.exe /minimize
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O9 - Extra button: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - C:\Documents and Settings\Tobias Verhoog\Bureaublad\InterCasino $$$.lnk
O9 - Extra 'Tools' menuitem: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - C:\Documents and Settings\Tobias Verhoog\Bureaublad\InterCasino $$$.lnk
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: InterCasino Deutschland - {8CBAFC3D-456C-4993-A7E8-0A079DD184F4} - C:\Documents and Settings\Tobias Verhoog\Bureaublad\InterCasino Deutschland.lnk (HKCU)
O9 - Extra 'Tools' menuitem: InterCasino Deutschland - {8CBAFC3D-456C-4993-A7E8-0A079DD184F4} - C:\Documents and Settings\Tobias Verhoog\Bureaublad\InterCasino Deutschland.lnk (HKCU)
O9 - Extra button: Playboy Casino USD - {D62F3523-3F8C-4F1B-B888-FAEE3F4B8CF2} - C:\Documents and Settings\Tobias Verhoog\Bureaublad\Playboy Casino USD.lnk (HKCU)
O9 - Extra 'Tools' menuitem: Playboy Casino USD - {D62F3523-3F8C-4F1B-B888-FAEE3F4B8CF2} - C:\Documents and Settings\Tobias Verhoog\Bureaublad\Playboy Casino USD.lnk (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://777dragon.microgaming.com/777dragon/FlashAX.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Object) - https://casinoclassic.microgaming.com/casinoclassic/FlashAX2.cab
O20 - Winlogon Notify: Xnosixr - C:\WINDOWS\SYSTEM32\Xnosixr.dll
O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 9074 bytes

--------------------------------------------------------------------------
SDFIX LOG:

SDFix: Version 1.88

Run by Tobias Verhoog on zo 24-06-2007 at 22:12

Microsoft Windows XP [versie 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing SharedAccess Service

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\system32\drivers\asc3550u.sys - Deleted



Removing Temp Files...

ADS Check:

Checking C:\WINDOWS
C:\WINDOWS
No streams found.

Checking C:\WINDOWS\system32
C:\WINDOWS\system32
No streams found.

Checking C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Checking C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Disabled:Messenger"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Steam\\steamapps\\tverhoog\\counter-strike\\hl.exe"="C:\\Program Files\\Steam\\steamapps\\tverhoog\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Last.fm\\LastFM.exe"="C:\\Program Files\\Last.fm\\LastFM.exe:*:Enabled:LastFM"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Listing Files with Hidden Attributes:

C:\Program Files\Picasa2\setup.exe
C:\WINDOWS\system32\4B14766367.sys
C:\WINDOWS\system32\KGyGaAvL.sys
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

Listing User Accounts:


__vmware_user__ Administrator Gast
HelpAssistant SUPPORT_388945a0 Tobias Verhoog


Finished

tverhoog
2007-06-24, 23:59
COMBOFIX LOG:

ComboFix 07-06-21.3 - G:\My Shared Folder\ComboFix.exe
"Tobias Verhoog" - 2007-06-23 14:11:31 - Service Pack 2 NTFS [SAFE MODE]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\microsoft shared\web folders\ibm00001.dll
C:\Program Files\Common Files\microsoft shared\web folders\ibm00002.dll
C:\Program Files\winpop
C:\Program Files\winpop\UnInstall.exe
C:\Program Files\winpop\winpop.exe
C:\WINDOWS\b.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\system32\0_exception.nls
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2


((((((((((((((((((((((((( Files Created from 2007-05-23 to 2007-06-23 )))))))))))))))))))))))))))))))


2007-06-23 12:57 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
2007-06-23 12:56 <DIR> dr-h----- C:\DOCUME~1\TOBIAS~1\Onlangs geopend
2007-06-23 12:51 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-23 12:31 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-22 23:28 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-22 23:28 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-22 23:27 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-22 23:26 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-06-22 23:26 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-22 23:26 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-22 23:26 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-22 23:26 <DIR> d-------- C:\Program Files\Alwil Software
2007-06-22 23:09 <DIR> d-------- C:\VundoFix Backups
2007-06-22 23:04 <DIR> d-------- C:\!KillBox
2007-06-22 22:31 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-06-22 21:55 <DIR> d-------- C:\DOCUME~1\TOBIAS~1\APPLIC~1\VMware
2007-06-22 21:42 71,680 --a------ C:\WINDOWS\g38537968.exe
2007-06-22 21:42 59,072 --a------ C:\WINDOWS\system32\drivers\asc3550u.sys
2007-06-22 21:42 19,968 --a------ C:\cskd.exe
2007-06-22 21:42 1,536 --a------ C:\bwarny.exe
2007-06-22 21:42 <DIR> d-------- C:\WINDOWS\system32\{35745379-1114-1232-1122-334425667788}
2007-06-22 21:32 16,816 -ra------ C:\WINDOWS\system32\drivers\vmnetadapter.sys
2007-06-22 21:32 13,104 -ra------ C:\WINDOWS\system32\vnetinst.dll
2007-06-22 21:32 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\VMware
2007-06-22 21:31 50,992 -ra------ C:\WINDOWS\system32\vmnetbridge.dll
2007-06-22 21:31 437,040 --a------ C:\WINDOWS\system32\vnetlib.dll
2007-06-22 21:31 28,592 -ra------ C:\WINDOWS\system32\drivers\vmnetbridge.sys
2007-06-22 21:31 25,264 --a------ C:\WINDOWS\system32\drivers\vmnetuserif.sys
2007-06-22 21:31 21,040 --a------ C:\WINDOWS\system32\drivers\VMkbd.sys
2007-06-22 21:31 17,712 -ra------ C:\WINDOWS\system32\drivers\vmnet.sys
2007-06-22 21:31 150,320 --a------ C:\WINDOWS\system32\vmnat.exe
2007-06-22 21:31 121,648 --a------ C:\WINDOWS\system32\vmnetdhcp.exe
2007-06-22 21:30 <DIR> d-------- C:\Program Files\VMware
2007-06-22 21:30 <DIR> d-------- C:\Program Files\Common Files\VMware
2007-06-22 21:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\VMware
2007-06-22 21:27 <DIR> d-------- C:\Program Files\PowerISO
2007-06-21 20:22 88 -r-hs---- C:\WINDOWS\system32\4B14766367.sys
2007-06-21 20:22 2,880 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-06-21 20:22 <DIR> d-------- C:\DOCUME~1\TOBIAS~1\APPLIC~1\Corel
2007-06-21 20:21 <DIR> d-------- C:\Program Files\Corel
2007-06-21 20:21 <DIR> d-------- C:\Program Files\Common Files\Corel
2007-06-21 20:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Corel
2007-06-21 20:14 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-06-20 17:43 <DIR> d-------- C:\Program Files\Joost
2007-06-16 21:02 701,676 --a------ C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2007-06-16 21:02 47,104 --a------ C:\WINDOWS\SOUNDMAN.EXE
2007-06-16 21:02 208,896 --------- C:\WINDOWS\alcupd.exe
2007-06-16 21:02 131,072 --------- C:\WINDOWS\alcrmv.exe
2007-06-15 14:35 <DIR> d-------- C:\Program Files\Steam
2007-06-12 23:33 490,272 --a------ C:\WINDOWS\system32\LVUI2.dll
2007-06-12 23:33 465,696 --a------ C:\WINDOWS\system32\LVUI2RC.dll
2007-06-12 23:33 416,544 --a------ C:\WINDOWS\system32\LVCodec2.dll
2007-06-12 23:33 41,888 --a------ C:\WINDOWS\system32\drivers\LVUSBSta.sys
2007-06-12 23:33 195,360 --a------ C:\WINDOWS\system32\lvci1100.dll
2007-06-12 23:33 15,558 --a------ C:\WINDOWS\system32\Repository.reg
2007-06-12 23:33 14,112 --a------ C:\WINDOWS\system32\drivers\lv302af.sys
2007-06-12 23:33 1,276,832 --a------ C:\WINDOWS\system32\drivers\LV302V32.SYS
2007-06-12 23:32 <DIR> d-------- C:\Program Files\Logitech
2007-06-12 23:32 <DIR> d-------- C:\Program Files\Common Files\LogiShrd
2007-06-12 23:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Logitech
2007-06-12 23:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\LogiShrd
2007-06-08 21:43 <DIR> d-------- C:\Program Files\MultiRes
2007-06-01 11:34 <DIR> d-------- C:\Program Files\Last.fm
2007-05-31 17:47 <DIR> d-------- C:\DOCUME~1\TOBIAS~1\APPLIC~1\Opera
2007-05-31 17:14 73,728 --a------ C:\WINDOWS\RmTablet.exe
2007-05-31 17:14 61,440 --a------ C:\WINDOWS\system32\tblmouse.exe
2007-05-31 17:14 57,344 --a------ C:\WINDOWS\system32\wintab32.dll
2007-05-31 17:14 49,152 --a------ C:\WINDOWS\system32\Tblfunc.dll
2007-05-31 17:14 49,152 --a------ C:\WINDOWS\system32\Funckey.dll
2007-05-31 17:14 36,864 --a------ C:\WINDOWS\system32\utblfilt.dll
2007-05-31 17:14 32,768 --a------ C:\WINDOWS\system32\ATWinLog.dll
2007-05-31 17:14 305,152 --a------ C:\WINDOWS\IsUn0413.exe
2007-05-31 17:14 294,989 --a------ C:\WINDOWS\system32\atwtusbL.exe
2007-05-31 17:14 290,816 --a------ C:\WINDOWS\system32\atwtusb.exe
2007-05-31 17:14 22,272 --a------ C:\WINDOWS\system32\drivers\aiptektp.sys
2007-05-31 17:14 1,544,192 --a------ C:\WINDOWS\system32\TblRes.dll
2007-05-31 17:14 <DIR> d-------- C:\WINDOWS\udtablet
2007-05-31 17:14 <DIR> d-------- C:\DOCUME~1\TOBIAS~1\WINDOWS
2007-05-29 17:08 <DIR> d-------- C:\Program Files\Real Alternative
2007-05-29 17:08 <DIR> d-------- C:\Program Files\Media Player Classic
2007-05-29 17:08 <DIR> d-------- C:\DOCUME~1\TOBIAS~1\APPLIC~1\Real
2007-05-29 17:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Real
2007-05-27 17:52 <DIR> d-------- C:\Program Files\BeTheDealer Casino
2007-05-23 09:40 <DIR> d-------- C:\Program Files\CCleaner


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-23 10:45:54 -------- d-----w C:\Program Files\Hitman Pro
2007-06-22 20:31:27 -------- d-----w C:\DOCUME~1\TOBIAS~1\APPLIC~1\Azureus
2007-06-22 19:31:25 54,628 ----a-w C:\WINDOWS\system32\perfc013.dat
2007-06-22 19:31:25 367,014 ----a-w C:\WINDOWS\system32\perfh013.dat
2007-06-21 18:11:40 682,232 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-06-18 20:56:24 -------- d-----w C:\Program Files\WH GBP Casino
2007-06-16 20:48:04 -------- d-----w C:\Program Files\AltBinz
2007-06-16 19:02:16 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-16 14:08:59 -------- d-----w C:\Program Files\MSN Messenger
2007-06-16 09:02:00 -------- d-----w C:\Program Files\Google
2007-06-11 11:50:42 -------- d-----w C:\Program Files\Playboy Casino USD
2007-06-09 08:38:24 -------- d-----w C:\Program Files\InterCasino $$$
2007-06-05 16:46:01 -------- d-----w C:\Program Files\eMule
2007-06-05 08:30:06 -------- d-----w C:\Program Files\32red
2007-05-23 07:51:51 -------- d-----w C:\Program Files\Winamp
2007-05-21 16:32:54 -------- d-----w C:\DOCUME~1\TOBIAS~1\APPLIC~1\Joost
2007-05-17 08:25:18 323,624 ----a-w C:\WINDOWS\system32\wiaaut.dll
2007-05-16 15:19:43 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-11 15:30:16 25,888 ----a-w C:\WINDOWS\system32\drivers\LVPr2Mon.sys
2007-05-11 15:29:54 2,142,752 ----a-w C:\WINDOWS\system32\drivers\LVMVdrv.sys
2007-05-11 15:27:58 2,107,808 ----a-w C:\WINDOWS\system32\drivers\Lvckap.sys
2007-05-09 21:41:14 -------- d-----w C:\Program Files\Badongo
2007-05-09 21:40:51 -------- d-----w C:\Program Files\MediaMonkey
2007-05-08 09:53:33 -------- d-----w C:\DOCUME~1\TOBIAS~1\APPLIC~1\GrabIt
2007-05-07 19:25:07 -------- d-----w C:\Program Files\InterCasino Deutschland
2007-05-05 09:58:11 -------- d-----w C:\Program Files\GrabIt
2007-05-04 14:11:10 -------- d-----w C:\DOCUME~1\TOBIAS~1\APPLIC~1\Media Player Classic
2007-05-04 14:10:37 -------- d-----w C:\Program Files\K-Lite Codec Pack
2007-05-03 10:17:03 -------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2007-05-02 17:28:58 107,520 ----a-w C:\WINDOWS\system32\UnCasino5.exe
2007-05-01 20:52:52 34,608 ----a-w C:\WINDOWS\system32\drivers\hcmon.sys
2007-05-01 20:52:50 430,128 ----a-w C:\WINDOWS\system32\drivers\vmx86.sys
2007-05-01 20:52:02 16,176 ----a-w C:\WINDOWS\system32\drivers\vmparport.sys
2007-05-01 19:45:40 207,664 ----a-w C:\WINDOWS\system32\vmnc.dll
2007-04-25 14:22:52 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-24 17:19:58 -------- d-----w C:\Program Files\WiFiConnector
2007-04-24 10:47:38 -------- d-----w C:\DOCUME~1\TOBIAS~1\APPLIC~1\Google
2007-04-20 13:10:13 1,541 ----a-w C:\WINDOWS\mozver.dat
2007-04-18 16:15:26 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 20:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 20:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 20:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 20:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 20:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 20:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 20:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 20:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-01 17:01:10 249,856 ------w C:\WINDOWS\Setup1.exe
2007-04-01 17:01:09 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-03-23 08:05:16 5,451,776 ----a-r C:\WINDOWS\system32\V2iDiskLib.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll [2006-12-15 04:23]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Xfire"="Xfire.exe" [2001-11-13 16:28 C:\WINDOWS\system32\xfire.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 14:00 C:\WINDOWS\system32\bthprops.cpl]
"atwtusb"="atwtusb.exe" [2005-03-09 17:29 C:\WINDOWS\system32\atwtusb.exe]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 23:48]
"vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-05-01 22:52]
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [2007-05-01 22:52]
"avast!"="C:\Program Files\Alwil Software\Avast4\ashDisp.exe" [2007-04-30 17:42]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-02-24 21:09]
"Steam"="" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 14:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjvd32]
winjvd32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wudb]
C:\WINDOWS\system32\wudb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Xnosixr]
xnosixr.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Nero\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
"C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
"C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung Common SM]
"C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoftickPPP]
"C:\Program Files\Softick\PPP\Bin\PPPGate.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
NtmlSvc


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-23 14:16:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ufad-ws60]
"ImagePath"="\"C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe\" -d \"C:\Program Files\VMware\VMware Workstation\\\" -s ufad-p2v.xml"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001000-0000-1000-8000-00805f9b34fb}]


[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001101-0000-1000-8000-00805f9b34fb}]


[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001105-0000-1000-8000-00805f9b34fb}]


[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001115-0000-1000-8000-00805f9b34fb}]


Completion time: 2007-06-23 14:18:36
C:\ComboFix-quarantined-files.txt ... 2007-06-23 14:18

--- E O F ---

tverhoog
2007-06-25, 00:14
This is the message I receive from the avast mail scanner:

There are too many identical e-mails in appointed time


Sender: "Thomas Robinson" <wwimyd@visitpensacola.com>
Recipient: "Jose" <atlanta@fotopic.net>
Subject: Refinance

shelf life
2007-06-30, 13:38
hi tverhoog,

looks like you got rid of some malware. logs look ok. can you do a scan with avg then post that report. also rename the hjt icon to something else like scanme.exe, then rescan and post a new hjt log also.

avg report:
after the scan is done:
Next select the "Reports" icon at the top.
* Select the "Save report as" button in the lower left hand of the screen and save it as a text file on your computer. Please post the AVG log in next reply.
----------------
shelf life

tverhoog
2007-07-03, 00:22
I have scanned my computer with avg and also HJT after renaming it to scanner.exe. I have performed all the suggested actions with AVG (deleted the cookies and quarantined the Trojan).

Thanks a lot for your time Shelf Life! :bigthumb:

Here are the logs from AVG and HJT:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 0:21:46 3-7-2007

+ Scan result:



C:\System Volume Information\_restore{EFA6688D-3E0B-49CB-B749-E36C7E143C8F}\RP85\A0034930.exe -> Adware.Rond : Ignored.
:mozilla.183:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.184:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.185:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Tobias Verhoog\Cookies\tobias_verhoog@www.belstat[1].txt -> TrackingCookie.Belstat : Cleaned.
:mozilla.653:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.111:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.112:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.113:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.114:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.115:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.116:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.117:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.563:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.304:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Cqcounter : Cleaned.
:mozilla.710:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Cqcounter : Cleaned.
:mozilla.257:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Dealtime : Cleaned.
:mozilla.258:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Dealtime : Cleaned.
:mozilla.259:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Dealtime : Cleaned.
:mozilla.261:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Dealtime : Cleaned.
:mozilla.262:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Dealtime : Cleaned.
:mozilla.268:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Dealtime : Cleaned.
:mozilla.354:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.487:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.488:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.494:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.495:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.496:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.601:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.252:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.77:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.78:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.409:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.410:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.411:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Tobias Verhoog\Cookies\tobias_verhoog@server.lon.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.100:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.101:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.102:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.103:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.104:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.90:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.91:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.92:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.93:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.94:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.95:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.96:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.97:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.98:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.99:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
C:\Documents and Settings\Tobias Verhoog\Cookies\tobias_verhoog@stat.onestat[1].txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.492:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Tobias Verhoog\Cookies\tobias_verhoog@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.220:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.221:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.222:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.223:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.224:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.225:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.60:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.61:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.62:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.63:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.64:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.65:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.633:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.635:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.637:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.638:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.765:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.766:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.316:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.317:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.318:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.319:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.320:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.729:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.730:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.731:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.747:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Weborama : Cleaned.
:mozilla.449:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Tobias Verhoog\Cookies\tobias_verhoog@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.
:mozilla.129:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.130:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.673:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.674:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.675:C:\Documents and Settings\Tobias Verhoog\Application Data\Mozilla\Firefox\Profiles\4qvi6tkg.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
C:\QooBox\Quarantine\C\Program Files\WinPop\UnInstall.exe.vir -> Trojan.Small.oa : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EFA6688D-3E0B-49CB-B749-E36C7E143C8F}\RP85\A0034929.exe -> Trojan.Small.oa : Cleaned with backup (quarantined).


::Report end

tverhoog
2007-07-03, 00:25
And the Hijack This! log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 0:12:30, on 3-7-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\Xfire.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
G:\My Shared Folder\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [Xfire] Xfire.exe /minimize
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: (no name) - AutorunsDisabled - (no file) (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://777dragon.microgaming.com/777dragon/FlashAX.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Object) - https://casinoclassic.microgaming.com/casinoclassic/FlashAX2.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: Xnosixr - C:\WINDOWS\SYSTEM32\Xnosixr.dll
O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 8858 bytes
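For readers working through logs like the one above, here is a small parser for the HijackThis 2.0 line format that pulls out the items a helper looks at first (O20 Winlogon Notify DLLs, O23 services with an unknown owner, and the R1 proxy setting). This is an added example, not a tool from the thread or from Trend Micro; the sample log is constructed from entries posted here and it only lists candidates for review, it does not judge any file malicious.

```python
import re
from dataclasses import dataclass

# Constructed sample, assembled from the line format HijackThis 2.0 uses
# (the entries mirror ones posted in this thread). Raw string keeps the backslashes.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: Xnosixr - C:\WINDOWS\SYSTEM32\Xnosixr.dll
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Each HJT finding is "<section> - <body>", e.g. "O20 - Winlogon Notify: ...".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>.+?) - (?P<path>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
PROXY_RE = re.compile(r",ProxyServer = (?P<value>\S+)$")


@dataclass(frozen=True)
class HjtEntry:
    section: str   # R0/R1/O2/O4/O20/O23 ...
    body: str      # everything after " - "


def parse_hjt(text: str) -> list[HjtEntry]:
    """Return the finding lines of a HijackThis log; the header and the
    running-process list carry no section prefix and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(HjtEntry(m["section"], m["body"]))
    return entries


def winlogon_notify(entries):
    """(name, dll path) for every O20 Winlogon Notify entry."""
    out = []
    for e in entries:
        if e.section == "O20":
            m = NOTIFY_RE.match(e.body)
            if m:
                out.append((m["name"], m["path"]))
    return out


def unknown_owner_services(entries):
    """(service name, binary path) for O23 services HJT could not attribute."""
    out = []
    for e in entries:
        if e.section == "O23":
            m = SERVICE_RE.match(e.body)
            if m and m["owner"] == "Unknown owner":
                out.append((m["name"], m["path"]))
    return out


def proxy_servers(entries):
    """Configured IE proxy values from R1 entries. A 127.0.0.1 proxy is often
    a security product's own scanner, but it should be accounted for."""
    out = []
    for e in entries:
        if e.section == "R1":
            m = PROXY_RE.search(e.body)
            if m:
                out.append(m["value"])
    return out


def review_candidates(entries):
    """Items a helper checks first: Winlogon Notify DLLs sitting directly under
    the Windows directory (no product folder to identify them), services with
    an unknown owner, and any configured proxy."""
    notes = []
    for name, path in winlogon_notify(entries):
        if path.lower().startswith("c:\\windows\\"):
            notes.append(f"O20 {name}: {path} (check file version/publisher)")
    for name, path in unknown_owner_services(entries):
        notes.append(f"O23 {name}: {path} (owner unknown to HJT)")
    for value in proxy_servers(entries):
        notes.append(f"R1 proxy {value} (confirm which installed product owns it)")
    return notes


if __name__ == "__main__":
    for note in review_candidates(parse_hjt(SAMPLE_LOG)):
        print(note)
```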

shelf life
2007-07-03, 02:19
hi tverhoog,

one thing, this entry:
Winlogon Notify: Xnosixr - C:\WINDOWS\SYSTEM32\Xnosixr.dll
--------------------------------
to show all files:
For XP: on the desktop double-click My Computer, go to Tools > Folder Options > View, then select "show hidden files and folders", then UNcheck "hide protected operating system files", also UNcheck "hide extensions for known file types", click apply to all folders, apply, then ok

next go to the system32 dir. and locate:
Xnosixr.dll
---------------------------
go to this website:
http://virusscan.jotti.org/
browse for the file again, then click submit to upload it.
when the scan is done you can copy/paste the results into notepad and post back here.

also go to this website:
http://www.norman.com/microsites/nsic/Submit/en-us
browse for the file again, click upload. you can use my email address:

echoreply(at)hotmail(dot)com

shelf life

tverhoog
2007-07-04, 00:02
I have located the file but the following errors occurred.

When I try that with the first page, I receive the message:


The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

With the second website I receive the message:


Error occured while uploading file. Make sure you have selected a file.

I have tried again with my firewall turned off and after I restarted Windows in Safe Mode, but that didn't help. Copying the file isn't possible either because it is in use. Do you have another possibility, or does this make the file suspicious right away?

shelf life
2007-07-04, 01:25
hi tverhoog,


"make the file suspicious right away"
no, what makes it suspicious is i can't find any reference to that .dll
let's try Suspicious File Packer;

go here:
http://www.safer-networking.org/en/tools/index.html

download Suspicious File Packer to desktop.
double click the icon
copy/paste in the window:

C:\WINDOWS\SYSTEM32\Xnosixr.dll

then click the continue button.

it will create a compressed file on the desktop. you can email it to me as an attachment to:
echoreply(at)hotmail(dot)com

shelf life

tverhoog
2007-07-04, 14:02
All right, the files have been sent.

shelf life
2007-07-04, 21:09
hi tverhoog,

thanks, but same problem no file. find the .dll in the system32 dir, right click on it and select properties. under the general tab, see what the file size is and under the version tab see if any information is listed please.

shelf life

tverhoog
2007-07-04, 22:41
It says there that the file size is 57,5 Kb (58.880 bytes) and that it has been created on 14:00:00 aug 4th of 2004 and last opened june 22nd of 2007.

There is no version tab.

shelf life
2007-07-05, 13:28
hi tverhoog,

ok thanks. it could be legit. you ran vundofix, please rerun it and post the log.
how's your computer behaving? what about the email msg's you were getting.

shelf life

tverhoog
2007-07-05, 14:18
Hi shelf life,

Vundofix found no infected files. My PC is still sending spam. Avast on-access Mail Scanner reports a scanned count of 750 in the last 6 hours. The spam program usually doesn't send any mail in the first half hour and then sends a lot in a short period of time. I receive a lot of pop-up messages from the avast mail scanner that there are too many messages going out.

My firewall (sygate personal firewall) doesn't detect the sending of mail, I think. When I look at the traffic log the only files that are sending out are the avast mail scanner (C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe) and Gmail Notifier (C:\Program Files\Google\Gmail Notifier\gnotify.exe).

I found some information on the internet about rootkits and I think rootkit revealer detected some things. But I'm not sure and I don't really know if rootkits may be the source of this nor how to remove them. I will post the report from rootkit revealer:

HKU\.DEFAULT\Control Panel\International 23-6-2007 14:18 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo 23-6-2007 14:18 0 bytes Security mismatch.
HKU\S-1-5-21-436374069-1972579041-839522115-1003\Control Panel\International 23-6-2007 14:18 0 bytes Security mismatch.
HKU\S-1-5-21-436374069-1972579041-839522115-1003\Control Panel\International\Geo 23-6-2007 14:18 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International 23-6-2007 14:18 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo 23-6-2007 14:18 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 12-2-2007 20:33 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 12-2-2007 20:33 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 24-2-2007 20:39 0 bytes Access is denied.

shelf life
2007-07-05, 22:20
hi,

that was my next step actually:

Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

shelf life

tverhoog
2007-07-08, 17:56
Hi, thanks for the reply. GMER found quite a list. Here it is:

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-07-08 17:56:01
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.13 ----

SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey

---- Devices - GMER 1.0.13 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 8990E1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 8990E1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 8990E1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 8990E1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 8990E1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 8990E1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 8990E1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 8990E1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 8990E1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 8990E1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 8990E1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 8990E1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 8990E1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 8990E1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 8990E1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 8990E1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 8990E1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 8990E1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 8990E1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 8990E1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 8990E1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 8990E1E8

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [B16DAF74] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [B16D9812] aswMon2.SYS

Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE 879F71E8
Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE 879F71E8
Device \FileSystem\Fastfat \Fat IRP_MJ_READ 879F71E8
Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE 879F71E8
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION 879F71E8
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION 879F71E8
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA 879F71E8
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA 879F71E8
Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS 879F71E8
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION 879F71E8
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION 879F71E8
Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL 879F71E8
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL 879F71E8
Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL 879F71E8
Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN 879F71E8
Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL 879F71E8
Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP 879F71E8
Device \FileSystem\Fastfat \Fat IRP_MJ_PNP 879F71E8

tverhoog
2007-07-08, 17:58
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [BA7F102A] InCDrec.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [F781908C] ikhfile.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [B16DAF74] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [B16D9812] aswMon2.SYS

tverhoog
2007-07-08, 17:59
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F7698220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F7698480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F76985A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F76985D0] wpsdrvnt.sys

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_READ [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [BA2522C0] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_POWER [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [BA2528E6] aswTdi.SYS

Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F7698220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F7698480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F76985A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F76985D0] wpsdrvnt.sys

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_READ [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [BA2522C0] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [BA2528E6] aswTdi.SYS

Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F7698220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F7698480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F76985A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F76985D0] wpsdrvnt.sys

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_READ [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [BA2522C0] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_POWER [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [BA2528E6] aswTdi.SYS

Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F7698220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F7698480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F76985A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F76985D0] wpsdrvnt.sys

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_READ [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [BA2522C0] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CREATE [B5788606] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CREATE_NAMED_PIPE [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CLOSE [B5788606] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_READ [B578863C] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_WRITE [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_QUERY_INFORMATION [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SET_INFORMATION [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_QUERY_EA [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SET_EA [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_FLUSH_BUFFERS [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_QUERY_VOLUME_INFORMATION [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SET_VOLUME_INFORMATION [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_DIRECTORY_CONTROL [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_FILE_SYSTEM_CONTROL [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_DEVICE_CONTROL [B5787988] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_INTERNAL_DEVICE_CONTROL [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SHUTDOWN [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_LOCK_CONTROL [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CLEANUP [B5787792] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_CREATE_MAILSLOT [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_QUERY_SECURITY [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SET_SECURITY [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_POWER [B5787508] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SYSTEM_CONTROL [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_DEVICE_CHANGE [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_QUERY_QUOTA [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_SET_QUOTA [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_CREATE [B5788606] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_CREATE_NAMED_PIPE [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_CLOSE [B5788606] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_READ [B578863C] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_WRITE [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_QUERY_INFORMATION [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SET_INFORMATION [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_QUERY_EA [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SET_EA [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_FLUSH_BUFFERS [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_QUERY_VOLUME_INFORMATION [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SET_VOLUME_INFORMATION [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_DIRECTORY_CONTROL [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_FILE_SYSTEM_CONTROL [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_DEVICE_CONTROL [B5787988] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_INTERNAL_DEVICE_CONTROL [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SHUTDOWN [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_LOCK_CONTROL [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_CLEANUP [B5787792] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_CREATE_MAILSLOT [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_QUERY_SECURITY [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SET_SECURITY [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_POWER [B5787508] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SYSTEM_CONTROL [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_DEVICE_CHANGE [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_QUERY_QUOTA [B57885D6] VMkbd.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IRP_MJ_SET_QUOTA [B57885D6] VMkbd.sys

---- EOF - GMER 1.0.13 ----

shelf life
2007-07-08, 22:46
Hi tverhoog,

Thanks for all the info. These two:

aswTdi.SYS
aswMon2.SYS

are processes from Avast and they certainly look busy reading and writing to disk.

Everything else looks OK. I don't see anything that looks like a rootkit, anyway.
Have you had Avast all along, or did you recently install it?

I say we try and get rid of this, since we can't ID it:
Winlogon Notify: Xnosixr - C:\WINDOWS\SYSTEM32\Xnosixr.dll

We can try HJT first to delete it.
Start HJT, click on "Open Misc Tools Section",
then "Delete a file on reboot".
In the file name window copy/paste:
C:\WINDOWS\SYSTEM32\Xnosixr.dll
Click on Open; at the prompt to reboot, select Yes.
--------------------------
After the reboot, rescan and post a new HJT log.
Also do an online scan here:

F-Secure scan:
http://support.f-secure.com/enu/home/ols.shtml

Click on the "Start Scanning" button at the bottom.
Click to accept/install the ActiveX applet, then click Full System Scan.
Once the download completes (may take a while), the scan will begin automatically.
The scan will take some time to finish.
When the scan completes, click the Automatic cleaning (recommended) button.

Click the Show Report button and copy & paste the entire report in your next reply, along with a current HijackThis log.
-------------------------------------
Also, since you have an unidentified Winlogon .dll and e-mail activity that has yet to be solved, I would use the computer as little as possible and not do any financial transactions or anything involving passwords. If you have another computer, use it. Trojans/rootkits can set up spam relays as well as have backdoor controls.


shelf life
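
The log posted above is the "Devices" section of a GMER scan, and the reply attributes only two of the modules in it (aswTdi.SYS and aswMon2.SYS, Avast) and leaves the rest to be identified. As an added example, not part of this thread and not GMER's or HijackThis's own code, the Python below parses lines in exactly that format and groups them by the module GMER attributed the handler to. It keeps apart the two kinds of entry GMER prints: "AttachedDevice ... [addr] module" (a filter device attached to the stack, the normal way an on-access scanner or firewall layers itself) and "Device ... [addr] module" (the owning driver's IRP dispatch entry for that device points into a different image, which is a hook and should always be explained), and it lists handler addresses that GMER printed bare, as in the Fastfat entries above, because it could not map them to any loaded image. It also reports which modules sit on the TCP/IP device objects, which is the stack outbound mail has to pass through on a box that is sending spam. The sample input is constructed from lines of the log above, not the whole log; the "known" set is an assumption containing only the two drivers the reply identified, so everything else comes out as unknown until you attribute it yourself.

```python
"""Triage the "Devices" section of a GMER log: which driver images sit on the
NTFS/FAT, TCP/IP and keyboard device stacks, whether they do so as attached
filter devices (normal layering) or by owning another driver's IRP dispatch
entries, and which handler addresses GMER could not attribute to any module."""
import re
from dataclasses import dataclass, field

# One GMER device line. The handler is either "[ADDR] module.sys" or a bare
# address that GMER could not map to a loaded driver image.
_LINE = re.compile(
    r"^(?P<kind>Device|AttachedDevice)\s+(?P<driver>\\\S+)\s+(?P<device>\\\S+)\s+"
    r"(?P<irp>IRP_MJ_\w+)\s+(?:\[(?P<addr>[0-9A-Fa-f]{8})\]\s+(?P<module>\S+)"
    r"|(?P<bare>[0-9A-Fa-f]{8}))\s*$"
)
UNRESOLVED = "<unresolved>"
# TCP/IP device objects: anything hooked here can see or shape outbound SMTP.
NET_DEVICES = {"\\Device\\Ip", "\\Device\\Tcp", "\\Device\\Udp", "\\Device\\RawIp"}


@dataclass
class HookSummary:
    module: str
    kinds: set = field(default_factory=set)      # "AttachedDevice" and/or "Device"
    devices: set = field(default_factory=set)    # device objects whose IRPs it sees
    irps: set = field(default_factory=set)       # IRP_MJ_* codes handled
    addresses: set = field(default_factory=set)  # handler addresses (hex, upper-case)


def parse_gmer_devices(text):
    """Group every parsable device line by the module GMER attributed it to."""
    out = {}
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue  # section headers, blank lines, forum residue
        module = m.group("module") or UNRESOLVED
        s = out.setdefault(module, HookSummary(module))
        s.kinds.add(m.group("kind"))
        s.devices.add(m.group("device"))
        s.irps.add(m.group("irp"))
        s.addresses.add((m.group("addr") or m.group("bare")).upper())
    return out


def triage(summaries, known_modules):
    """Sort modules into the buckets a responder walks through in order."""
    known = {k.lower() for k in known_modules}

    def by_name(names):
        return sorted(names, key=str.lower)

    mods = [m for m in summaries if m != UNRESOLVED]
    return {
        # handler address inside no loaded image: nobody can vouch for it
        "unresolved": by_name(m for m in summaries if m == UNRESOLVED),
        # another driver's dispatch entries point into this image (a hook)
        "dispatch_hooks": by_name(m for m in mods if "Device" in summaries[m].kinds),
        # legitimate products layer themselves too, but each one must be identified
        "unknown": by_name(m for m in mods if m.lower() not in known),
        "known": by_name(m for m in mods if m.lower() in known),
    }


def network_stack_modules(summaries):
    """Modules that see TCP/IP IRPs, i.e. the path outbound mail goes through."""
    return sorted((m for m, s in summaries.items() if s.devices & NET_DEVICES),
                  key=str.lower)


# Constructed sample in the format of the log above (a handful of its lines,
# not the full dump).
SAMPLE = r"""
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [B16D9812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F781908C] ikhfile.sys
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE 879F71E8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F7698220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F76985A0] wpsdrvnt.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [BA2528E6] aswTdi.SYS
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IRP_MJ_READ [B578863C] VMkbd.sys
"""

if __name__ == "__main__":
    summary = parse_gmer_devices(SAMPLE)
    # Assumed known set: only the two drivers the reply identified as Avast's.
    result = triage(summary, {"aswMon2.SYS", "aswTdi.SYS"})
    for bucket, names in result.items():
        print(f"{bucket:15} {', '.join(names) or '-'}")
    print("on TCP/IP stack:", ", ".join(network_stack_modules(summary)))
```

Run it against a full GMER log by reading the file into `parse_gmer_devices` instead of `SAMPLE`; the "dispatch_hooks" and "unresolved" buckets are the ones to clear first, and a module in "unknown" is only cleared by matching it to an installed product, not by the file name looking plausible.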

tverhoog
2007-07-09, 00:30
I probably had Avast installed after the infection. So the program might be infected too.

I have successfully removed xnosixr.dll with HJT. Then I scanned my PC with F-Secure and HJT. Here are the logs:

Scanning Report
Sunday, July 08, 2007 23:17:49 - 00:23:27

Computer name: cc902864-a
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ G:\
Result: 17 malware found
Tracking Cookie (spyware)

* System (Disinfected)
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System
* System

Trojan-Downloader.Win32.Agent.bvg (virus)

* C:\CSKD.EXE (Renamed & Submitted)

Trojan-Downloader.Win32.Tiny.gx (virus)

* C:\BWARNY.EXE (Renamed & Submitted)

Statistics
Scanned:

* Files: 39360
* System: 5265
* Not scanned: 6

Actions:

* Disinfected: 1
* Renamed: 2
* Deleted: 0
* None: 14
* Submitted: 2

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{4E129413-337E-4671-AFA2-1829C239E815}.BIN
* C:\DOCUMENTS AND SETTINGS\TOBIAS VERHOOG\LOCAL SETTINGS\TEMP\HSPERFDATA_TOBIAS VERHOOG\2456

Options
Scanning engines:

* F-Secure Libra: 2.4.2, 2007-07-05
* F-Secure AVP: 7.0.171, 2007-07-07
* F-Secure Orion: 1.2.37, 2007-07-07
* F-Secure Blacklight: 1.0.64
* F-Secure Draco: 1.0.35, 0260-23-12
* F-Secure Pegasus: 1.19.0, 2007-06-06

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
* Use Advanced heuristics

==========================================================

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 0:29:26, on 9-7-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\Xfire.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\LClock\lclock.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tobias Verhoog\Bureaublad\cmd.exe
C:\DOCUME~1\TOBIAS~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe
C:\DOCUME~1\TOBIAS~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe
C:\Program Files\VMware\VMware Workstation\vmware.exe
C:\Program Files\VMware\VMware Workstation\bin\vmware-vmx.exe
G:\My Shared Folder\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Xfire] Xfire.exe /minimize
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: (no name) - AutorunsDisabled - (no file) (HKCU)
O9 - Extra button: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - C:\Documents and Settings\Tobias Verhoog\Bureaublad\WH GBP Casino.lnk (HKCU)
O9 - Extra 'Tools' menuitem: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - C:\Documents and Settings\Tobias Verhoog\Bureaublad\WH GBP Casino.lnk (HKCU)
O9 - Extra button: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - C:\Documents and Settings\Tobias Verhoog\Bureaublad\InterCasino $$$.lnk (HKCU)
O9 - Extra 'Tools' menuitem: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - C:\Documents and Settings\Tobias Verhoog\Bureaublad\InterCasino $$$.lnk (HKCU)
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://777dragon.microgaming.com/777dragon/FlashAX.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Object) - https://casinoclassic.microgaming.com/casinoclassic/FlashAX2.cab
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 9424 bytes


Thanks again for all the time and effort you put into this. :bigthumb:

shelf life
2007-07-09, 01:17
hi tverhoog,

ok good. thanks for all the info. i see you got rid of the .dll, only guessing really at it being malware. the online scan found some files also.

still sending out those e-mails? if so then:

let's try another rootkit tool.

please download Rootkit unhooker from here:

http://rku.nm.ru/

it will add a folder to root drive C:\
double click the skull icon in the folder
click the report tab, then the scan button.
after the scan. File>save report
post file in next reply.

shelf life

tverhoog
2007-07-09, 12:35
Hi shelf life,

We have done something right because Avast Mail Scanner tells me that since the reboot which deleted xnosixr.dll and the F-secure scan no spam has been sent. :)

Here is the unhooker scan report anyway:

>SSDT State
NtAllocateVirtualMemory
Actual Address 0xB54B4B30
Hooked by: C:\WINDOWS\system32\drivers\wpsdrvnt.sys

NtCreateKey
Actual Address 0xF74EF0D0
Hooked by: sptd.sys

NtCreateThread
Actual Address 0xB54B46F0
Hooked by: C:\WINDOWS\system32\drivers\wpsdrvnt.sys

NtEnumerateKey
Actual Address 0xF74F4E2C
Hooked by: sptd.sys

NtEnumerateValueKey
Actual Address 0xF74F51BA
Hooked by: sptd.sys

NtMapViewOfSection
Actual Address 0xB54B4470
Hooked by: C:\WINDOWS\system32\drivers\wpsdrvnt.sys

NtOpenKey
Actual Address 0xF74EF0B0
Hooked by: sptd.sys

NtOpenProcess
Actual Address 0xF7A688AC
Hooked by: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys

NtProtectVirtualMemory
Actual Address 0xB54B4C50
Hooked by: C:\WINDOWS\system32\drivers\wpsdrvnt.sys

NtQueryKey
Actual Address 0xF74F5292
Hooked by: sptd.sys

NtQueryValueKey
Actual Address 0xF74F5112
Hooked by: sptd.sys

NtSetValueKey
Actual Address 0xF74F5324
Hooked by: sptd.sys

NtShutdownSystem
Actual Address 0xB54B4990
Hooked by: C:\WINDOWS\system32\drivers\wpsdrvnt.sys

NtTerminateProcess
Actual Address 0xF7A68812
Hooked by: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys

NtWriteVirtualMemory
Actual Address 0xB54B4D60
Hooked by: C:\WINDOWS\system32\drivers\wpsdrvnt.sys

>Shadow
>Processes
>Drivers
>Stealth
>Files
Suspect File: C:\Documents and Settings\Tobias Verhoog\Local Settings\Application Data\Microsoft\Messenger\tverhoog@hotmail.com\SharingMetadata\Working\database_3ED0_1915_D018_D4CD\fsr00371.log Status: Hidden
Suspect File: C:\Documents and Settings\Tobias Verhoog\Local Settings\Temp\hsperfdata_Tobias Verhoog\2456::$DATA Status: Hidden
>Hooks
tcpip.sys+0x00003CFA, Type: Inline - RelativeCall at address 0xB3F41CFA hook handler located in [Teefer.sys]
tcpip.sys+0x0000544E, Type: Inline - RelativeCall at address 0xB3F4344E hook handler located in [Teefer.sys]
tcpip.sys+0x0000A4E0, Type: Inline - RelativeCall at address 0xB3F484E0 hook handler located in [Teefer.sys]
tcpip.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification at address 0xB3F7CF28 hook handler located in [Teefer.sys]
tcpip.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification at address 0xB3F7CF54 hook handler located in [Teefer.sys]
tcpip.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification at address 0xB3F7CF60 hook handler located in [Teefer.sys]
wanarp.sys+0x000053FD, Type: Inline - RelativeCall at address 0xBA73D3FD hook handler located in [Teefer.sys]
wanarp.sys-->ndis.sys-->NdisCloseAdapter, Type: IAT modification at address 0xBA73DB4C hook handler located in [Teefer.sys]
wanarp.sys-->ndis.sys-->NdisDeregisterProtocol, Type: IAT modification at address 0xBA73DB1C hook handler located in [Teefer.sys]
wanarp.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification at address 0xBA73DB3C hook handler located in [Teefer.sys]
wanarp.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification at address 0xBA73DB28 hook handler located in [Teefer.sys]
[1296]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x010010A0 hook handler located in [wblind.dll]
[1424]ashMaiSv.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x0042D170 hook handler located in [wblind.dll]
[1424]ashMaiSv.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification at address 0x0042D098 hook handler located in [wblind.dll]
[1448]vmware-tray.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification at address 0x0040A0C0 hook handler located in [wblind.dll]
[1448]vmware-tray.exe-->user32.dll-->SetWindowLongA, Type: IAT modification at address 0x0040A1E8 hook handler located in [wbhelp.dll]
[1448]vmware-tray.exe-->user32.dll-->TrackPopupMenu, Type: IAT modification at address 0x0040A230 hook handler located in [wblind.dll]
[1528]nvsvc32.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x0041D244 hook handler located in [wblind.dll]
[1528]nvsvc32.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x0041D21C hook handler located in [wblind.dll]
[1528]nvsvc32.exe-->user32.dll-->GetWindowRect, Type: IAT modification at address 0x0041D274 hook handler located in [wbhelp.dll]
[1528]nvsvc32.exe-->user32.dll-->SetWindowPos, Type: IAT modification at address 0x0041D26C hook handler located in [wbhelp.dll]
[1532]msnmsgr.exe-->gdi32.dll-->GetPixel, Type: IAT modification at address 0x00401660 hook handler located in [wblind.dll]
[1532]msnmsgr.exe-->gdi32.dll-->SetPixel, Type: IAT modification at address 0x00401624 hook handler located in [wblind.dll]
[1532]msnmsgr.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x004014BC hook handler located in [wblind.dll]
[1532]msnmsgr.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification at address 0x004015FC hook handler located in [wblind.dll]
[1532]msnmsgr.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x0040146C hook handler located in [wblind.dll]
[1532]msnmsgr.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: Inline - RelativeJump at address 0x7C84467D hook handler located in [msnmsgr.exe]
[1532]msnmsgr.exe-->user32.dll-->GetWindowPlacement, Type: IAT modification at address 0x004017F8 hook handler located in [wbhelp.dll]
[1532]msnmsgr.exe-->user32.dll-->GetWindowRect, Type: IAT modification at address 0x00401830 hook handler located in [wbhelp.dll]
[1532]msnmsgr.exe-->user32.dll-->MoveWindow, Type: IAT modification at address 0x0040174C hook handler located in [wbhelp.dll]
[1532]msnmsgr.exe-->user32.dll-->SetWindowLongW, Type: IAT modification at address 0x004018BC hook handler located in [wbhelp.dll]
[1532]msnmsgr.exe-->user32.dll-->SetWindowPlacement, Type: IAT modification at address 0x004017DC hook handler located in [wbhelp.dll]
[1532]msnmsgr.exe-->user32.dll-->SetWindowPos, Type: IAT modification at address 0x0040182C hook handler located in [wbhelp.dll]
[1532]msnmsgr.exe-->user32.dll-->TrackPopupMenu, Type: IAT modification at address 0x00401734 hook handler located in [wblind.dll]
[1532]msnmsgr.exe-->user32.dll-->TrackPopupMenuEx, Type: IAT modification at address 0x00401848 hook handler located in [wblind.dll]
[1788]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x010010A0 hook handler located in [wblind.dll]
[1940]xfire.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x0045E258 hook handler located in [wblind.dll]
[1940]xfire.exe-->user32.dll-->CallWindowProcA, Type: IAT modification at address 0x0045E5EC hook handler located in [wbhelp.dll]
[1940]xfire.exe-->user32.dll-->DeferWindowPos, Type: IAT modification at address 0x0045E424 hook handler located in [wbhelp.dll]
[1940]xfire.exe-->user32.dll-->GetWindowPlacement, Type: IAT modification at address 0x0045E498 hook handler located in [wbhelp.dll]
[1940]xfire.exe-->user32.dll-->GetWindowRect, Type: IAT modification at address 0x0045E584 hook handler located in [wbhelp.dll]
[1940]xfire.exe-->user32.dll-->MoveWindow, Type: IAT modification at address 0x0045E3F8 hook handler located in [wbhelp.dll]
[1940]xfire.exe-->user32.dll-->SetWindowLongA, Type: IAT modification at address 0x0045E4C4 hook handler located in [wbhelp.dll]
[1940]xfire.exe-->user32.dll-->SetWindowPos, Type: IAT modification at address 0x0045E470 hook handler located in [wbhelp.dll]
[1940]xfire.exe-->user32.dll-->TrackPopupMenu, Type: IAT modification at address 0x0045E454 hook handler located in [wblind.dll]
[1944]Smc.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x005E65B4 hook handler located in [wblind.dll]
[1944]Smc.exe-->user32.dll-->DeferWindowPos, Type: IAT modification at address 0x005E67FC hook handler located in [wbhelp.dll]
[1944]Smc.exe-->user32.dll-->GetWindowPlacement, Type: IAT modification at address 0x005E68CC hook handler located in [wbhelp.dll]
[1944]Smc.exe-->user32.dll-->GetWindowRect, Type: IAT modification at address 0x005E6A04 hook handler located in [wbhelp.dll]
[1944]Smc.exe-->user32.dll-->MoveWindow, Type: IAT modification at address 0x005E69C8 hook handler located in [wbhelp.dll]
[1944]Smc.exe-->user32.dll-->SetWindowLongA, Type: IAT modification at address 0x005E69F8 hook handler located in [wbhelp.dll]
[1944]Smc.exe-->user32.dll-->SetWindowPlacement, Type: IAT modification at address 0x005E6818 hook handler located in [wbhelp.dll]
[1944]Smc.exe-->user32.dll-->SetWindowPos, Type: IAT modification at address 0x005E684C hook handler located in [wbhelp.dll]
[1944]Smc.exe-->user32.dll-->TrackPopupMenu, Type: IAT modification at address 0x005E6814 hook handler located in [wblind.dll]
[1964]rundll32.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x01001034 hook handler located in [wblind.dll]
[2008]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x010010A0 hook handler located in [wblind.dll]
[2128]vmware-authd.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x0040E128 hook handler located in [wblind.dll]
[248]gnotify.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x0045E250 hook handler located in [wblind.dll]
[248]gnotify.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x0045E124 hook handler located in [wblind.dll]
[248]gnotify.exe-->user32.dll-->GetWindowRect, Type: IAT modification at address 0x0045E2F4 hook handler located in [wbhelp.dll]
[248]gnotify.exe-->user32.dll-->SetLayeredWindowAttributes, Type: IAT modification at address 0x0045E2E4 hook handler located in [wblind.dll]
[248]gnotify.exe-->user32.dll-->SetWindowLongW, Type: IAT modification at address 0x0045E32C hook handler located in [wbhelp.dll]
[248]gnotify.exe-->user32.dll-->SetWindowPos, Type: IAT modification at address 0x0045E2E8 hook handler located in [wbhelp.dll]
[248]gnotify.exe-->user32.dll-->TrackPopupMenu, Type: IAT modification at address 0x0045E33C hook handler located in [wblind.dll]
[268]ashDisp.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x004070A0 hook handler located in [wblind.dll]
[268]ashDisp.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification at address 0x0040708C hook handler located in [wblind.dll]
[268]ashDisp.exe-->user32.dll-->TrackPopupMenu, Type: IAT modification at address 0x004071C8 hook handler located in [wblind.dll]
[2864]vmount2.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x004261C4 hook handler located in [wblind.dll]
[2864]vmount2.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification at address 0x004261F8 hook handler located in [wblind.dll]
[3020]LVComSer.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x0041E0B8 hook handler located in [wblind.dll]
[3020]LVComSer.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification at address 0x0041E0AC hook handler located in [wblind.dll]
[3020]LVComSer.exe-->user32.dll-->SetWindowLongA, Type: IAT modification at address 0x0041E264 hook handler located in [wbhelp.dll]
[320]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x010010A0 hook handler located in [wblind.dll]
[340]LClock.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x0040A030 hook handler located in [wblind.dll]
[340]LClock.exe-->user32.dll-->TrackPopupMenu, Type: IAT modification at address 0x0040A1B4 hook handler located in [wblind.dll]
[348]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x010010A0 hook handler located in [wblind.dll]
[3680]cmd.exe-->gdi32.dll-->GetPixel, Type: IAT modification at address 0x0044F024 hook handler located in [wblind.dll]
[3680]cmd.exe-->gdi32.dll-->SetPixel, Type: IAT modification at address 0x0044F020 hook handler located in [wblind.dll]
[3680]cmd.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x0044F058 hook handler located in [wblind.dll]
[3680]cmd.exe-->user32.dll-->GetWindowPlacement, Type: IAT modification at address 0x0044F19C hook handler located in [wbhelp.dll]
[3680]cmd.exe-->user32.dll-->GetWindowRect, Type: IAT modification at address 0x0044F21C hook handler located in [wbhelp.dll]
[3680]cmd.exe-->user32.dll-->MoveWindow, Type: IAT modification at address 0x0044F1BC hook handler located in [wbhelp.dll]
[3680]cmd.exe-->user32.dll-->SetWindowLongA, Type: IAT modification at address 0x0044F170 hook handler located in [wbhelp.dll]
[3680]cmd.exe-->user32.dll-->SetWindowPlacement, Type: IAT modification at address 0x0044F1EC hook handler located in [wbhelp.dll]
[488]LVComSer.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x0041E0B8 hook handler located in [wblind.dll]
[488]LVComSer.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification at address 0x0041E0AC hook handler located in [wblind.dll]
[488]LVComSer.exe-->user32.dll-->SetWindowLongA, Type: IAT modification at address 0x0041E264 hook handler located in [wbhelp.dll]
[5284]vmware.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x0051812C hook handler located in [wblind.dll]
[5284]vmware.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification at address 0x005180F8 hook handler located in [wblind.dll]
[5284]vmware.exe-->user32.dll-->GetWindowPlacement, Type: IAT modification at address 0x00518560 hook handler located in [wbhelp.dll]
[5284]vmware.exe-->user32.dll-->GetWindowRect, Type: IAT modification at address 0x00518478 hook handler located in [wbhelp.dll]
[5284]vmware.exe-->user32.dll-->MoveWindow, Type: IAT modification at address 0x005184A8 hook handler located in [wbhelp.dll]
[5284]vmware.exe-->user32.dll-->SetWindowLongA, Type: IAT modification at address 0x00518364 hook handler located in [wbhelp.dll]
[5284]vmware.exe-->user32.dll-->SetWindowPlacement, Type: IAT modification at address 0x0051855C hook handler located in [wbhelp.dll]
[5284]vmware.exe-->user32.dll-->SetWindowPos, Type: IAT modification at address 0x00518424 hook handler located in [wbhelp.dll]
[5284]vmware.exe-->user32.dll-->TrackPopupMenu, Type: IAT modification at address 0x00518584 hook handler located in [wblind.dll]
[5284]vmware.exe-->user32.dll-->TrackPopupMenuEx, Type: IAT modification at address 0x00518520 hook handler located in [wblind.dll]
[544]ashServ.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x00413104 hook handler located in [wblind.dll]
[544]ashServ.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification at address 0x00413120 hook handler located in [wblind.dll]
[544]ashServ.exe-->user32.dll-->TrackPopupMenu, Type: IAT modification at address 0x0041339C hook handler located in [wblind.dll]
[5508]firefox.exe-->gdi32.dll-->SetPixel, Type: IAT modification at address 0x00968144 hook handler located in [wblind.dll]
[5508]firefox.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x009682A4 hook handler located in [wblind.dll]
[5508]firefox.exe-->user32.dll-->DeferWindowPos, Type: IAT modification at address 0x009685B8 hook handler located in [wbhelp.dll]
[5508]firefox.exe-->user32.dll-->GetWindowPlacement, Type: IAT modification at address 0x009686E4 hook handler located in [wbhelp.dll]
[5508]firefox.exe-->user32.dll-->GetWindowRect, Type: IAT modification at address 0x00968644 hook handler located in [wbhelp.dll]
[5508]firefox.exe-->user32.dll-->SendMessageW, Type: IAT modification at address 0x00968788 hook handler located in [wblind.dll]
[5508]firefox.exe-->user32.dll-->SetWindowLongA, Type: IAT modification at address 0x00968628 hook handler located in [wbhelp.dll]
[5508]firefox.exe-->user32.dll-->SetWindowLongW, Type: IAT modification at address 0x00968780 hook handler located in [wbhelp.dll]
[5508]firefox.exe-->user32.dll-->SetWindowPos, Type: IAT modification at address 0x009685C0 hook handler located in [wbhelp.dll]
[5936]vmware-vmx.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x006542B0 hook handler located in [wblind.dll]
[5936]vmware-vmx.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x00654194 hook handler located in [wblind.dll]
[5936]vmware-vmx.exe-->user32.dll-->GetWindowRect, Type: IAT modification at address 0x006547FC hook handler located in [wbhelp.dll]
[5936]vmware-vmx.exe-->user32.dll-->SetWindowLongA, Type: IAT modification at address 0x00654710 hook handler located in [wbhelp.dll]
[5936]vmware-vmx.exe-->user32.dll-->SetWindowPos, Type: IAT modification at address 0x00654800 hook handler located in [wbhelp.dll]
[704]avgas.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x004A32C4 hook handler located in [wblind.dll]
[704]avgas.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x004A3324 hook handler located in [wblind.dll]
[704]avgas.exe-->user32.dll-->GetWindowRect, Type: IAT modification at address 0x004A34D4 hook handler located in [wbhelp.dll]
[704]avgas.exe-->user32.dll-->MoveWindow, Type: IAT modification at address 0x004A3464 hook handler located in [wbhelp.dll]
[704]avgas.exe-->user32.dll-->SetWindowLongW, Type: IAT modification at address 0x004A34E8 hook handler located in [wbhelp.dll]
[704]avgas.exe-->user32.dll-->SetWindowPos, Type: IAT modification at address 0x004A34EC hook handler located in [wbhelp.dll]
[704]avgas.exe-->user32.dll-->TrackPopupMenu, Type: IAT modification at address 0x004A3428 hook handler located in [wblind.dll]
[860]explorer.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x01001150 hook handler located in [wblind.dll]
[860]explorer.exe-->kernel32.dll-->LoadLibraryExA, Type: IAT modification at address 0x010010A8 hook handler located in [wblind.dll]
[860]explorer.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x010011D0 hook handler located in [wblind.dll]
[860]explorer.exe-->user32.dll-->CallWindowProcW, Type: IAT modification at address 0x010013A4 hook handler located in [wbhelp.dll]
[860]explorer.exe-->user32.dll-->DeferWindowPos, Type: IAT modification at address 0x010014D8 hook handler located in [wbhelp.dll]
[860]explorer.exe-->user32.dll-->GetWindowPlacement, Type: IAT modification at address 0x01001378 hook handler located in [wbhelp.dll]
[860]explorer.exe-->user32.dll-->GetWindowRect, Type: IAT modification at address 0x010015A8 hook handler located in [wbhelp.dll]
[860]explorer.exe-->user32.dll-->LoadImageW, Type: IAT modification at address 0x0100137C hook handler located in [wblind.dll]
[860]explorer.exe-->user32.dll-->MoveWindow, Type: IAT modification at address 0x01001348 hook handler located in [wbhelp.dll]
[860]explorer.exe-->user32.dll-->SendMessageW, Type: IAT modification at address 0x010013D8 hook handler located in [wblind.dll]
[860]explorer.exe-->user32.dll-->SetWindowPlacement, Type: IAT modification at address 0x0100132C hook handler located in [wbhelp.dll]
[860]explorer.exe-->user32.dll-->SetWindowPos, Type: IAT modification at address 0x010015AC hook handler located in [wbhelp.dll]
[860]explorer.exe-->user32.dll-->TrackPopupMenu, Type: IAT modification at address 0x01001478 hook handler located in [wblind.dll]
[860]explorer.exe-->user32.dll-->TrackPopupMenuEx, Type: IAT modification at address 0x01001450 hook handler located in [wblind.dll]
!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
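Reading a report like this is mostly a sorting job: group every hook by the module that owns its handler, set aside the ones that belong to software you can account for, and chase the rest. The script below is an added example, not code from the thread or from Rootkit Unhooker; it parses a constructed sample in the same report format (the xnosixr.dll line in the sample is invented so that one handler falls outside the allow-list), and the allow-list of handler modules is an analyst's assumption, not a fact from the thread.

```python
"""Triage helper for a Rootkit Unhooker (RKU) text report (added example)."""
import ntpath  # splits Windows paths correctly even when this runs on Linux
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample in the RKU report format, modelled on the report above. The
# last '>Hooks' line (xnosixr.dll hooking 'send' inside a svchost.exe) is invented
# so that one handler falls outside the allow-list.
SAMPLE_REPORT = r"""
>SSDT State
NtCreateKey
Actual Address 0xF74EF0D0
Hooked by: sptd.sys

NtWriteVirtualMemory
Actual Address 0xB54B4D60
Hooked by: C:\WINDOWS\system32\drivers\wpsdrvnt.sys

>Hooks
tcpip.sys+0x00003CFA, Type: Inline - RelativeCall at address 0xB3F41CFA hook handler located in [Teefer.sys]
[1424]ashMaiSv.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x0042D170 hook handler located in [wblind.dll]
[9999]svchost.exe-->ws2_32.dll-->send, Type: IAT modification at address 0x01001000 hook handler located in [xnosixr.dll]
"""

# Allow-list for this example (an assumption, not a fact from the thread): handler
# modules the analyst has matched to software known to be installed on the box.
VOUCHED_HANDLERS = frozenset({
    "wpsdrvnt.sys", "teefer.sys",            # assumed: Sygate firewall drivers
    "guard.sys",                             # AVG Anti-Spyware (path in the report)
    "sptd.sys", "wblind.dll", "wbhelp.dll",  # assumed: identified by the analyst
})

SSDT_ADDR_RE = re.compile(r"^Actual Address (0x[0-9A-Fa-f]+)$")
HOOK_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\])?(?P<target>[^,]+), Type: (?P<kind>.+?) "
    r"at address (?P<addr>0x[0-9A-Fa-f]+) hook handler located in \[(?P<handler>[^\]]+)\]$")

@dataclass(frozen=True)
class Hook:
    section: str        # "SSDT" or "Hooks"
    target: str         # syscall name, "driver+offset" or "process-->dll-->function"
    kind: str           # "SSDT entry", "Inline - RelativeCall", "IAT modification", ...
    address: int
    handler: str        # lower-cased file name of the module owning the handler
    handler_path: str   # handler exactly as printed in the report
    pid: Optional[int] = None

def _module_name(handler_path: str) -> str:
    return ntpath.basename(handler_path.strip()).lower()

def parse_report(text: str) -> List[Hook]:
    """Walk the report line by line; only the SSDT and Hooks sections carry hooks."""
    hooks: List[Hook] = []
    section, name, addr = None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(">"):            # section header such as '>SSDT State'
            section, name, addr = line[1:].strip(), None, None
            continue
        if section == "SSDT State":         # entries span three lines each
            m = SSDT_ADDR_RE.match(line)
            if m:
                addr = int(m.group(1), 16)
                continue
            if line.startswith("Hooked by: ") and name and addr is not None:
                path = line[len("Hooked by: "):].strip()
                hooks.append(Hook("SSDT", name, "SSDT entry", addr, _module_name(path), path))
                name = addr = None
                continue
            name = line                     # first line of the next entry
        elif section == "Hooks":
            m = HOOK_RE.match(line)
            if m:
                path = m.group("handler")
                pid = int(m.group("pid")) if m.group("pid") else None
                hooks.append(Hook("Hooks", m.group("target"), m.group("kind"),
                                  int(m.group("addr"), 16), _module_name(path), path, pid))
    return hooks

def hooks_by_handler(hooks: Iterable[Hook]) -> Counter:
    """Number of hooks per handler module: the quick shape of the report."""
    return Counter(h.handler for h in hooks)

def unvouched(hooks: Iterable[Hook], vouched: frozenset = VOUCHED_HANDLERS) -> List[Hook]:
    """Hooks whose handler is not on the allow-list: the entries worth chasing first."""
    return [h for h in hooks if h.handler not in vouched]

if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(hooks_by_handler(found).most_common())
    print([f"{h.target} -> {h.handler_path}" for h in unvouched(found)])
```

Run against the full report, the per-module counts make the WindowBlinds-style user-mode hooks and the firewall/driver SSDT hooks collapse into a handful of known modules, leaving anything unexplained to stand out on its own.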

shelf life
2007-07-09, 23:25
hi tverhoog,

ok good. i was getting worried; much longer and your isp may have been contacting you about being a spam bot.

i guess that dll and the f-secure scan (which also scans for rootkits) took care of it. first time i've seen a problem like that and a clean hjt log and malware scanners not finding anything. it had to be a rootkit. had to be more than just that .dll, nothing i saw though.

and now for the bad news:

don't know how long you had it on your computer and not all rootkits have backdoors or capture traffic like passwords etc. it would be a good idea to at least change all your passwords you use online. also i would repeat that online scan at f-secure. some even recommend a reformat of the computer after rootkit activity. malware is getting much more invasive these days.
-------------------------
if you don't reformat, the last thing to do is to make new restore points. it's possible for malware to get archived. making a new one will clean out anything. like this:

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore. (new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot.

shelf life

tverhoog
2007-07-11, 11:39
Hi Shelf Life,

Great! My PC hasn't behaved suspiciously anymore. I was getting worried about my ISP as well. I have deleted the system restore files and will change all of my passwords. I will keep track of any strange behavior of my computer and will reformat if the symptoms return. I will also keep my security programs up-to-date.

Many, many thanks to you Shelf Life for helping me get rid of this malware. I think it's great work you guys are doing here and I will absolutely donate to the spybot forum because you and Spybot S&D have saved me a lot of trouble.

Thanks Again! :bigthumb:

shelf life
2007-07-11, 14:18
hi tverhoog,

good. glad to help. see my prevention page for avoiding malware, link below.
happy safe surfing.

shelf life