PDA

View Full Version : MSSoap...The bane of my existence!!



Churchy
2007-07-02, 12:59
Hi,

My computer's running slow as, i think it might have something to do with MSSoap. Tried several different virus checks but they've found nothing. Here's my HJT log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:57:36 PM, on 7/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Chris.MIKE-HOME\My Documents\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - <default> - (no file)
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Vidcntl] c:\windows\system32\vidcntl.exe
O4 - HKCU\..\Run: [Un32info] c:\windows\system32\un32info.exe
O4 - HKCU\..\Run: [Pwr32ctr] c:\windows\system32\pwr32ctr.exe
O4 - HKCU\..\Run: [peak body] C:\DOCUME~1\Mike\APPLIC~1\MESSGR~1\Titleeggs.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCxdm491YYAU
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{524F076C-4663-4256-B0C2-A34C8355D0E5}: NameServer = 203.12.160.35,203.12.160.36
O17 - HKLM\System\CCS\Services\Tcpip\..\{712B2112-0F5B-4030-B52A-93F240957BF1}: NameServer = 203.12.160.35,203.12.160.36
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 4523 bytes

Any help would be greatly appreciated.

Angelfire777
2007-07-02, 14:10
Hello, welcome to Safer Networking Forums!

I noticed that you are not running any AntiVirus application. You could get infected immediately after we clean you up. Please download and install ONE of these:

» Avast! (http://www.asw.cz/eng/avast_4_home.html)
» AVG AntiVirus (http://free.grisoft.com/doc/5390/lng/us/tpl/v5#avg-anti-virus-free)
» AntiVir (http://www.free-av.com/)


*Uninstall the following via Add/Remove Programs, if present :

CiD Help
CiD Manager
Messenger plus or messenger plus and client
Download Plugin for Internet Explorer
Bitdownload
Zone Media
WinZix
Search Plugin
Bitgrabber
BitRol
Netpumper
MyWebSearch


In case, during the uninstall, when asked for the uninstall Verification, please enter the numbers that will appear in the window.

Then reboot. Important!

* Download Deljob.exe (http://home.hetnet.nl/~stefsmeenk/deljob.exe) and save it to your desktop.
Doubleclick Deljob.exe.

A log, (logit.txt) should open afterwards. This log will be present on your desktop.
Post the contents of the logfile in your next reply.
________________

*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

R3 - URLSearchHook: (no name) - <default> - (no file)
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKCU\..\Run: [Vidcntl] c:\windows\system32\vidcntl.exe
O4 - HKCU\..\Run: [Un32info] c:\windows\system32\un32info.exe
O4 - HKCU\..\Run: [Pwr32ctr] c:\windows\system32\pwr32ctr.exe
O4 - HKCU\..\Run: [peak body] C:\DOCUME~1\Mike\APPLIC~1\MESSGR~1\Titleeggs.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZCxdm491YYAU
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)

If you or your system administrator didn't set the following policy, please fix it too.

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
________________

Configure your machine to view hidden files:

Windows XP
Click Start.
Open My Computer..
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the "Hidden files and folders" heading select Show hidden files and folders.
Uncheck the Hide Protected Operating System Files Option.
Click Yes to confirm.
Click OK.


*Using Windows Explorer, find and delete these files:

c:\windows\system32\vidcntl.exe
c:\windows\system32\un32info.exe
c:\windows\system32\pwr32ctr.exe

Empty your recycle bin.

Reboot.

In your next reply, please post a fresh HijackThis log along with the contents of logit.txt and a detailed description on how your machine is running

Churchy
2007-07-03, 09:56
Hi, i did what you said and grabbed the logs and used HJT to get rid of those files, but i couldn't find them manually through explorer in sytem32 folder or anywhere else. It's still running extremely slow, it took ages for it to load the desktop. Here's the logs:


File(s) moved to C:\deljob

AC133FFE9188B2DA.job
AD269D3A9189110A.job
--------------------------------------------------------
Files remaining after cleaning

AppleSoftwareUpdate.job
--------------------------------------------------------
App data folders

Volume in drive C has no label.
Volume Serial Number is 8CE9-9335

Directory of C:\Documents and Settings\Chris.MIKE-HOME\Application Data

04/13/2007 01:55 PM <DIR> .
04/13/2007 01:55 PM <DIR> ..
10/05/2005 09:56 PM <DIR> Adobe
03/20/2006 09:06 PM <DIR> AdobeUM
05/21/2006 06:57 PM <DIR> ALIVEG~1 Alive Games
11/25/2005 09:53 PM <DIR> APPLEC~1 Apple Computer
10/04/2006 04:11 PM <DIR> Azureus
11/05/2006 08:07 PM <DIR> Creative
07/14/2005 02:33 PM <DIR> DIGITA~1 Digital Design Ltd
04/13/2007 01:55 PM <DIR> DivX
10/02/2006 06:55 PM <DIR> FlashFXP
02/26/2006 05:12 PM <DIR> Google
12/17/2005 08:33 PM <DIR> Help
10/25/2004 06:57 PM <DIR> IDENTI~1 Identities
03/14/2005 07:44 PM <DIR> INSTAL~1 InstallShield Installation Information
11/07/2004 08:10 PM <DIR> Lavasoft
07/03/2007 11:03 AM <DIR> LimeWire
01/21/2005 08:18 PM <DIR> MACROM~1 Macromedia
03/02/2007 05:34 PM <DIR> MICROS~1 Microsoft
08/14/2006 03:42 PM <DIR> Mozilla
01/22/2007 10:56 PM <DIR> NCHSWI~1 NCH Swift Sound
06/17/2006 07:48 PM <DIR> PCSUIT~1 PC Suite
10/07/2006 06:16 PM <DIR> RECORD~1 RecordPad
04/12/2007 01:55 AM <DIR> REGIST~1 Registry Booster
10/21/2006 06:46 PM <DIR> SONYCO~1 Sony Corporation
12/30/2005 11:54 PM <DIR> Sun
08/24/2006 10:12 PM <DIR> Symantec
04/04/2006 09:02 PM <DIR> SYNTRI~1 Syntrillium
0 File(s) 0 bytes
28 Dir(s) 11,760,070,656 bytes free
Volume in drive C has no label.
Volume Serial Number is 8CE9-9335

Directory of C:\Documents and Settings\All Users\Application Data

07/02/2007 08:36 PM <DIR> .
07/02/2007 08:36 PM <DIR> ..
04/19/2007 10:41 PM <DIR> Adobe
04/23/2007 07:39 PM <DIR> APPLEC~1 Apple Computer
06/16/2006 09:20 PM <DIR> BLUETO~1 Bluetooth
07/26/2006 11:10 PM <DIR> DOWNLO~1 Downloaded Installations
02/24/2006 06:36 PM <DIR> GOOGLE~1 Google Updater
10/07/2005 08:44 PM <DIR> LOGOCA~1 LogoCastStyleBin
02/24/2006 07:41 PM <DIR> McAfee.com
10/07/2005 08:44 PM <DIR> MEOWIN~1 meow internet dead build
07/02/2007 11:08 PM <DIR> MICROS~1 Microsoft
04/06/2003 09:07 PM <DIR> MSN6
08/07/2006 09:07 PM <DIR> MUMBOJ~1 MumboJumbo
10/07/2006 06:16 PM <DIR> NCHSWI~1 NCH Swift Sound
05/02/2004 12:05 PM <DIR> NVIEW_~1 nView_Profiles
03/21/2006 04:01 PM <DIR> PIXELS~1 pixelStorm
05/29/2005 04:53 PM <DIR> QUICKT~1 QuickTime
10/21/2006 06:37 PM <DIR> SONYCO~1 Sony Corporation
07/03/2007 09:53 AM <DIR> SPYBOT~1 Spybot - Search & Destroy
09/22/2006 09:52 PM <DIR> Symantec
08/05/2005 08:51 PM <DIR> WINDOW~1 Windows Genuine Advantage
03/02/2007 02:52 PM <DIR> WINDOW~2 Windows Live Toolbar
0 File(s) 0 bytes
22 Dir(s) 11,760,070,656 bytes free
--------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:32:49 PM, on 7/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chris.MIKE-HOME\My Documents\Killer.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{524F076C-4663-4256-B0C2-A34C8355D0E5}: NameServer = 203.12.160.35,203.12.160.36
O17 - HKLM\System\CCS\Services\Tcpip\..\{712B2112-0F5B-4030-B52A-93F240957BF1}: NameServer = 203.12.160.35,203.12.160.36
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 4061 bytes

Not sure if i did everything right i'm slightly amature at this.

Churchy
2007-07-03, 09:58
BTW couldn't find any of those programs in add/remove programs either.

Angelfire777
2007-07-03, 13:57
Hi,


Not sure if i did everything right i'm slightly amature at this.

You did great but if you have some questions, just ask :)

*A few optionals that I would recommend be uninstalled.

LimeWire
Azureus
These programs maybe the reason why your machine is infected. Even when programs like these arenot infected theirselves, they may still bring malware into your system because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. I recommend that you remove these programs from your system.

*Click Start > Control Panel > Add or Remove Programs and uninstall the items I listed in bold if found.

*Reboot
____________

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update AVG Antispyware.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update. Do not use it yet!

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune

Do not use it yet.
______________

Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

O18 - Filter hijack: text/html - (no CLSID) - (no file)

Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
______________

You may want to print these instructions here or save them in notepad since you'll work offline.

Reboot into Safe Mode.

To enter Safe Mode..

Click Start > Turn Off Computer > Restart > Tap F8 key just before Windows starts to load, > This will bring up a Menu > Use your keyboard to scroll to Safe Mode> Hit enter.

*Using Windows explorer, please delete the following folders:

C:\Documents and Settings\All Users\Application Data\meow internet dead build
C:\Documents and Settings\All Users\Application Data\LogoCastStyleBin
C:\Documents and Settings\Chris.MIKE-HOME\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\McAfee.com
C:\Documents and Settings\All Users\Application Data\Symantec

*Delete the following folders if you uninstalled their corresponding programs:

C:\Documents and Settings\Chris.MIKE-HOME\Application Data\LimeWire
C:\Program Files\Limewire
C:\Program Files\Azureus
C:\Documents and Settings\Chris.MIKE-HOME\Application Data\Azureus

*Delete the following file:

C:\Documents and Settings\Chris.MIKE-HOME\My Documents\Killer.exe
________________

Important: Make sure all your browsers are closed before running ATF Cleaner..

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose:Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click
No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE:If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Please run AVG AntiSpyware, and run a full scan as follow:

IMPORTANT: Do not open any other windows or programs while AVG AntiSpyware is scanning, it may interfere with the scanning process.

Launch AVG AntiSpyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
AVG AntiSpyware will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save Report As" button in the lower left hand of the screen and save it to a text file on your system. (Make sure to remember where you saved that file, this is important).
Close AVG AntiSpyware.
Reboot to normal mode.


On your next reply, please post a fresh HijackThis log, AVG Antispyware log and tell me if it is running slow..

Churchy
2007-07-04, 07:16
Hi,

I did what you said and my computer seems to be running "slightly" faster than before. Then again i might be just getting used to waiting. Here's the logs:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:42:23 PM 7/4/2007

+ Scan result:



HKLM\SOFTWARE\Altnet -> Adware.Altnet : Cleaned.
HKLM\SOFTWARE\Altnet\Dashboard -> Adware.Altnet : Cleaned.
HKLM\SOFTWARE\Altnet\Dashboard\Settings -> Adware.Altnet : Cleaned.
HKLM\SOFTWARE\Classes\NaviPromo.EGNaviScoring -> Adware.NaviPromo : Cleaned.
HKLM\SOFTWARE\Classes\NaviPromo.EGNaviScoring.1 -> Adware.NaviPromo : Cleaned.
HKLM\SOFTWARE\Classes\NaviPromo.EGNaviScoring\CLSID -> Adware.NaviPromo : Cleaned.


::Report end


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:12:17 PM, on 7/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chris.MIKE-HOME\My Documents\Killer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{524F076C-4663-4256-B0C2-A34C8355D0E5}: NameServer = 203.12.160.35,203.12.160.36
O17 - HKLM\System\CCS\Services\Tcpip\..\{712B2112-0F5B-4030-B52A-93F240957BF1}: NameServer = 203.12.160.35,203.12.160.36
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 4573 bytes

BTW the killer.exe app is just HJT, i renamed it on the advice of another thread i was reading. Appreciate the help so far.

Angelfire777
2007-07-06, 17:15
Hi,


BTW the killer.exe app is just HJT, i renamed it on the advice of another thread i was reading. Appreciate the help so far.

Renaming is unnecessary in your case because there is no infection called vundo in your machine. Next time, it may be better if you only follow my advice in cleaning your computer's machine :)

Please download Navilog1 by IL-MAFIOSO:
http://perso.orange.fr/il.mafioso/Navifix/Navilog1.zip

Extract its contents to the desktop.
Double click on navilog1.exe to install it on your computer.
When the installation is complete, the tool will start automatically.
If it doesn't start automatically, please double click on Navilog1 shortcut on your desktop to run it.
Press E for English from the language Menu.
Type 1 in the next Menu to select Search and press Enter.
Wait for the Scan to finish (It may take a reasonable amount of time)
Press any key as requested .
A new document will be produced: fixnavi.txt.
Please copy/paste the contents of this report in your next reply.


The report is also saved in the root of the directory, "%SystemDrive%\fixnavi.txt". (usually C:\fixnavi.txt)

Churchy
2007-07-07, 09:37
Sorry, I just like to check to see if other people have problems similar to me first, to save creating another thread and wasting time. Anyway, here's the log:


Search Navipromo version 2.0.5 began on Sat 07/07/2007 at 16:15:35.98

!!! Warning, this report may include legitimate files/programs !!!
!!! Post this report on the forum you are being helped !!!
!!! Don't continue with removal unless instructed by an authorized helper !!!

Fix running from C:\Program Files\navilog1
Updated on 01.07.2007 at 12h00 by IL-MAFIOSO

Done in normal mode

*** Searching for installed Software ***




*** Search folders in C:\WINDOWS ***


C:\WINDOWS\winmgts found !


*** Search folders in C:\Program Files ***




*** Search folders in C:\Documents and Settings\All Users\Application Data ***




*** Search folders in C:\Documents and Settings\Mike\Application Data ***



*** Search with BlackLight Engine/F-secure ***
BlackLight Engine is a product of F-secure, for more info:
http://www.f-secure.com/blacklight/blacklight_help.html


F-SECURE BLACKLIGHT ROOTKIT ELIMINATOR
======================================

Copyright 2005-2006 F-Secure Corporation. All rights reserved.
This is a beta version. It will expire on 1st of October, 2007.
Version information: 2.2.1064.

[+] Started on 07/07/07 at 16:15:41.
[+] Initializing ...
[+] Starting scan, press Ctrl-C to abort.
[+] Scanning for hidden items ......................................................................................................
[+] Scan complete.
[+] Summary: 0 hidden item(s) found, 0 scheduled for renaming.
[+] Exited on 07/07/07 at 16:28:05 (return code = 0).


*** Search files ***




*** Search registry keys ***


Search in [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs]



Search in [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/eglivecam_1029.dll


Search Magic Control Key



*** Complementary Search ***
(Search specifics files)

1)Search known files:


2)Heuristic Search :
*
**
***
****
*****
******
*******
********

3)Certificates Search :


*** Search completed on Sat 07/07/2007 at 16:28:37.62 ***

What's the program searching for, if you don't mind me asking?

Angelfire777
2007-07-07, 09:48
Sorry, I just like to check to see if other people have problems similar to me first, to save creating another thread and wasting time.

That's not true. When people get infected, they get infected in so many ways and in each user, the case is different and sometimes, by running the wrong sets of tools, you may make the situation worse. I've seen it happen to a lot of people. So, it is always advisable to create your own thread and wait for your helper's advice only.


What's the program searching for, if you don't mind me asking?

The program is searching for entries of a rootkit called Navipromo.

Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O18 - Filter hijack: text/html - (no CLSID) - (no file)


Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
__________________

Double click on Navilog1 shortcut icon on your desktop to run it.
Press E for English from the language Menu.
Type 3 in the next Menu and press Enter.
The tool will then advise you that it will restart your computer.
Close all open windows and save personnal documents, if open, too.
If your computer doesn't restart automatically, restart it manually.
Choose your usual session.
Wait for the *** Clean finished the ... *** message (It may take a reasonable amount of time)
A new document will be produced.
Please copy/paste the contents of this report in your next reply.
Your desktop will now appear.


Note : In the event you lose your desktop, press CTRL+ALT+Delete and run Explorer.exe as a new task.

The report is also saved in the root directory, %SystemDrive%\cleannavi.txt.. (usually C:\cleannavi.txt) Also, please post a fresh HijackThis log.

Churchy
2007-07-07, 10:48
Everything went smoothly, here's the logs:

Navipromo Removal version 2.0.5 started on Sat 07/07/2007 at 17:36:36.29

Fix running from C:\Program Files\navilog1
Updated on 01.07.2007 at 12h00 by IL-MAFIOSO

Automatic removal
without Blacklight results



*** Deleting folders in C:\WINDOWS ***

C:\WINDOWS\winmgts ...deleting...
C:\WINDOWS\winmgts deleted !


*** Deleting folders in C:\Program Files ***


*** Deleting folders in C:\Documents and Settings\All Users\Application Data ***


*** Deleting folders in C:\Documents and Settings\Mike\Application Data ***



*** Deleting files ***


*** Deleting temporary files ***

Cleanning C:\WINDOWS\Temp done !
Cleanning C:\Documents and Settings\Mike\Local Settings\Temp done !


*** Copy registry to Backupnavi folder***


Backing up registry done !


*** Clean registry ***


Registry cleaned

*** Complementary Search ***
(Search specifics files)

1)Search known files:


2)Searching and deleting Heuristics :

*
**
***
****
*****
******
*******
********

3)Check registry for others bad keys :

No new bad keys found in registry !

4)Certificates :


*** Cleaning finished on Sat 07/07/2007 at 17:42:06.90 ***


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 5:45:36 PM, on 7/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Chris.MIKE-HOME\My Documents\Killer.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{524F076C-4663-4256-B0C2-A34C8355D0E5}: NameServer = 203.12.160.35,203.12.160.36
O17 - HKLM\System\CCS\Services\Tcpip\..\{712B2112-0F5B-4030-B52A-93F240957BF1}: NameServer = 203.12.160.35,203.12.160.36
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 4529 bytes

I dunno why but O18 - Filter hijack: text/html - (no CLSID) - (no file) doesn't wanna go away.

Angelfire777
2007-07-07, 10:59
Try fixing that entry from safe mode then please post a fresh HijackThis log after you reboot back to normal mode.

Churchy
2007-07-07, 11:19
No joy, it's still there if I read the log right.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:18:02 PM, on 7/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chris.MIKE-HOME\My Documents\Killer.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{524F076C-4663-4256-B0C2-A34C8355D0E5}: NameServer = 203.12.160.35,203.12.160.36
O17 - HKLM\System\CCS\Services\Tcpip\..\{712B2112-0F5B-4030-B52A-93F240957BF1}: NameServer = 203.12.160.35,203.12.160.36
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 4562 bytes

Angelfire777
2007-07-07, 11:40
HijackThis has been known to have problem with that entry..

click start > run > copy and paste:

reg delete "HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html" /f

Please post a fresh HijackThis log afterwards.

Churchy
2007-07-07, 12:08
Nicely done, that got rid of the sucker. Here's the proof:


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:04:46 PM, on 7/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Chris.MIKE-HOME\My Documents\Killer.exe


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{524F076C-4663-4256-B0C2-A34C8355D0E5}: NameServer = 203.12.160.35,203.12.160.36
O17 - HKLM\System\CCS\Services\Tcpip\..\{712B2112-0F5B-4030-B52A-93F240957BF1}: NameServer = 203.12.160.35,203.12.160.36
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 4516 bytes

Any idea what the process/app did? Or was it just clutter?

Angelfire777
2007-07-07, 14:45
Hi,


Any idea what the process/app did? Or was it just clutter?

It was just clutter :)

Congratulations! Your log looks clean!

This is a good time to clear your existing system restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore

Select Create a restore point, and Ok it.

Next, go to Start > Run and type in cleanmgr

Select the More options tab

Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.
______________________
Here are some free programs I recommend that could help you improve your pc's security.

Install SpyWare Blaster
~You can download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
~You can read the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

Install WinPatrol
~You can download it from here (http://www.winpatrol.com/download.html)
~You can get some information about how WinPatrol works here (http://www.winpatrol.com/features.html)

IESpyAds
~You can download it from here (http://www.spywarewarrior.com/uiuc/resource.htm#IESPYAD)
~If you want to know how IEspyads work you can take a look at it here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
~Please note that IESpyAds only works with Internet Explorer.

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?" (http://castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html)

Happy safe surfing!

Churchy
2007-07-08, 12:53
I'm glad my log looks all clear. Unfortunately, my computer is still runnning slowly, although it is much better since we began. Any other possible infections you may have overlooked? Or is my computer just reaching the end of it's proverbial life?

Churchy
2007-07-08, 13:10
There are multiple accounts on my machine, could an infection be occuring in another account and affecting all users but not showing up in the logs from the particular account i'm using? Sorry i don't know how to edit previous replies.

Angelfire777
2007-07-08, 13:10
Yes, what you just said is possible. Please run this scan on the account that we just cleaned then, please post a HijackThis log for each account in that machine :)

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under select a target to scan:Select My Computer

This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Churchy
2007-07-09, 09:59
heres the logs got a few hits on kasperspy:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, July 09, 2007 4:28:25 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 9/07/2007
Kaspersky Anti-Virus database records: 359878
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 47953
Number of viruses found: 3
Number of infected objects: 7 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:17:02

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\1dc4894067e5277b6daf1b0375b40000_a25df787-9b04-4715-8c66-5199c40ab0ff Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\c74c6f795ada87022536668c055d2c0e_a25df787-9b04-4715-8c66-5199c40ab0ff Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\000bd8af4621e8eec73f566a2b434250_a25df787-9b04-4715-8c66-5199c40ab0ff Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\001c413dc8f6ba76aa34ce7ed416d468_a25df787-9b04-4715-8c66-5199c40ab0ff Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0161db60a1bfd9fb5c0fe5e20f9fbfc5_a25df787-9b04-4715-8c66-5199c40ab0ff Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0180382fd763b1070869404c5738438f_a25df787-9b04-4715-8c66-5199c40ab0ff Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\036ea92d9ce6d396ff8a4cf92aa2df6e_a25df787-9b04-4715-8c66-5199c40ab0ff Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\038397a0fd9ee7c14830219e18331e1f_a25df787-9b04-4715-8c66-5199c40ab0ff Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\03a715ea83d1fb11d937f1245494e041_a25df787-9b04-4715-8c66-5199c40ab0ff Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\03e2bd6bfcab7798934164084af51977_a25df787-9b04-4715-8c66-5199c40ab0ff Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0406976c17e22ff66d65084639f1ad81_a25df787-9b04-4715-8c66-5199c40ab0ff Object is locked skipped


I'm ignoring the majority of the 'machinekeys' as there's about 100,000 characters of it, and seem to pretty much repeat themselves. If you want them just tell me. Here's the 'good part':



C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\OneCare Protection\Support\MPLog-07022007-225700.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Protection Service\edb.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Protection Service\MPSSVCPolicyIdLog.etl Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mike\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mike\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Mike\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Shan\Incomplete\T-210050-_RAZOR_ those little pills _final_ (Tool).wma Infected: Trojan-Downloader.WMA.Wimad.d skipped
C:\Documents and Settings\Shan\Incomplete\T-316328-(DONE) kill a million brain cells _crack_ [Theme].wma Infected: Trojan-Downloader.WMA.Wimad.d skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Ent.dat Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\Database\edb.log Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\Database\tmp.edb Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\Database\WinSS_st.edb Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\WinSSSvc_log.bin Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\cedjolkk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\MSFWSVC.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\Windows_OneCare_Evt.evt Object is locked skipped
C:\WINDOWS\system32\fmpsvdpl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\WINDOWS\system32\glxtbyyd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\oqgrurvo.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\WINDOWS\system32\rxrprsbp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Churchy
2007-07-09, 10:03
This is the log of the other account:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:40:06 PM, on 7/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Chris.MIKE-HOME\My Documents\Killer.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1220945662-1993962763-1343024091-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Mike')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{524F076C-4663-4256-B0C2-A34C8355D0E5}: NameServer = 203.12.160.35,203.12.160.36
O17 - HKLM\System\CCS\Services\Tcpip\..\{712B2112-0F5B-4030-B52A-93F240957BF1}: NameServer = 203.12.160.35,203.12.160.36
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 4403 bytes

Angelfire777
2007-07-09, 12:54
Hi,


I'm ignoring the majority of the 'machinekeys' as there's about 100,000 characters of it, and seem to pretty much repeat themselves. If you want them just tell me. Here's the 'good part':

Thanks for sorting it out. It helps me save time :)

The other accounts HijackThis log looks good..However, there are some nasties that Kaspersky just showed us..


You may want to print these instructions here or save them in notepad since you'll work offline.

Reboot into Safe Mode.

To enter Safe Mode..

Click Start > Turn Off Computer > Restart > Tap F8 key just before Windows starts to load, > This will bring up a Menu > Use your keyboard to scroll to Safe Mode> Hit enter.

*Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type delete.bat in the File name and save it to your desktop.


@echo off
for %%g in (
C:\Documents and Settings\Shan\Incomplete\T-210050-_RAZOR_ those little pills _final_ (Tool).wma
C:\Documents and Settings\Shan\Incomplete\T-316328-(DONE) kill a million brain cells _crack_ [Theme].wma
C:\WINDOWS\system32\cedjolkk.dll
C:\WINDOWS\system32\fmpsvdpl.dll
C:\WINDOWS\system32\glxtbyyd.dll
C:\WINDOWS\system32\oqgrurvo.dll
C:\WINDOWS\system32\rxrprsbp.dll
) do (
attrib -s -h -r %%g
del /s /q %%g
)
cls
echo.Done!! Press any key to exit....
pause>nul
del %0


Locate delete.bat on your Desktop and double-click on it.

Reboot to normal mode then tell me how it is running.

Churchy
2007-07-09, 15:21
I ran the .bat and the files were deleted. Unfortunately my computer hasn't sped up at all as far as I can tell.

Angelfire777
2007-07-09, 15:56
May I ask how much is the RAM of your machine? and when is the last time you defragmented your hard drive? Also, can you be more specific by "speed?"

Churchy
2007-07-09, 16:07
Sorry for my ignorance, but how do I check how much RAM I have? I think the last defrag was roughly a month ago. By speed i mean that my machine is taking MUCH longer than usual to log in to an account, and essentially do anything. sort of like lag when playing an online game.

Churchy
2007-07-09, 16:08
Found the RAM size, I apparently have 128 MB of RAM.

Angelfire777
2007-07-09, 16:12
Found the RAM size, I apparently have 128 MB of RAM.

That would explain everything. Windows XP alone already takes roughly 128 ram of your machine..What more if you have several programs running..? The least RAM you could at least get for an XP machine is 256 RAM...As of now, I'm running with 256 RAM and it is really not enough... You should seriously consider upgrading your RAM to 512..If not, boost it up to AT LEAST 256..:)

Churchy
2007-07-09, 16:16
That's odd, it's never been a problem before. This sudden slow down in performance happened just in the last two weeks or so. No viruses/malware etc can screw with the RAM can they?

Angelfire777
2007-07-09, 16:23
I don't know of any that can do that but if it is true that your system has only 128RAM, that's a different story..

Let's try these:

Download Gmer (http://www.majorgeeks.com/downloadget.php?id=5198&file=15&evp=3f18075291813a665b2a25536a70b307)
Disconnect from internet and close running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double click gmer.exe
Let the gmer.sys driver load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run scan...say Ok.
If no warning....
Click "Rootkit" tab and click "Scan"
Once done, click "Copy"
Open Notepad and hit "ctrl+v" to paste the log.
Reconnect to the internet and post the log back to this thread please.


*Create a Boot Log
Using Windows Explorer, please look for this file listed in bold c:\windows\ntbtlog.txt and if found, delete it.
Click Start > Run > type in msconfig in the box and click Ok
Click on the BOOT.INI tab and check the box that says /BOOTLOG
Click Apply & Ok and reboot the PC ( Booting will be noticeably slower as it creates the log)
Click Start > Run > type in msconfig in the box and click Ok
Check Normal Startup on the GENERAL tab, and on the BOOT.INI tab, Uncheck /BOOTLOG. Click Apply, OK.
When a message asks if you want to Reboot now, Click Exit Without Reboot.
Using Windows Explorer, find the file listed in bold, c:\windows\ntbtlog.txt , open it and paste the contents of the file here in your topic.

Churchy
2007-07-12, 10:24
Boot log:

Service Pack 2 7 9 2007 23:41:08.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver \WINDOWS\system32\BOOTVID.dll
Loaded driver ACPI.sys
Loaded driver \WINDOWS\System32\DRIVERS\WMILIB.SYS
Loaded driver pci.sys
Loaded driver isapnp.sys
Loaded driver ohci1394.sys
Loaded driver \WINDOWS\System32\DRIVERS\1394BUS.SYS
Loaded driver viaide.sys
Loaded driver \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Loaded driver MountMgr.sys
Loaded driver ftdisk.sys
Loaded driver PartMgr.sys
Loaded driver VolSnap.sys
Loaded driver atapi.sys
Loaded driver viasraid.sys
Loaded driver \WINDOWS\System32\DRIVERS\SCSIPORT.SYS
Loaded driver disk.sys
Loaded driver \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Loaded driver fltmgr.sys
Loaded driver PxHelp20.sys
Loaded driver KSecDD.sys
Loaded driver Ntfs.sys
Loaded driver NDIS.sys
Loaded driver viaagp.sys
Loaded driver uagp35.sys
Loaded driver Mup.sys
Loaded driver BTHidMgr.sys
Loaded driver \SystemRoot\System32\DRIVERS\amdk7.sys
Loaded driver \SystemRoot\System32\DRIVERS\nv4_mini.sys
Loaded driver \SystemRoot\system32\DRIVERS\smserial.sys
Loaded driver \SystemRoot\System32\Drivers\Modem.SYS
Loaded driver \SystemRoot\System32\DRIVERS\imapi.sys
Loaded driver \SystemRoot\system32\drivers\pfc.sys
Loaded driver \SystemRoot\System32\Drivers\Cdr4_2K.SYS
Loaded driver \SystemRoot\System32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\System32\DRIVERS\redbook.sys
Loaded driver \SystemRoot\System32\Drivers\Cdralw2k.SYS
Loaded driver \SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys
Loaded driver \SystemRoot\System32\Drivers\Cdralw2k.SYS
Loaded driver \SystemRoot\System32\DRIVERS\usbuhci.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\system32\drivers\ALCXWDM.SYS
Loaded driver \SystemRoot\system32\drivers\ALCXSENS.SYS
Loaded driver \SystemRoot\System32\DRIVERS\RTL8139.SYS
Loaded driver \SystemRoot\System32\DRIVERS\fdc.sys
Loaded driver \SystemRoot\System32\DRIVERS\serial.sys
Loaded driver \SystemRoot\System32\DRIVERS\serenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\parport.sys
Loaded driver \SystemRoot\System32\DRIVERS\i8042prt.sys
Loaded driver \SystemRoot\system32\DRIVERS\L8042pr2.Sys
Loaded driver \SystemRoot\system32\DRIVERS\LMouFlt2.Sys
Loaded driver \SystemRoot\System32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\System32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\System32\DRIVERS\gameenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\audstub.sys
Loaded driver \SystemRoot\System32\Drivers\RootMdm.sys
Loaded driver \SystemRoot\system32\DRIVERS\rasirda.sys
Loaded driver \SystemRoot\System32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\System32\DRIVERS\msgpc.sys
Loaded driver \SystemRoot\System32\DRIVERS\psched.sys
Loaded driver \SystemRoot\System32\DRIVERS\ptilink.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\System32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\System32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\update.sys
Loaded driver \SystemRoot\System32\DRIVERS\mssmbios.sys
Loaded driver \SystemRoot\system32\drivers\WmBEnum.sys
Loaded driver \SystemRoot\system32\drivers\WmXlCore.sys
Loaded driver \SystemRoot\system32\drivers\MODEMCSA.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\System32\DRIVERS\usbhub.sys
Loaded driver \SystemRoot\System32\DRIVERS\flpydisk.sys
Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS
Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Loaded driver \SystemRoot\System32\DRIVERS\AvgAsCln.sys
Did not load driver \SystemRoot\system32\DRIVERS\kbdhid.sys
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\System32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\system32\DRIVERS\msfwhlpr.sys
Loaded driver \SystemRoot\System32\DRIVERS\ipsec.sys
Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\System32\DRIVERS\ipnat.sys
Loaded driver \??\C:\Program Files\Symantec\SYMEVENT.SYS
Loaded driver \SystemRoot\System32\Drivers\SYMTDI.SYS
Loaded driver \SystemRoot\System32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\System32\drivers\afd.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbios.sys
Did not load driver \SystemRoot\System32\DRIVERS\processr.sys
Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS
Loaded driver \SystemRoot\System32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\System32\DRIVERS\wanarp.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbprint.sys
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\irda.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndisuio.sys
Did not load driver \SystemRoot\System32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\System32\DRIVERS\mrxdav.sys
Loaded driver \SystemRoot\System32\Drivers\ParVdm.SYS
Loaded driver \SystemRoot\System32\Drivers\Cdralw2k.SYS
Loaded driver \SystemRoot\System32\Drivers\DgiVecp.sys
Loaded driver \SystemRoot\System32\DRIVERS\ipfltdrv.sys
Loaded driver \SystemRoot\system32\DRIVERS\msfwdrv.sys
Loaded driver \SystemRoot\System32\DRIVERS\secdrv.sys
Loaded driver \SystemRoot\System32\DRIVERS\srv.sys
Did not load driver \SystemRoot\System32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\system32\drivers\wdmaud.sys
Loaded driver \SystemRoot\system32\drivers\sysaudio.sys
Loaded driver \SystemRoot\system32\drivers\splitter.sys
Loaded driver \SystemRoot\system32\drivers\aec.sys
Loaded driver \SystemRoot\system32\drivers\swmidi.sys
Loaded driver \SystemRoot\system32\drivers\DMusic.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\drmkaud.sys
Loaded driver \SystemRoot\System32\Drivers\HTTP.sys
Loaded driver \SystemRoot\system32\DRIVERS\MpFilter.sys
Loaded driver \SystemRoot\System32\DRIVERS\gmer.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\System32\DRIVERS\RTL8139.SYS
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\System32\DRIVERS\nic1394.sys
Loaded driver \SystemRoot\System32\DRIVERS\arp1394.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Churchy
2007-07-12, 10:27
gmer log

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-07-10 00:23:13
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.13 ----

SSDT FF9BBA78 ZwConnectPort
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

---- Devices - GMER 1.0.13 ----

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F9F7A020] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F9F7A020] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F9F7A020] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F9F7A0C0] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F9F7A130] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F9F7A020] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F9F7A020] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F9F7A020] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F9F7A020] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F9F7A020] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F9F7A020] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F9F7A020] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F9F7A020] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F9F7A020] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F9F7A020] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F9F7A020] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F9F7A020] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F9F7A020] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F9F7A020] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F9F7A020] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F9F7A020] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F9F7A020] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F9F7A020] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F9F7A020] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F9F7A020] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F9F7A020] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F9F7A020] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [FC3EA1DE] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [FC3EA1DE] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [FC3DDF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [FC3DDF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [FC3DDF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [FC3DDF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [FC3DDF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [FC3DDF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [FC3DDF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [FC3DDF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [FC3DDF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [FC3DDF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [FC3DDF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [FC3EA454] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [FC3DDF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [FC3DDF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [FC3DDF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [FC3DDF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [FC3DDF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [FC3EA1DE] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [FC3DDF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [FC3DDF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [FC3DDF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [FC3DDF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [FC3DDF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [FC3DDF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [FC3DDF4C] fltmgr.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_READ [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_POWER [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [FA06D718] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_READ [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_POWER [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_READ [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [FA06D718] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_READ [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [F9FD6CCC] SYMTDI.SYS

Churchy
2007-07-12, 10:28
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_READ [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_POWER [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [FA06D718] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_READ [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_POWER [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_READ [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [FA06D718] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [FA059968] msfwhlpr.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_READ [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [F9FD6CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [F9FD6CCC] SYMTDI.SYS

---- EOF - GMER 1.0.13 ----

Apoligies for the late reply.

Angelfire777
2007-07-12, 13:29
Hi,

Everything looks ok:bigthumb:

Let's try to clean out some dirt..

Backup Your Registry with ERUNT
Please use the following link and scroll down to ERUNT and download it.
http://aumha.org/freeware/freeware.php
For version with the Installer:
Use the setup program to install ERUNT on your computer
For the zipped version:
Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe
_____________

I recommend you download RegSeeker (http://www.hoverdesk.net/dl/en/RegSeeker.zip). Extract it to it's own folder, open and double click RegSeeker.exe to start the program. Maximize the window and click clean registry. Check all sections and click OK. When the scan is complete, verify the backup box in lower left corner is checked and click the select all button, then select all again. Then right click within the search results and select delete. Run it again and again, deleting everything it finds until it finds nothing. Reboot and make sure your programs are working properly, control panel and add/remove programs windows open, etc (basically just do a quick check of everything). In the event anything was 'broken', you can open RegSeeker, click backups and double click any/all files to put the information back. A reboot may be required for the effects to be seen. Reboot When done.

NOTE: To be extra safe you can choose to only remove the items in RED
____________

After that, please run disk defragmenter by opening my computer then right click C:\ > properties > tools tab > click defragment now

Reboot then tell me if it is performing faster..

Angelfire777
2007-07-15, 15:16
Churchy?

Churchy
2007-07-18, 06:34
Sorry for the late reply, I've been a tad busy. Yeah my computer seems to be running somewhat faster although nowhere near what i'm used to. I think the next thing for me to do is to get some more RAM, see if that helps. Thanks for helping me clean out my system, I think it needed it quite badly. You deserve a medal for your work in cleaning out other peoples' computers when they aren't really your problem. If i need any help in the future i know where to go.

Angelfire777
2007-07-18, 12:04
That's ok. I'm quite busy in school too:D:

Since everything is ok now, I guess we're done!

Remember to read all the recommendations on post #15 for a more secure system.

Take care:laugh:

Angelfire777
2007-07-22, 03:05
Glad we could be of assistance :bigthumb:

Since the problem has been resolved, this topic is now closed and archived. If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.