Very puzzling - am I infected or not??? Rootkit?

goldengate
2006-11-17, 20:28
Environment: I am running Windows XP Media Edition with Norton (ugh) AntiVirus/SystemWorks. I also run Windows Defender and periodically scan with Ad-Aware and Spybot, and have Spybot's TeaTimer running.

Symptoms/Action taken: Every 24 hours or so I get a message that process csrss.exe has crashed as memory "could not be read". And the computer just seems "off". For example, if I perform an online virus scan with Trend Micro, the scan indicates infection with ADWARE_BHO_MYWAY and then the browser closes. Norton AntiVirus, Windows Defender, Spybot (in safe mode), and Ad-Aware find nothing wrong. Windows Malicious Software tool said a file was infected with "BACKDOOR: WIN32/HACKDEF.L" and I deleted that file. When I re-ran the tool, it said my computer was fine. I also ran SYSCLEAN from Trend Micro in safe mode and it found no infections. And I performed an online scan with BitDefender and it said no problems, but when I tried an online scan with eTrust, it didn't seem to be scanning.

So I think either I have something very sneaky (like a rootkit?) or else my computer is fine -- but then why the strange errors with csrss.exe? And why the strange behavior from the Trend Micro online scanner that used to work fine? And what about that BHO MYWAY adware warning?

Here's my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 5:58:59 AM, on 11/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rob\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Auto EPSON Stylus CX6400 on downstairs] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P38 "Auto EPSON Stylus CX6400 on downstairs" /O18 "\\DOWNSTAIRS\epson" /M "Stylus CX6400"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127790397751
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127970221515
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Here's the log from Rootkit revealer:
HKLM\SECURITY\Policy\Secrets\SAC* 8/19/2004 8:25 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 8/19/2004 8:25 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\webcal\URL Protocol 8/29/2005 3:35 PM 13 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 9/17/2006 3:27 PM 0 bytes Access is denied.


Appreciate any help!!!!!!!!!

Mr_JAk3
2006-11-18, 09:44
Hi goldengate and welcome to Safer Networking Forums :)

Do you remember the name/path of the file that Windows Malicious Software tool removed?

I can't see anything bad in your HijackThis log...

Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning! Please, do not select the "Show all" checkbox during the scan.

goldengate
2006-11-18, 17:36
Hi there, thank you so much for your help!

The file that the malicious software removal tool said was infected was:

c:/program files/adobe/adobe help center/browser/es262-32.dll

I deleted it and my Adobe programs still seem to work. It's still in my recycle bin just in case I need it - could it do harm there? I found the following web page which makes me wonder if I should have deleted it:

http://www.fbmsoftware.com/spyware-net/process/es262-32_dll/2664/

When I try to cut and paste the GMER log to this message, I get a warning that says "The text you have entered is too long (57761 characters)...please shorten to 20000 characters" so I'll have to see how I can cut and paste it... perhaps in two posts.... (and I didn't check that show all box)....

GMER 1.0.12.11889 - http://www.gmer.net
Rootkit scan 2006-11-18 08:33:14
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT 82282790 ZwConnectPort
SSDT sptd.sys ZwCreateKey
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT sptd.sys ZwOpenKey
SSDT 82230128 ZwOpenProcess
SSDT 81DC9B98 ZwOpenThread
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT sptd.sys ZwSetValueKey

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[640] USER32.dll!DialogBoxParamW 77D5662C 5 Bytes JMP 7E1F5415 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[640] USER32.dll!DialogBoxIndirectParamW 77D62043 5 Bytes JMP 7E38C510 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[640] USER32.dll!MessageBoxIndirectA 77D6A05A 5 Bytes JMP 7E38C491 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[640] USER32.dll!DialogBoxParamA 77D6B11C 5 Bytes JMP 7E38C4D5 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[640] USER32.dll!MessageBoxExW 77D80538 5 Bytes JMP 7E38C3D9 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[640] USER32.dll!MessageBoxExA 77D8055C 5 Bytes JMP 7E38C413 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[640] USER32.dll!DialogBoxIndirectParamA 77D86CAD 5 Bytes JMP 7E38C54B C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[640] USER32.dll!MessageBoxIndirectW 77D96093 5 Bytes JMP 7E38C44D C:\WINDOWS\system32\IEFRAME.dll

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 825D6C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 825D6C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 825D6C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 825D6C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 825D6C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 825D6C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 825D6C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 825D6C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 825D6C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 825D6C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 825D6C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 825D6C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 825D6C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 825D6C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 825D6C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 825D6C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 825D6C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 825D6C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 825D6C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 825D6C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 825D6C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 825D6C78
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CREATE 82589590
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CLOSE 82589590
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_READ 82589590
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_WRITE 82589590
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_FLUSH_BUFFERS 82589590
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_DEVICE_CONTROL 82589590
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_INTERNAL_DEVICE_CONTROL 82589590
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SHUTDOWN 82589590
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_POWER 82589590
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SYSTEM_CONTROL 82589590
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_PNP 82589590
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CREATE 82589590
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CLOSE 82589590
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_READ 82589590
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_WRITE 82589590
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_FLUSH_BUFFERS 82589590
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_DEVICE_CONTROL 82589590

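A GMER report of this size (goldengate hit the 20000-character post limit) is easier to review with a little scripting than by eye. The script below is an added example written for this thread; it is not GMER's own code and was not posted by anyone above. It assumes the GMER 1.0.12 line formats shown in the log (SSDT, .text and Device entries) and carries a constructed sample made from a few lines copied out of that log, so it runs offline.

```python
"""Triage helper for GMER's plain-text report (added example, not part of
GMER or of this thread).

It parses the three kinds of entries seen in the log above (SSDT hooks,
user-mode inline hooks, device IRP dispatch hooks) and groups them by the
component that owns each hook, so a reviewer can see which hooks resolve
to a named module and which GMER could only report as a raw kernel address.
"""
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the GMER report posted
# in this thread, kept as a raw string so the Windows paths need no escaping.
SAMPLE_REPORT = r"""GMER 1.0.12.11889 - http://www.gmer.net
Rootkit scan 2006-11-18 08:33:14

---- System - GMER 1.0.12 ----

SSDT 82282790 ZwConnectPort
SSDT sptd.sys ZwCreateKey
SSDT sptd.sys ZwOpenKey
SSDT 82230128 ZwOpenProcess
SSDT 81DC9B98 ZwOpenThread

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[640] USER32.dll!DialogBoxParamW 77D5662C 5 Bytes JMP 7E1F5415 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[640] USER32.dll!MessageBoxExW 77D80538 5 Bytes JMP 7E38C3D9 C:\WINDOWS\system32\IEFRAME.dll

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 825D6C78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 825D6C78
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 82424A38
"""

HEX_ADDR = re.compile(r"^[0-9A-Fa-f]{8}$")
# SSDT <owning driver, or a bare address when GMER cannot map it> <Zw* function>
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(\w+)\s*$")
# .text <process path>[pid] <dll!export> <addr> <n> Bytes JMP <addr> <target module>
TEXT_RE = re.compile(
    r"^\.text\s+(.+?\[\d+\])\s+(\S+)\s+[0-9A-Fa-f]+\s+\d+\s+Bytes\s+JMP\s+"
    r"[0-9A-Fa-f]+\s+(\S.*?)\s*$")
# Device <driver object> <device object> <IRP_MJ_*> <dispatch handler address>
DEVICE_RE = re.compile(r"^Device\s+(\S+)\s+(\S+)\s+(IRP_MJ_\w+)\s+([0-9A-Fa-f]+)\s*$")


def parse_gmer(text):
    """Return the hooks found in a GMER report, keyed by section type."""
    hooks = {"ssdt": [], "inline": [], "irp": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            owner, func = m.groups()
            hooks["ssdt"].append({"owner": owner, "function": func,
                                  "resolved": HEX_ADDR.match(owner) is None})
            continue
        m = TEXT_RE.match(line)
        if m:
            proc, imp, target = m.groups()
            hooks["inline"].append({"process": proc, "import": imp, "target": target})
            continue
        m = DEVICE_RE.match(line)
        if m:
            drv, dev, irp, addr = m.groups()
            hooks["irp"].append({"driver": drv, "device": dev, "irp": irp, "handler": addr})
    return hooks


def summarize(hooks):
    """Group hooks by owner so that concentrations of hooks stand out."""
    ssdt = defaultdict(list)
    for h in hooks["ssdt"]:
        key = h["owner"] if h["resolved"] else "<unresolved address>"
        ssdt[key].append(h["function"])
    inline = defaultdict(list)
    for h in hooks["inline"]:
        inline[h["target"]].append(h["import"])
    irp = defaultdict(set)
    for h in hooks["irp"]:
        irp[h["driver"]].add(h["handler"])
    return {"ssdt": dict(ssdt), "inline": dict(inline),
            "irp": {drv: sorted(addrs) for drv, addrs in irp.items()}}


def unresolved_ssdt(hooks):
    """SSDT entries GMER could not attribute to a named driver: review first."""
    return [h["function"] for h in hooks["ssdt"] if not h["resolved"]]


if __name__ == "__main__":
    report = summarize(parse_gmer(SAMPLE_REPORT))
    for section, groups in report.items():
        print(f"[{section}]")
        for owner, items in groups.items():
            print(f"  {owner}: {', '.join(items)}")
    print("SSDT hooks with no named owner:", unresolved_ssdt(parse_gmer(SAMPLE_REPORT)))
```

Run against the full log, the grouping makes the review questions concrete: the registry-related SSDT hooks all belong to sptd.sys (the SCSI Pass Through Direct driver installed by Daemon Tools and Alcohol 120%, which also explains the "Access is denied" on `sptd\Cfg` in the RootkitRevealer output), while ZwConnectPort, ZwOpenProcess and ZwOpenThread are reported only as addresses and are the ones to reconcile against the installed security products. Every inline hook in iexplore.exe lands in IEFRAME.dll, Internet Explorer's own module. In the Devices section, one handler address covering every IRP of a driver, with the same pattern repeated across unrelated drivers (Ntfs, Ftdisk, Disk, NetBT), points to a single filtering component sitting in front of those dispatch tables rather than to many independent hooks.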
goldengate
2006-11-18, 17:40
Here's part 2:

Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_INTERNAL_DEVICE_CONTROL 82589590
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SHUTDOWN 82589590
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_POWER 82589590
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SYSTEM_CONTROL 82589590
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_PNP 82589590
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CREATE 82589590
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CLOSE 82589590
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_READ 82589590
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_WRITE 82589590
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_FLUSH_BUFFERS 82589590
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_DEVICE_CONTROL 82589590
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_INTERNAL_DEVICE_CONTROL 82589590
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SHUTDOWN 82589590
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_POWER 82589590
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SYSTEM_CONTROL 82589590
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_PNP 82589590
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CREATE 82589590
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CLOSE 82589590
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_READ 82589590
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_WRITE 82589590
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_FLUSH_BUFFERS 82589590
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_DEVICE_CONTROL 82589590
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_INTERNAL_DEVICE_CONTROL 82589590
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SHUTDOWN 82589590
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_POWER 82589590
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SYSTEM_CONTROL 82589590
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_PNP 82589590
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_PNP 825897C8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 82424A38
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 82424A38
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 82424A38
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 82424A38
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 82424A38
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 82424A38
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82424A38
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 82424A38
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 82424A38
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 82424A38
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 82424A38
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_READ 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_WRITE 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_FLUSH_BUFFERS 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DEVICE_CONTROL 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_INTERNAL_DEVICE_CONTROL 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SHUTDOWN 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CLEANUP 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_POWER 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SYSTEM_CONTROL 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_PNP 825897C8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE 8222A350
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_NAMED_PIPE 8222A350
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLOSE 8222A350
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 8222A350
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_WRITE 8222A350
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_INFORMATION 8222A350
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_INFORMATION 8222A350
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_EA 8222A350
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_EA 8222A350
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FLUSH_BUFFERS 8222A350
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_VOLUME_INFORMATION 8222A350
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_VOLUME_INFORMATION 8222A350
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DIRECTORY_CONTROL 8222A350
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FILE_SYSTEM_CONTROL 8222A350
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CONTROL 8222A350
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_INTERNAL_DEVICE_CONTROL 8222A350
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SHUTDOWN 8222A350
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_LOCK_CONTROL 8222A350
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLEANUP 8222A350
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_MAILSLOT 8222A350
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_SECURITY 8222A350
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_SECURITY 8222A350
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_POWER 8222A350
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SYSTEM_CONTROL 8222A350
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CHANGE 8222A350
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_QUOTA 8222A350
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_QUOTA 8222A350
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CREATE 825897C8

goldengate
2006-11-18, 17:41
Here's part 3 (I am guessing I am doing something wrong here):

Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_READ 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_WRITE 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_FLUSH_BUFFERS 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_DEVICE_CONTROL 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_INTERNAL_DEVICE_CONTROL 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SHUTDOWN 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CLEANUP 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_POWER 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SYSTEM_CONTROL 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_PNP 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_CREATE 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_READ 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_WRITE 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_FLUSH_BUFFERS 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_DEVICE_CONTROL 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_INTERNAL_DEVICE_CONTROL 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_SHUTDOWN 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_CLEANUP 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_POWER 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_SYSTEM_CONTROL 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_PNP 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume5 IRP_MJ_CREATE 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume5 IRP_MJ_READ 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume5 IRP_MJ_WRITE 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume5 IRP_MJ_FLUSH_BUFFERS 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume5 IRP_MJ_DEVICE_CONTROL 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume5 IRP_MJ_INTERNAL_DEVICE_CONTROL 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume5 IRP_MJ_SHUTDOWN 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume5 IRP_MJ_CLEANUP 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume5 IRP_MJ_POWER 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume5 IRP_MJ_SYSTEM_CONTROL 825897C8
Device \Driver\Ftdisk \Device\HarddiskVolume5 IRP_MJ_PNP 825897C8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 821B8EB0
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLOSE 821B8EB0
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_DEVICE_CONTROL 821B8EB0
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_INTERNAL_DEVICE_CONTROL 821B8EB0
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLEANUP 821B8EB0
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_PNP 821B8EB0
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 821B8EB0
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLOSE 821B8EB0
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_DEVICE_CONTROL 821B8EB0
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_INTERNAL_DEVICE_CONTROL 821B8EB0
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLEANUP 821B8EB0
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_PNP 821B8EB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CREATE 825D6EB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CLOSE 825D6EB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_READ 825D6EB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_WRITE 825D6EB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_FLUSH_BUFFERS 825D6EB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_DEVICE_CONTROL 825D6EB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_INTERNAL_DEVICE_CONTROL 825D6EB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_SHUTDOWN 825D6EB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_POWER 825D6EB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_SYSTEM_CONTROL 825D6EB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_PNP 825D6EB0
Device \Driver\Disk \Device\Harddisk1\DR1 IRP_MJ_CREATE 825D6EB0
Device \Driver\Disk \Device\Harddisk1\DR1 IRP_MJ_CLOSE 825D6EB0
Device \Driver\Disk \Device\Harddisk1\DR1 IRP_MJ_READ 825D6EB0
Device \Driver\Disk \Device\Harddisk1\DR1 IRP_MJ_WRITE 825D6EB0
Device \Driver\Disk \Device\Harddisk1\DR1 IRP_MJ_FLUSH_BUFFERS 825D6EB0
Device \Driver\Disk \Device\Harddisk1\DR1 IRP_MJ_DEVICE_CONTROL 825D6EB0
Device \Driver\Disk \Device\Harddisk1\DR1 IRP_MJ_INTERNAL_DEVICE_CONTROL 825D6EB0
Device \Driver\Disk \Device\Harddisk1\DR1 IRP_MJ_SHUTDOWN 825D6EB0
Device \Driver\Disk \Device\Harddisk1\DR1 IRP_MJ_POWER 825D6EB0
Device \Driver\Disk \Device\Harddisk1\DR1 IRP_MJ_SYSTEM_CONTROL 825D6EB0
Device \Driver\Disk \Device\Harddisk1\DR1 IRP_MJ_PNP 825D6EB0
Device \Driver\NetBT \Device\NetBT_Tcpip_{7838E6D0-46FA-4233-A7BC-6E660DB1CEF4} IRP_MJ_CREATE 821B8EB0
Device \Driver\NetBT \Device\NetBT_Tcpip_{7838E6D0-46FA-4233-A7BC-6E660DB1CEF4} IRP_MJ_CLOSE 821B8EB0
Device \Driver\NetBT \Device\NetBT_Tcpip_{7838E6D0-46FA-4233-A7BC-6E660DB1CEF4} IRP_MJ_DEVICE_CONTROL 821B8EB0
Device \Driver\NetBT \Device\NetBT_Tcpip_{7838E6D0-46FA-4233-A7BC-6E660DB1CEF4} IRP_MJ_INTERNAL_DEVICE_CONTROL 821B8EB0
Device \Driver\NetBT \Device\NetBT_Tcpip_{7838E6D0-46FA-4233-A7BC-6E660DB1CEF4} IRP_MJ_CLEANUP 821B8EB0
Device \Driver\NetBT \Device\NetBT_Tcpip_{7838E6D0-46FA-4233-A7BC-6E660DB1CEF4} IRP_MJ_PNP 821B8EB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 82373958
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 82373958
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSE 82373958
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 82373958
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 82373958
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 82373958
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 82373958
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 82373958
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 82373958
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 82373958
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 82373958
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 82373958
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 82373958

goldengate
2006-11-18, 17:43
Part 4:

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 82373958
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 82373958
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 82373958
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 82373958
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 82373958
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 82373958
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 82373958
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 82373958
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 82373958
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 82373958
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 82373958
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 82373958
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 82373958
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 82373958
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 82373958
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 82373958
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 82373958
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSE 82373958
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 82373958
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 82373958
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 82373958
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 82373958
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 82373958
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 82373958
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 82373958
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 82373958
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 82373958
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 82373958
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 82373958
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 82373958
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 82373958
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 82373958
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 82373958
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 82373958
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 82373958
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 82373958
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 82373958
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 82373958
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 82373958
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 82373958
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 82373958
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 82373958
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 82373958
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE 82212EB0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE_NAMED_PIPE 82212EB0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CLOSE 82212EB0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_READ 82212EB0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_WRITE 82212EB0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_INFORMATION 82212EB0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_SET_INFORMATION 82212EB0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_FLUSH_BUFFERS 82212EB0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_VOLUME_INFORMATION 82212EB0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_DIRECTORY_CONTROL 82212EB0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_FILE_SYSTEM_CONTROL 82212EB0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CLEANUP 82212EB0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_SECURITY 82212EB0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_SET_SECURITY 82212EB0
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 825897C8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_READ 825897C8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_WRITE 825897C8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_FLUSH_BUFFERS 825897C8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_DEVICE_CONTROL 825897C8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_INTERNAL_DEVICE_CONTROL 825897C8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SHUTDOWN 825897C8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CLEANUP 825897C8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_POWER 825897C8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SYSTEM_CONTROL 825897C8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_PNP 825897C8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CREATE 8221BA98
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CLOSE 8221BA98
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_READ 8221BA98
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_WRITE 8221BA98
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_QUERY_INFORMATION 8221BA98
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_SET_INFORMATION 8221BA98
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_QUERY_VOLUME_INFORMATION 8221BA98
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_DIRECTORY_CONTROL 8221BA98
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_FILE_SYSTEM_CONTROL 8221BA98
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CLEANUP 8221BA98
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CREATE_MAILSLOT 8221BA98
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_QUERY_SECURITY 8221BA98
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_SET_SECURITY 8221BA98
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE 821AF730
Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE 821AF730
Device \FileSystem\Fastfat \Fat IRP_MJ_READ 821AF730
Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE 821AF730
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION 821AF730
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION 821AF730
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA 821AF730
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA 821AF730
Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS 821AF730
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION 821AF730
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION 821AF730
Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL 821AF730
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL 821AF730
Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL 821AF730
Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN 821AF730
Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL 821AF730
Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP 821AF730
Device \FileSystem\Fastfat \Fat IRP_MJ_PNP 821AF730
Device \FileSystem\Fastfat \Fat FastIoCheckIfPossible F7D131F9
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 8243EAA8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE 8243EAA8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 8243EAA8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION 8243EAA8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION 8243EAA8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION 8243EAA8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL 8243EAA8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [ECCB8912] DLAIFS_M.SYS
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL 8243EAA8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN 8243EAA8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL 8243EAA8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP 8243EAA8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP 8243EAA8

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\All Users\Application Data\Symantec\hpc:468323563
ADS C:\Documents and Settings\Rob\Favorites\BEFORE you POST -Preliminary Steps and scanning with SPYBOT-S&D - Safer Networking Forums.url:favicon
ADS C:\Documents and Settings\Rob\Favorites\Links\Fidelity.url:favicon
ADS C:\Documents and Settings\Rob\Favorites\Links\Microsoft Update.url:favicon
ADS C:\Documents and Settings\Rob\Favorites\Links\MRQE.url:favicon
ADS C:\Documents and Settings\Rob\Favorites\Links\SfGate.url:favicon
ADS C:\Documents and Settings\Rob\Favorites\SWI Forums winlogon.exe - application error!!!.url:favicon
ADS C:\Documents and Settings\Rob\Favorites\Very puzzling - am I infected or not Rootkit - Safer Networking Forums.url:favicon

---- EOF - GMER 1.0.12 ----
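A way to read the GMER "Devices" and "Files" sections above mechanically, as an added Python example (not code from this thread or from GMER). It assumes GMER's convention that a handler shown as a bare address lives in the device's own driver, while "[address] module" means the handler was resolved to another module; the sample below copies a few of the posted Cdfs, Fastfat, Ftdisk and ADS lines and adds one invented Npfs line (EXAMPLE_UNKNOWN.SYS, constructed address) to show what an unexplained redirection looks like. The known-filter set is an analyst-supplied assumption; DLAIFS_M.SYS is the Drive Letter Access (DLA) packet-writing filter, which is why that Cdfs entry is not a finding.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the GMER 1.0.12 "Devices" and "Files"
# sections posted in this thread. The Cdfs, Fastfat, Ftdisk and ADS lines copy
# entries from the posted log; the Npfs line with EXAMPLE_UNKNOWN.SYS and its
# address are invented to show what an unexplained redirection looks like.
SAMPLE_GMER = r"""
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL 8243EAA8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [ECCB8912] DLAIFS_M.SYS
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL 8243EAA8
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE 821AF730
Device \FileSystem\Fastfat \Fat FastIoCheckIfPossible F7D131F9
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 825897C8
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE [82340000] EXAMPLE_UNKNOWN.SYS
ADS C:\Documents and Settings\Rob\Favorites\Links\MRQE.url:favicon
ADS C:\Documents and Settings\All Users\Application Data\Symantec\hpc:468323563
"""

# Modules the analyst has already identified as legitimate filter drivers on
# this machine (assumed input, not something the script can decide itself).
# DLAIFS_M.SYS is the Drive Letter Access (DLA) packet-writing filter.
KNOWN_FILTERS = {"DLAIFS_M.SYS"}

# Streams with a known benign purpose: IE keeps a favourite's icon in ":favicon".
BENIGN_STREAMS = {"favicon"}

# A handler either sits in the owning driver (bare address) or GMER resolves it
# to another module and prints "[address] module".
DEVICE_RE = re.compile(
    r"^Device\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<routine>\S+)\s+"
    r"(?:\[(?P<hook_addr>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)|(?P<addr>[0-9A-Fa-f]+))\s*$"
)
ADS_RE = re.compile(r"^ADS\s+(?P<path>.+):(?P<stream>[^:\\]+)\s*$")


def parse_gmer(text):
    """Split a GMER log into device-dispatch records and ADS records."""
    devices, streams = [], []
    for line in text.splitlines():
        m = DEVICE_RE.match(line)
        if m:
            devices.append({
                "driver": m["driver"], "device": m["device"], "routine": m["routine"],
                "address": m["hook_addr"] or m["addr"],
                "module": m["module"],  # None when the handler is inside the owning driver
            })
            continue
        m = ADS_RE.match(line)
        if m:
            streams.append({"path": m["path"], "stream": m["stream"]})
    return devices, streams


def redirected_handlers(devices):
    """Entries whose handler GMER resolved to a module other than the owning driver."""
    return [d for d in devices if d["module"] is not None]


def triage(devices, known_filters=KNOWN_FILTERS):
    """Group redirected handlers by module; split into explained (known filter
    driver) and unexplained (needs a look: unknown filter or a rootkit hook)."""
    by_module = defaultdict(list)
    for d in redirected_handlers(devices):
        by_module[d["module"]].append(f'{d["driver"]} {d["device"]} {d["routine"]}')
    explained = {m: v for m, v in by_module.items() if m.upper() in known_filters}
    unexplained = {m: v for m, v in by_module.items() if m.upper() not in known_filters}
    return explained, unexplained


def dispatch_consistency(devices):
    """Distinct in-driver IRP_MJ_* handler addresses per (driver, device).
    One address repeated over every major function, as in the posted log, is
    the normal single-dispatch-routine pattern; several addresses deserve a
    second look. FastIo entries are skipped because they legitimately differ."""
    addrs = defaultdict(set)
    for d in devices:
        if d["module"] is None and d["routine"].startswith("IRP_MJ_"):
            addrs[(d["driver"], d["device"])].add(d["address"])
    return dict(addrs)


def ads_review(streams):
    """Separate alternate data streams with a known benign purpose from the
    rest, which an analyst should open and inspect."""
    benign = [s for s in streams
              if s["stream"].lower() in BENIGN_STREAMS and s["path"].lower().endswith(".url")]
    review = [s for s in streams if s not in benign]
    return benign, review


if __name__ == "__main__":
    devices, streams = parse_gmer(SAMPLE_GMER)
    explained, unexplained = triage(devices)
    print("explained by known filters:", explained)
    print("still unexplained:", unexplained)
    print("dispatch addresses per device:", dispatch_consistency(devices))
    benign, review = ads_review(streams)
    print("benign streams:", len(benign), "| to review:", [s["path"] for s in review])
```

Run against the full posted log, the only redirected handler is the DLA entry on Cdfs and every IRP_MJ_* table collapses to a single address per device, which is what a clean driver stack looks like; the ":favicon" streams on .url files are IE's doing, and only the Symantec stream is left to open and look at.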

Mr_JAk3
2006-11-18, 20:23
Hi again, you posted the right log :)

That WIN32/HACKDEF.L (es262-32.dll) is a false positive from Microsoft. You can restore the file to its original location :)

You have Dell's MyWay (http://support.dell.com/support/topics/global.aspx/support/dsn/en/document?c=us&cs=19&l=en&s=dhs&dn=1091919) installed. Are you using this ? If you do not use this, I'll recommend that you remove it. Removal instructions here (http://forums.us.dell.com/supportforums/board/message?board.id=si_virus&message.id=42328).

Then I recommend that you run a scan with AVG Anti-Spyware:

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Run ATF Cleaner
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report

goldengate
2006-11-19, 08:53
Yes, I do believe I was infected! Can you tell me why Spybot, Windows Defender, Ad Aware and Norton did not find this infection? Very strange....

Here's the log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:13:35 PM 11/18/2006

+ Scan result:



C:\Program Files\DIGStream\digstream.exe -> Not-A-Virus.Downloader.Win32.DigStream : Cleaned with backup (quarantined).
C:\Program Files\BlindWrite 5.2.9 + Copytodvd 3.0.41 + Dvd Shrink 2.3 + DivxToDvd + PhotoDVD 1.0.1, Multilangues et cracks.rar/BlindWrite 5.2.9 + Copytodvd 3.0.41 + Dvd Shrink 2.3 + DivxToDvd + PhotoDVD 1.0.1\Photodvd 0.9.7 Fr\Crack.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
:mozilla.11:C:\RECYCLER\NPROTECT\00001346.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.11:C:\RECYCLER\NPROTECT\00001347.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.11:C:\RECYCLER\NPROTECT\00001348.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.11:C:\RECYCLER\NPROTECT\00001358.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.11:C:\RECYCLER\NPROTECT\00001359.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.11:C:\RECYCLER\NPROTECT\00001365.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.11:C:\RECYCLER\NPROTECT\00001366.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.11:C:\RECYCLER\NPROTECT\00001367.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.11:C:\RECYCLER\NPROTECT\00001411.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.11:C:\RECYCLER\NPROTECT\00001570.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.12:C:\RECYCLER\NPROTECT\00001346.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.12:C:\RECYCLER\NPROTECT\00001347.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.12:C:\RECYCLER\NPROTECT\00001348.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.12:C:\RECYCLER\NPROTECT\00001358.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.12:C:\RECYCLER\NPROTECT\00001359.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.12:C:\RECYCLER\NPROTECT\00001365.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.12:C:\RECYCLER\NPROTECT\00001366.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.12:C:\RECYCLER\NPROTECT\00001367.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.12:C:\RECYCLER\NPROTECT\00001411.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.12:C:\RECYCLER\NPROTECT\00001570.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.13:C:\RECYCLER\NPROTECT\00001346.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.13:C:\RECYCLER\NPROTECT\00001347.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.13:C:\RECYCLER\NPROTECT\00001348.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.13:C:\RECYCLER\NPROTECT\00001358.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.13:C:\RECYCLER\NPROTECT\00001359.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.13:C:\RECYCLER\NPROTECT\00001365.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.13:C:\RECYCLER\NPROTECT\00001366.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.13:C:\RECYCLER\NPROTECT\00001367.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.13:C:\RECYCLER\NPROTECT\00001411.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.13:C:\RECYCLER\NPROTECT\00001570.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.14:C:\RECYCLER\NPROTECT\00001346.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.14:C:\RECYCLER\NPROTECT\00001347.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.14:C:\RECYCLER\NPROTECT\00001348.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.14:C:\RECYCLER\NPROTECT\00001358.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.14:C:\RECYCLER\NPROTECT\00001359.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.14:C:\RECYCLER\NPROTECT\00001365.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.14:C:\RECYCLER\NPROTECT\00001366.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.14:C:\RECYCLER\NPROTECT\00001367.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.14:C:\RECYCLER\NPROTECT\00001411.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.14:C:\RECYCLER\NPROTECT\00001570.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.15:C:\RECYCLER\NPROTECT\00001346.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.15:C:\RECYCLER\NPROTECT\00001347.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.15:C:\RECYCLER\NPROTECT\00001348.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.15:C:\RECYCLER\NPROTECT\00001358.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.15:C:\RECYCLER\NPROTECT\00001359.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.15:C:\RECYCLER\NPROTECT\00001365.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.15:C:\RECYCLER\NPROTECT\00001366.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.15:C:\RECYCLER\NPROTECT\00001367.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.15:C:\RECYCLER\NPROTECT\00001411.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.15:C:\RECYCLER\NPROTECT\00001570.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.20:C:\RECYCLER\NPROTECT\00001345.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.20:C:\RECYCLER\NPROTECT\00001571.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.20:C:\RECYCLER\NPROTECT\00001572.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.20:C:\RECYCLER\NPROTECT\00001573.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.21:C:\RECYCLER\NPROTECT\00001344.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.21:C:\RECYCLER\NPROTECT\00001345.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.21:C:\RECYCLER\NPROTECT\00001571.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.21:C:\RECYCLER\NPROTECT\00001572.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.122:C:\RECYCLER\NPROTECT\00004038.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.122:C:\RECYCLER\NPROTECT\00006915.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.123:C:\RECYCLER\NPROTECT\00004031.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.123:C:\RECYCLER\NPROTECT\00004034.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.123:C:\RECYCLER\NPROTECT\00004038.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.123:C:\RECYCLER\NPROTECT\00004039.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.123:C:\RECYCLER\NPROTECT\00006915.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.124:C:\RECYCLER\NPROTECT\00004031.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.124:C:\RECYCLER\NPROTECT\00004038.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.124:C:\RECYCLER\NPROTECT\00004039.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.124:C:\RECYCLER\NPROTECT\00004793.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.124:C:\RECYCLER\NPROTECT\00004794.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.125:C:\RECYCLER\NPROTECT\00004031.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.125:C:\RECYCLER\NPROTECT\00004039.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.125:C:\RECYCLER\NPROTECT\00004793.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.125:C:\RECYCLER\NPROTECT\00004794.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.125:C:\RECYCLER\NPROTECT\00004795.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.125:C:\RECYCLER\NPROTECT\00004796.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.125:C:\RECYCLER\NPROTECT\00004807.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.125:C:\RECYCLER\NPROTECT\00004811.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.125:C:\RECYCLER\NPROTECT\00004813.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.125:C:\RECYCLER\NPROTECT\00005043.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.125:C:\RECYCLER\NPROTECT\00006914.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.126:C:\RECYCLER\NPROTECT\00004793.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.126:C:\RECYCLER\NPROTECT\00004794.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.126:C:\RECYCLER\NPROTECT\00004795.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.126:C:\RECYCLER\NPROTECT\00004796.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.126:C:\RECYCLER\NPROTECT\00004807.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.126:C:\RECYCLER\NPROTECT\00004811.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.126:C:\RECYCLER\NPROTECT\00004813.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.126:C:\RECYCLER\NPROTECT\00005043.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.126:C:\RECYCLER\NPROTECT\00006914.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.127:C:\RECYCLER\NPROTECT\00004795.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.127:C:\RECYCLER\NPROTECT\00004796.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.127:C:\RECYCLER\NPROTECT\00004807.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.127:C:\RECYCLER\NPROTECT\00004811.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.127:C:\RECYCLER\NPROTECT\00004813.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.127:C:\RECYCLER\NPROTECT\00005043.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.127:C:\RECYCLER\NPROTECT\00006914.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.16:C:\RECYCLER\NPROTECT\00006916.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.16:C:\RECYCLER\NPROTECT\00006917.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.17:C:\RECYCLER\NPROTECT\00006916.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.17:C:\RECYCLER\NPROTECT\00006917.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.18:C:\RECYCLER\NPROTECT\00006916.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.18:C:\RECYCLER\NPROTECT\00006917.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.34:C:\RECYCLER\NPROTECT\00001345.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.35:C:\RECYCLER\NPROTECT\00001345.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.37:C:\RECYCLER\NPROTECT\00001359.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.37:C:\RECYCLER\NPROTECT\00001365.MOZ -> :mozilla.65:C:\RECYCLER\NPROTECT\00004811.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.65:C:\RECYCLER\NPROTECT\00004813.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.65:C:\RECYCLER\NPROTECT\00005043.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.65:C:\RECYCLER\NPROTECT\00006914.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.67:C:\RECYCLER\NPROTECT\00001344.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.67:C:\RECYCLER\NPROTECT\00006916.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.67:C:\RECYCLER\NPROTECT\00006917.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.27:C:\RECYCLER\NPROTECT\00001359.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.27:C:\RECYCLER\NPROTECT\00001365.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.27:C:\RECYCLER\NPROTECT\00001366.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.27:C:\RECYCLER\NPROTECT\00001367.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.27:C:\RECYCLER\NPROTECT\00001411.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.27:C:\RECYCLER\NPROTECT\00001570.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.28:C:\RECYCLER\NPROTECT\00001359.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.28:C:\RECYCLER\NPROTECT\00001365.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.28:C:\RECYCLER\NPROTECT\00001366.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.28:C:\RECYCLER\NPROTECT\00001367.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.28:C:\RECYCLER\NPROTECT\00001411.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.28:C:\RECYCLER\NPROTECT\00001570.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.29:C:\RECYCLER\NPROTECT\00001359.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.29:C:\RECYCLER\NPROTECT\00001365.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.29:C:\RECYCLER\NPROTECT\00001366.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.29:C:\RECYCLER\NPROTECT\00001367.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.29:C:\RECYCLER\NPROTECT\00001411.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.29:C:\RECYCLER\NPROTECT\00001570.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.30:C:\RECYCLER\NPROTECT\00001347.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.30:C:\RECYCLER\NPROTECT\00001348.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.30:C:\RECYCLER\NPROTECT\00001358.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.30:C:\RECYCLER\NPROTECT\00001359.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.30:C:\RECYCLER\NPROTECT\00001365.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.30:C:\RECYCLER\NPROTECT\00001366.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.30:C:\RECYCLER\NPROTECT\00001367.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.30:C:\RECYCLER\NPROTECT\00001411.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.30:C:\RECYCLER\NPROTECT\00001570.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.31:C:\RECYCLER\NPROTECT\00001346.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.31:C:\RECYCLER\NPROTECT\00001347.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.31:C:\RECYCLER\NPROTECT\00001348.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.31:C:\RECYCLER\NPROTECT\00001358.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.32:C:\RECYCLER\NPROTECT\00001346.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.32:C:\RECYCLER\NPROTECT\00001347.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.32:C:\RECYCLER\NPROTECT\00001348.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.32:C:\RECYCLER\NPROTECT\00001358.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.33:C:\RECYCLER\NPROTECT\00001346.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.33:C:\RECYCLER\NPROTECT\00001347.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.33:C:\RECYCLER\NPROTECT\00001348.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.33:C:\RECYCLER\NPROTECT\00001358.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.34:C:\RECYCLER\NPROTECT\00001346.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.36:C:\RECYCLER\NPROTECT\00001571.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.36:C:\RECYCLER\NPROTECT\00001572.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.36:C:\RECYCLER\NPROTECT\00001573.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.37:C:\RECYCLER\NPROTECT\00001571.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.37:C:\RECYCLER\NPROTECT\00001572.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.37:C:\RECYCLER\NPROTECT\00001573.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.38:C:\RECYCLER\NPROTECT\00001571.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.38:C:\RECYCLER\NPROTECT\00001572.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.38:C:\RECYCLER\NPROTECT\00001573.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.39:C:\RECYCLER\NPROTECT\00001571.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.39:C:\RECYCLER\NPROTECT\00001572.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.39:C:\RECYCLER\NPROTECT\00001573.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.43:C:\RECYCLER\NPROTECT\00001345.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.44:C:\RECYCLER\NPROTECT\00001345.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.45:C:\RECYCLER\NPROTECT\00001345.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.46:C:\RECYCLER\NPROTECT\00001345.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.52:C:\RECYCLER\NPROTECT\00004034.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.53:C:\RECYCLER\NPROTECT\00004034.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.53:C:\RECYCLER\NPROTECT\00004038.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.54:C:\RECYCLER\NPROTECT\00004031.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.54:C:\RECYCLER\NPROTECT\00004034.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.54:C:\RECYCLER\NPROTECT\00004038.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.54:C:\RECYCLER\NPROTECT\00004039.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.54:C:\RECYCLER\NPROTECT\00006915.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.55:C:\RECYCLER\NPROTECT\00004031.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.55:C:\RECYCLER\NPROTECT\00004034.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.55:C:\RECYCLER\NPROTECT\00004038.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.55:C:\RECYCLER\NPROTECT\00004039.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.55:C:\RECYCLER\NPROTECT\00004793.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.55:C:\RECYCLER\NPROTECT\00004794.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.55:C:\RECYCLER\NPROTECT\00006915.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.56:C:\RECYCLER\NPROTECT\00004031.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.56:C:\RECYCLER\NPROTECT\00004038.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.56:C:\RECYCLER\NPROTECT\00004039.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.56:C:\RECYCLER\NPROTECT\00004793.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.56:C:\RECYCLER\NPROTECT\00004794.MOZ -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.31:C:\RECYCLER\NPROTECT\00001365.MOZ -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.31:C:\RECYCLER\NPROTECT\00001366.MOZ -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.31:C:\RECYCLER\NPROTECT\00001367.MOZ -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.31:C:\RECYCLER\NPROTECT\00001411.MOZ -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.31:C:\RECYCLER\NPROTECT\00001570.MOZ -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.32:C:\RECYCLER\NPROTECT\00006916.MOZ -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.32:C:\RECYCLER\NPROTECT\00006917.MOZ -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.34:C:\RECYCLER\NPROTECT\00001347.MOZ -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.34:C:\RECYCLER\NPROTECT\00001348.MOZ -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.34:C:\RECYCLER\NPROTECT\00001358.MOZ -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.35:C:\RECYCLER\NPROTECT\00001346.MOZ -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.40:C:\RECYCLER\NPROTECT\00001571.MOZ -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.40:C:\RECYCLER\NPROTECT\00001572.MOZ -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.40:C:\RECYCLER\NPROTECT\00001573.MOZ -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.47:C:\RECYCLER\NPROTECT\00001345.MOZ -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.61:C:\RECYCLER\NPROTECT\00001344.MOZ -> TrackingCookie.Tribalfusion : Cleaned.
C:\Program Files\VirtualDub\vdub.exe -> Trojan.Delf.sp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP20\A0001204.exe -> Trojan.PdPinch.fo : Cleaned with backup (quarantined).


::Report end

The AVG program found several trojans that no other programs found, and also found the csrss.exe trojan in a scan I performed not in safe mode while I was waiting for a program to finish up.

Thank you so much for your help!!!! :angel: Should I give up on the other programs and only use AVG?

Thanks again!!!!

Mr_JAk3
2006-11-19, 15:42
Hi again, it is looking good now :)

Well, no scanner can find all the infections. You get best results by using multiple scanners.

I think that the following is a false positive:


C:\Program Files\VirtualDub\vdub.exe -> Trojan.Delf.sp : Cleaned with backup (quarantined).
Let's find out if it is...

Open AVG AntiSpyware
Infections
Select the following: C:\Program Files\VirtualDub\vdub.exe -> Trojan.Delf.sp : Cleaned with backup (quarantined).
Hit "Restore" and answer "Yes"
Close AVG

Go to virustotal.com (http://www.virustotal.com)
Click on the Browse button
Browse to the following file: C:\Program Files\VirtualDub\vdub.exe
Click Open and then on Send
Wait for the scan to end.

Copy & Paste the scan results to here.


C:\Program Files\BlindWrite 5.2.9 + Copytodvd 3.0.41 + Dvd Shrink 2.3 + DivxToDvd + PhotoDVD 1.0.1, Multilangues et cracks.rar/BlindWrite 5.2.9 + Copytodvd 3.0.41 + Dvd Shrink 2.3 + DivxToDvd + PhotoDVD 1.0.1\Photodvd 0.9.7 Fr\Crack.exe
The usage of cracks and pirated software is illegal and as you can see, it gets you infected.

Let me know how the computer is running...

goldengate
2006-11-19, 16:49
Virus Total is a very interesting website! Here are the results, what do you think...?

AntiVir 7.2.0.39 11.19.2006 no virus found
Authentium 4.93.8 11.17.2006 no virus found
Avast 4.7.892.0 11.18.2006 no virus found
AVG 386 11.18.2006 PSW.Generic2.RES
BitDefender 7.2 11.19.2006 no virus found
CAT-QuickHeal 8.00 11.18.2006 no virus found
ClamAV devel-20060426 11.18.2006 no virus found
DrWeb 4.33 11.19.2006 no virus found
eSafe 7.0.14.0 11.19.2006 no virus found
eTrust-InoculateIT 23.73.59 11.18.2006 no virus found
eTrust-Vet 30.3.3197 11.17.2006 no virus found
Ewido 4.0 11.19.2006 Trojan.Delf.sp
Fortinet 2.82.0.0 11.19.2006 no virus found
F-Prot 3.16f 11.17.2006 no virus found
F-Prot4 4.2.1.29 11.17.2006 no virus found
Ikarus 0.2.65.0 11.17.2006 no virus found
Kaspersky 4.0.2.24 11.19.2006 no virus found
McAfee 4899 11.18.2006 no virus found
Microsoft 1.1609 11.19.2006 no virus found
NOD32v2 1871 11.19.2006 no virus found
Norman 5.80.02 11.17.2006 no virus found
Panda 9.0.0.4 11.19.2006 no virus found
Prevx1 V2 11.19.2006 no virus found
Sophos 4.11.0 11.16.2006 no virus found
TheHacker 6.0.3.122 11.18.2006 no virus found
UNA 1.83 11.17.2006 no virus found
VBA32 3.11.1 11.19.2006 Trojan-PSW.Win32.Delf.sp
VirusBuster 4.3.15:9 11.18.2006 no virus found



Also, I ran another AVG scan last night in safe mode before I went to sleep... here is the log:

+ Created at: 7:27:21 AM 11/19/2006

+ Scan result:



C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP21\A0001255.exe -> Not-A-Virus.Downloader.Win32.DigStream : Cleaned.
C:\Documents and Settings\Rob\Cookies\rob@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Rob\Cookies\rob@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP21\A0001254.exe -> Trojan.Delf.sp : Cleaned.


::Report end

Last night I didn't use the computer at all except for iTunes... is it normal for more to appear?

Thanks again :)

Mr_JAk3
2006-11-20, 07:58
Hi again :)

Sorry for the delay...

I downloaded the latest version of VirtualDub and scanned the vdub.exe @ virustotal. Here are my results:


Complete scanning result of "vdub.exe", received in VirusTotal at 11.20.2006, 07:56:00 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.39 11.20.2006 no virus found
Authentium 4.93.8 11.17.2006 no virus found
Avast 4.7.892.0 11.18.2006 no virus found
AVG 386 11.20.2006 no virus found
BitDefender 7.2 11.20.2006 no virus found
CAT-QuickHeal 8.00 11.18.2006 no virus found
ClamAV devel-20060426 11.19.2006 no virus found
DrWeb 4.33 11.20.2006 no virus found
eSafe 7.0.14.0 11.19.2006 no virus found
eTrust-InoculateIT 23.73.59 11.18.2006 no virus found
eTrust-Vet 30.3.3203 11.20.2006 no virus found
Ewido 4.0 11.19.2006 no virus found
Fortinet 2.82.0.0 11.20.2006 no virus found
F-Prot 3.16f 11.17.2006 no virus found
F-Prot4 4.2.1.29 11.17.2006 no virus found
Ikarus 0.2.65.0 11.20.2006 no virus found
Kaspersky 4.0.2.24 11.20.2006 no virus found
McAfee 4899 11.18.2006 no virus found
Microsoft 1.1609 11.20.2006 no virus found
NOD32v2 1871 11.19.2006 no virus found
Norman 5.80.02 11.17.2006 no virus found
Panda 9.0.0.4 11.19.2006 no virus found
Prevx1 V2 11.20.2006 no virus found
Sophos 4.11.0 11.16.2006 no virus found
TheHacker 6.0.3.122 11.18.2006 no virus found
UNA 1.83 11.17.2006 no virus found
VBA32 3.11.1 11.19.2006 no virus found
VirusBuster 4.3.15:9 11.20.2006 no virus found

Additional Information
File size: 8704 bytes
MD5: 7c094fd6bf7ecc6fc1b2055007944cd7
SHA1: 624e3da9af0f3b847e8d972c921fb00a3fdb77b2

So your copy of VDub seems to be infected...
Did you download it from a trusted source?

Remove the following file:
C:\Program Files\VirtualDub\vdub.exe

Then you should uninstall the whole VirtualDub via Control Panel, Add/Remove Programs.

Remove the whole folder:
C:\Program Files\VirtualDub

Then you can download and install it again if you want.

AVG found just cookies and some infections from System restore.
You can block cookies with a hosts file and SpywareBlaster. I'll give instructions for these and for cleaning System Restore below...

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster, safer and better browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.

Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.

Read this article by TonyKlein (http://castlecops.com/postlite7736-.html)
So how did I get infected in the first place?

Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)

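The two VirusTotal result tables above (goldengate's scan of the suspect vdub.exe and Mr_JAk3's scan of a fresh download) were compared by eye, and the clean copy's MD5/SHA1 were posted but never checked against the user's file. The script below, an added example that is not code from the thread or from VirtualDub, does both steps mechanically: it parses the pasted VirusTotal text layout into engine/result pairs, counts the engines that flagged the file, hashes a suspect binary and compares it with the reference hashes, and turns the thread's reasoning into a single verdict. The sample report lines are copied from the thread but truncated; the byte strings standing in for a real executable are constructed; and the reference hashes are only meaningful if the suspect copy is the same VirtualDub version as the one Mr_JAk3 downloaded.

```python
"""Triage helper for the workflow in the thread: submit a suspect binary to
VirusTotal, then compare it with a fresh copy of the same program.
Added example, not code from the thread or from the VirtualDub project."""
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed sample in the 2006 VirusTotal text layout the posts paste:
# "<engine> <version> <update mm.dd.yyyy> <result>". The three flagged engines
# and labels are the ones reported for the suspect vdub.exe; the list is truncated.
SUSPECT_VT_REPORT = """\
Antivirus Version Update Result
AntiVir 7.2.0.39 11.19.2006 no virus found
AVG 386 11.18.2006 PSW.Generic2.RES
Ewido 4.0 11.19.2006 Trojan.Delf.sp
Kaspersky 4.0.2.24 11.19.2006 no virus found
VBA32 3.11.1 11.19.2006 Trojan-PSW.Win32.Delf.sp
VirusBuster 4.3.15:9 11.18.2006 no virus found
"""

# Hashes Mr_JAk3 posted for vdub.exe from the then-current VirtualDub download.
# Assumption: only comparable if the suspect file is the same release.
REFERENCE_VDUB = {
    "md5": "7c094fd6bf7ecc6fc1b2055007944cd7",
    "sha1": "624e3da9af0f3b847e8d972c921fb00a3fdb77b2",
}

_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+?)\s*$")


def parse_vt_report(text: str) -> List[Tuple[str, str]]:
    """Return (engine, result) pairs; header lines that do not fit the
    four-column layout are skipped rather than guessed at."""
    rows = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            rows.append((m.group(1), m.group(4)))
    return rows


def flagged_engines(rows: List[Tuple[str, str]]) -> Dict[str, str]:
    """Engines whose result is anything other than the clean verdict string."""
    return {eng: res for eng, res in rows if res.lower() != "no virus found"}


def detection_ratio(rows: List[Tuple[str, str]]) -> Tuple[int, int]:
    return len(flagged_engines(rows)), len(rows)


def file_hashes(data: bytes) -> Dict[str, str]:
    """MD5 and SHA-1 as VirusTotal printed them in 2006. MD5 is kept only to
    match that output; compare on SHA-1 (or stronger) where you can."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def hash_file(path: str) -> Dict[str, str]:
    """Hash a file on disk in chunks so large binaries need not fit in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def matches_reference(data: bytes, reference: Dict[str, str]) -> bool:
    """True only if every hash given in `reference` matches the suspect bytes."""
    actual = file_hashes(data)
    return all(actual[k] == v.lower() for k, v in reference.items())


def verdict(hits: int, total: int, hash_match: bool) -> str:
    """The thread's reasoning as a rule: a byte-identical vendor file makes a
    few generic detections likely false positives; a file that differs from
    the vendor release and is flagged is treated as infected; one that differs
    but is unflagged still gets a clean reinstall, since scanners miss things."""
    if hash_match:
        return f"identical to vendor release; {hits}/{total} detections are likely false positives"
    if hits == 0:
        return "differs from vendor release but unflagged; reinstall from a trusted download anyway"
    return f"differs from vendor release and {hits}/{total} engines flag it; treat as infected"


# Constructed stand-ins for a binary so the example runs without the real file.
CLEAN_SAMPLE = b"MZ\x90\x00" + b"vdub-clean" * 16
TAMPERED_SAMPLE = CLEAN_SAMPLE + b"\x90\x90\xcc"  # any appended bytes change every hash

if __name__ == "__main__":
    rows = parse_vt_report(SUSPECT_VT_REPORT)
    hits, total = detection_ratio(rows)
    print("flagged:", flagged_engines(rows))
    print(verdict(hits, total, matches_reference(TAMPERED_SAMPLE, file_hashes(CLEAN_SAMPLE))))
```

To use it on a real case, replace the constructed samples with `hash_file(r"C:\Program Files\VirtualDub\vdub.exe")` and compare against hashes you computed yourself from the vendor's download of the same version; a low detection count such as 3 of 29 is a weak signal on its own, and the hash mismatch is what turns it into a decision.
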
goldengate
2006-11-21, 03:23
THANK YOU again for all your help.....

You are definitely an ANGEL!!! :angel: :angel:

I hope that others are able to learn from this post.

Thanks again!!!

Mr_JAk3
2006-11-21, 08:50
That's great news and you're very welcome :D:

As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.

Glad we could help :2thumb: