iexplore.exe works under system and HJT couldnt see it

H

hemlock00

New member
hi guys.

whenever i start my computer iexplore.exe works under system. there was a lot of exes such as algs.exe spoolsvc.exe gvyfeq.exe and some random names exes coming under my system32 folder. i have a sygate personal firewall and it doesn't work now. i think it is blocked by some malware. here is my hjt log

Logfile of HijackThis v1.99.1
Scan saved at 20:24:22, on 12/04/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\csrss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\System32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
h:\program files\internet explorer\iexplore.exe
H:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\System32\alg.exe
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
H:\WINDOWS\runservice.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
H:\WINDOWS\System32\taskmgr.exe
H:\WINDOWS\System32\ctfmon.exe
F:\hijackthis\ogan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - h:\program files\google\googletoolbar4.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - H:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Stumble&Upon - {22D003CE-6952-46C5-80B9-D19B479620AB} - H:\WINDOWS\System32\s1939.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - H:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - h:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O8 - Extra context menu item: Download all with Free Download Manager - file://H:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://H:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://H:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon: &Blog This - res://H:\WINDOWS\System32\s1939.dll/blogimage
O9 - Extra button: Arastir - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: *.stumbleupon.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{076906E4-8FA8-4359-A04F-BF16F404E404}: NameServer = 85.255.116.151,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{40C2DE37-E67D-413A-BDB1-28E4843CF41D}: NameServer = 85.255.116.151,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{41C6D82A-159E-4006-8ED5-DA50DE458B80}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{49CC645E-1B8B-4750-BF99-969A10E1C080}: NameServer = 85.255.116.151,85.255.112.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.151 85.255.112.20
O17 - HKLM\System\CS1\Services\Tcpip\..\{076906E4-8FA8-4359-A04F-BF16F404E404}: NameServer = 85.255.116.151,85.255.112.20
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.151 85.255.112.20
O17 - HKLM\System\CS2\Services\Tcpip\..\{076906E4-8FA8-4359-A04F-BF16F404E404}: NameServer = 85.255.116.151,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.151 85.255.112.20
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - Unknown owner - H:\WINDOWS\ATKKBService.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Unknown owner - H:\Program Files\Sygate\SPF\smc.exe

your help is needed. thanks
 
Hi hemlock00

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

  • Save it to your desktop and run it. Click Next, then Install, make sure Run fixit is checked and click Finish.
  • The fix will begin; follow the prompts.
  • You will be asked to reboot your computer; please do so.
  • Your system may take longer than usual to load; this is normal.
  • Once the desktop loads, post the text that will open (report.txt) and a new Hijackthis log in the forum please.
 
thank you Shaba.

here is fixwareout log.

Fixwareout Last edited 4/5/2007
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="cswfk.exe"

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "xedocne" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "gib_ogol" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "repiwoh" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "llun" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "golmedi" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "23plhps" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "mgcppp" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "tesvaf" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "32refaselif" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "putesprpgd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "0mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1mdm" Deleted
....
»»»»» Misc files.
H:\WINDOWS\Help\SPAlert.chm Deleted
H:\WINDOWS\System32\drivers\zpmodemnt.sys Deleted
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="\"H:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
 
and new HJT log

Logfile of HijackThis v1.99.1
Scan saved at 10:07:53, on 13/04/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\System32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Sygate\SPF\smc.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
H:\WINDOWS\runservice.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\notepad.exe
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\WINDOWS\System32\taskmgr.exe
F:\hijackthis\ogan.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - H:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Stumble&Upon - {22D003CE-6952-46C5-80B9-D19B479620AB} - H:\WINDOWS\System32\s1939.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O8 - Extra context menu item: Download selected with Free Download Manager - file://H:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://H:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon: &Blog This - res://H:\WINDOWS\System32\s1939.dll/blogimage
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{41C6D82A-159E-4006-8ED5-DA50DE458B80}: NameServer = 192.168.0.1
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - Unknown owner - H:\WINDOWS\ATKKBService.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - H:\Program Files\Sygate\SPF\smc.exe
 
Hi

Update AVG anti-spyware, don't scan yet

Boot in safe mode

Do a complete system scan with AVG a-s and save report

Re-run fixwareout

Post:

- a fresh HijackThis log
- AVG a-s report
- fixwareout report
 
sorry for delay.

here is AVG log

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:49:43 13/04/2007

+ Scan result:



Nothing found.



::Report end

fixvare

Fixwareout Last edited 4/5/2007
Post this report in the forums please
...
»»»»»Prerun check

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="\"H:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
 
hijack

Logfile of HijackThis v1.99.1
Scan saved at 11:53:08, on 13/04/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\System32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Sygate\SPF\smc.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
H:\WINDOWS\runservice.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\notepad.exe
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\WINDOWS\System32\wuauclt.exe
F:\hijackthis\ogan.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - H:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Stumble&Upon - {22D003CE-6952-46C5-80B9-D19B479620AB} - H:\WINDOWS\System32\s1939.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O8 - Extra context menu item: Download selected with Free Download Manager - file://H:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://H:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon: &Blog This - res://H:\WINDOWS\System32\s1939.dll/blogimage
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{41C6D82A-159E-4006-8ED5-DA50DE458B80}: NameServer = 192.168.0.1
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - Unknown owner - H:\WINDOWS\ATKKBService.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - H:\Program Files\Sygate\SPF\smc.exe

it seems clear now but i tried panda active online scan before it founds some malware. and i used sdfix before we talked. when i ran cathme.bat it founds two hidden files. maybe i'm a bit paranoid so do you think my pc is safe now?
 
Hi

We can run some rootkit scan a bit later.

Next please run panda scan and post its log along with a fresh HijackThis log :)
 
results for panda active scan


Incident Status Location

Adware:adware/webattaker Not disinfected h:\windows\uniq
Potentially unwanted tool:Application/Processor Not disinfected C:\Downloads\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Downloads\SmitfraudFix\Process.exe
Spyware:Cookie/Go Not disinfected H:\Documents and Settings\ogan\Application Data\Mozilla\Firefox\Profiles\tvz9nn9p.default\cookies.txt[.go.com/]
Potentially unwanted tool:Application/NirCmd.A Not disinfected H:\fixwareout\FindT\nircmd.exe
Potentially unwanted tool:Application/Processor Not disinfected H:\Program Files\Free Download Manager\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected H:\SDFix\apps\Process.exe
 
Hi

Delete this:

h:\windows\uniq

Empty Recycle Bin

Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors NOW:

1) Antivir PersonalEdition Classic - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

* Download GMER from
here:
Unzip it and start GMER.exe
Click the rootkit-tab and click scan.

Once done, click the Copy button.
This will copy the results to clipboard.
Paste the results in your next reply along with a fresh HijackThis log.
 
thanx again shaba for your effort and help.

here is gmer log .

it is very long. so if you want it as a another txt file i can give. i cant attach txt file because it's 116kb.

GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-04-13 19:32:18
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.12 ----

SSDT \??\H:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwAllocateVirtualMemory
SSDT sptd.sys ZwCreateKey
SSDT \??\H:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwCreateThread
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT \??\H:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwMapViewOfSection
SSDT sptd.sys ZwOpenKey
SSDT \??\H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\H:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwProtectVirtualMemory
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT sptd.sys ZwSetValueKey
SSDT \??\H:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwShutdownSystem
SSDT \??\H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
SSDT \??\H:\WINDOWS\System32\drivers\wpsdrvnt.sys ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [ 06 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 150 805025CC 4 Bytes [ 30, 8B, 70, F8 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1B0 8050262C 4 Bytes [ B0, F0, 43, F8 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1E0 8050265C 4 Bytes [ F0, 86, 70, F8 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 228 805026A4 4 Bytes [ 4E, 48, 44, F8 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 230 805026AC 4 Bytes [ EE, 4B, 44, F8 ]
.text ...
? H:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F7C32A80 5 Bytes JMP 823691B8
? System32\Drivers\a1hiaqsr.SYS The system cannot find the file specified.
.text tcpip.sys!IPTransmit + 93E AAEF16A2 6 Bytes CALL F827DE50 Teefer.sys
.text tcpip.sys!IPTransmit + A35E AAEFB0C2 6 Bytes CALL F827DE50 Teefer.sys
.text tcpip.sys!IPSetIPSecStatus + 53A AAF0586C 6 Bytes CALL F827DE50 Teefer.sys
.text wanarp.sys F767E0C1 7 Bytes CALL F827DFA0 Teefer.sys
.text ntdll.dll!NtClose 77F5B5C8 5 Bytes JMP 720342BA
.text ntdll.dll!NtCreateProcess 77F5B728 5 Bytes JMP 72034445
.text ntdll.dll!NtCreateProcessEx 77F5B738 5 Bytes JMP 72034329
.text ntdll.dll!NtCreateSection 77F5B758 5 Bytes JMP 720342D8

---- User code sections - GMER 1.0.12 ----

.text H:\Program Files\MSN Messenger\msnmsgr.exe[468] kernel32.dll!SetUnhandledExceptionFilter 77E7E5A1 9 Bytes JMP 004DE392 H:\Program Files\MSN Messenger\msnmsgr.exe

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 823681D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 823681D8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CREATE 8207C1D8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CLOSE 8207C1D8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_READ 820AA33C
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_WRITE 8207C1D8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_INFORMATION 8207C1D8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_INFORMATION 8207C1D8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_EA 8207C1D8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_EA 8207C1D8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FLUSH_BUFFERS 8207C1D8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_VOLUME_INFORMATION 8207C1D8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_VOLUME_INFORMATION 8207C1D8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_DIRECTORY_CONTROL 8207C1D8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FILE_SYSTEM_CONTROL 8207C1D8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_DEVICE_CONTROL 8207C1D8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SHUTDOWN 8207C1D8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_LOCK_CONTROL 8207C1D8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CLEANUP 8207C1D8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_PNP 8207C1D8
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F8707220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F8707480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F87075A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F87075D0] wpsdrvnt.sys
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_CREATE 823DD1D8
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_CLOSE 823DD1D8
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_DEVICE_CONTROL 823DD1D8
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 823DD1D8
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_POWER 823DD1D8
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_SYSTEM_CONTROL 823DD1D8
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_PNP 823DD1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CREATE 823DB1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CLOSE 823DB1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_READ 823DB1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_WRITE 823DB1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_FLUSH_BUFFERS 823DB1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_DEVICE_CONTROL 823DB1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_INTERNAL_DEVICE_CONTROL 823DB1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SHUTDOWN 823DB1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_POWER 823DB1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SYSTEM_CONTROL 823DB1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_PNP 823DB1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CREATE 823DB1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CLOSE 823DB1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_READ 823DB1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_WRITE 823DB1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_FLUSH_BUFFERS 823DB1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_DEVICE_CONTROL 823DB1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_INTERNAL_DEVICE_CONTROL 823DB1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SHUTDOWN 823DB1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_POWER 823DB1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SYSTEM_CONTROL 823DB1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_PNP 823DB1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CREATE 823DB1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CLOSE 823DB1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_READ 823DB1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_WRITE 823DB1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_FLUSH_BUFFERS 823DB1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_DEVICE_CONTROL 823DB1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_INTERNAL_DEVICE_CONTROL 823DB1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SHUTDOWN 823DB1D8
 
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_POWER 823DB1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SYSTEM_CONTROL 823DB1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_PNP 823DB1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CREATE 823DB1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CLOSE 823DB1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_READ 823DB1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_WRITE 823DB1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_FLUSH_BUFFERS 823DB1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_DEVICE_CONTROL 823DB1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_INTERNAL_DEVICE_CONTROL 823DB1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SHUTDOWN 823DB1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_POWER 823DB1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SYSTEM_CONTROL 823DB1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_PNP 823DB1D8
Device \Driver\usbohci \Device\USBPDO-1 IRP_MJ_CREATE 823DD1D8
Device \Driver\usbohci \Device\USBPDO-1 IRP_MJ_CLOSE 823DD1D8
Device \Driver\usbohci \Device\USBPDO-1 IRP_MJ_DEVICE_CONTROL 823DD1D8
Device \Driver\usbohci \Device\USBPDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL 823DD1D8
Device \Driver\usbohci \Device\USBPDO-1 IRP_MJ_POWER 823DD1D8
Device \Driver\usbohci \Device\USBPDO-1 IRP_MJ_SYSTEM_CONTROL 823DD1D8
Device \Driver\usbohci \Device\USBPDO-1 IRP_MJ_PNP 823DD1D8
Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_CREATE 82072310
Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_CLOSE 82072310
Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_DEVICE_CONTROL 82072310
Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_INTERNAL_DEVICE_CONTROL 82072310
Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_POWER 82072310
Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_SYSTEM_CONTROL 82072310
Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_PNP 82072310
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F8707220] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F8707480] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F87075A0] wpsdrvnt.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F87075D0] wpsdrvnt.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_PNP 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_READ 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_WRITE 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_FLUSH_BUFFERS 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DEVICE_CONTROL 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_INTERNAL_DEVICE_CONTROL 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SHUTDOWN 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CLEANUP 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_POWER 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SYSTEM_CONTROL 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_PNP 8236B1D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_NAMED_PIPE 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_INFORMATION 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_INFORMATION 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_EA 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_EA 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_VOLUME_INFORMATION 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_VOLUME_INFORMATION 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DIRECTORY_CONTROL 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FILE_SYSTEM_CONTROL 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_LOCK_CONTROL 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLEANUP 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_MAILSLOT 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_SECURITY 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_SECURITY 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CHANGE 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_QUOTA 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_QUOTA 81F4B420
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 81F4B420
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 81E81BA4
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CREATE 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_READ 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_WRITE 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_FLUSH_BUFFERS 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_DEVICE_CONTROL 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_INTERNAL_DEVICE_CONTROL 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SHUTDOWN 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CLEANUP 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_POWER 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SYSTEM_CONTROL 8236B1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_PNP 8236B1D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_NAMED_PIPE 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_INFORMATION 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_INFORMATION 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_EA 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_EA 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_VOLUME_INFORMATION 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_VOLUME_INFORMATION 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DIRECTORY_CONTROL 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FILE_SYSTEM_CONTROL 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_LOCK_CONTROL 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLEANUP 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_MAILSLOT 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_SECURITY 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_SECURITY 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CHANGE 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_QUOTA 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_QUOTA 81F4B420
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 81F4B420
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_CREATE 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_CREATE_NAMED_PIPE 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_CLOSE 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_READ 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_WRITE 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_QUERY_INFORMATION 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_SET_INFORMATION 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_QUERY_EA 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_SET_EA 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_FLUSH_BUFFERS 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_QUERY_VOLUME_INFORMATION 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_SET_VOLUME_INFORMATION 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_DIRECTORY_CONTROL 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_FILE_SYSTEM_CONTROL 81EB1D20
 
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_DEVICE_CONTROL 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_INTERNAL_DEVICE_CONTROL 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_SHUTDOWN 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_LOCK_CONTROL 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_CLEANUP 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_CREATE_MAILSLOT 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_QUERY_SECURITY 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_SET_SECURITY 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_POWER 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_SYSTEM_CONTROL 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_DEVICE_CHANGE 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_QUERY_QUOTA 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_SET_QUOTA 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 IRP_MJ_PNP 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_NAMED_PIPE 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLOSE 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_READ 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_WRITE 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_INFORMATION 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_INFORMATION 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_EA 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_EA 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FLUSH_BUFFERS 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_VOLUME_INFORMATION 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_VOLUME_INFORMATION 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DIRECTORY_CONTROL 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FILE_SYSTEM_CONTROL 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CONTROL 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SHUTDOWN 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_LOCK_CONTROL 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLEANUP 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_MAILSLOT 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_SECURITY 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_SECURITY 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_POWER 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SYSTEM_CONTROL 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CHANGE 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_QUOTA 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_QUOTA 81EB1D20
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_PNP 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CREATE 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CREATE_NAMED_PIPE 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CLOSE 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_READ 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_WRITE 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_INFORMATION 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_INFORMATION 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_EA 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_EA 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_FLUSH_BUFFERS 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_VOLUME_INFORMATION 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_VOLUME_INFORMATION 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_DIRECTORY_CONTROL 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_FILE_SYSTEM_CONTROL 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_DEVICE_CONTROL 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_INTERNAL_DEVICE_CONTROL 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SHUTDOWN 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_LOCK_CONTROL 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CLEANUP 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CREATE_MAILSLOT 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_SECURITY 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_SECURITY 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_POWER 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SYSTEM_CONTROL 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_DEVICE_CHANGE 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_QUOTA 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_QUOTA 81EB1D20
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_PNP 81EB1D20
 
and new hjt log. i feel like i'm a spammer . :)

Logfile of HijackThis v1.99.1
Scan saved at 19:34:11, on 13/04/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\System32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Sygate\SPF\smc.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
H:\WINDOWS\runservice.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\WINDOWS\System32\ctfmon.exe
H:\Program Files\MSN Messenger\msnmsgr.exe
H:\Program Files\uTorrent\utorrent.exe
H:\PROGRA~1\FREEDO~1\fdm.exe
H:\WINDOWS\System32\taskmgr.exe
H:\WINDOWS\system32\notepad.exe
F:\hijackthis\ogan.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - H:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Stumble&Upon - {22D003CE-6952-46C5-80B9-D19B479620AB} - H:\WINDOWS\System32\s1939.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O8 - Extra context menu item: Download selected with Free Download Manager - file://H:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://H:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Microsoft Excel'e Gö&nder - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon: &Blog This - res://H:\WINDOWS\System32\s1939.dll/blogimage
O15 - Trusted Zone: *.stumbleupon.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{41C6D82A-159E-4006-8ED5-DA50DE458B80}: NameServer = 192.168.0.1
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - H:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - Unknown owner - H:\WINDOWS\ATKKBService.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - H:\Program Files\Sygate\SPF\smc.exe
 
Hi

Then you're clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors NOW:

1) Antivir PersonalEdition Classic - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

  • Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

Reenable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources


  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.

    This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:

    Instructions for - Spybot S & D and Ad-aware

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
  • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean!
 
Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
 
You must log in or register to reply here.
Back
Top