
Google link hijack issue, Highjackthis log inside


This topic is locked
24 replies to this topic

#1 personalepitaph

personalepitaph

  • Members
  • 14 posts
  • Gender:Female
  • Location:birmingham, AL
  • Local time:02:04 PM

Posted 09 March 2009 - 02:58 PM

In my add remove programs I do see a program called searchassist. when trying to use addremove to remove this, the window simply closes.

Log below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:41:40 PM, on 3/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070822
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070822
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070822
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.0.0.134\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.0.0.134\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.0.0.134\coIEPlg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: $McRebootA5E6DEAA56$.lnk = C:\WINDOWS\system32\cmd.exe
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.0.0.134\coIEPlg.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\508\G2AWinLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\508\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe

--
End of file - 9627 bytes


#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:03:04 PM

Posted 21 March 2009 - 04:18 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 personalepitaph

personalepitaph
  • Topic Starter

  • Members
  • 14 posts
  • Gender:Female
  • Location:birmingham, AL
  • Local time:02:04 PM

Posted 21 March 2009 - 06:18 PM

Hi! The delay is no problem!

Sorry to say though, that the problem I'm having still exists. It's rather benign (or so it seems). When searching for something, say, "cheesecake" on google, I'll get the usual results, but when I click on a result, some of the time -- a good deal of the time -- I am redirected to another site. These sites range from yellowbook.com to cnn.com; once I even got a result that led me to a site to buy prescription meds from Mexico! Usually, the site is somewhat related to what I searched for in the first place, but not all the time. Porn sites are not involved (thank goodness!) This problem doesn't seem to repeat itself on dogpile, but did on yahoo.

To get rid of this, I've tried everything: I've run mbam, superantispyware, ad-aware, norton 360. I have updated my java. I have done everything short of running combofix, but I'm not dumb enough to do that without supervision. All of these scans return with 0 hits, throughout the duration of me trying to fix this rather annoying little problem.

I also can't seem to get dds.scr to run. I have disabled all of my a/v, but to no avail. I will double click the icon and it will not even load the window. It's as if I didn't double click at all.

#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • Gender:Male
  • Local time:03:04 PM

Posted 21 March 2009 - 08:45 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Let's see what we can do.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
If ComboFix does not run when you double click it, delete the copy. Then, download a new one. At the Save as box, save it as ComboFix123.exe and try again.

Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
In your next reply include:
-the ComboFix log
-the GMER scan log


With Regards,
The Panda

Edited by PropagandaPanda, 21 March 2009 - 08:46 PM.


#5 personalepitaph

personalepitaph
  • Topic Starter

  • Members
  • 14 posts
  • Gender:Female
  • Location:birmingham, AL
  • Local time:02:04 PM

Posted 21 March 2009 - 09:28 PM

I'm having to run combofix and gmer in safemode with networking. I've tried disabling all of my a/v, but I can't seem to get either working outside of safemode. Hopefully this won't be a problem. If it's not, let me know. I'll have both logs posted after running in safe mode shortly regardless.

#6 personalepitaph

personalepitaph
  • Topic Starter

  • Members
  • 14 posts
  • Gender:Female
  • Location:birmingham, AL
  • Local time:02:04 PM

Posted 21 March 2009 - 10:07 PM

Here are the two logs you requested.

Combofix

ComboFix 09-03-19.02 - Aya 2009-03-21 21:00:12.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.2697 [GMT -5:00]
Running from: c:\documents and settings\Aya\Desktop\ComboFix123.exe
AV: Norton 360 *On-access scanning disabled* (Updated)
FW: Norton 360 *disabled*
.

((((((((((((((((((((((((( Files Created from 2009-02-22 to 2009-03-22 )))))))))))))))))))))))))))))))
.

2009-03-19 15:07 . 2009-03-19 15:07 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-19 15:07 . 2009-03-19 15:07 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-17 12:28 . 2009-03-21 20:53 <DIR> d-------- c:\documents and settings\LocalService\Application Data\WTablet
2009-03-17 12:26 . 2008-10-30 10:50 172,840 --a------ c:\windows\system32\Wintab32.dll
2009-03-17 12:23 . 2009-03-21 20:52 <DIR> d-------- c:\documents and settings\Aya\Application Data\WTablet
2009-03-16 16:37 . 2009-03-16 16:37 <DIR> d-------- c:\program files\iPod
2009-03-16 16:37 . 2009-03-16 16:37 <DIR> d-------- c:\program files\Bonjour
2009-03-16 16:37 . 2009-03-16 16:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-16 16:36 . 2009-03-16 16:36 <DIR> d-------- c:\program files\QuickTime
2009-03-16 16:35 . 2009-03-16 16:35 <DIR> d-------- c:\program files\Apple Software Update
2009-03-16 16:34 . 2009-03-05 23:59 1,900,544 --a------ c:\windows\system32\usbaaplrc.dll
2009-03-16 03:00 . 2009-03-16 03:00 <DIR> d-------- C:\rsit
2009-03-13 04:16 . 2009-03-13 04:16 <DIR> d-------- c:\documents and settings\Aya\WINDOWS
2009-03-13 04:16 . 1998-01-23 12:22 304,128 --a------ c:\windows\IsUninst.exe
2009-03-13 04:16 . 2001-07-31 04:19 13,408 --a------ c:\windows\system32\tabinst.dll
2009-03-13 04:16 . 1999-04-15 08:41 4,032 --a------ c:\windows\system32\tabins16.dll
2009-03-13 04:06 . 2009-03-17 12:26 <DIR> d-------- c:\windows\system32\WTablet
2009-03-13 04:06 . 2008-10-30 10:59 6,525,736 --a------ c:\windows\system32\WacomTablet.cpl
2009-03-13 04:06 . 2008-10-30 11:13 2,749,224 --a------ c:\windows\system32\Wacom_Tablet.exe
2009-03-13 04:06 . 2008-09-30 13:38 1,651,788 --a------ c:\windows\system32\WacomTablet.znc
2009-03-13 04:06 . 2008-10-30 11:00 182,056 --a------ c:\windows\system32\Wacom_Tablet.dll
2009-03-13 04:06 . 2008-10-06 11:53 15,656 --a------ c:\windows\system32\drivers\wacmoumonitor.sys
2009-03-13 04:06 . 2008-07-11 11:16 13,352 --a------ c:\windows\system32\drivers\wacomvhid.sys
2009-03-13 04:06 . 2007-02-15 16:11 11,440 --a------ c:\windows\system32\drivers\WacomVKHid.sys
2009-03-13 04:06 . 2007-02-16 11:12 11,312 --a------ c:\windows\system32\drivers\wacommousefilter.sys
2009-03-13 04:05 . 2009-03-17 12:26 <DIR> d-------- c:\program files\Tablet
2009-03-09 23:00 . 2009-03-17 11:55 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-09 23:00 . 2009-03-09 23:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-09 22:29 . 2009-03-09 22:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-09 22:28 . 2009-03-09 22:28 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-09 22:28 . 2009-03-09 22:28 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-09 22:28 . 2009-03-09 22:28 <DIR> d-------- c:\documents and settings\Aya\Application Data\SUPERAntiSpyware.com
2009-03-09 22:27 . 2009-03-09 22:27 1,339,460 --a------ C:\MGtools.exe
2009-03-09 14:25 . 2009-03-09 14:25 <DIR> d-------- c:\program files\Trend Micro
2009-03-09 14:13 . 2009-03-09 14:13 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-09 14:13 . 2009-03-09 14:13 <DIR> d-------- c:\documents and settings\Aya\Application Data\Malwarebytes
2009-03-09 14:13 . 2009-03-09 14:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-09 14:13 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-09 14:13 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-09 13:41 . 2008-11-06 02:03 <DIR> d-------- C:\SDFix
2009-03-08 17:12 . 2009-03-08 17:12 <DIR> d-------- c:\windows\system32\drivers\N360
2009-03-08 17:12 . 2009-03-08 17:12 <DIR> d-------- c:\program files\Windows Sidebar
2009-03-08 17:12 . 2009-03-08 17:12 <DIR> d-------- c:\program files\Symantec
2009-03-08 17:12 . 2009-03-08 17:12 <DIR> d-------- c:\program files\NortonInstaller
2009-03-08 17:12 . 2009-03-08 17:12 <DIR> d-------- c:\program files\Norton 360
2009-03-08 17:12 . 2009-03-08 17:26 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2009-03-08 17:12 . 2009-03-09 02:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-03-08 17:12 . 2009-03-08 17:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-08 17:12 . 2009-03-08 17:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2009-03-08 17:12 . 2009-03-08 17:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-03-08 17:12 . 2009-03-08 17:12 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-08 17:12 . 2009-03-08 17:12 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2009-03-08 17:12 . 2009-03-08 17:12 36,400 -ra------ c:\windows\system32\drivers\SymIM.sys
2009-03-08 17:12 . 2009-03-08 17:12 7,386 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-08 17:12 . 2009-03-08 17:12 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2009-03-08 17:00 . 2009-03-08 17:00 <DIR> d-------- c:\documents and settings\All Users\Symantec Temporary Files
2009-03-08 14:35 . 2009-03-08 14:35 <DIR> d-------- c:\windows\system32\scripting
2009-03-08 14:35 . 2009-03-08 14:35 <DIR> d-------- c:\windows\system32\en
2009-03-08 14:35 . 2009-03-08 14:35 <DIR> d-------- c:\windows\system32\bits
2009-03-08 14:35 . 2009-03-08 14:35 <DIR> d-------- c:\windows\l2schemas
2009-03-08 14:34 . 2009-03-08 14:34 <DIR> d-------- c:\windows\ServicePackFiles
2009-03-08 14:04 . 2009-03-08 14:03 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-03-08 13:59 . 2009-03-08 13:59 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-07 18:49 . 2009-03-07 18:50 <DIR> d-------- c:\program files\Common Files\AOL
2009-03-07 18:43 . 2009-03-07 18:49 <DIR> d-------- c:\program files\AIM6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-22 00:13 --------- d-----w c:\program files\Mozilla Thunderbird
2009-03-21 23:40 --------- d-----w c:\program files\Azureus
2009-03-21 23:40 --------- d-----w c:\documents and settings\Aya\Application Data\Azureus
2009-03-19 20:07 --------- d-----w c:\program files\Java
2009-03-17 03:54 --------- d-----w c:\program files\Semagic
2009-03-16 21:38 --------- d-----w c:\program files\iTunes
2009-03-16 21:37 --------- d-----w c:\program files\Common Files\Apple
2009-03-09 04:58 --------- d-----w c:\program files\World of Warcraft
2009-03-08 21:59 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-03-08 18:58 --------- d-----w c:\program files\Lavasoft
2009-03-07 23:50 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-03-07 23:49 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2009-03-06 04:59 36,864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:13 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-03 02:16 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-17 03:35 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-04-16 22:19 61,224 ----a-w c:\documents and settings\Aya\GoToAssistDownloadHelper.exe
2008-01-23 20:25 32 ----a-r c:\documents and settings\All Users\hash.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 576320]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-08 515416]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-06 177472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-19 148888]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-01-20 c:\windows\KHALMNPR.Exe]
"SigmatelSysTrayApp"="stsystra.exe" [2007-04-12 c:\windows\stsystra.exe]
"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
$McRebootA5E6DEAA56$.lnk - c:\windows\system32\cmd.exe [2005-08-16 389120]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-04-16 17:19 10536 c:\program files\Citrix\GoToAssist\508\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2007-10-04 11:58 184320 c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"aux"= c:\windows\system32\..\usclrsu.yxt

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
--a------ 2004-02-19 06:23 61440 c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
--------- 2003-06-18 01:00 45056 c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2007-03-15 12:09 460784 c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2006-08-17 09:00 1116920 c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2005-11-08 05:30 16384 c:\windows\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2006-03-01 21:00 18944 c:\windows\system32\CTXFIHLP.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-08 64160]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0300000.086\SymEFA.sys [2009-03-08 17:12:33 310320]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-03-13 15656]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0300000.086\BHDrvx86.sys [2009-03-08 17:12:33 258608]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0300000.086\cchpx86.sys [2009-03-08 17:12:33 482352]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090310.003\IDSXpx86.sys [2009-03-11 276344]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe [2009-03-08 115560]
S2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2009-03-13 2749224]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-08 101936]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-16 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-08 14:03]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070822
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070822
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Copy to Semagic - c:\program files\Semagic\copy.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Semagic - c:\program files\Semagic\link.htm
Trusted Zone: internet
Trusted Zone: mcafee.com
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\Norton 360\Engine\3.0.0.134\CoIEPlg.dll
FF - ProfilePath - c:\documents and settings\Aya\Application Data\Mozilla\Firefox\Profiles\ic46rm51.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-21 21:00:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.0.0.134\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-558030912-296881327-808387747-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:03,8e,90,61,22,fc,50,fc,34,f1,aa,cb,b9,6b,ec,f2,8c,68,0f,ee,f7,f9,4e,
e2,63,73,2f,b7,25,1b,20,c5,eb,2f,33,81,3a,ec,35,5b,2f,43,21,61,53,23,1b,03,\
"??"=hex:8a,c2,d2,e8,82,0c,99,e7,d0,89,32,25,35,3f,a0,71

[HKEY_USERS\S-1-5-21-558030912-296881327-808387747-1005\Software\SecuROM\License information*]
"datasecu"=hex:6b,6e,8a,d4,8c,66,b4,a2,9d,48,4a,02,7e,8b,89,1e,e5,09,08,43,21,
f2,9e,e1,ef,ea,a9,4b,00,53,83,81,88,2d,39,37,dd,6b,d2,86,e5,9d,f2,c2,7f,f6,\
"rkeysecu"=hex:e2,26,6d,94,9c,ba,ad,1d,64,79,70,1b,d8,19,de,23
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(856)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Citrix\GoToAssist\508\G2AWinLogon.dll
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
.
Completion time: 2009-03-21 21:02:00
ComboFix-quarantined-files.txt 2009-03-22 02:01:53

Pre-Run: 675,251,585,024 bytes free
Post-Run: 675,260,620,800 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

254 --- E O F --- 2009-03-21 08:01:44

GMER

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2009-03-21 22:04:43
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.12 ----

SSDT Lbd.sys ZwCreateKey
SSDT spve.sys ZwEnumerateKey
SSDT spve.sys ZwEnumerateValueKey
SSDT spve.sys ZwOpenKey
SSDT spve.sys ZwQueryKey
SSDT spve.sys ZwQueryValueKey
SSDT Lbd.sys ZwSetValueKey

---- Kernel code sections - GMER 1.0.12 ----

.text USBPORT.SYS!DllUnload BA5AC8AC 5 Bytes JMP 8AD001D8
.text ayub5me3.SYS BA489384 1 Byte [ 20 ]
.text ayub5me3.SYS BA489386 35 Bytes [ 00, 68, 00, 00, 00, 00, 00, ... ]
.text ayub5me3.SYS BA4893AA 24 Bytes [ 00, 00, 20, 00, 00, E0, 00, ... ]
.text ayub5me3.SYS BA4893C4 3 Bytes [ 00, 00, 00 ]
.text ayub5me3.SYS BA4893C9 1 Byte [ 00 ]
.text ...

---- Devices - GMER 1.0.12 ----

---- Registry - GMER 1.0.12 ----

Reg \Registry\USER\S-1-5-21-558030912-296881327-808387747-1005\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY@?? 0x03 0x8E 0x90 0x61 ...
Reg \Registry\USER\S-1-5-21-558030912-296881327-808387747-1005\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY@?? 0x8A 0xC2 0xD2 0xE8 ...
Reg \Registry\USER\S-1-5-21-558030912-296881327-808387747-1005\Software\SecuROM\License information@datasecu 0x6B 0x6E 0x8A 0xD4 ...
Reg \Registry\USER\S-1-5-21-558030912-296881327-808387747-1005\Software\SecuROM\License information@rkeysecu 0xE2 0x26 0x6D 0x94 ...

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\Aya\Desktop\Logs\Untitled1.dmsd:Roxio EMC Stream

---- EOF - GMER 1.0.12 ----


#7 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:04 PM

Posted 22 March 2009 - 10:44 AM

Hello.

Let's finish that off.

Run ComboFix with CFScript
We will run ComboFix again with a script.

If ComboFix reboots your computer, allow it to boot into normal mode, even if it will crash.
  • Close any open browsers.
  • Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    Folder::
    c:\windows\system32\..
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=-
    
    Dirlook::
    c:\documents and settings\Aya\WINDOWS
  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Are you still unable to boot into normal mode?

With Regards,
The Panda
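The Folder:: line in that script is the one worth a second look: `c:\windows\system32\..` is a literal path that resolves to `c:\windows`. As an added example (not ComboFix's own code; the section parser and the PROTECTED list are assumptions for illustration), here is a small Python check that splits a CFScript into its sections and flags any Folder:: target that resolves somewhere other than where it literally reads, or into a protected system directory:

```python
import ntpath

# Constructed sample: the CFScript text from the post above.
SAMPLE_SCRIPT = """Folder::
c:\\windows\\system32\\..

Registry::
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\drivers32]
"aux"=-

Dirlook::
c:\\documents and settings\\Aya\\WINDOWS
"""

# Illustrative list of directories a removal script must never resolve to
# (an assumption for this example, not ComboFix's own rules).
PROTECTED = {r"c:\windows", r"c:\windows\system32"}


def parse_cfscript(text):
    """Split a CFScript into {section_name: [entry, ...]} on 'Name::' headers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def check_folder_targets(text):
    """Return one record per Folder:: entry: the literal text, the path it
    actually resolves to, and whether it traverses ('..' or '.') or lands
    in a protected directory. ntpath works on any host, so this runs offline."""
    records = []
    for literal in parse_cfscript(text).get("Folder", []):
        resolved = ntpath.normpath(literal).lower()
        records.append({
            "literal": literal,
            "resolved": resolved,
            "traversal": resolved != literal.lower(),
            "protected": resolved in PROTECTED,
        })
    return records


if __name__ == "__main__":
    for rec in check_folder_targets(SAMPLE_SCRIPT):
        print(rec)  # the sample entry resolves to c:\windows: traversal and protected
```

Run against the sample script, the single Folder:: entry is reported with resolved `c:\windows` and both flags set; a plain path such as `c:\temp\junk` passes with both flags false.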

#8 personalepitaph

personalepitaph
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:birmingham, AL
  • Local time:02:04 PM

Posted 22 March 2009 - 11:26 AM

Combofix is running just fine right now in normal mode :thumbup2: I'll have that log posted soon.
If you don't mind me asking, PP, what exactly does it look like is going on?

#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:04 PM

Posted 22 March 2009 - 11:33 AM

Hello personalepitaph.

It appears that an infection has added a driver to load automatically at startup, though I can't be sure at the moment.

I'll take a look at the files ComboFix removed next round.

Please tell me if Google results are still hijacked after this ComboFix run.

With Regards,
The Panda

#10 personalepitaph

personalepitaph
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:birmingham, AL
  • Local time:02:04 PM

Posted 22 March 2009 - 11:58 AM

Okay, this is making me a little nervous.
Combofix is still running, and windows just popped up a window that states:

Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files.

Insert your Windows XP Professional CD2 now
(retry) (more information) (cancel)

what should I do?

And if it helps, I'm posting this from a separate computer just to avoid confusion.

#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:04 PM

Posted 22 March 2009 - 12:07 PM

Hello.

Select cancel and ignore the warning please.

With Regards,
The Panda

#12 personalepitaph

personalepitaph
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:birmingham, AL
  • Local time:02:04 PM

Posted 22 March 2009 - 12:49 PM

The window has popped up again, this time reading

Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability Windows must restore the original versions of these files.

The network location from which the files should be copied, C:\WINDOWS\ServicePackFiles\i386/gdplus.man, is not available

Contact your system administrator or insert Windows XP KB938464 Source Files now.


This time I cannot cancel the notice, as it just disregards my action and stays there.


In addition to this, ComboFix seems to have stalled. It looked like it was deleting my whole c:\windows\system32\.. folder!

What I can see on the ComboFix screen is as follows:

c:\windows\system32\..
Completed Stage_1
Completed Stage_2
Completed Stage_3
Completed Stage_4
Completed Stage_5
Completed Stage_6
Completed Stage_7
Completed Stage_8
Completed Stage_9
Completed Stage_10
Completed Stage_12
Completed Stage_13
Completed Stage_14
Completed Stage_15
Completed Stage_16

' .CFEXE; .COM; .EXE; .BAT; .CMD; .UBS; .UBE; .JS; .JSE; WSF; .WSH' is not recognized as an internal or external command, operable program or batch file.
Completed Stage_1

this doesn't look good at all!! :thumbup2:

Edited by personalepitaph, 22 March 2009 - 12:50 PM.


#13 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:04 PM

Posted 22 March 2009 - 01:19 PM

Hello.

ComboFix did not delete the system32. It removed a subfolder "system32\..\". The folder ".." was being removed.

Please click the X on the ComboFix screen.

Reboot your computer. Take a new DDS log and we'll go from there.

With Regards,
The Panda

#14 personalepitaph

personalepitaph
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:birmingham, AL
  • Local time:02:04 PM

Posted 22 March 2009 - 01:23 PM

Tried rebooting. Got this screen:

Windows could not start because the following file is missing or corrupt:

<Windows root>\system32\hal.dll
please reinstall a copy of the above file

#15 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:04 PM

Posted 22 March 2009 - 01:27 PM

Hello.

Please give me some time to look this over.

I'm running a test on a Virtual Machine. ComboFix may have misinterpreted the script directive.

With Regards,
The Panda

