Ie Homepage Hijacked/ Unable To Boot Into Safe Mode


19 replies to this topic

#1 Rykon

Rykon

  • Members
  • 10 posts

Posted 02 August 2006 - 01:21 PM

After I attempted to run a key generator, the exe deleted itself and the problems began. I started receiving the Windows alert popups instructing me to purchase bogus antivirus software. My Internet Explorer homepage was also hijacked and boots up to www.syssecuritypage.com/ along with a message telling me that it's been infected with W32.Myzor.Fk@yf. There's also a system alert in the system tray. The worst part of all of this is finding out that I'm now unable to boot into Safe Mode; when I attempt to do this, explorer.exe is automatically closed, and when I attempt to boot it, it closes within 5 seconds.

Here's my most recent HJT log; any help is greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 11:19:22 AM, on 8/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\isnotify.exe
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\AOL\1144519743\ee\AOLSoftware.exe
C:\Program Files\ipwins\ipwins.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ASEMBL~1\winword.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dion.DERRIN-DION\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: (no name) - {B242B74C-71A8-5A2B-DF8E-5317C6F45F97} - C:\WINDOWS\system32\zbnkf.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Alcohol Toolbar - {DC59A0D4-0ED6-4A73-B356-1B977F2A7725} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1144519743\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [IPHSend] "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [IpWins] "C:\Program Files\ipwins\ipwins.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Cwoe] "C:\WINDOWS\system32\ASEMBL~1\winword.exe" -vt yax
O4 - HKCU\..\Run: [Bplekyl] C:\DOCUME~1\DION~1.DER\APPLIC~1\CROSOF~1\LGONUI~1.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'w2pxdrv.dll' missing
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...0/installer.exe
O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} (Quantum Streaming IE VersionManager Class) - http://qmedia.xlontech.net/100170/sdk/late...2ie06041001.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\system32\chkntfs.dll C:\WINDOWS\system32\mshta.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Edited by KoanYorel, 02 August 2006 - 03:08 PM.



#2 didom

didom

  • Members
  • 1,389 posts
  • Gender:Male

Posted 03 August 2006 - 09:22 AM

Hi,

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Jotti File Submission:
  • Make sure all hidden files are showing
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
    • C:\WINDOWS\system32\chkntfs.dll
  • Click on the submit button
  • Do the same for these files:
    • C:\WINDOWS\system32\mshta.dll
    • C:\WINDOWS\system32\ASEMBL~1\winword.exe
  • Please post the results in your next reply.
----------------

Can you rename HijackThis.exe to Analyse.exe?
Right-click HijackThis.exe and choose Rename.
Then reboot and, after the reboot, double-click Analyse.exe and post the log it creates in your next reply (this will be a HijackThis log, of course).

#3 Rykon

Rykon
  • Topic Starter

  • Members
  • 10 posts

Posted 03 August 2006 - 02:39 PM

OK, I ran the three files through Jotti and these were the results:
For C:\WINDOWS\system32\chkntfs.dll and C:\WINDOWS\system32\mshta.dll

I received this message: "The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file."

When I uploaded C:\WINDOWS\system32\ASEMBL~1\winword.exe I got this response:

File: winword.exe
Status:
INFECTED/MALWARE
MD5 2dca36999e52773ecda0b36e7308da9f
Packers detected: UPX

Scanner results:
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found Trojan.PurityScan.BJ
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found W32/EV!tr.dldr
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found Backdoor.Rbot.2 (paranoid heuristics) (probable variant)


And here's the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:33:37 PM, on 8/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\system32\ismon.exe
C:\WINDOWS\system32\isnotify.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\AOL\1144519743\ee\AOLSoftware.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\{8002291B-07D9-1033-0105-060823050001}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ASEMBL~1\winword.exe
C:\DOCUME~1\DION~1.DER\APPLIC~1\CROSOF~1\LGONUI~1.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Dion.DERRIN-DION\Desktop\analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: (no name) - {B242B74C-71A8-5A2B-DF8E-5317C6F45F97} - C:\WINDOWS\system32\zbnkf.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Alcohol Toolbar Helper - {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\system32\ixt0.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {B242B74C-71A8-5A2B-DF8E-5317C6F45F97} - C:\WINDOWS\system32\zbnkf.dll
O2 - BHO: (no name) - {B69033BC-DD94-408B-A449-FFDDFFF7EDFF} - C:\WINDOWS\system32\mljgd.dll
O2 - BHO: (no name) - {B7F2B6BE-6F84-4610-9157-4D75414792A2} - (no file)
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O2 - BHO: (no name) - {CD2AF172-6AC0-1E1C-B8B1-45B6ACE22897} - C:\WINDOWS\system32\hswvst.dll (file missing)
O2 - BHO: (no name) - {E521797A-22DE-4B46-8B2F-8E98AB77B942} - C:\WINDOWS\system32\byxvtur.dll
O2 - BHO: (no name) - {F8A082AE-36F7-40BC-A2B8-D7390F04285F} - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Alcohol Toolbar - {DC59A0D4-0ED6-4A73-B356-1B977F2A7725} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\Safety Bar.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1144519743\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [IPHSend] "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Cwoe] "C:\WINDOWS\system32\ASEMBL~1\winword.exe" -vt yax
O4 - HKCU\..\Run: [Bplekyl] C:\DOCUME~1\DION~1.DER\APPLIC~1\CROSOF~1\LGONUI~1.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'w2pxdrv.dll' missing
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...0/installer.exe
O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} (Quantum Streaming IE VersionManager Class) - http://qmedia.xlontech.net/100170/sdk/late...2ie06041001.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\system32\mshta.dll C:\WINDOWS\system32\chkntfs.dll
O20 - Winlogon Notify: byxvtur - C:\WINDOWS\SYSTEM32\byxvtur.dll
O20 - Winlogon Notify: mljgd - C:\WINDOWS\system32\mljgd.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winmfu32 - C:\WINDOWS\SYSTEM32\winmfu32.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

#4 didom

didom

  • Members
  • 1,389 posts
  • Gender:Male

Posted 03 August 2006 - 03:30 PM

Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.

Paste the following list of bad files into the Suspicious File Packer window:

C:\WINDOWS\system32\ASEMBL~1\winword.exe

Allow SFP to pack the files. This will generate a CAB archive on your desktop. Please email the files to me at:

didom[AT]malware-research.co.uk (replace [AT] with @)

Thank you! :thumbsup:

------------------------
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1

Go to Start > Control Panel > Software > Add/Remove Programs and uninstall the following if present:

Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin

or anything similar with Oin in it.


If OIN is not listed, download and run this uninstaller.

Reboot when done! Really important!

Step #2

Download: DelDomains.inf
  • Locate DelDomains.inf
  • Right-click and select "Install"
Step #3

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
Step #4

Scan again with HijackThis and check the following items:
R3 - URLSearchHook: (no name) - {B242B74C-71A8-5A2B-DF8E-5317C6F45F97} - C:\WINDOWS\system32\zbnkf.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\system32\ixt0.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll
O2 - BHO: (no name) - {B242B74C-71A8-5A2B-DF8E-5317C6F45F97} - C:\WINDOWS\system32\zbnkf.dll
O2 - BHO: (no name) - {B69033BC-DD94-408B-A449-FFDDFFF7EDFF} - C:\WINDOWS\system32\mljgd.dll
O2 - BHO: (no name) - {B7F2B6BE-6F84-4610-9157-4D75414792A2} - (no file)
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O2 - BHO: (no name) - {CD2AF172-6AC0-1E1C-B8B1-45B6ACE22897} - C:\WINDOWS\system32\hswvst.dll (file missing)
O2 - BHO: (no name) - {E521797A-22DE-4B46-8B2F-8E98AB77B942} - C:\WINDOWS\system32\byxvtur.dll
O2 - BHO: (no name) - {F8A082AE-36F7-40BC-A2B8-D7390F04285F} - (no file)
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\Safety Bar.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll

O4 - HKCU\..\Run: [Cwoe] "C:\WINDOWS\system32\ASEMBL~1\winword.exe" -vt yax
O4 - HKCU\..\Run: [Bplekyl] C:\DOCUME~1\DION~1.DER\APPLIC~1\CROSOF~1\LGONUI~1.EXE

O18 - Filter: text/html - (no CLSID) - (no file)

O20 - AppInit_DLLs: C:\WINDOWS\system32\mshta.dll C:\WINDOWS\system32\chkntfs.dll
O20 - Winlogon Notify: byxvtur - C:\WINDOWS\SYSTEM32\byxvtur.dll
O20 - Winlogon Notify: mljgd - C:\WINDOWS\system32\mljgd.dll
O20 - Winlogon Notify: winmfu32 - C:\WINDOWS\SYSTEM32\winmfu32.dll

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Step #5

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Step #6

Reboot Your System in Safe Mode:
  • Restart the computer.
  • As soon as the BIOS has loaded, begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #7

Find and delete these files and folders (if they are still there):
C:\WINDOWS\system32\ASEMBL~1\winword.exe <= this file
C:\DOCUME~1\DION~1.DER\APPLIC~1\CROSOF~1 <= this folder
C:\Program Files\ToolBar888 <= this folder
C:\Program Files\Safety Bar <= this folder
C:\WINDOWS\system32\mshta.dll <= this file
C:\WINDOWS\system32\chkntfs.dll <= this file


Step #8

Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Reboot your computer normally.

Step #9

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
Start HijackThis, perform a new scan and save the log file.

Use the Add Reply button to post your new logs (The Panda log, the contents of C:\vundofix.txt and a fresh HijackThis log) back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.
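
Added example (not part of this thread, and not HijackThis's own code): the entries didom lists for "Fix checked" in Step #4 follow a recognisable pattern, and the Python below applies the same kind of checks mechanically to a log in HijackThis 1.99.1 format, so a reviewer can pull the entries worth a second look out of a long log before deciding anything. The sample lines are a constructed subset of the log posted in this thread; the heuristics and the KNOWN_WINLOGON_NOTIFY allowlist are my own assumptions, not a rule set from HijackThis or from the helper. The output is a list of entries to review, not a list of things to delete.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines in the HijackThis 1.99.1 log format,
# copied in shape from the log posted above (trimmed to the interesting sections).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {B242B74C-71A8-5A2B-DF8E-5317C6F45F97} - C:\WINDOWS\system32\zbnkf.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B69033BC-DD94-408B-A449-FFDDFFF7EDFF} - C:\WINDOWS\system32\mljgd.dll
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [Cwoe] "C:\WINDOWS\system32\ASEMBL~1\winword.exe" -vt yax
O4 - HKCU\..\Run: [Bplekyl] C:\DOCUME~1\DION~1.DER\APPLIC~1\CROSOF~1\LGONUI~1.EXE
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O20 - AppInit_DLLs: C:\WINDOWS\system32\mshta.dll C:\WINDOWS\system32\chkntfs.dll
O20 - Winlogon Notify: byxvtur - C:\WINDOWS\SYSTEM32\byxvtur.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# Assumption: a reviewer-maintained allowlist of Winlogon Notify packages expected
# on this box (WgaLogon = Windows Genuine Advantage, WRNotifier = Webroot Spy Sweeper).
KNOWN_WINLOGON_NOTIFY = {"wgalogon", "wrnotifier"}

# Every HijackThis entry starts with a section code (R1, O2, O20, ...) and " - ".
ENTRY = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def reasons_for(section: str, body: str) -> list:
    """Heuristic checks for one entry; returns the reasons it deserves review."""
    low = body.lower()
    reasons = []
    if "(no file)" in low or "(file missing)" in low:
        reasons.append("orphaned entry: the registry points at a file that is no longer on disk")
    if section == "O20" and low.startswith("appinit_dlls:"):
        reasons.append("AppInit_DLLs is normally empty; DLLs listed here load into every process that loads user32.dll")
    if section == "O20" and low.startswith("winlogon notify:"):
        package = body.split(":", 1)[1].split(" - ")[0].strip().lower()
        if package not in KNOWN_WINLOGON_NOTIFY:
            reasons.append("unrecognised Winlogon Notify package (loaded by winlogon.exe, independent of explorer.exe)")
    if section == "O15":
        reasons.append("site added to the IE Trusted Zone")
    if section in {"R3", "O2", "O3"} and "(no name)" in low and "\\system32\\" in low:
        reasons.append("unnamed browser hook/BHO loaded from system32")
    if section == "O4":
        if re.search(r"\\(applic~1|application data)\\", low):
            reasons.append("Run entry launching from a user's Application Data folder")
        if re.search(r'\\system32\\[^\\\s"]+\\[^\\\s"]+\.exe', low):
            reasons.append("Run entry launching an .exe from a subfolder of system32")
    return reasons


def triage(log_text: str) -> list:
    """Parse a HijackThis log and return the entries flagged for review."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header lines, "Running processes:" paths, blanks
        section, body = m.groups()
        findings.extend(Finding(line, r) for r in reasons_for(section, body))
    return findings


def flagged_lines(log_text: str) -> set:
    """Just the distinct log lines that got at least one reason."""
    return {f.line for f in triage(log_text)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run it directly to print the findings for the sample, or pass any saved log to triage() to get the same review list. The two O20 checks are the ones to look at most closely for the Safe Mode symptom in the first post: AppInit_DLLs and Winlogon Notify packages load independently of explorer.exe, so the shell closing on its own does not stop them.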

#5 Rykon

Rykon
  • Topic Starter

  • Members
  • 10 posts

Posted 03 August 2006 - 04:57 PM

Panda Scan Results:


Incident Status Location

Adware:Adware/SuperSpider Not disinfected C:\WINDOWS\system32\winmfu32.dll
Adware:adware/mediatickets Not disinfected C:\WINDOWS\system32\oins.exe
Adware:adware/securityerror Not disinfected c:\windows\system32\ot.ico
Adware:adware/mirar Not disinfected c:\windows\system32\WinDmy.dll
Dialer:dialer.avv Not disinfected c:\windows\downloaded program files\gdnUS2339.exe
Adware:adware/yazzle Not disinfected c:\windows\downloaded program files\YazzleActiveX.inf
Adware:adware/cydoor Not disinfected c:\windows\cdmxtras
Adware:adware/outerinfo Not disinfected Windows Registry
Adware:adware/rxtoolbar Not disinfected Windows Registry
Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\clsid\{9AFB8248-617F-460d-9366-D71CDEDA3179}
Adware:adware/sidesearch Not disinfected Windows Registry
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\w79aq3ho.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\w79aq3ho.default\cookies.txt[.clickbank.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\q719tof6.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\q719tof6.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\q719tof6.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\q719tof6.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\q719tof6.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\q719tof6.default\cookies.txt[data.coremetrics.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\q719tof6.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\q719tof6.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\q719tof6.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\q719tof6.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\q719tof6.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\q719tof6.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\q719tof6.default\cookies.txt[.zedo.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Dad\Cookies\dad@ad.yieldmanager[2].txt
Spyware:Cookie/Malwarewipe Not disinfected C:\Documents and Settings\Dad\Cookies\dad@malwarewipe[2].txt
Adware:Adware/SystemDoctor Not disinfected C:\Documents and Settings\Dad\Local Settings\Temp\h91746.exe

Vundo Fix results:

VundoFix V4.2.22
Scan started at 2:03:32 PM 8/3/2006

Listing files found while scanning....


C:\WINDOWS\system32\dgjlm.bak1
C:\WINDOWS\system32\dgjlm.bak2
C:\WINDOWS\system32\dgjlm.tmp
C:\WINDOWS\system32\dgjlm.ini
C:\WINDOWS\system32\dgjlm.ini2
C:\WINDOWS\system32\mljgd.dll
C:\WINDOWS\system32\dgjlm.ini2
C:\WINDOWS\system32\dgjlm.bak2
C:\WINDOWS\system32\dgjlm.tmp
C:\WINDOWS\system32\dgjlm.ini
C:\WINDOWS\system32\dgjlm.ini2
C:\WINDOWS\system32\mljgd.dll
Attempting to delete C:\WINDOWS\system32\dgjlm.bak1
C:\WINDOWS\system32\dgjlm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\dgjlm.bak2
C:\WINDOWS\system32\dgjlm.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\dgjlm.tmp
C:\WINDOWS\system32\dgjlm.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\dgjlm.ini
C:\WINDOWS\system32\dgjlm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\dgjlm.ini2
C:\WINDOWS\system32\dgjlm.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\mljgd.dll
C:\WINDOWS\system32\mljgd.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\mljgd.dll
C:\WINDOWS\system32\mljgd.dll Could not be deleted.

Performing Repairs to the registry.
Done!

HJT Log:
Logfile of HijackThis v1.99.1
Scan saved at 2:53:50 PM, on 8/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\ismon.exe
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\system32\isnotify.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\AOL\1144519743\ee\AOLSoftware.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\Common Files\{8002291B-07D9-1033-0105-060823050001}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dion.DERRIN-DION\Desktop\analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Alcohol Toolbar Helper - {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\system32\ixt0.dll
O2 - BHO: (no name) - {8847FD9D-2CF5-426E-BEA2-F641C1C05570} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {B242B74C-71A8-5A2B-DF8E-5317C6F45F97} - (no file)
O2 - BHO: (no name) - {B69033BC-DD94-408B-A449-FFDDFFF7EDFF} - (no file)
O2 - BHO: (no name) - {B7F2B6BE-6F84-4610-9157-4D75414792A2} - (no file)
O2 - BHO: (no name) - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - (no file)
O2 - BHO: (no name) - {CD2AF172-6AC0-1E1C-B8B1-45B6ACE22897} - (no file)
O2 - BHO: (no name) - {CFFD8D13-8371-4FDF-B5DD-377CD459CCFE} - C:\WINDOWS\system32\ssqrr.dll
O2 - BHO: (no name) - {F5A92E47-940B-4C06-80FE-B9C8883EB01B} - (no file)
O2 - BHO: (no name) - {F8A082AE-36F7-40BC-A2B8-D7390F04285F} - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Alcohol Toolbar - {DC59A0D4-0ED6-4A73-B356-1B977F2A7725} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1144519743\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [IPHSend] "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'w2pxdrv.dll' missing
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...0/installer.exe
O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} (Quantum Streaming IE VersionManager Class) - http://qmedia.xlontech.net/100170/sdk/late...2ie06041001.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: mljgd - C:\WINDOWS\
O20 - Winlogon Notify: ssqrr - C:\WINDOWS\system32\ssqrr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winmfu32 - C:\WINDOWS\SYSTEM32\winmfu32.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

#6 didom

didom

  • Members
  • 1,389 posts
  • Gender:Male

Posted 03 August 2006 - 05:20 PM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1

I see you are running Teatimer.
I suggest you disable it, because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup
Then, Download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

Download Killbox.
Click killbox.exe.
Select the option "Delete on reboot".

Now copy the next bold part:

C:\WINDOWS\system32\winmfu32.dll
C:\WINDOWS\system32\oins.exe
c:\windows\system32\ot.ico
c:\windows\system32\WinDmy.dll
c:\windows\downloaded program files\gdnUS2339.exe
c:\windows\downloaded program files\YazzleActiveX.inf
c:\windows\cdmxtras


Open 'File' in the Killbox menu on top and choose "Paste from clipboard".

Now you will see that this is pasted in the "Full Path of File to Delete" field.
There's a little arrow (dropdown arrow) next to that field.
If you expand it, these lines must all be there together if the files are present!

Click the button: All Files (!important!)

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click YES
If you don't get that message, reboot manually.

Your computer must reboot now.

Step #2

Scan again with HijackThis and check the following items:
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\system32\ixt0.dll
O2 - BHO: (no name) - {8847FD9D-2CF5-426E-BEA2-F641C1C05570} - (no file)
O2 - BHO: (no name) - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {B242B74C-71A8-5A2B-DF8E-5317C6F45F97} - (no file)
O2 - BHO: (no name) - {B69033BC-DD94-408B-A449-FFDDFFF7EDFF} - (no file)
O2 - BHO: (no name) - {B7F2B6BE-6F84-4610-9157-4D75414792A2} - (no file)
O2 - BHO: (no name) - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - (no file)
O2 - BHO: (no name) - {CD2AF172-6AC0-1E1C-B8B1-45B6ACE22897} - (no file)
O2 - BHO: (no name) - {CFFD8D13-8371-4FDF-B5DD-377CD459CCFE} - C:\WINDOWS\system32\ssqrr.dll
O2 - BHO: (no name) - {F5A92E47-940B-4C06-80FE-B9C8883EB01B} - (no file)
O2 - BHO: (no name) - {F8A082AE-36F7-40BC-A2B8-D7390F04285F} - (no file)

O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123

O20 - Winlogon Notify: mljgd - C:\WINDOWS\
O20 - Winlogon Notify: ssqrr - C:\WINDOWS\system32\ssqrr.dll
O20 - Winlogon Notify: winmfu32 - C:\WINDOWS\SYSTEM32\winmfu32.dll

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Reboot your computer.

Step #3

Find and delete this folder:
C:\!Killbox <= this folder

Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

Step #4

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
Start HijackThis, perform a new scan and save the log file.

Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.
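The log posted above and the entries didom picks out of it for "Fix checked" follow a few recognisable patterns: BHOs with "(no name)" and "(no file)" are dead registrations, unnamed BHOs loading from system32 and unknown Winlogon Notify DLLs are the infection, and a Vundo DLL keeps its companion files under its own name spelled backwards (mljgd.dll next to dgjlm.ini in the VundoFix output, and the rrqss.* pattern later in the thread for ssqrr.dll). The following Python script is an added example, not code from this thread or from HijackThis, that parses HJT-style lines and applies those heuristics; the sample lines are constructed from the posted log, and KNOWN_NOTIFY is an assumed allowlist, not an authoritative one.

```python
"""Added example: triage of HijackThis (HJT) 1.99-style log lines.

Parses the "Rn - ..." / "On - ..." lines and applies the heuristics a forum
helper uses when picking entries to "Fix checked". The sample lines are
constructed from the log posted in this thread; KNOWN_NOTIFY is an assumed
allowlist of Winlogon Notify packages, not an authoritative list.
"""
import re
from dataclasses import dataclass

HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[^}]+\})(?: \((?P<cls>[^)]*)\))? -\s*(?P<url>.*)$")

# Assumed allowlist: Notify packages expected on a stock Windows XP SP2 box.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "scardsvr", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}

# Constructed sample, modelled on entries from the posted HJT log.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\system32\ixt0.dll
O2 - BHO: (no name) - {8847FD9D-2CF5-426E-BEA2-F641C1C05570} - (no file)
O2 - BHO: (no name) - {CFFD8D13-8371-4FDF-B5DD-377CD459CCFE} - C:\WINDOWS\system32\ssqrr.dll
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: mljgd - C:\WINDOWS\
O20 - Winlogon Notify: ssqrr - C:\WINDOWS\system32\ssqrr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""


@dataclass
class Finding:
    section: str
    tag: str      # short machine-readable reason
    detail: str   # human-readable explanation
    line: str     # the original HJT line


def vundo_companion_glob(dll_path):
    """Vundo variants keep their settings in files whose name is the DLL's
    basename reversed (mljgd.dll <-> dgjlm.ini/.bak1, ssqrr.dll <-> rrqss.*).
    Return the glob that would match those companion files."""
    stem = dll_path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return stem[::-1] + ".*"


def triage(log_text):
    """Return a Finding for every suspicious line in an HJT log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O2" and (b := BHO_RE.match(body)):
            if b["name"] == "(no name)" and b["path"] == "(no file)":
                findings.append(Finding(section, "orphan-bho",
                                        "registration left behind, nothing to load", line))
            elif b["name"] == "(no name)" and "\\system32\\" in b["path"].lower():
                findings.append(Finding(section, "unnamed-bho-system32",
                                        "unnamed BHO loading " + b["path"], line))
        elif section == "O16" and (d := DPF_RE.match(body)):
            # Downloaded ActiveX controls; a missing class name is the usual adware tell.
            if d["cls"] is None and d["url"]:
                findings.append(Finding(section, "unnamed-dpf",
                                        "ActiveX control with no class name from " + d["url"], line))
        elif section == "O20" and (n := NOTIFY_RE.match(body)):
            name, path = n["name"], n["path"]
            if name.lower() in KNOWN_NOTIFY:
                continue
            if "(file missing)" in path:
                findings.append(Finding(section, "notify-file-missing",
                                        "Notify package registered but DLL absent: " + path, line))
            elif not path.lower().endswith(".dll"):
                findings.append(Finding(section, "notify-no-dll",
                                        "Notify key points at " + path + ", not a DLL", line))
            else:
                findings.append(Finding(section, "notify-unknown-dll",
                                        "unknown Notify DLL %s; Vundo companion files would match %s"
                                        % (path, vundo_companion_glob(path)), line))
    return findings


def fix_checked_lines(log_text):
    """The lines a helper would tick in HijackThis: everything except the
    informational file-missing entries."""
    return [f.line for f in triage(log_text) if f.tag != "notify-file-missing"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.tag:22} {f.detail}")
```

Run on the sample it reports the same seven entries didom singles out (three BHOs, the Yazzle download, the two Notify entries and the dangling WRNotifier), leaves the allowlisted WgaLogon alone, and prints rrqss.* as the companion pattern for ssqrr.dll. It needs Python 3.8 or later for the assignment expressions.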

#7 Rykon

Rykon
  • Topic Starter

  • Members
  • 10 posts

Posted 03 August 2006 - 07:10 PM

Here we are once again

Panda Scan:

Incident Status Location

Adware:adware/securityerror Not disinfected C:\Documents and Settings\Dion.DERRIN-DION\Favorites\Antivirus Test Online.url
Adware:adware/cydoor Not disinfected c:\windows\cdmxtras
Adware:adware/outerinfo Not disinfected Windows Registry
Adware:adware/rxtoolbar Not disinfected Windows Registry
Adware:adware/mirar Not disinfected Windows Registry
Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\clsid\{9AFB8248-617F-460d-9366-D71CDEDA3179}
Adware:adware/sidesearch Not disinfected Windows Registry
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\w79aq3ho.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\w79aq3ho.default\cookies.txt[.clickbank.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\q719tof6.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\q719tof6.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\q719tof6.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\q719tof6.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\q719tof6.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\q719tof6.default\cookies.txt[data.coremetrics.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\q719tof6.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\q719tof6.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\q719tof6.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\q719tof6.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\q719tof6.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\q719tof6.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\q719tof6.default\cookies.txt[.zedo.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Dad\Cookies\dad@ad.yieldmanager[2].txt
Spyware:Cookie/Malwarewipe Not disinfected C:\Documents and Settings\Dad\Cookies\dad@malwarewipe[2].txt
Adware:Adware/SystemDoctor Not disinfected C:\Documents and Settings\Dad\Local Settings\Temp\h91746.exe


Logfile of HijackThis v1.99.1
Scan saved at 5:09:00 PM, on 8/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\system32\isnotify.exe
C:\WINDOWS\system32\ismon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\AOL\1144519743\ee\AOLSoftware.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\Common Files\{8002291B-07D9-1033-0105-060823050001}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Dion.DERRIN-DION\Desktop\analyse.exe

And HJT

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Alcohol Toolbar Helper - {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\system32\ixt0.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {BB81EE1A-D806-4432-8036-8F080BB6FDEE} - C:\WINDOWS\system32\ssqrr.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Alcohol Toolbar - {DC59A0D4-0ED6-4A73-B356-1B977F2A7725} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1144519743\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [IPHSend] "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'w2pxdrv.dll' missing
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...0/installer.exe
O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} (Quantum Streaming IE VersionManager Class) - http://qmedia.xlontech.net/100170/sdk/late...2ie06041001.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: ssqrr - C:\WINDOWS\system32\ssqrr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

#8 didom

didom

  • Members
  • 1,389 posts
  • Gender:Male

Posted 04 August 2006 - 07:35 AM

Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.

Paste the following list of bad files into the Suspicious File Packer window:

C:\WINDOWS\system32\ssqrr.dll

Allow SFP to pack the files. This will generate a CAB archive on your desktop. Please email the files to me at:

didom[AT]malware-research.co.uk (replace [AT] with @)

Thank you! :thumbsup:

---------------------------
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, Right click the list box (white box) in the main VundoFix window.
  • Select “Add More Files?” from the menu that comes up. This will open a new VundoFix window.
  • In the window, copy and paste the following into the first field: C:\WINDOWS\system32\ssqrr.dll
  • Copy and paste the following into the second field: C:\WINDOWS\system32\rrqss.*
  • Click the “Add Files” button.
  • Click the "Close Window" button.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.

Step #2

Scan again with HijackThis and check the following items:
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\system32\ixt0.dll
O2 - BHO: (no name) - {BB81EE1A-D806-4432-8036-8F080BB6FDEE} - C:\WINDOWS\system32\ssqrr.dll

O20 - Winlogon Notify: ssqrr - C:\WINDOWS\system32\ssqrr.dll

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Step #3

Please run Notepad and paste the following text into a new file:

REGEDIT4

[-hkey_classes_root\clsid\{9AFB8248-617F-460d-9366-D71CDEDA3179}]

Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files".
This is how the reg file must look afterwards: (screenshot omitted)

Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

Then reboot your computer.

Step #4

Download Killbox.
Click killbox.exe.
Select the option "Delete on reboot".

Now copy the following lines:

C:\Documents and Settings\Dion.DERRIN-DION\Favorites\Antivirus Test Online.url
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\w79aq3ho.default\cookies.txt
C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\q719tof6.default\cookies.txt
C:\Documents and Settings\Dad\Cookies\dad@ad.yieldmanager[2].txt
C:\Documents and Settings\Dad\Cookies\dad@malwarewipe[2].txt
C:\Documents and Settings\Dad\Local Settings\Temp\h91746.exe


Open 'File' in the Killbox menu at the top and choose 'Paste from clipboard'.

Now you will see that this is pasted into the "Full Path of File to Delete" field.
There's a little arrow (dropdown arrow) next to that field.
If you expand it, all of these lines must be there together, provided the files are
present!

Click the button: All Files (!important!)

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on the next reboot and ask if you would like to reboot now; click YES.
If you don't get that message, reboot manually.

Your computer must reboot now.

Find and delete these folders:
C:\!Killbox <= this folder
c:\windows\cdmxtras <= this folder

Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

Run Panda's online virus scan and perform a full system scan: Panda ActiveScan

Save the scan log and post it along with a new HijackThis Log in your next reply.

#9 Rykon (Topic Starter)

Posted 04 August 2006 - 11:25 AM

Logfile of HijackThis v1.99.1
Scan saved at 9:23:43 AM, on 8/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\system32\ismon.exe
C:\WINDOWS\system32\isnotify.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\AOL\1144519743\ee\AOLSoftware.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\Common Files\{8002291B-07D9-1033-0105-060823050001}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Dion.DERRIN-DION\Desktop\analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Alcohol Toolbar Helper - {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\system32\ixt0.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {ABE3E72B-35B2-42E7-B94D-DA0D874619EB} - C:\WINDOWS\system32\ssqrr.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Alcohol Toolbar - {DC59A0D4-0ED6-4A73-B356-1B977F2A7725} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\Safety Bar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1144519743\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [IPHSend] "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'w2pxdrv.dll' missing
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...0/installer.exe
O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} (Quantum Streaming IE VersionManager Class) - http://qmedia.xlontech.net/100170/sdk/late...2ie06041001.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\mshta.dll
O20 - Winlogon Notify: ssqrr - C:\WINDOWS\system32\ssqrr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

Panda log

Incident Status Location

Adware:adware/outerinfo Not disinfected Windows Registry
Adware:adware/rxtoolbar Not disinfected Windows Registry
Adware:adware/mirar Not disinfected Windows Registry
Adware:adware/sidesearch Not disinfected Windows Registry
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Dad\Cookies\dad@2o7[1].txt

#10 didom

Posted 04 August 2006 - 12:24 PM

Please post the contents of C:\vundofix.txt

#11 Rykon (Topic Starter)

Posted 05 August 2006 - 01:44 AM

Sorry about that, I had an event to go to. Here are the results of VundoFix:


VundoFix V4.2.22
Scan started at 2:03:32 PM 8/3/2006

Listing files found while scanning....


C:\WINDOWS\system32\dgjlm.bak1
C:\WINDOWS\system32\dgjlm.bak2
C:\WINDOWS\system32\dgjlm.tmp
C:\WINDOWS\system32\dgjlm.ini
C:\WINDOWS\system32\dgjlm.ini2
C:\WINDOWS\system32\mljgd.dll
C:\WINDOWS\system32\dgjlm.ini2
C:\WINDOWS\system32\dgjlm.bak2
C:\WINDOWS\system32\dgjlm.tmp
C:\WINDOWS\system32\dgjlm.ini
C:\WINDOWS\system32\dgjlm.ini2
C:\WINDOWS\system32\mljgd.dll
Attempting to delete C:\WINDOWS\system32\dgjlm.bak1
C:\WINDOWS\system32\dgjlm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\dgjlm.bak2
C:\WINDOWS\system32\dgjlm.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\dgjlm.tmp
C:\WINDOWS\system32\dgjlm.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\dgjlm.ini
C:\WINDOWS\system32\dgjlm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\dgjlm.ini2
C:\WINDOWS\system32\dgjlm.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\mljgd.dll
C:\WINDOWS\system32\mljgd.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\mljgd.dll
C:\WINDOWS\system32\mljgd.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V4.2.22
Scan started at 8:20:31 AM 8/4/2006

Listing files found while scanning....


C:\WINDOWS\system32\rrqss.bak1
C:\WINDOWS\system32\rrqss.bak2
C:\WINDOWS\system32\rrqss.ini
C:\WINDOWS\system32\ssqrr.dll

VundoFix V4.2.22
Scan started at 8:22:52 AM 8/4/2006

Listing files found while scanning....


C:\WINDOWS\system32\rrqss.bak1
C:\WINDOWS\system32\rrqss.bak2
C:\WINDOWS\system32\rrqss.ini
C:\WINDOWS\system32\ssqrr.dll
Attempting to delete C:\WINDOWS\system32\rrqss.bak1
C:\WINDOWS\system32\rrqss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rrqss.bak2
C:\WINDOWS\system32\rrqss.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rrqss.ini
C:\WINDOWS\system32\rrqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqrr.dll
C:\WINDOWS\system32\ssqrr.dll Could not be deleted.

Performing Repairs to the registry.
Done!
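
The VundoFix output above makes the naming trick visible: ssqrr.dll goes with rrqss.ini and rrqss.bak*, and mljgd.dll with dgjlm.*; each loader's data files use the DLL stem spelled backwards. The following is an added example, not part of VundoFix and not code from anyone in this thread, that finds such sets in any plain file listing. The companion extensions are the ones in the log above; the 4-to-8-letter stem rule and the extra legitimate filenames in the sample listing (user32.dll, the invented hello.dll) are assumptions added for contrast.

```python
r"""
Flag Vundo-style loader/companion file sets in a system32 listing.

Added for this thread; not part of VundoFix. The VundoFix log above shows the
naming trick: the loader DLL has a short random lowercase stem (ssqrr.dll,
mljgd.dll) and its data files use that stem spelled backwards (rrqss.ini,
dgjlm.bak1, ...). Given any file listing (e.g. `dir /b /s C:\WINDOWS\system32`
saved to a text file), report every DLL whose reversed stem also names a
companion file in the same directory.
"""
import ntpath  # parse Windows paths correctly even when run on a non-Windows box
import re
from collections import defaultdict

# Companion extensions observed in the VundoFix output above.
COMPANION_EXTS = {".ini", ".ini2", ".bak1", ".bak2", ".tmp"}
# Heuristic (assumption): the stems in this thread are five lowercase letters; allow 4-8.
STEM_RE = re.compile(r"^[a-z]{4,8}$")


def find_vundo_sets(paths):
    """Return {dll_path: sorted companion paths} for every DLL whose reversed
    stem names at least one companion data file in the same directory."""
    by_dir = defaultdict(dict)  # dir (lowercased) -> {name (lowercased): original path}
    for p in paths:
        d, name = ntpath.split(p.strip())
        if name:
            by_dir[d.lower()][name.lower()] = p.strip()

    hits = {}
    for names in by_dir.values():
        for name, path in names.items():
            stem, ext = ntpath.splitext(name)
            if ext != ".dll" or not STEM_RE.match(stem):
                continue
            mirror = stem[::-1]  # the companion files carry the reversed stem
            companions = sorted(
                other_path
                for other, other_path in names.items()
                if ntpath.splitext(other)[0] == mirror
                and ntpath.splitext(other)[1] in COMPANION_EXTS
            )
            if companions:
                hits[path] = companions
    return hits


# Sample listing: the paths VundoFix reported above, plus a few names added
# here for contrast (user32.dll and mshta.dll are real names; hello.dll is invented).
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\dgjlm.bak1",
    r"C:\WINDOWS\system32\dgjlm.ini",
    r"C:\WINDOWS\system32\dgjlm.ini2",
    r"C:\WINDOWS\system32\mljgd.dll",
    r"C:\WINDOWS\system32\rrqss.bak1",
    r"C:\WINDOWS\system32\rrqss.ini",
    r"C:\WINDOWS\system32\ssqrr.dll",
    r"C:\WINDOWS\system32\user32.dll",
    r"C:\WINDOWS\system32\hello.dll",
    r"C:\WINDOWS\system32\mshta.dll",  # flagged by the HJT AppInit_DLLs line, not by this rule
]

if __name__ == "__main__":
    for dll, companions in find_vundo_sets(SAMPLE_LISTING).items():
        print(dll)
        for c in companions:
            print("    companion:", c)
```

The rule only catches the reversed-stem variant; a loader with no companion files (mshta.dll in the AppInit_DLLs entry, for instance) has to be caught from the registry side instead.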

#12 didom

Posted 05 August 2006 - 08:42 AM

Please post a fresh HijackThis log!

#13 Rykon (Topic Starter)

Posted 05 August 2006 - 01:16 PM

Logfile of HijackThis v1.99.1
Scan saved at 11:15:03 AM, on 8/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\system32\isnotify.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ismon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\AOL\1144519743\ee\AOLSoftware.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\Common Files\{8002291B-07D9-1033-0105-060823050001}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Dion.DERRIN-DION\Desktop\analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {05FC7AE6-FDF4-4159-9281-E40DF6D86BD0} - C:\WINDOWS\system32\ssqrr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Alcohol Toolbar Helper - {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\system32\ixt0.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Alcohol Toolbar - {DC59A0D4-0ED6-4A73-B356-1B977F2A7725} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\Safety Bar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1144519743\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [IPHSend] "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'w2pxdrv.dll' missing
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...0/installer.exe
O16 - DPF: {E3E02F12-2ADB-478C-8742-5F0819F9F0F4} (Quantum Streaming IE VersionManager Class) - http://qmedia.xlontech.net/100170/sdk/late...2ie06041001.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\mshta.dll
O20 - Winlogon Notify: ssqrr - C:\WINDOWS\system32\ssqrr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
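
As an added example (not code from HijackThis or from anyone in this thread), the following triage makes explicit the reasoning behind the entries picked in reply #8: unnamed BHOs loading from system32, a non-empty AppInit_DLLs value, a Winlogon Notify package that is not on a known-good baseline, orphaned "(no file)" hooks and the broken LSP chain. The known-good Winlogon Notify list is an assumed baseline, not something the thread provides; the sample lines are copied from the logs above.

```python
r"""
Triage a HijackThis 1.99 log for the entry classes acted on in this thread.

Added for this thread; not part of HijackThis. The rules make the reviewer's
selection explicit instead of relying on a signature database:
  * any entry ending in "(no file)": orphaned hook/BHO registration
  * O2 BHO with "(no name)" whose DLL lives under \system32\
  * O20 AppInit_DLLs with any value: that DLL is loaded into every process
    that links user32.dll
  * O20 Winlogon Notify package not on a known-good list (the list below is
    an assumed baseline, not something the thread provides)
  * O10 broken Winsock LSP chain
"""
import re

# Assumed baseline of Winlogon Notify packages on a stock XP SP2 box plus the
# WGA notifier seen in the log; extend it from your own clean machines.
WINLOGON_NOTIFY_KNOWN_GOOD = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon", "WgaLogon",
}

O2_NONAME_RE = re.compile(r"^O2 - BHO: \(no name\) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O20_NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O20_APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<value>.*)$")


def triage_hjt(lines):
    """Return [(severity, reason, line)] for every entry a rule fires on."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.endswith("(no file)"):
            findings.append(("low", "orphaned registration (no file)", line))
            continue
        m = O2_NONAME_RE.match(line)
        if m and "\\system32\\" in m.group("path").lower():
            findings.append(("high", "unnamed BHO loading from system32", line))
            continue
        m = O20_APPINIT_RE.match(line)
        if m:
            if m.group("value").strip():
                findings.append(("high", "AppInit_DLLs set", line))
            continue
        m = O20_NOTIFY_RE.match(line)
        if m:
            if "(file missing)" in m.group("path"):
                findings.append(("low", "Winlogon Notify package whose DLL is missing", line))
            elif m.group("name") not in WINLOGON_NOTIFY_KNOWN_GOOD:
                findings.append(("high", "Winlogon Notify package not on the known-good list", line))
            continue
        if line.startswith("O10 - Broken Internet access"):
            findings.append(("medium", "broken Winsock LSP chain", line))
    return findings


# Lines copied from the HijackThis logs in this thread (the R3 line is from
# the list in reply #8; the rest are from the log in reply #13).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {05FC7AE6-FDF4-4159-9281-E40DF6D86BD0} - C:\WINDOWS\system32\ssqrr.dll
O2 - BHO: (no name) - {873eb32d-ae1a-4183-89bd-45a77f761be4} - C:\WINDOWS\system32\ixt0.dll
O10 - Broken Internet access because of LSP provider 'w2pxdrv.dll' missing
O20 - AppInit_DLLs: C:\WINDOWS\system32\mshta.dll
O20 - Winlogon Notify: ssqrr - C:\WINDOWS\system32\ssqrr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
""".strip().splitlines()

if __name__ == "__main__":
    for severity, reason, line in triage_hjt(SAMPLE_LOG):
        print(f"[{severity}] {reason}: {line}")
```

Note that the same DLL (ssqrr.dll) shows up both as a BHO and as a Winlogon Notify package: the Notify registration is what loads it before the desktop appears, which is why the file cannot be deleted from a running session and why VundoFix above had to reboot.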

#14 didom

Posted 06 August 2006 - 05:11 AM

1. Download and Save Blacklight to your desktop:

Double-click blbeta.exe, accept the agreement, then click Scan, then Next.

You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe".

2. Please download RootKitRevealer from here:
http://www.sysinternals.com/files/rootkitrevealer.zip
Unzip it to the desktop, run it, and click Scan. This will generate a log file; please post the entire contents of the log file here for me to see.

3. Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.

If you're having problems with running GMER.exe, try it in safe mode.
This tool works in safe mode. Other rootkit revealers don't.
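
All three tools requested here are cross-view detectors: they compare what the Windows API reports against the raw registry hive or the MFT and print every difference, whether it is a rootkit hiding something or just a value that changed between the two reads. As an added example (not code from Sysinternals or from anyone in this thread), the following sorts RootkitRevealer lines into expected, recheck and investigate. The discrepancy classes are the ones in the scan posted later in this thread; the SPTD attribution to DAEMON Tools / Alcohol 120% (both present in the HijackThis log) is well known, the Vax347 attribution to Alcohol 120% is an assumption, and the CONSTRUCTED.sys line in the sample is constructed to show what an unexplained hit looks like.

```python
r"""
Triage RootkitRevealer discrepancies into expected / recheck / investigate.

Added for this thread; not part of RootkitRevealer. The tool reports every
place where the Windows API view and the raw hive/MFT view disagree, and most
of those are not rootkits. The rules below encode the discrepancy classes seen
in the scan posted later in this thread. The SPTD entry is attributed to the
DAEMON Tools / Alcohol 120% driver; the Vax347 attribution to Alcohol 120% is
an assumption, not something the thread states.
"""
import re

# <path> <m/d/yyyy> <h:mm AM|PM> <N bytes> <description>; paths may contain spaces.
RKR_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2} [AP]M) "
    r"(?P<size>\d+) bytes (?P<desc>.+)$"
)

# Registry values rewritten constantly, so a mismatch between the two reads is timing.
VOLATILE_REG = ("\\ext\\stats\\", "\\cryptography\\rng\\seed", "\\lastuse")
# Directories where files are created and deleted while browsers/IM clients run.
TRANSIENT_FILE_DIRS = ("\\cookies\\", "\\local settings\\temp\\", "\\urlcache\\", "\\metrics\\")


def classify(path, desc):
    """Return (verdict, note) for one discrepancy line."""
    p = path.lower()
    is_reg = p.startswith("hk")
    if "mismatch" in desc or "not consistent" in desc:
        if any(v in p for v in VOLATILE_REG):
            return "expected", "volatile value rewritten while the scan ran"
        return "recheck", "value-level mismatch; only act if it persists on a second scan"
    if desc.startswith("Key name contains embedded nulls"):
        if "\\securom\\" in p:
            return "expected", "SecuROM copy protection uses a null-embedded key name"
        return "investigate", "null-embedded key name hides the key from regedit and the Win32 API"
    if desc.startswith("Access is denied") and "\\services\\sptd\\" in p:
        return "expected", "SPTD driver (DAEMON Tools / Alcohol 120%) locks its Cfg key"
    if is_reg and desc.startswith("Hidden from Windows API") and "\\services\\vax347" in p:
        return "expected", "assumption: Vax347 keys belong to the Alcohol 120% virtual-drive driver"
    if not is_reg and any(d in p for d in TRANSIENT_FILE_DIRS):
        return "recheck", "file churned between the two views; rescan with browsers and IM closed"
    return "investigate", "unexplained discrepancy outside the known-benign locations"


def triage_rkr(lines):
    """Parse RootkitRevealer output lines and attach a verdict to each."""
    results = []
    for raw in lines:
        m = RKR_RE.match(raw.strip())
        if not m:
            continue  # blank lines, headers, or output from another tool
        verdict, note = classify(m.group("path"), m.group("desc"))
        results.append({"path": m.group("path"), "desc": m.group("desc"),
                        "verdict": verdict, "note": note})
    return results


# Lines from the RootkitRevealer output posted later in this thread, plus one
# constructed entry (CONSTRUCTED.sys) that no known-benign rule explains.
SAMPLE_RKR = r"""
HKLM\S-1-5-21-117609710-362288127-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}\iexplore\Count 8/6/2006 1:23 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6\ProductName 7/6/2006 12:03 PM 26 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 8/6/2006 1:26 PM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY* 4/9/2006 7:54 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 7/6/2006 11:54 AM 0 bytes Access is denied.
HKLM\SYSTEM\ControlSet001\Services\Vax347s\Config\jdgg40 7/6/2006 2:39 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Cookies\dion@advertising[1].txt 8/6/2006 1:52 PM 399 bytes Hidden from Windows API.
C:\WINDOWS\system32\drivers\CONSTRUCTED.sys 8/6/2006 1:30 PM 12288 bytes Hidden from Windows API.
""".strip().splitlines()

if __name__ == "__main__":
    for e in triage_rkr(SAMPLE_RKR):
        print(f"[{e['verdict']}] {e['path']}")
        print(f"    {e['note']}")
```

The point of the "recheck" class is didom's own caveat: a single discrepancy proves nothing, because a cookie or a hit counter written during the scan produces the same line as a hidden file, so only a hit that survives a second scan with browsers and messengers closed deserves the rename or delete treatment.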

#15 Rykon (Topic Starter)

Posted 06 August 2006 - 04:41 PM

BlackLight Log

08/06/06 13:17:24 [Info]: BlackLight Engine 1.0.42 initialized
08/06/06 13:17:24 [Info]: OS: 5.1 build 2600 (Service Pack 2)
08/06/06 13:17:24 [Note]: 7019 4
08/06/06 13:17:24 [Note]: 7005 0
08/06/06 13:17:28 [Note]: 7006 0
08/06/06 13:17:28 [Note]: 7011 1852
08/06/06 13:17:28 [Note]: 7026 0
08/06/06 13:17:28 [Note]: 7026 0
08/06/06 13:17:33 [Note]: FSRAW library version 1.7.1019
08/06/06 13:25:26 [Note]: 7007 0

Rootkit

HKLM\S-1-5-21-117609710-362288127-725345543-1004\Software\Alcohol Soft\Alcohol Toolbar\ 8/6/2006 1:23 PM 4 bytes Windows API length not consistent with raw hive data.
HKLM\S-1-5-21-117609710-362288127-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Components\Installed\65007\Iteration 8/6/2006 2:50 AM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-117609710-362288127-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}\iexplore\Count 8/6/2006 1:23 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-117609710-362288127-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}\iexplore\Time 8/6/2006 1:23 PM 16 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-117609710-362288127-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore\Count 8/6/2006 1:23 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-117609710-362288127-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore\Time 8/6/2006 1:23 PM 16 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-117609710-362288127-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\iexplore\Count 8/6/2006 1:18 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-117609710-362288127-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\iexplore\Time 8/6/2006 1:18 PM 16 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-117609710-362288127-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0ACF00E0-C1E4-4F6B-B290-10AC7505C47A}\iexplore\Count 8/6/2006 1:23 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-117609710-362288127-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0ACF00E0-C1E4-4F6B-B290-10AC7505C47A}\iexplore\Time 8/6/2006 1:23 PM 16 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-117609710-362288127-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3369AF0D-62E9-4BDA-8103-B4C75499B578}\iexplore\Count 8/6/2006 1:18 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-117609710-362288127-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3369AF0D-62E9-4BDA-8103-B4C75499B578}\iexplore\Time 8/6/2006 1:18 PM 16 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-117609710-362288127-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore\Count 8/6/2006 1:23 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-117609710-362288127-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore\Time 8/6/2006 1:23 PM 16 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-117609710-362288127-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}\iexplore\Count 8/6/2006 1:23 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-117609710-362288127-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}\iexplore\Time 8/6/2006 1:23 PM 16 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-117609710-362288127-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{873EB32D-AE1A-4183-89BD-45A77F761BE4}\iexplore\Count 8/6/2006 1:23 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-117609710-362288127-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{873EB32D-AE1A-4183-89BD-45A77F761BE4}\iexplore\Time 8/6/2006 1:23 PM 16 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-117609710-362288127-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9030D464-4C02-4ABF-8ECC-5164760863C6}\iexplore\Count 8/6/2006 1:23 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-117609710-362288127-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9030D464-4C02-4ABF-8ECC-5164760863C6}\iexplore\Time 8/6/2006 1:23 PM 16 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-117609710-362288127-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\iexplore\Count 8/6/2006 1:18 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-117609710-362288127-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\iexplore\Time 8/6/2006 1:18 PM 16 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-117609710-362288127-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\iexplore\Count 8/6/2006 1:18 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-117609710-362288127-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\iexplore\Time 8/6/2006 1:18 PM 16 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-117609710-362288127-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DC59A0D4-0ED6-4A73-B356-1B977F2A7725}\iexplore\Count 8/6/2006 1:23 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-117609710-362288127-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DC59A0D4-0ED6-4A73-B356-1B977F2A7725}\iexplore\Time 8/6/2006 1:23 PM 16 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-117609710-362288127-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E6DBF321-EE82-477C-8BA9-E560AC85E7D4}\iexplore\Count 8/6/2006 1:23 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-117609710-362288127-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E6DBF321-EE82-477C-8BA9-E560AC85E7D4}\iexplore\Time 8/6/2006 1:23 PM 16 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-117609710-362288127-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\iexplore\Count 8/6/2006 1:23 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-117609710-362288127-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\iexplore\Time 8/6/2006 1:23 PM 16 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-117609710-362288127-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore\Count 8/6/2006 1:18 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-117609710-362288127-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore\Time 8/6/2006 1:18 PM 16 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-117609710-362288127-725345543-1004\Software\Yahoo\Companion\Profiles\!guest\LastUse 8/5/2006 6:13 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6\ProductName 7/6/2006 12:03 PM 26 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 8/6/2006 1:26 PM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}\DisplayName 7/6/2006 12:16 PM 26 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY* 4/9/2006 7:54 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 7/6/2006 11:54 AM 0 bytes Access is denied.
HKLM\SYSTEM\ControlSet001\Services\Vax347s\Config\jdgg40 7/6/2006 2:39 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Application Data\Aim\hxwsyhvb\DjSquizzum\urlcache\aim4.tmp 8/6/2006 1:14 PM 443 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Dion.DERRIN-DION\Application Data\Aim\hxwsyhvb\DjSquizzum\urlcache\aim6D.tmp 8/6/2006 1:44 PM 443 bytes Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Cookies\dion@advertising[1].txt 8/6/2006 1:52 PM 399 bytes Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Cookies\dion@advertising[2].txt 8/5/2006 10:10 PM 407 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\AOL\UserProfiles\1144519743\dion\metrics\cmls_ms.tlv 8/6/2006 1:54 PM 144 bytes Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\007E0F00d01 8/6/2006 1:39 PM 22.73 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\085EE3F6d01 8/6/2006 1:41 PM 28.60 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\0BBCBEBCd01 8/6/2006 1:47 PM 19.88 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\0BBDBEBCd01 8/6/2006 1:47 PM 18.03 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\0BBEBEBCd01 8/6/2006 1:47 PM 24.60 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\0C2672CEd01 8/6/2006 1:41 PM 28.53 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\0D2AE518d01 8/6/2006 1:40 PM 25.77 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\0D7C2882d01 8/6/2006 1:44 PM 17.46 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\161928F1d01 8/6/2006 1:40 PM 20.98 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\248D97B2d01 8/6/2006 1:42 PM 36.83 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\26FF6B4Dd01 8/6/2006 1:40 PM 26.25 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\271BF039d01 8/6/2006 1:42 PM 28.67 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\287E0487d01 8/6/2006 1:40 PM 23.55 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\2A2BCE75d01 8/6/2006 1:39 PM 19.44 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\3EDEB0E8d01 8/6/2006 1:39 PM 19.85 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\4176C55Cd01 8/6/2006 1:47 PM 42.54 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\4377995Ed01 8/6/2006 1:46 PM 66.23 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\497ACEC9d01 8/6/2006 1:44 PM 19.58 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\4F7259F3d01 8/6/2006 1:41 PM 32.37 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\55992A43d01 8/6/2006 1:40 PM 23.91 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\58EEDF73d01 8/6/2006 1:53 PM 50.04 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\59B85444d01 8/6/2006 1:41 PM 26.30 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\5D0CEB53d01 8/6/2006 1:48 PM 57.66 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\5D681613d01 8/6/2006 1:47 PM 52.22 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\5D7717C3d01 8/6/2006 1:52 PM 57.99 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\5E2FC863d01 8/6/2006 1:54 PM 58.83 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\5E498ED3d01 8/6/2006 1:51 PM 48.74 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\5F20CB35d01 8/6/2006 1:41 PM 28.85 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\601B4C83d01 8/6/2006 1:41 PM 35.31 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\60FD7220d01 8/6/2006 1:41 PM 26.24 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\66E7DEFFd01 8/6/2006 1:41 PM 26.32 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\677C3B46d01 8/6/2006 1:39 PM 26.03 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\6881F2DEd01 8/6/2006 1:40 PM 19.74 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\6904F2A6d01 8/6/2006 1:39 PM 26.01 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\6AA840AFd01 8/6/2006 1:41 PM 26.33 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\6D4C9CC9d01 8/6/2006 1:45 PM 20.01 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\731A240Ad01 8/6/2006 1:46 PM 17.76 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\73DB9A00d01 8/6/2006 1:39 PM 17.53 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\7D5CAD67d01 8/6/2006 1:42 PM 43.84 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\867BB844d01 8/6/2006 1:41 PM 19.85 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\870B5284d01 8/6/2006 1:46 PM 47.16 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\95D368C0d01 8/6/2006 1:39 PM 27.58 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\95DC97ADd01 8/6/2006 1:40 PM 26.21 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\964F8B5Dd01 8/6/2006 1:42 PM 23.45 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\99CA6F84d01 8/6/2006 1:53 PM 39.13 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\99EB0C08d01 8/6/2006 1:42 PM 23.48 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\9D7AE92Bd01 8/6/2006 1:39 PM 18.67 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\9F0A26C4d01 8/6/2006 1:49 PM 38.04 KB Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\9F5A01D4d01 8/6/2006 1:47 PM 36.45 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\A1147580d01 8/6/2006 1:40 PM 26.23 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\B1798B65d01 8/6/2006 1:41 PM 26.16 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\B51DC697d01 8/6/2006 1:41 PM 25.79 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\B55449DDd01 8/6/2006 1:48 PM 34.78 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\B58A2B4Bd01 8/6/2006 1:40 PM 23.45 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\BBC3D7C2d01 8/6/2006 1:41 PM 26.23 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\BD9B44D4d01 8/6/2006 1:42 PM 26.03 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\BF87CB28d01 8/6/2006 1:41 PM 26.33 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\C1F9A688d01 8/6/2006 1:39 PM 27.48 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\C1F9C1B0d01 8/6/2006 1:40 PM 27.48 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\C94DC445d01 8/6/2006 1:52 PM 16.58 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\CCA47BF0d01 8/6/2006 1:47 PM 44.12 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\CF2FCAB1d01 8/6/2006 1:39 PM 26.00 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\D1766D20d01 8/6/2006 1:40 PM 60.02 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\D28ED2E5d01 8/6/2006 1:42 PM 19.49 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\D4C60D85d01 8/6/2006 1:40 PM 26.23 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\D52B2CFCd01 8/6/2006 1:39 PM 26.38 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\D62B8FD9d01 8/6/2006 1:42 PM 26.01 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\DA1EACBFd01 8/6/2006 1:42 PM 25.73 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\E030D001d01 8/6/2006 1:46 PM 28.20 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\E0681D5Ed01 8/6/2006 1:39 PM 28.89 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\E2280F33d01 8/6/2006 1:41 PM 26.24 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\E47310F1d01 8/6/2006 1:41 PM 28.67 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\E48A8A79d01 8/6/2006 1:47 PM 47.54 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\E8A04FC8d01 8/6/2006 1:41 PM 18.22 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\E99D5C6Fd01 8/6/2006 1:41 PM 26.30 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\F6774D45d01 8/6/2006 1:40 PM 26.14 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\F71BF159d01 8/6/2006 1:41 PM 28.67 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\F74ACA08d01 8/6/2006 1:41 PM 26.34 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\F803ED5Fd01 8/6/2006 1:46 PM 19.15 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\F98FA89Cd01 8/6/2006 1:44 PM 27.77 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\FAB96944d01 8/6/2006 1:42 PM 23.31 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\FBDE13FEd01 8/6/2006 1:41 PM 25.23 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Application Data\Mozilla\Firefox\Profiles\c8ehmm1k.default\Cache\FC91D0EBd01 8/6/2006 1:41 PM 27.49 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Temporary Internet Files\Content.IE5\4XA7W967\aol[5].htm 8/6/2006 1:14 PM 179 bytes Visible in Windows API, MFT, but not in directory index.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Temporary Internet Files\Content.IE5\4XA7W967\index[2].htm 8/6/2006 1:49 PM 1.74 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Temporary Internet Files\Content.IE5\GDUBO9UR\Com_Mess;MN=93189867;wm=o;rm=1;am1=1;ua=20;ug=1;!c=d-dxp;sz=120x90;tile=1;dcove=d;ord=625092431[2] 8/6/2006 1:52 PM 491 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Temporary Internet Files\Content.IE5\GDUBO9UR\index[2].htm 8/5/2006 4:50 PM 1.74 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Temporary Internet Files\Content.IE5\SPE3KTIV\ctrt=4[2] 8/6/2006 1:52 PM 1.06 KB Hidden from Windows API.
C:\Documents and Settings\Dion.DERRIN-DION\Local Settings\Temporary Internet Files\Content.IE5\SPE3KTIV\jsc[1].html 8/6/2006 1:15 PM 105 bytes Visible in Windows API, but not in MFT or directory index.


Gmer log

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-06 14:38:13
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.10 ----

SSDT Vax347b.sys ZwClose
SSDT Vax347b.sys ZwCreateKey
SSDT Vax347b.sys ZwCreatePagingFile
SSDT Vax347b.sys ZwEnumerateKey
SSDT Vax347b.sys ZwEnumerateValueKey
SSDT Vax347b.sys ZwOpenKey
SSDT \??\C:\Program Files\ewido anti-malware\guard.sys ZwOpenProcess
SSDT Vax347b.sys ZwQueryKey
SSDT Vax347b.sys ZwQueryValueKey
SSDT Vax347b.sys ZwSetSystemPowerState
SSDT sptd.sys ZwSetValueKey
SSDT \??\C:\Program Files\ewido anti-malware\guard.sys ZwTerminateProcess

---- Devices - GMER 1.0.10 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 8678BEB0
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 867D6C78
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 862D4530
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_NAMED_PIPE 862D4530
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 862D4530
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 862D4530
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 862D4530
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_INFORMATION 862D4530
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_INFORMATION 862D4530
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_EA 862D4530
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_EA 862D4530
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 862D4530
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_VOLUME_INFORMATION 862D4530
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_VOLUME_INFORMATION 862D4530
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DIRECTORY_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FILE_SYSTEM_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 862D4530
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_LOCK_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLEANUP 862D4530
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_MAILSLOT 862D4530
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_SECURITY 862D4530
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_SECURITY 862D4530
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 862D4530
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CHANGE 862D4530
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_QUOTA 862D4530
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_QUOTA 862D4530
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 862D4530
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP_POWER 862D4530
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE 862979E0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_NAMED_PIPE 862979E0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLOSE 862979E0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 862979E0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_WRITE 86300290
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_INFORMATION 862979E0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_INFORMATION 862979E0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_EA 862979E0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_EA 862979E0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FLUSH_BUFFERS 862979E0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_VOLUME_INFORMATION 862979E0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_VOLUME_INFORMATION 862979E0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DIRECTORY_CONTROL 862979E0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FILE_SYSTEM_CONTROL 862979E0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CONTROL 862979E0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_INTERNAL_DEVICE_CONTROL 862979E0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SHUTDOWN 862979E0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_LOCK_CONTROL 862979E0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLEANUP 862979E0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_MAILSLOT 862979E0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_SECURITY 862979E0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_SECURITY 862979E0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_POWER 862979E0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SYSTEM_CONTROL 862979E0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CHANGE 862979E0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_QUOTA 862979E0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_QUOTA 862979E0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_PNP 862979E0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 862D4530
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_NAMED_PIPE 862D4530
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 862D4530
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 862D4530
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 862D4530
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_INFORMATION 862D4530
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_INFORMATION 862D4530
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_EA 862D4530
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_EA 862D4530
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 862D4530
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_VOLUME_INFORMATION 862D4530
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_VOLUME_INFORMATION 862D4530
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DIRECTORY_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FILE_SYSTEM_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 862D4530
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_LOCK_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLEANUP 862D4530
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_MAILSLOT 862D4530
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_SECURITY 862D4530
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_SECURITY 862D4530
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 862D4530
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CHANGE 862D4530
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_QUOTA 862D4530
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_QUOTA 862D4530
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 862D4530
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP_POWER 862D4530
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE 862D4530
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE_NAMED_PIPE 862D4530
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLOSE 862D4530
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_READ 862D4530
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_WRITE 862D4530
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_INFORMATION 862D4530
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_INFORMATION 862D4530
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_EA 862D4530
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_EA 862D4530
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FLUSH_BUFFERS 862D4530
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_VOLUME_INFORMATION 862D4530
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_VOLUME_INFORMATION 862D4530
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DIRECTORY_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FILE_SYSTEM_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_INTERNAL_DEVICE_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SHUTDOWN 862D4530
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_LOCK_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLEANUP 862D4530
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE_MAILSLOT 862D4530
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_SECURITY 862D4530
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_SECURITY 862D4530
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_POWER 862D4530
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SYSTEM_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CHANGE 862D4530
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_QUOTA 862D4530
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_QUOTA 862D4530
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_PNP 862D4530
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_PNP_POWER 862D4530
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_CREATE 862D4530
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_CREATE_NAMED_PIPE 862D4530
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_CLOSE 862D4530
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_READ 862D4530
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_WRITE 862D4530
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_QUERY_INFORMATION 862D4530
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_SET_INFORMATION 862D4530
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_QUERY_EA 862D4530
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_SET_EA 862D4530
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_FLUSH_BUFFERS 862D4530
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_QUERY_VOLUME_INFORMATION 862D4530
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_SET_VOLUME_INFORMATION 862D4530
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_DIRECTORY_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_FILE_SYSTEM_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_DEVICE_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_INTERNAL_DEVICE_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_SHUTDOWN 862D4530
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_LOCK_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_CLEANUP 862D4530
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_CREATE_MAILSLOT 862D4530
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_QUERY_SECURITY 862D4530
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_SET_SECURITY 862D4530
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_POWER 862D4530
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_SYSTEM_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_DEVICE_CHANGE 862D4530
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_QUERY_QUOTA 862D4530
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_SET_QUOTA 862D4530
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_PNP 862D4530
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_PNP_POWER 862D4530
Device \Driver\usbstor \Device\00000075 IRP_MJ_CREATE 8643FD88
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_CREATE 862D4530
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_CREATE_NAMED_PIPE 862D4530
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_CLOSE 862D4530
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_READ 862D4530
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_WRITE 862D4530
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_QUERY_INFORMATION 862D4530
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_SET_INFORMATION 862D4530
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_QUERY_EA 862D4530
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_SET_EA 862D4530
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_FLUSH_BUFFERS 862D4530
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_QUERY_VOLUME_INFORMATION 862D4530
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_SET_VOLUME_INFORMATION 862D4530
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_DIRECTORY_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_FILE_SYSTEM_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_DEVICE_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_INTERNAL_DEVICE_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_SHUTDOWN 862D4530
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_LOCK_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_CLEANUP 862D4530
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_CREATE_MAILSLOT 862D4530
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_QUERY_SECURITY 862D4530
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_SET_SECURITY 862D4530
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_POWER 862D4530
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_SYSTEM_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_DEVICE_CHANGE 862D4530
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_QUERY_QUOTA 862D4530
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_SET_QUOTA 862D4530
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_PNP 862D4530
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_PNP_POWER 862D4530
Device \Driver\usbstor \Device\00000076 IRP_MJ_CREATE 8643FD88
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_CREATE 862D4530
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_CREATE_NAMED_PIPE 862D4530
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_CLOSE 862D4530
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_READ 862D4530
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_WRITE 862D4530
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_QUERY_INFORMATION 862D4530
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_SET_INFORMATION 862D4530
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_QUERY_EA 862D4530
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_SET_EA 862D4530
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_FLUSH_BUFFERS 862D4530
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_QUERY_VOLUME_INFORMATION 862D4530
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_SET_VOLUME_INFORMATION 862D4530
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_DIRECTORY_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_FILE_SYSTEM_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_DEVICE_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_INTERNAL_DEVICE_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_SHUTDOWN 862D4530
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_LOCK_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_CLEANUP 862D4530
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_CREATE_MAILSLOT 862D4530
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_QUERY_SECURITY 862D4530
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_SET_SECURITY 862D4530
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_POWER 862D4530
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_SYSTEM_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_DEVICE_CHANGE 862D4530
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_QUERY_QUOTA 862D4530
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_SET_QUOTA 862D4530
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_PNP 862D4530
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_PNP_POWER 862D4530
Device \Driver\usbstor \Device\00000077 IRP_MJ_CREATE 8643FD88
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 86308EB0
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_CREATE 862D4530
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_CREATE_NAMED_PIPE 862D4530
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_CLOSE 862D4530
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_READ 862D4530
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_WRITE 862D4530
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_QUERY_INFORMATION 862D4530
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_SET_INFORMATION 862D4530
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_QUERY_EA 862D4530
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_SET_EA 862D4530
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_FLUSH_BUFFERS 862D4530
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_QUERY_VOLUME_INFORMATION 862D4530
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_SET_VOLUME_INFORMATION 862D4530
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_DIRECTORY_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_FILE_SYSTEM_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_DEVICE_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_INTERNAL_DEVICE_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_SHUTDOWN 862D4530
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_LOCK_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_CLEANUP 862D4530
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_CREATE_MAILSLOT 862D4530
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_QUERY_SECURITY 862D4530
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_SET_SECURITY 862D4530
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_POWER 862D4530
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_SYSTEM_CONTROL 862D4530
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_DEVICE_CHANGE 862D4530
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_QUERY_QUOTA 862D4530
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_SET_QUOTA 862D4530
D
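The "Device" lines above are the dispatch-table section of the posted rootkit-scanner log: one line per device object and IRP major function, ending in the address of the handler that entry points to. When reviewing such a log by hand the thing to check is whether every entry of a device's table points at the same routine (here every \Device\CdRomN entry resolves to 862D4530) or whether a single entry has been redirected somewhere else. The following is an added example, not code from the poster, from BleepingComputer or from the scanner; it parses lines in the format shown above, repairs the copy/paste glitch where two entries were fused into one token (IRP_MJ_CLOSEIRP_MJ_READ), and reports tables whose entries disagree. The \Driver\Example entries in the sample are constructed for the demonstration and are not in the original log.

```python
"""Parse the "Device" dispatch-table lines of a GMER-style rootkit log and
flag device objects whose IRP_MJ_* entries do not all share one handler."""
import re
from collections import defaultdict

# Constructed sample in the format of the log above. The Cdrom/usbstor/NetBT
# lines mirror the posted log; the \Driver\Example lines are made up to show
# a table whose entries disagree.
SAMPLE_LOG = r"""
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_CREATE 862D4530
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_CREATE_NAMED_PIPE 862D4530
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_CLOSEIRP_MJ_READ 862D4530
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_WRITE 862D4530
Device \Driver\usbstor \Device\00000077 IRP_MJ_CREATE 8643FD88
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 86308EB0
Device \Driver\Example \Device\Example0 IRP_MJ_CREATE 86400000
Device \Driver\Example \Device\Example0 IRP_MJ_DEVICE_CONTROL F7A1B000
"""

HEX_ADDR = re.compile(r"[0-9A-Fa-f]{8}")


def split_irp_tokens(token):
    """Split a token such as 'IRP_MJ_CLOSEIRP_MJ_READ' (two entries fused when
    the log was pasted) into ['IRP_MJ_CLOSE', 'IRP_MJ_READ']. A normal token
    comes back as a one-element list."""
    return [t for t in re.split(r"(?=IRP_MJ_)", token) if t]


def parse_device_hooks(text):
    """Return (driver, device, irp_major, handler) tuples for every 'Device'
    line; lines that do not fit the five-field layout are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "Device":
            continue
        _, driver, device, irp, addr = parts
        if not HEX_ADDR.fullmatch(addr):
            continue
        for irp_name in split_irp_tokens(irp):
            entries.append((driver, device, irp_name, addr.upper()))
    return entries


def dispatch_tables(entries):
    """Group entries into {(driver, device): {irp_major: handler}}."""
    tables = defaultdict(dict)
    for driver, device, irp, addr in entries:
        tables[(driver, device)][irp] = addr
    return dict(tables)


def find_inconsistent_tables(tables):
    """Return the (driver, device) keys whose entries point at more than one
    handler address. In the posted log every entry of a CdRom device shares
    one address; a table where one entry points elsewhere is the one to
    resolve to its owning module."""
    return sorted(k for k, t in tables.items() if len(set(t.values())) > 1)


def report(text):
    """Parse a log and return a summary dict: table count, the inconsistent
    tables, and for each of them the distinct handler addresses seen."""
    tables = dispatch_tables(parse_device_hooks(text))
    bad = find_inconsistent_tables(tables)
    return {
        "tables": len(tables),
        "inconsistent": bad,
        "handlers": {k: sorted(set(tables[k].values())) for k in bad},
    }


if __name__ == "__main__":
    for key, addrs in report(SAMPLE_LOG)["handlers"].items():
        print("mixed handlers in", key[0], key[1], "->", ", ".join(addrs))
```

To use it on the real log, save the post's "Device" section to a file and pass its contents to report(). The check is deliberately narrow: a uniform table tells you nothing about whether that one handler is legitimate, so the next step for any flagged (or simply unfamiliar) address is to find which loaded module contains it.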