
Google Search Hijacker


11 replies to this topic

#1 brianbecker

brianbecker

  • Members
  • 6 posts

Posted 29 September 2006 - 07:21 AM

Hello. I've come down with a bug that redirects my Google search results links (via the address 85.255.116.218/click.php) to unwanted sites like freewirelessworld.com, ads.clicksor.com, etc.

A Spybot scan turned up Pipas.A trojan, and a Panda Online scan found Ruins.A. Both were supposedly disinfected, but the problem persists. AdAware, AVG, and Trendmicro Housecall found nothing.

Any help would be greatly appreciated. Thanks!

Here's my HijackThis log:



Logfile of HijackThis v1.99.1
Scan saved at 8:14:24 AM, on 9/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\dxwizard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\odbc.exe
C:\WINDOWS\system32\ole2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RECGUARD] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1157157947593
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B79CD0E0-7DB7-4724-A9D0-ED3179536593}: NameServer = 85.255.115.19,85.255.112.71
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8523945-20FC-4075-9964-C53B86FA08C6}: NameServer = 85.255.115.19,85.255.112.71
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9F8C6DF-DD53-4D3A-A493-682CDE68B845}: NameServer = 85.255.115.19,85.255.112.71
O17 - HKLM\System\CCS\Services\Tcpip\..\{FDB83DC0-0CA4-4410-B45A-D2673252BD08}: NameServer = 85.255.115.19,85.255.112.71
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.19 85.255.112.71
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.19 85.255.112.71
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DirectX common - Unknown owner - C:\WINDOWS\system32\dxwizard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ODBC service - Unknown owner - C:\WINDOWS\system32\odbc.exe
O23 - Service: OLE multi config - Unknown owner - C:\WINDOWS\system32\ole2.exe
O23 - Service: Windows Media Connect Service (WMConnectCDS) - Unknown owner - C:\Program Files\Windows Media Connect 2\wmccds.exe (file missing)


#2 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 29 September 2006 - 11:26 AM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print-out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\system32\dxwizard.exe
C:\WINDOWS\system32\odbc.exe
C:\WINDOWS\system32\ole2.exe


Open 'File' in the Killbox menu on top and choose Paste from clipboard.
You must use the File menu; pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and ask if you would like to reboot now; click "Yes".
Click OK at any Pending File Rename Operations prompt, and let me know if these appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O17 - HKLM\System\CCS\Services\Tcpip\..\{B79CD0E0-7DB7-4724-A9D0-ED3179536593}: NameServer = 85.255.115.19,85.255.112.71
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8523945-20FC-4075-9964-C53B86FA08C6}: NameServer = 85.255.115.19,85.255.112.71
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9F8C6DF-DD53-4D3A-A493-682CDE68B845}: NameServer = 85.255.115.19,85.255.112.71
O17 - HKLM\System\CCS\Services\Tcpip\..\{FDB83DC0-0CA4-4410-B45A-D2673252BD08}: NameServer = 85.255.115.19,85.255.112.71
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.19 85.255.112.71
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.19 85.255.112.71
O23 - Service: DirectX common - Unknown owner - C:\WINDOWS\system32\dxwizard.exe
O23 - Service: ODBC service - Unknown owner - C:\WINDOWS\system32\odbc.exe
O23 - Service: OLE multi config - Unknown owner - C:\WINDOWS\system32\ole2.exe


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Go to Control Panel. If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to the next step.
  • Double-click the Network Connections icon
  • Right-click the Local Area Connection icon and select Properties.
  • Highlight Internet Protocol (TCP/IP) and click the Properties button.
  • Be sure Obtain DNS server address automatically is selected.
  • OK your way out.
Go to Start > Run and type in cmd
Click OK.
This will open a command prompt.
Type or copy and paste the following line in the command window:

ipconfig /flushdns

Hit Enter
Exit the command window

Open notepad and copy and paste next in it:

REM Stop each rogue service first, then remove its registration.
sc stop "DirectX common"
sc delete "DirectX common"
sc stop "ODBC service"
sc delete "ODBC service"
sc stop "OLE multi config"
sc delete "OLE multi config"

Save this as fix.bat
Choose to save as all files.
Doubleclick fix.bat and let the program run.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.

David
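As an added example (my own code, not from this thread, HijackThis or FixWareout), here is a small Python script that does the triage David did by eye on the log above: it parses the O17 lines, flags every NameServer outside the resolver networks you expect, and lists O23 services with no vendor string. The RFC 1918 allowlist, the third interface GUID and the 192.168.0.1 resolver in the sample are assumptions for the example.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread
or from HijackThis): flag O17 NameServer entries that point outside the DNS
resolvers you expect, and O23 services whose binary has no vendor string."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the layout HijackThis 1.99.1 prints. The first two
# lines reuse values from the thread; the third interface GUID and the
# 192.168.0.1 resolver are made up for the example.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{B79CD0E0-7DB7-4724-A9D0-ED3179536593}: NameServer = 85.255.115.19,85.255.112.71
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.19 85.255.112.71
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.0.1
O23 - Service: DirectX common - Unknown owner - C:\WINDOWS\system32\dxwizard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Resolver addresses that appear in this thread's O17 entries; used only to
# annotate a hit, not as the detection itself.
SEEN_IN_THREAD = {"85.255.115.19", "85.255.112.71"}

# Assumption for the example: DNS normally comes from a router on a private
# address, so anything outside RFC 1918 space deserves a look.
DEFAULT_ALLOWED = ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def parse_nameservers(log_text):
    """Return [(registry_key, [server, ...])] for every O17 line.

    HijackThis prints per-interface keys comma-separated and the global
    Tcpip\\Parameters keys space-separated, so split on either."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
            entries.append((m.group("key"), servers))
    return entries


def find_rogue_nameservers(log_text, allowed=DEFAULT_ALLOWED):
    """Flag each configured resolver that lies outside the allowed networks."""
    nets = [ip_network(n) for n in allowed]
    hits = []
    for key, servers in parse_nameservers(log_text):
        for server in servers:
            try:
                addr = ip_address(server)
            except ValueError:
                hits.append({"key": key, "server": server, "reason": "not an IP address"})
                continue
            if any(addr in net for net in nets):
                continue
            reason = "outside allowed resolver networks"
            if server in SEEN_IN_THREAD:
                reason += " (same address as in this thread)"
            hits.append({"key": key, "server": server, "reason": reason})
    return hits


def find_unknown_owner_services(log_text):
    """Return (service_name, path) for O23 services with no vendor string.

    A missing vendor is not proof of malware, but the three services David
    had removed all shared this trait, so they are worth a second look."""
    found = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if m and m.group("owner") == "Unknown owner":
            found.append((m.group("name"), m.group("path")))
    return found


def report(log_text, allowed=DEFAULT_ALLOWED):
    """Human-readable summary of both checks."""
    lines = []
    for hit in find_rogue_nameservers(log_text, allowed):
        lines.append(f"DNS  {hit['server']:<16} {hit['reason']}\n     {hit['key']}")
    for name, path in find_unknown_owner_services(log_text):
        lines.append(f"SVC  {name!r} has no vendor: {path}")
    return "\n".join(lines) if lines else "nothing flagged"


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a real log by reading the file into `report()`; the same two checks cover the follow-up logs later in this thread, where the O17 lines and the three unowned services are gone.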

#3 brianbecker

brianbecker
  • Topic Starter

  • Members
  • 6 posts

Posted 29 September 2006 - 04:37 PM

Okay, got through all the steps with no problems. I had to manually download and unzip BFU as part of the Fixwareout step, but other than that, everything seemed to go correctly. My Google searches aren't being redirected anymore, but now my first click on a search result link often yields a "This page cannot be displayed" error, whereas going back and clicking a second time brings up the appropriate site with no problem.

My Fixwareout report.txt:




Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6C26EAF0CBA9-9D6B-CE44-29E1-AF66FEF7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\cmzmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmzmc.exe"=-
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSCWI.EXE 51,730 2006-09-27
C:\WINDOWS\SYSTEM32\DMZMC.EXE 60,996 2004-08-04

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

And my new HijackThis:



Logfile of HijackThis v1.99.1
Scan saved at 5:27:25 PM, on 9/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\HJT\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RECGUARD] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1157157947593
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Windows Media Connect Service (WMConnectCDS) - Unknown owner - C:\Program Files\Windows Media Connect 2\wmccds.exe (file missing)

#4 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 29 September 2006 - 06:01 PM

Hello there,

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print-out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\SYSTEM32\CSCWI.EXE
C:\WINDOWS\SYSTEM32\DMZMC.EXE


Open 'File' in the Killbox menu on top and choose Paste from clipboard.
You must use the File menu; pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and ask if you would like to reboot now; click "Yes".
Click OK at any Pending File Rename Operations prompt, and let me know if these appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Click on start > run and type the following then hit enter:
sc delete WMConnectCDS

Malware like this normally never comes alone and there are probably infected files left on your computer.
Please visit Panda Online to carry out a virus scan.
Once you are on the Panda site click the Scan your PC button.
A new window will open...click the Check Now button.
Enter your personal details.
Click the big Scan Now button.
It will ask to install various content - please allow this.
It will start downloading the files it requires for the scan, which may take a while.
When download is complete, click on Local Disks to start the scan.
When the scan completes, click the See Report button.
Click Save Report and save the file to your desktop.
Post the contents of the report in your next reply, along with a new Hijackthis log.

David

#5 brianbecker

brianbecker
  • Topic Starter

  • Members
  • 6 posts

Posted 29 September 2006 - 07:02 PM

Done. I've found that my new connection problems aren't limited to Google searches. Manually entered addresses in Internet Explorer will also fail to connect until the second or third attempt, as do Favorites (including this page). Outlook Express and the Panda Online Scanner have problems as well, although Panda refreshed itself enough times to complete its scan and display its results.

The Panda scan:


Incident
Status
Location

Spyware:Cookie/Server.iad.Liveperson
Not disinfected
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@server.iad.liveperson[1].txt

Potentially unwanted tool:Application/KillApp.B
Not disinfected
C:\hp\bin\KillIt.exe



And a new HijackThis:


Logfile of HijackThis v1.99.1
Scan saved at 7:51:57 PM, on 9/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RECGUARD] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1157157947593
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Edited by brianbecker, 29 September 2006 - 07:02 PM.


#6 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 30 September 2006 - 03:21 AM

Hey there Brian.

I want you to clean your cache and cookies from your internet explorer.
There are a few infected files which need to be removed from your system.

° Close all instances of Internet Explorer .
° Go to your control panel and open "Internet Options".
° Click on the "General" tab.
° Click the "Delete Cookies" button, then the "Delete Files" button.
° When prompted, place a tick in the "Delete all offline content" box and click OK.

Next, let's try and repair the internet connection:
Go to start > run and type cmd
A DOS window will appear.
Type the following in the DOS window: netsh winsock reset
Hit enter and reboot.

See if the connection problem rectifies itself now.
Did this problem arise after running my first instructions?
Or was it there before hand?

#7 brianbecker

Posted 30 September 2006 - 07:29 AM

Hm. Still having the same connection issues.

I don't recall having these problems before I caught the Google redirect bug, so I imagine it probably has to do with that. I also installed a Netgear wireless G router (to which this computer is hardwired) shortly before I got the redirect virus, but everything seemed to be working fine when I first set it up.

Along with web pages and other services taking several attempts to connect, some pages don't show up correctly, i.e. frames not setting up properly, some images not loading, etc.


EDIT: I just unplugged and replugged my cable modem and router, and everything was working okay for ten minutes. Now, it's back to the same problems.

Edited by brianbecker, 30 September 2006 - 08:06 AM.


#8 -David-

Posted 30 September 2006 - 09:17 AM

I agree with you that this is most likely down to the Wareout infection that you had. The problem with this infection is that it messes around with your connection and often causes problems like this. Normally after running FixWareout and flushing the DNS the problem is rectified. I think that there are two things that we should do. Firstly I want to see if there are any leftover files from the infection left on the PC that might be causing the connection issues - there was a part of the infection that FixWareout was not able to catch that was circulating a while back, so we should check for that also.

Just a quick question: did you follow the two steps in my first post to you right after fixing the entries with HijackThis? This involved running the command "ipconfig /flushdns", and then making sure that "Obtain DNS server address automatically" was checked in your internet connection settings. It is possible that you missed this step, but nevertheless I would like you to try it again. You might also like to ring your ISP and check with them that everything is being sent to you OK; if you report the infection and the problems with the line they might be able to give you some help - they are probably the most knowledgeable people to talk to, I guess.

Ok, two scans I want to run.

Firstly let's run a rootkit/hidden process finder to confirm that the rootkit has been killed.

Download GMER from Here
Right Click the Zip and Select "Extract All"
Double Click gmer.exe to launch the program.
Click on the Rootkit Tab and then click Scan.
It takes a while to run, once complete, copy the results to notepad and save them somewhere safe.
Post those results in the next reply.

Next I want you to download Ewido, which is capable of removing Wareout leftovers.

Please download, install, and update Ewido anti-spyware
Load Ewido and then click the Update tab at the top.
Under Manual Update click Start update.

After the update finishes (the status bar at the bottom will display "Update successful")
Then click on the Scanner tab at the top.
Click the "Settings" tab and then change the recommended action to Quarantine.
Click Automatically generate report after every scan.
Click back to the "Scan" tab and then click on Complete System Scan.
This scan can take quite a while to run, so be prepared.
Ewido will list any infections found on the left hand side.

When the scan has finished, it will automatically set the recommended action.
Click the Apply all actions button.
Ewido will display "All actions have been applied" on the right hand side.
Click on "Save Report", then "Save Report As".
This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Close Ewido and reboot!!

So post that log and the Gmer log and we can move on from there.
Please keep me updated whether or not the connection quality changes.
David
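
The two repair steps David refers to across his posts (netsh winsock reset, ipconfig /flushdns, and putting the DNS server setting back to "Obtain DNS server address automatically") all target the same per-interface registry values. The script below is an added example for this thread, not code from any poster or from FixWareout, GMER or Ewido. It audits those values the way an analyst would on a batch of machines: Windows stores the DHCP-supplied resolvers in DhcpNameServer and any static override in NameServer under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}, and a DNS-changer only has to write NameServer. The interface GUIDs and the addresses in SAMPLE_INTERFACES are constructed for illustration; the live read uses the standard winreg module and only runs on Windows.

```python
r"""Audit per-interface DNS settings for a static override.

Added example for this thread, not code from any tool it names. Windows keeps
the 'Obtain DNS server address automatically' choice per interface under
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}:
'DhcpNameServer' holds what DHCP handed out and 'NameServer' holds a static
list that overrides it. A DNS-changer only has to write 'NameServer'.
The interface GUIDs and addresses in SAMPLE_INTERFACES are constructed.
"""
import ipaddress
import sys

# Constructed sample of the registry values the audit reads. Interface 1 is
# healthy (no static servers); interface 2 has a static list that silently
# replaces the DHCP-supplied resolver. 198.51.100.0/24 is a documentation
# range, used here as a stand-in for "some server you did not configure".
SAMPLE_INTERFACES = {
    "{11111111-0000-0000-0000-000000000001}": {
        "EnableDHCP": 1,
        "DhcpNameServer": "192.168.0.1",
        "NameServer": "",
    },
    "{22222222-0000-0000-0000-000000000002}": {
        "EnableDHCP": 1,
        "DhcpNameServer": "192.168.0.1",
        "NameServer": "198.51.100.7,198.51.100.8",
    },
}


def parse_servers(value):
    """The registry value is a comma- or space-separated list of addresses;
    anything that is not a valid IP address is ignored."""
    servers = []
    for tok in str(value).replace(",", " ").split():
        try:
            servers.append(str(ipaddress.ip_address(tok)))
        except ValueError:
            pass
    return servers


def audit_dns(interfaces):
    """Return one finding per interface whose static NameServer list is
    non-empty and differs from the DHCP-supplied list. That is exactly the
    state the 'Obtain DNS server address automatically' button repairs."""
    findings = []
    for guid, vals in interfaces.items():
        static = parse_servers(vals.get("NameServer", ""))
        dhcp = parse_servers(vals.get("DhcpNameServer", ""))
        if static and set(static) != set(dhcp):
            findings.append({
                "interface": guid,
                "dhcp_enabled": bool(vals.get("EnableDHCP", 0)),
                "static_dns": static,
                "dhcp_dns": dhcp,
            })
    return findings


def read_live_interfaces():
    """Collect the same three values from the live registry (Windows only)."""
    import winreg  # standard library, but only importable on Windows
    base = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        index = 0
        while True:
            try:
                guid = winreg.EnumKey(root, index)
            except OSError:
                break  # no more subkeys
            index += 1
            with winreg.OpenKey(root, guid) as key:
                vals = {}
                for name in ("EnableDHCP", "DhcpNameServer", "NameServer"):
                    try:
                        vals[name] = winreg.QueryValueEx(key, name)[0]
                    except OSError:
                        pass  # value absent on this interface
                result[guid] = vals
    return result


if __name__ == "__main__":
    data = read_live_interfaces() if sys.platform == "win32" else SAMPLE_INTERFACES
    for f in audit_dns(data):
        print(f"static DNS override on {f['interface']}: "
              f"static={f['static_dns']} dhcp={f['dhcp_dns']} "
              f"dhcp_enabled={f['dhcp_enabled']}")
    # After clearing an override, flush cached answers and reset the Winsock
    # catalog as the thread advises: ipconfig /flushdns, then
    # netsh winsock reset (the latter needs a reboot to take effect).
```

The audit deliberately reports a static list that merely duplicates the DHCP one as clean; the symptom worth chasing is a resolver the user never configured, which is why the comparison is against DhcpNameServer rather than against a fixed list of "bad" addresses.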

#9 brianbecker

Posted 30 September 2006 - 10:22 AM

I did get all those steps the first time around, but I did them again just in case. As far as the connection goes, I junked the router and returned to my original setup (one PC connected through cable modem only), and the connection is fine now.

Here's my GMER report:


GMER 1.0.11.11390 - http://www.gmer.net
Rootkit 2006-09-30 10:35:35
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.11 ----

SSDT sptd.sys ZwCreateKey
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT sptd.sys ZwOpenKey
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT sptd.sys ZwSetValueKey

---- Devices - GMER 1.0.11 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 89E14BF8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 89E14BF8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 89E14BF8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 89E14BF8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 89E14BF8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 89E14BF8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 89E14BF8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 89E14BF8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 89E14BF8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 89E14BF8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 89E14BF8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 89E14BF8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 89E14BF8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 89E14BF8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 89E14BF8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 89E14BF8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 89E14BF8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 89E14BF8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 89E14BF8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 89E14BF8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 89E14BF8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 89E14BF8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CREATE 8995F2F0
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CLOSE 8995F2F0
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_READ 8995F2F0
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_WRITE 8995F2F0
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_INFORMATION 8995F2F0
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_INFORMATION 8995F2F0
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_EA 8995F2F0
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_EA 8995F2F0
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FLUSH_BUFFERS 8995F2F0
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_VOLUME_INFORMATION 8995F2F0
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_VOLUME_INFORMATION 8995F2F0
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_DIRECTORY_CONTROL 8995F2F0
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FILE_SYSTEM_CONTROL 8995F2F0
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_DEVICE_CONTROL 8995F2F0
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SHUTDOWN 8995F2F0
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_LOCK_CONTROL 8995F2F0
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CLEANUP 8995F2F0
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_PNP 8995F2F0
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [BADB285A] avgtdi.sys
Device \Driver\00000045 \Device\00000048 IRP_MJ_POWER [BA6E3EA8] sptd.sys
Device \Driver\00000045 \Device\00000048 IRP_MJ_SYSTEM_CONTROL [BA6F7A70] sptd.sys
Device \Driver\00000045 \Device\00000048 IRP_MJ_PNP [BA6F0728] sptd.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [BADB285A] avgtdi.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 89E15948
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 89E15948
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE 89E15948
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS 89E15948
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL 89E15948
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL 89E15948
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN 89E15948
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP 89E15948
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER 89E15948
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL 89E15948
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_PNP 89E15948
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE 89E15948
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_READ 89E15948
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_WRITE 89E15948
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_FLUSH_BUFFERS 89E15948
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DEVICE_CONTROL 89E15948
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_INTERNAL_DEVICE_CONTROL 89E15948
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SHUTDOWN 89E15948
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CLEANUP 89E15948
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_POWER 89E15948
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SYSTEM_CONTROL 89E15948
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_PNP 89E15948
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 899130E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 899130E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 899130E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 899130E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 899130E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 899130E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 899130E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 899130E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 899130E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 899130E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 899130E8
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE 899FBBB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_NAMED_PIPE 899FBBB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLOSE 899FBBB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 899FBBB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_WRITE 899FBBB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_INFORMATION 899FBBB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_INFORMATION 899FBBB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_EA 899FBBB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_EA 899FBBB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FLUSH_BUFFERS 899FBBB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_VOLUME_INFORMATION 899FBBB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_VOLUME_INFORMATION 899FBBB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DIRECTORY_CONTROL 899FBBB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FILE_SYSTEM_CONTROL 899FBBB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CONTROL 899FBBB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_INTERNAL_DEVICE_CONTROL 899FBBB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SHUTDOWN 899FBBB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_LOCK_CONTROL 899FBBB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLEANUP 899FBBB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_MAILSLOT 899FBBB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_SECURITY 899FBBB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_SECURITY 899FBBB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_POWER 899FBBB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SYSTEM_CONTROL 899FBBB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CHANGE 899FBBB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_QUOTA 899FBBB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_QUOTA 899FBBB0
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CREATE 89E15948
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_READ 89E15948
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_WRITE 89E15948
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_FLUSH_BUFFERS 89E15948
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_DEVICE_CONTROL 89E15948
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_INTERNAL_DEVICE_CONTROL 89E15948
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SHUTDOWN 89E15948
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CLEANUP 89E15948
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_POWER 89E15948
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SYSTEM_CONTROL 89E15948
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_PNP 89E15948
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 899130E8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 899130E8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 899130E8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 899130E8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 899130E8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 899130E8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 899130E8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 899130E8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 899130E8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 899130E8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 899130E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 8995BDC0
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLOSE 8995BDC0
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_DEVICE_CONTROL 8995BDC0
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_INTERNAL_DEVICE_CONTROL 8995BDC0
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLEANUP 8995BDC0
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_PNP 8995BDC0
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 8995BDC0
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLOSE 8995BDC0
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_DEVICE_CONTROL 8995BDC0
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_INTERNAL_DEVICE_CONTROL 8995BDC0
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLEANUP 8995BDC0
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_PNP 8995BDC0
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [BADB285A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [BADB285A] avgtdi.sys
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CREATE 89E14EB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CLOSE 89E14EB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_READ 89E14EB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_WRITE 89E14EB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_FLUSH_BUFFERS 89E14EB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_DEVICE_CONTROL 89E14EB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_INTERNAL_DEVICE_CONTROL 89E14EB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_SHUTDOWN 89E14EB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_POWER 89E14EB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_SYSTEM_CONTROL 89E14EB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_PNP 89E14EB0
Device \Driver\Disk \Device\Harddisk1\DR1 IRP_MJ_CREATE 89E14EB0
Device \Driver\Disk \Device\Harddisk1\DR1 IRP_MJ_CLOSE 89E14EB0
Device \Driver\Disk \Device\Harddisk1\DR1 IRP_MJ_READ 89E14EB0
Device \Driver\Disk \Device\Harddisk1\DR1 IRP_MJ_WRITE 89E14EB0
Device \Driver\Disk \Device\Harddisk1\DR1 IRP_MJ_FLUSH_BUFFERS 89E14EB0
Device \Driver\Disk \Device\Harddisk1\DR1 IRP_MJ_DEVICE_CONTROL 89E14EB0
Device \Driver\Disk \Device\Harddisk1\DR1 IRP_MJ_INTERNAL_DEVICE_CONTROL 89E14EB0
Device \Driver\Disk \Device\Harddisk1\DR1 IRP_MJ_SHUTDOWN 89E14EB0
Device \Driver\Disk \Device\Harddisk1\DR1 IRP_MJ_POWER 89E14EB0
Device \Driver\Disk \Device\Harddisk1\DR1 IRP_MJ_SYSTEM_CONTROL 89E14EB0
Device \Driver\Disk \Device\Harddisk1\DR1 IRP_MJ_PNP 89E14EB0
Device \Driver\NetBT \Device\NetBT_Tcpip_{F9F8C6DF-DD53-4D3A-A493-682CDE68B845} IRP_MJ_CREATE 8995BDC0
Device \Driver\NetBT \Device\NetBT_Tcpip_{F9F8C6DF-DD53-4D3A-A493-682CDE68B845} IRP_MJ_CLOSE 8995BDC0
Device \Driver\NetBT \Device\NetBT_Tcpip_{F9F8C6DF-DD53-4D3A-A493-682CDE68B845} IRP_MJ_DEVICE_CONTROL 8995BDC0
Device \Driver\NetBT \Device\NetBT_Tcpip_{F9F8C6DF-DD53-4D3A-A493-682CDE68B845} IRP_MJ_INTERNAL_DEVICE_CONTROL 8995BDC0
Device \Driver\NetBT \Device\NetBT_Tcpip_{F9F8C6DF-DD53-4D3A-A493-682CDE68B845} IRP_MJ_CLEANUP 8995BDC0
Device \Driver\NetBT \Device\NetBT_Tcpip_{F9F8C6DF-DD53-4D3A-A493-682CDE68B845} IRP_MJ_PNP 8995BDC0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSE 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 898B80E8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [BADB285A] avgtdi.sys
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSE 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 898B80E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 898B80E8
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE 89A1A9A0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE_NAMED_PIPE 89A1A9A0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CLOSE 89A1A9A0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_READ 89A1A9A0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_WRITE 89A1A9A0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_INFORMATION 89A1A9A0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_SET_INFORMATION 89A1A9A0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_FLUSH_BUFFERS 89A1A9A0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_VOLUME_INFORMATION 89A1A9A0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_DIRECTORY_CONTROL 89A1A9A0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_FILE_SYSTEM_CONTROL 89A1A9A0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CLEANUP 89A1A9A0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_SECURITY 89A1A9A0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_SET_SECURITY 89A1A9A0
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 89E15948
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_READ 89E15948
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_WRITE 89E15948
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_FLUSH_BUFFERS 89E15948
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_DEVICE_CONTROL 89E15948
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_INTERNAL_DEVICE_CONTROL 89E15948
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SHUTDOWN 89E15948
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CLEANUP 89E15948
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_POWER 89E15948
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SYSTEM_CONTROL 89E15948
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_PNP 89E15948
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CREATE 899570E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CLOSE 899570E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_READ 899570E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_WRITE 899570E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_QUERY_INFORMATION 899570E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_SET_INFORMATION 899570E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_QUERY_VOLUME_INFORMATION 899570E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_DIRECTORY_CONTROL 899570E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_FILE_SYSTEM_CONTROL 899570E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CLEANUP 899570E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CREATE_MAILSLOT 899570E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_QUERY_SECURITY 899570E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_SET_SECURITY 899570E8
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port4Path0Target0Lun0 IRP_MJ_CREATE 89A33EB0
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port4Path0Target0Lun0 IRP_MJ_CLOSE 89A33EB0
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port4Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 89A33EB0
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port4Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 89A33EB0
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port4Path0Target0Lun0 IRP_MJ_POWER 89A33EB0
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port4Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL 89A33EB0
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port4Path0Target0Lun0 IRP_MJ_PNP 89A33EB0
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_CREATE 89A33EB0
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_CLOSE 89A33EB0
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_DEVICE_CONTROL 89A33EB0
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_INTERNAL_DEVICE_CONTROL 89A33EB0
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_POWER 89A33EB0
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_SYSTEM_CONTROL 89A33EB0
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_PNP 89A33EB0
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE 8995F2F0
Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE 8995F2F0
Device \FileSystem\Fastfat \Fat IRP_MJ_READ 8995F2F0
Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE 8995F2F0
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION 8995F2F0
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION 8995F2F0
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA 8995F2F0
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA 8995F2F0
Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS 8995F2F0
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION 8995F2F0
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION 8995F2F0
Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL 8995F2F0
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL 8995F2F0
Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL 8995F2F0
Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN 8995F2F0
Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL 8995F2F0
Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP 8995F2F0
Device \FileSystem\Fastfat \Fat IRP_MJ_PNP 8995F2F0
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 898B65C0
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE 898B65C0
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 898B65C0
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION 898B65C0
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION 898B65C0
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION 898B65C0
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL 898B65C0
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL 898B65C0
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL 898B65C0
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN 898B65C0
Device \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL 898B65C0
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP 898B65C0
Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP 898B65C0

---- Files - GMER 1.0.11 ----

ADS ...
ADS ...

---- EOF - GMER 1.0.11 ----



And my Ewido report:


---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:11:36 AM 9/30/2006

+ Scan result:



C:\Documents and Settings\HP_Owner\Cookies\hp_owner@e-2dj6wfkowhczcgq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@e-2dj6wfloeodzmlp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\!KillBox\dxwizard.exe -> Trojan.Agent.ye : Cleaned with backup (quarantined).
C:\!KillBox\odbc.exe -> Trojan.Agent.ye : Cleaned with backup (quarantined).
C:\!KillBox\ole2.exe -> Trojan.Agent.ye : Cleaned with backup (quarantined).


::Report end
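
The GMER log above is several hundred lines, and deciding that it is clean comes down to recognising which modules the SSDT and IRP hooks resolve to. The script below is an added example for this thread, not code from GMER or from any poster. It parses the two sections that matter (SSDT entries and Device dispatch entries), groups hooks by the module GMER attributed them to, counts the handlers GMER could not attribute to any module, and marks each hooking module as expected or worth investigating against an allow-list the analyst supplies. The allow-list is an assumption for this particular machine: sptd.sys is the disc-emulation driver (the log also lists its dtscsi devices) and avgtdi.sys is AVG's TDI network filter, both of which hook the kernel by design. The sample lines are copied from the log above except for the one naming `example_unknown.sys`, which is a hypothetical line added so the "investigate" path is exercised.

```python
"""Triage a GMER 'Rootkit' scan log.

Added example for this thread, not code from GMER or from any poster.
It groups SSDT and IRP-dispatch hooks by the module GMER resolved them to,
so an analyst can see which drivers patch the kernel and decide whether each
one is expected. KNOWN_BENIGN is an analyst assumption for this machine.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the GMER log in the thread, plus one
# hypothetical SSDT line (example_unknown.sys) for a module that is not on
# the allow-list.
SAMPLE_LOG = r"""
---- System - GMER 1.0.11 ----

SSDT sptd.sys ZwCreateKey
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT sptd.sys ZwOpenKey
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT sptd.sys ZwSetValueKey
SSDT example_unknown.sys ZwQueryDirectoryFile

---- Devices - GMER 1.0.11 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 89E14BF8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 89E14BF8
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [BADB285A] avgtdi.sys
Device \Driver\00000045 \Device\00000048 IRP_MJ_POWER [BA6E3EA8] sptd.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [BADB285A] avgtdi.sys
"""

# "System" section line:  SSDT <module> <Zw function>
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+(?P<func>Zw\w+)\s*$")

# "Devices" section line, either resolved to a module ("[addr] module.sys")
# or left as a bare handler address that GMER could not attribute.
DEVICE_RE = re.compile(
    r"^Device\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<irp>IRP_MJ_\w+)\s+"
    r"(?:\[(?P<addr_mod>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)|(?P<addr>[0-9A-Fa-f]+))\s*$"
)

# Analyst assumption for this machine: disc-emulation driver and AVG's TDI
# network filter. Anything else that hooks the kernel gets flagged.
KNOWN_BENIGN = {"sptd.sys", "avgtdi.sys"}


def parse_gmer(log_text):
    """Return (hooks, unresolved): hooks maps module -> [(kind, target)],
    unresolved maps driver -> number of IRP handlers with no module name."""
    hooks = defaultdict(list)
    unresolved = defaultdict(int)
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            hooks[m["module"]].append(("SSDT", m["func"]))
            continue
        m = DEVICE_RE.match(line)
        if m:
            if m["module"]:
                hooks[m["module"]].append(("IRP", f"{m['device']} {m['irp']}"))
            else:
                unresolved[m["driver"]] += 1
    return dict(hooks), dict(unresolved)


def triage(log_text, benign=KNOWN_BENIGN):
    """Classify every hooking module as 'expected' or 'investigate'."""
    hooks, unresolved = parse_gmer(log_text)
    verdict = {}
    for module, entries in hooks.items():
        ssdt = sum(1 for kind, _ in entries if kind == "SSDT")
        irp = sum(1 for kind, _ in entries if kind == "IRP")
        verdict[module] = {
            "ssdt_hooks": ssdt,
            "irp_hooks": irp,
            "status": "expected" if module.lower() in benign else "investigate",
        }
    return verdict, unresolved


def report(log_text):
    """Human-readable summary, one line per module plus unresolved counts."""
    verdict, unresolved = triage(log_text)
    lines = [f"{v['status']:11} {mod:22} SSDT={v['ssdt_hooks']} IRP={v['irp_hooks']}"
             for mod, v in sorted(verdict.items())]
    lines += [f"unresolved  {drv:22} {n} IRP handler(s) without a module name"
              for drv, n in sorted(unresolved.items())]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against a full GMER log the report collapses hundreds of device lines into a handful of modules; the bare-address handlers are listed separately because they are the ones that need a follow-up (GMER's own module view, or a later scan) rather than a verdict from this script.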

#10 -David-

Posted 30 September 2006 - 10:38 AM

Great to hear that the connection has settled down, even if it meant removing the router.
The GMER log you posted was clean which is a good sign but I want to check one last thing.

Run HijackThis, click on Open the Misc Tools Section
Click on Open ADS Spy
uncheck the "Quick Scan"
Check the "Ignore safe system info data streams"
Finally, click Scan button. ADS Spy will scan the system and report all the ADS present in the system.
Click Save log and post the ADS log back here.

If it doesn't find anything then just let me know anyway.
How is the PC running now?

#11 brianbecker

Posted 30 September 2006 - 10:49 AM

ADS Spy didn't find anything. The computer is running very well now, no connection or browser issues as far as I can tell. The router is no big loss. It was free from a friend. If I ever want to get a network going, I'll buy a new router that actually comes with the proper setup CD. :thumbsup:

Thank you very much for all your help on this!

#12 -David-

Posted 30 September 2006 - 10:57 AM

Glad I could help! :thumbsup:
The latest log is looking clean!
Follow this list and your potential for being infected again will be reduced dramatically.

Use an Anti Virus Software -
* It is very important that your computer has an anti-virus software running on your machine.
* This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online and stand-alone anti-virus programs:
* Click here for more information on -> Computer Safety On line - Anti-Virus
* I would recommend Grisoft's AVG or AVAST.
* These are the more secure and better ones.

Update your Anti Virus Software - It is imperative that you update your anti virus software at least once a week (even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall -
* I can not stress how important it is that you use a Firewall on your computer.
* Without a firewall your computer is susceptible to being hacked and taken over.
* Simply using a Firewall in its default configuration can lower your risk greatly.
* For an article on Firewalls and a listing of some available ones see the link below:
* Click here for more information on -> Computer Safety On line - Software Firewalls
* I would recommend ZoneAlarm as a firewall as it's easy to use.

Visit Microsoft's Windows Update Site Frequently -
* It is important that you visit http://www.windowsupdate.com regularly.
* This will ensure your computer has always the latest security updates available installed on your computer.
* If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly

Install Spybot© - Search and Destroy- Install and download Spybot - Search and Destroy with its TeaTimer option.
* This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.
* You should also scan your computer with the program on a regular basis just as you would with anti virus software.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Lavasofts© Ad-Aware - Install and download Ad-Aware.
* You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Javacools© SpywareBlaster -
* SpywareBlaster will add a large list of programs and sites to your Internet Explorer and Firefox settings that will protect you from running and downloading known malicious programs.
* An article on anti-malware products with links for this program and others can be found here:
* Click here for more info -->Computer Safety on line - Anti-Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.

If you have any additional questions just ask...
David
