
Generic3.kiz


15 replies to this topic

#1 foogan (Members, 10 posts)

Posted 09 May 2007 - 04:43 AM

I started getting this problem a couple months ago. About once or twice a day, I get a "threat detected" notification from AVG, and I click "heal" and it goes away. It's always called "trojan horse generic3.kiz"

I have absolutely no symptoms of any infection, other than the AVG notifications. No hijacks, windows errors, popups, slowdowns, or any general shenanigans. My system runs smoother than a baby's ass.

I'm posting my hijackthis log, and a list of what's in my AVG vault, and maybe somebody can tell me what I have.

AVG vault:

Trojan horse Generic3.KIZ C:\WINDOWS\Web\printers\urldoc.dll 4/25/2007 6:01:15 PM urldoc.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\Web\printers\dvdas.dll 4/2/2007 7:41:10 PM dvdas.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\system\util.dll 4/15/2007 8:14:41 PM util.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\system\svrap.dll 4/21/2007 7:16:28 PM svrap.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\system\mfcwin.dll 4/23/2007 3:29:37 AM mfcwin.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\system\eulareg.dll 3/29/2007 1:58:57 PM eulareg.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\system\dosbas.dll 5/1/2007 8:30:44 AM dosbas.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\system\accdoc.dll 4/3/2007 8:27:58 PM accdoc.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\security\templates\vbimg.dll 4/10/2007 4:20:29 PM vbimg.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\security\templates\olerun.dll 5/2/2007 4:58:27 PM olerun.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\repair\taskdrv.dll 4/7/2007 8:12:32 AM taskdrv.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\Registration\CRMLog\vbdisk.dll 5/8/2007 6:16:41 AM vbdisk.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\Registration\binkb.dll 4/10/2007 3:24:18 AM binkb.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\msagent\tasksrv.dll 5/4/2007 5:20:05 PM tasksrv.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\msagent\chars\cabwave.dll 4/20/2007 6:56:23 PM cabwave.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\Microsoft.NET\Framework\svcdns.dll 5/5/2007 5:43:31 PM svcdns.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\Microsoft.NET\Framework\maindisk.dll 4/23/2007 3:29:37 AM maindisk.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\Microsoft.NET\accap.dll 4/13/2007 3:24:32 AM accap.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\java\trustlib\cdisk.dll 4/19/2007 6:48:42 PM cdisk.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\java\keybak.dll 4/6/2007 1:36:45 AM keybak.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\inf\ipeula.dll 4/3/2007 8:28:00 PM ipeula.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\inf\IEM\unlib.dll 4/18/2007 12:36:33 PM unlib.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\Help\Tours\vgaun.dll 4/13/2007 5:12:16 PM vgaun.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\Fonts\vsss.dll 4/13/2007 3:24:32 AM vsss.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\Fonts\hard.dll 4/11/2007 5:07:02 PM hard.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\Fonts\dllbak.dll 3/29/2007 2:42:46 PM dllbak.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\Fonts\diskmp3.dll 4/1/2007 5:12:43 PM diskmp3.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\Fonts\cabjava.dll 4/28/2007 3:30:58 AM cabjava.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\Fonts\cabav.dll 4/16/2007 11:14:59 PM cabav.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\Driver Cache\main.dll 5/1/2007 8:30:48 AM main.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\Driver Cache\i386\maincab.dll 5/9/2007 6:18:29 AM maincab.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\Driver Cache\i386\keymc.dll 4/5/2007 1:01:07 AM keymc.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\Driver Cache\i386\cmdftp.dll 4/29/2007 8:05:03 PM cmdftp.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\AppPatch\wins.dll 4/28/2007 4:56:56 PM wins.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\AppPatch\sysdb.dll 5/3/2007 5:16:59 PM sysdb.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\AppPatch\svrdos.dll 4/14/2007 7:20:49 PM svrdos.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\AppPatch\skey.dll 4/24/2007 12:04:53 PM skey.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\AppPatch\cabkb.dll 5/7/2007 6:03:36 AM cabkb.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\addins\mfcdoc.dll 3/31/2007 4:30:37 PM mfcdoc.dll 692 KB
Trojan horse Generic3.KIZ C:\System Volume Information\_restore{30906A75-2B32-4DF3-A24B-4B4F624783A1}\RP43\A0009078.dll 3/30/2007 3:29:09 AM A0009078.dll 692 KB
Trojan horse Generic3.KIZ C:\Documents and Settings\Foog\Local Settings\Temporary Internet Files\Content.IE5\YQJ8UQLT\esys[1].dll 4/22/2007 3:29:09 AM esys[1].dll 692 KB
Trojan horse Generic3.KIZ C:\Documents and Settings\Foog\Local Settings\Temporary Internet Files\Content.IE5\YQJ8UQLT\esys[1].dll 4/20/2007 3:28:56 AM esys[1].dll 692 KB
Trojan horse Generic3.KIZ C:\Documents and Settings\Foog\Local Settings\Temporary Internet Files\Content.IE5\YQJ8UQLT\esys[1].dll 4/14/2007 3:30:12 AM esys[1].dll 692 KB
Trojan horse Generic3.KIZ C:\Documents and Settings\Foog\Local Settings\Temporary Internet Files\Content.IE5\ULW6L6FT\esys[1].dll 4/12/2007 3:24:10 AM esys[1].dll 692 KB
Trojan horse Generic3.KIZ C:\Documents and Settings\Foog\Local Settings\Temporary Internet Files\Content.IE5\ULW6L6FT\esys[1].dll 4/19/2007 3:30:57 AM esys[1].dll 692 KB
Trojan horse Generic3.KIZ C:\Documents and Settings\Foog\Local Settings\Temporary Internet Files\Content.IE5\ULW6L6FT\esys[1].dll 4/21/2007 3:29:08 AM esys[1].dll 692 KB
Trojan horse Generic3.KIZ C:\Documents and Settings\Foog\Local Settings\Temporary Internet Files\Content.IE5\ULW6L6FT\esys[1].dll 4/11/2007 3:24:13 AM esys[1].dll 692 KB
Trojan horse Generic3.KIZ C:\Documents and Settings\Foog\Local Settings\Temporary Internet Files\Content.IE5\TFODPLCJ\esys[1].dll 4/5/2007 3:26:49 AM esys[1].dll 692 KB
Trojan horse Generic3.KIZ C:\Documents and Settings\Foog\Local Settings\Temporary Internet Files\Content.IE5\S0G2TB7I\esys[2].dll 4/4/2007 3:25:50 AM esys[2].dll 692 KB
Trojan horse Generic3.KIZ C:\Documents and Settings\Foog\Local Settings\Temporary Internet Files\Content.IE5\S0G2TB7I\esys[1].dll 4/8/2007 3:23:45 AM esys[1].dll 692 KB
Trojan horse Generic3.KIZ C:\Documents and Settings\Foog\Local Settings\Temporary Internet Files\Content.IE5\S0G2TB7I\esys[1].dll 4/3/2007 3:43:30 AM esys[1].dll 692 KB
Trojan horse Generic3.KIZ C:\Documents and Settings\Foog\Local Settings\Temporary Internet Files\Content.IE5\S0G2TB7I\esys[1].dll 4/6/2007 3:26:19 AM esys[1].dll 692 KB
Trojan horse Generic3.KIZ C:\Documents and Settings\Foog\Local Settings\Temporary Internet Files\Content.IE5\O2HSIE7P\esys[1].dll 4/16/2007 3:28:54 AM esys[1].dll 692 KB
Trojan horse Generic3.KIZ C:\Documents and Settings\Foog\Local Settings\Temporary Internet Files\Content.IE5\O2HSIE7P\esys[1].dll 4/15/2007 3:28:38 AM esys[1].dll 692 KB
Trojan horse Generic3.KIZ C:\Documents and Settings\Foog\Local Settings\Temporary Internet Files\Content.IE5\NDWHKY6C\esys[1].dll 4/25/2007 3:29:32 AM esys[1].dll 692 KB
Trojan horse Generic3.KIZ C:\Documents and Settings\Foog\Local Settings\Temporary Internet Files\Content.IE5\NDWHKY6C\esys[1].dll 5/8/2007 3:30:17 AM esys[1].dll 692 KB
Trojan horse Generic3.KIZ C:\Documents and Settings\Foog\Local Settings\Temporary Internet Files\Content.IE5\MJY7DBDL\esys[1].dll 4/23/2007 3:29:37 AM esys[1].dll 692 KB
Trojan horse Generic3.KIZ C:\Documents and Settings\Foog\Local Settings\Temporary Internet Files\Content.IE5\MJY7DBDL\esys[1].dll 4/1/2007 3:28:41 AM esys[1].dll 692 KB
Trojan horse Generic3.KIZ C:\Documents and Settings\Foog\Local Settings\Temporary Internet Files\Content.IE5\KIGZ3EFB\esys[1].dll 3/29/2007 1:58:50 PM esys[1].dll 692 KB
Trojan horse Generic3.KIZ C:\Documents and Settings\Foog\Local Settings\Temporary Internet Files\Content.IE5\FMNKSW5A\esys[1].dll 4/17/2007 3:30:10 AM esys[1].dll 692 KB
Trojan horse Generic3.KIZ C:\Documents and Settings\Foog\Local Settings\Temporary Internet Files\Content.IE5\FMNKSW5A\esys[1].dll 4/13/2007 3:24:32 AM esys[1].dll 692 KB
Trojan horse Generic3.KIZ C:\Documents and Settings\Foog\Local Settings\Temporary Internet Files\Content.IE5\4D6DC7Y2\esys[1].dll 4/26/2007 3:29:46 AM esys[1].dll 692 KB
Trojan horse Generic3.KIZ C:\Documents and Settings\Foog\Local Settings\Temporary Internet Files\Content.IE5\4D6DC7Y2\esys[1].dll 4/30/2007 3:30:04 AM esys[1].dll 692 KB
Trojan horse Generic3.KIZ C:\Documents and Settings\Foog\Local Settings\Temporary Internet Files\Content.IE5\4D6DC7Y2\esys[1].dll 4/28/2007 3:30:58 AM esys[1].dll 692 KB
Trojan horse Generic3.KIZ C:\Documents and Settings\Foog\Local Settings\Temporary Internet Files\Content.IE5\4D6DC7Y2\esys[1].dll 5/5/2007 3:30:15 AM esys[1].dll 692 KB
Trojan horse Generic3.KIZ C:\Documents and Settings\Foog\Local Settings\Temporary Internet Files\Content.IE5\2A9REH9Z\esys[1].dll 5/4/2007 3:30:25 AM esys[1].dll 692 KB
Trojan horse Generic3.KIZ C:\Documents and Settings\Foog\Local Settings\Temporary Internet Files\Content.IE5\2A9REH9Z\esys[1].dll 5/2/2007 3:29:34 AM esys[1].dll 692 KB
Trojan horse Generic3.KIZ C:\Documents and Settings\Foog\Local Settings\Temporary Internet Files\Content.IE5\2A9REH9Z\esys[1].dll 4/29/2007 3:29:36 AM esys[1].dll 692 KB
Trojan horse Generic3.KIZ C:\Documents and Settings\Foog\Local Settings\Temporary Internet Files\Content.IE5\2A9REH9Z\esys[1].dll 5/3/2007 3:30:02 AM esys[1].dll 692 KB
Trojan horse Generic3.KIZ C:\Documents and Settings\Foog\Local Settings\Temporary Internet Files\Content.IE5\1K2WL5V8\esys[1].dll 5/6/2007 3:30:21 AM esys[1].dll 692 KB


Logfile of HijackThis v1.99.1
Scan saved at 6:13:29 AM, on 5/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Rage3DTweak\RegTwk.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\rage3dtweak\gameutil.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\mom.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\window~2\wmplayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\system32\pmnll.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [RegTweak] C:\Program Files\Rage3DTweak\RegTwk.exe
O4 - HKLM\..\Run: [Clocks] RunDll32.exe OCpp.dll,SetClocks 391.50 366.75
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: gameutil.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\..\{12DC6EAD-723C-41AA-BB6F-7475AA0A4124}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{467ED177-0088-41DE-8004-7D9E4EFC02ED}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{12DC6EAD-723C-41AA-BB6F-7475AA0A4124}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{12DC6EAD-723C-41AA-BB6F-7475AA0A4124}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: pmnll - C:\WINDOWS\SYSTEM32\pmnll.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

Edited by foogan, 09 May 2007 - 04:43 AM.
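Two things in the post above are worth pulling out of the raw logs mechanically: every AVG vault entry reports the same 692 KB size and lands in an odd subfolder of C:\WINDOWS (Fonts, AppPatch, Driver Cache) or in the IE cache, and the HijackThis log lists one DLL, pmnll.dll, both as an unnamed BHO (O2) and as a Winlogon Notify package (O20). The script below is an added example for this thread, not code from BleepingComputer, AVG or HijackThis; the line formats it parses are assumptions read off the posted logs, and the sample input is a constructed subset copied from those logs. It goes slightly beyond the post by also reporting the hour-of-day histogram of the IE-cache hits, which is what you would correlate against scheduled tasks and startup entries.

```python
"""Triage helpers for the AVG vault list and the HijackThis lines in post #1.

Added example for this thread; it is not code from BleepingComputer, AVG or
HijackThis. The line formats are assumptions read off the posted logs, and
the sample input is a constructed subset copied from those logs.
"""
import re
from collections import Counter
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed sample: six of the AVG vault lines from the post above.
VAULT_SAMPLE = r"""
Trojan horse Generic3.KIZ C:\WINDOWS\Web\printers\urldoc.dll 4/25/2007 6:01:15 PM urldoc.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\system\util.dll 4/15/2007 8:14:41 PM util.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\Fonts\vsss.dll 4/13/2007 3:24:32 AM vsss.dll 692 KB
Trojan horse Generic3.KIZ C:\WINDOWS\Driver Cache\i386\keymc.dll 4/5/2007 1:01:07 AM keymc.dll 692 KB
Trojan horse Generic3.KIZ C:\Documents and Settings\Foog\Local Settings\Temporary Internet Files\Content.IE5\YQJ8UQLT\esys[1].dll 4/22/2007 3:29:09 AM esys[1].dll 692 KB
Trojan horse Generic3.KIZ C:\Documents and Settings\Foog\Local Settings\Temporary Internet Files\Content.IE5\ULW6L6FT\esys[1].dll 4/12/2007 3:24:10 AM esys[1].dll 692 KB
"""

# Constructed sample: the relevant O2/O20 lines from the HijackThis log above.
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - C:\WINDOWS\system32\pmnll.dll
O20 - Winlogon Notify: pmnll - C:\WINDOWS\SYSTEM32\pmnll.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Assumed AVG vault layout: "<threat> <path> <m/d/yyyy h:mm:ss AM|PM> <name> <size> KB".
VAULT_RE = re.compile(
    r"^(?P<threat>.+?) (?P<path>[A-Za-z]:\\.+?) "
    r"(?P<stamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<name>\S+) (?P<size>\d+) KB$"
)
# Assumed HijackThis layouts for the two entry types we care about.
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<target>.*)$")


def parse_vault(text):
    """Parse AVG vault lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = VAULT_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "threat": m["threat"],
            "path": PureWindowsPath(m["path"]),
            "when": datetime.strptime(m["stamp"], "%m/%d/%Y %I:%M:%S %p"),
            "size_kb": int(m["size"]),
        })
    return entries


def size_clusters(entries):
    """Detections per reported size. Dozens of differently named files with one
    exact size is a strong hint they are copies of a single dropped binary."""
    return Counter(e["size_kb"] for e in entries)


def drop_directories(entries, root="C:\\WINDOWS"):
    """Directories under `root` that received a detected file, with counts."""
    root_p = PureWindowsPath(root)
    counts = Counter()
    for e in entries:
        parent = e["path"].parent
        if parent == root_p or root_p in parent.parents:
            counts[str(parent)] += 1
    return counts


def cache_fetch_hours(entries, marker="Content.IE5"):
    """Hour-of-day histogram for detections inside the IE cache; repeated hits
    at the same hour are what you correlate with scheduled tasks and autostarts."""
    return Counter(e["when"].hour for e in entries
                   if marker.lower() in str(e["path"]).lower())


def unnamed_bhos(text):
    """BHOs that HijackThis lists as '(no name)' but that still point at a file."""
    found = []
    for line in text.splitlines():
        m = BHO_RE.match(line.strip())
        if m and m["name"] == "(no name)" and m["target"] != "(no file)":
            found.append(PureWindowsPath(m["target"]).name)
    return found


def bho_winlogon_overlap(text):
    """DLL basenames registered both as an IE BHO and as a Winlogon Notify
    package, i.e. loaded by Internet Explorer and by winlogon.exe."""
    bho, notify = set(), set()
    for line in text.splitlines():
        m = BHO_RE.match(line.strip())
        if m and m["target"] != "(no file)":
            bho.add(PureWindowsPath(m["target"]).name.lower())
        m = NOTIFY_RE.match(line.strip())
        if m:
            notify.add(PureWindowsPath(m["target"]).name.lower())
    return sorted(bho & notify)


if __name__ == "__main__":
    entries = parse_vault(VAULT_SAMPLE)
    print("detections by size (KB):", dict(size_clusters(entries)))
    print("drop directories under C:\\WINDOWS:", dict(drop_directories(entries)))
    print("IE-cache hits by hour:", dict(cache_fetch_hours(entries)))
    print("unnamed BHOs with a file:", unnamed_bhos(HJT_SAMPLE))
    print("BHO + Winlogon Notify overlap:", bho_winlogon_overlap(HJT_SAMPLE))
```

On the full vault list from the post every entry falls into the single 692 KB cluster, and the overlap check returns pmnll.dll, the same file the ComboFix log in post #3 shows being removed.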




#2 Jintan (Malware Response Team, 531 posts)

Posted 14 May 2007 - 06:31 PM

Howdy foogan,


Welcome to BleepingComputer. Your smooth child's bottom system (family access forum of course) has at least a Vundo infection attached to it, so let's see about some repairs on that and the other issue.



Download ComboFix.exe from here to your desktop, and click the downloaded file to run the repair.

When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

-----------------------------------------------

Disable your antivirus program and go here (be sure to re-enable it after the scan completes) and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and take a break for a while.

When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All. Then copy/paste that log back here.


--------------------------------------------------

Then go Here and download Silent Runners to your desktop. Run it, and post back here the log it creates. If your AV queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify when the scan is complete. Copy the log from the Startup Programs file back here, along with the ComboFix log, the BitDefender log and a new HijackThis scan please. You can use separate posts here if needed.
Ad eundum quo no duck ante iit

#3 foogan (Topic Starter, Members, 10 posts)

Posted 15 May 2007 - 04:13 AM

Here's the log from combofix. I am leaving for work soon, and will post the other logs when I get home, if they're not done in time.

"Foog" - 2007-05-15 6:04:03 Service Pack 2
ComboFix 07-05.13.V - Running from: "C:\Documents and Settings\Foog\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\pmnll.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\drivers\sfsync02.sys


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_SFSYNC02
-------\sfsync02


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-15 ))))))))))))))))))))))))))))))))))


2007-05-15 06:04 0 --a------ C:\WINDOWS\system32\sfsync02.dll
2007-05-09 06:12 <DIR> d-------- C:\HijackThis
2007-05-08 20:06 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-05-08 19:54 86,016 --a------ C:\WINDOWS\unvise32.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-18 19:46:24 -------- d-----w C:\DOCUME~1\Foog\APPLIC~1\Cyberlink
2007-04-01 21:06:27 -------- d-----w C:\Program Files\Prime95
2007-03-28 19:02:45 -------- d-----w C:\DOCUME~1\Foog\APPLIC~1\Ahead
2007-03-28 16:49:24 -------- d-----w C:\Program Files\Common Files\Invictus
2007-03-28 02:12:17 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-03-28 00:43:03 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-03-27 18:35:16 -------- d-----w C:\Program Files\Snapshot Viewer
2007-03-27 18:34:19 646,392 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-03-27 18:33:59 -------- d-----w C:\DOCUME~1\Foog\APPLIC~1\Microsoft Web Folders
2007-03-27 18:33:47 -------- d-----w C:\Program Files\microsoft frontpage
2007-03-27 18:11:53 671 ----a-w C:\WINDOWS\mozver.dat
2007-03-27 18:09:47 -------- d-----w C:\Program Files\Azureus
2007-03-27 17:51:28 -------- d-----w C:\Program Files\Ahead
2007-03-27 17:51:19 -------- d-----w C:\Program Files\Common Files\Ahead
2007-03-27 17:50:06 -------- d-----w C:\Program Files\CyberLink DVD Solution
2007-03-27 17:49:42 -------- d-----w C:\Program Files\CyberLink
2007-03-27 17:20:28 -------- d-----w C:\Program Files\WCPUID
2007-03-27 17:19:02 -------- d-----w C:\Program Files\Belarc
2007-03-27 17:18:35 -------- d-----w C:\Program Files\PerformanceTest
2007-03-27 17:15:38 624,725 --sha-w C:\WINDOWS\system32\rsetup.exe
2007-03-27 17:12:50 -------- d-----w C:\Program Files\Motherboard Monitor 5
2007-03-27 17:09:28 -------- d-----w C:\Program Files\Ligos
2007-03-27 17:05:39 -------- d-----w C:\Program Files\Alcohol Soft
2007-03-27 16:57:52 -------- d-----w C:\Program Files\PowerISO
2007-03-27 16:28:57 -------- d-----w C:\DOCUME~1\Foog\APPLIC~1\Lavasoft
2007-03-27 16:28:54 -------- d-----w C:\Program Files\Lavasoft
2007-03-27 16:28:36 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-03-27 15:25:12 -------- d-----w C:\Program Files\FolderSize
2007-03-27 07:59:32 -------- d-----w C:\Program Files\Rage3DTweak
2007-03-27 07:21:11 -------- d-----w C:\DOCUME~1\Foog\APPLIC~1\ATI
2007-03-27 07:19:14 -------- d-----w C:\Program Files\ATI Technologies
2007-03-27 05:16:19 -------- d-----w C:\Program Files\Messenger
2007-03-27 05:03:36 -------- d-----w C:\Program Files\Common Files\Logitech
2007-03-27 05:03:35 -------- d-----w C:\Program Files\Logitech
2007-03-27 04:50:42 0 --sha-r C:\MSDOS.SYS
2007-03-27 04:50:42 0 --sha-r C:\IO.SYS
2007-03-27 04:50:42 0 ----a-w C:\CONFIG.SYS
2007-03-27 04:50:42 0 ----a-w C:\AUTOEXEC.BAT
2007-03-27 04:49:41 -------- d--h--w C:\Program Files\WindowsUpdate
2007-03-27 04:48:42 -------- d-----w C:\Program Files\Common Files\MSSoap
2007-03-27 04:48:31 -------- d-----w C:\Program Files\Movie Maker
2007-03-27 04:47:57 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-03-27 04:47:23 -------- d-----w C:\Program Files\Online Services
2007-03-27 04:47:14 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-03-27 04:47:03 -------- d-----w C:\Program Files\Windows NT
2007-03-27 04:46:57 -------- d-----w C:\Program Files\Creative
2007-03-27 04:45:50 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-03-27 04:45:50 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2007-03-27 04:45:44 -------- d-----w C:\DOCUME~1\Foog\APPLIC~1\Creative
2007-03-27 04:23:33 -------- d-----w C:\Program Files\ATI
2007-03-27 04:18:48 -------- d-----w C:\Program Files\MSN Messenger
2007-03-27 04:17:08 -------- d-----w C:\DOCUME~1\Foog\APPLIC~1\Talkback
2007-03-27 04:17:04 0 ----a-w C:\WINDOWS\nsreg.dat
2007-03-27 00:44:37 -------- d-----w C:\Program Files\Common Files\ODBC
2007-03-27 00:44:34 -------- d-----w C:\Program Files\Common Files\SpeechEngines
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 21:33]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"CTHelper"="CTHELPER.EXE"
"CTxfiHlp"="CTXFIHLP.EXE"
"zBrowser Launcher"="C:\\Program Files\\Logitech\\iTouch\\iTouch.exe"
"RegTweak"="C:\\Program Files\\Rage3DTweak\\RegTwk.exe"
"Clocks"="RunDll32.exe OCpp.dll,SetClocks 391.50 366.75"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"PWRISOVM.EXE"="C:\\Program Files\\PowerISO\\PWRISOVM.EXE"
"RemoteControl"="\"C:\\Program Files\\CyberLink DVD Solution\\PowerDVD\\PDVDServ.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [])
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 15:56 C:\WINDOWS\system32\CTXFIHLP.EXE])
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 10:33]
"RegTweak"="C:\Program Files\Rage3DTweak\RegTwk.exe" [2003-03-07 14:12]
"Clocks"="OCpp.dll" [])
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-21 08:00]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2006-05-20 07:13]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 17:35]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 13:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"@"="" [])
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
@=""
"StartCCC"="C:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\CLIStart.exe"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0




[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\defrag.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-15 06:06:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-15 6:07:15 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-15 06:07

#4 Jintan (Malware Response Team, 531 posts)

Posted 15 May 2007 - 02:50 PM

Good so far - progress, but looks like more to go. Post the remainder when they are done and let's make more repairs here.
Ad eundum quo no duck ante iit

#5 foogan (Topic Starter, Members, 10 posts)

Posted 15 May 2007 - 04:48 PM

My Bitdefender scan results:


BitDefender Online Scanner

Scan report generated at: Tue, May 15, 2007 - 07:24:59
Scan path: A:\;C:\;D:\;E:\;F:\;L:\;M:\;N:\;O:\;P:\;

Statistics
Time: 01:11:56
Files: 361008
Folders: 3741
Boot Sectors: 4
Archives: 3387
Packed Files: 37058

Results
Identified Viruses: 2
Infected Files: 6
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 6

Engines Info
Virus Definitions: 506350
Engine build: AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes


Scanned File (status on the following indented line)

C:\Documents and Settings\Foog\My Documents\My eBooks\Ebook - Complete Set of Hacking Tools + Manuals.pdf=>(ZIP Sfx g)=>complete_set_hacking_tools+manuals/hacking_tools/hvlscan.zip=>UHANFO.EXE
    Infected with: Trojan.ControlDuSockets.A
C:\Documents and Settings\Foog\My Documents\My eBooks\Ebook - Complete Set of Hacking Tools + Manuals.pdf=>(ZIP Sfx g)=>complete_set_hacking_tools+manuals/hacking_tools/hvlscan.zip=>UHANFO.EXE
    Disinfection failed
C:\Documents and Settings\Foog\My Documents\My eBooks\Ebook - Complete Set of Hacking Tools + Manuals.pdf=>(ZIP Sfx g)=>complete_set_hacking_tools+manuals/hacking_tools/hvlscan.zip=>UHANFO.EXE
    Deleted
C:\Documents and Settings\Foog\My Documents\My eBooks\Ebook - Complete Set of Hacking Tools + Manuals.pdf=>(ZIP Sfx g)=>complete_set_hacking_tools+manuals/hacking_tools/hvlscan.zip
    Updated
C:\Documents and Settings\Foog\My Documents\My eBooks\Ebook - Complete Set of Hacking Tools + Manuals.pdf=>(ZIP Sfx g)
    Updated
C:\Documents and Settings\Foog\My Documents\My eBooks\Ebook - Complete Set of Hacking Tools + Manuals.pdf=>(ZIP Sfx g)=>complete_set_hacking_tools+manuals/hacking_tools/wingatespoof_hlp.zip=>UHANFO.EXE
    Infected with: Trojan.ControlDuSockets.A
C:\Documents and Settings\Foog\My Documents\My eBooks\Ebook - Complete Set of Hacking Tools + Manuals.pdf=>(ZIP Sfx g)=>complete_set_hacking_tools+manuals/hacking_tools/wingatespoof_hlp.zip=>UHANFO.EXE
    Disinfection failed
C:\Documents and Settings\Foog\My Documents\My eBooks\Ebook - Complete Set of Hacking Tools + Manuals.pdf=>(ZIP Sfx g)=>complete_set_hacking_tools+manuals/hacking_tools/wingatespoof_hlp.zip=>UHANFO.EXE
    Deleted
C:\Documents and Settings\Foog\My Documents\My eBooks\Ebook - Complete Set of Hacking Tools + Manuals.pdf=>(ZIP Sfx g)=>complete_set_hacking_tools+manuals/hacking_tools/wingatespoof_hlp.zip
    Updated
C:\Documents and Settings\Foog\My Documents\My eBooks\Ebook - Complete Set of Hacking Tools + Manuals.pdf=>(ZIP Sfx g)
    Updated
C:\Documents and Settings\Foog\My Documents\My eBooks\Ebook - Complete Set of Hacking Tools + Manuals.pdf=>(ZIP Sfx g)=>complete_set_hacking_tools+manuals/hacking_tools/Haktek.exe
    Infected with: Trojan.Nuker.Haktek.A
C:\Documents and Settings\Foog\My Documents\My eBooks\Ebook - Complete Set of Hacking Tools + Manuals.pdf=>(ZIP Sfx g)=>complete_set_hacking_tools+manuals/hacking_tools/Haktek.exe
    Disinfection failed
C:\Documents and Settings\Foog\My Documents\My eBooks\Ebook - Complete Set of Hacking Tools + Manuals.pdf=>(ZIP Sfx g)=>complete_set_hacking_tools+manuals/hacking_tools/Haktek.exe
    Deleted
C:\Documents and Settings\Foog\My Documents\My eBooks\Ebook - Complete Set of Hacking Tools + Manuals.pdf=>(ZIP Sfx g)
    Updated
C:\Documents and Settings\Foog\My Documents\My eBooks\Ebook - Complete Set of Hacking Tools + Manuals.pdf
    Update failed
C:\Documents and Settings\Foog\My Documents\My eBooks\Ebook - Complete Set of Hacking Tools + Manuals.pdf=>complete_set_hacking_tools+manuals/hacking_tools/hvlscan.zip=>UHANFO.EXE
    Infected with: Trojan.ControlDuSockets.A
C:\Documents and Settings\Foog\My Documents\My eBooks\Ebook - Complete Set of Hacking Tools + Manuals.pdf=>complete_set_hacking_tools+manuals/hacking_tools/hvlscan.zip=>UHANFO.EXE
    Disinfection failed
C:\Documents and Settings\Foog\My Documents\My eBooks\Ebook - Complete Set of Hacking Tools + Manuals.pdf=>complete_set_hacking_tools+manuals/hacking_tools/hvlscan.zip=>UHANFO.EXE
    Deleted
C:\Documents and Settings\Foog\My Documents\My eBooks\Ebook - Complete Set of Hacking Tools + Manuals.pdf=>complete_set_hacking_tools+manuals/hacking_tools/hvlscan.zip
    Updated
C:\Documents and Settings\Foog\My Documents\My eBooks\Ebook - Complete Set of Hacking Tools + Manuals.pdf
    Update failed
C:\Documents and Settings\Foog\My Documents\My eBooks\Ebook - Complete Set of Hacking Tools + Manuals.pdf=>complete_set_hacking_tools+manuals/hacking_tools/wingatespoof_hlp.zip=>UHANFO.EXE
    Infected with: Trojan.ControlDuSockets.A
C:\Documents and Settings\Foog\My Documents\My eBooks\Ebook - Complete Set of Hacking Tools + Manuals.pdf=>complete_set_hacking_tools+manuals/hacking_tools/wingatespoof_hlp.zip=>UHANFO.EXE


Disinfection failed

C:\Documents and Settings\Foog\My Documents\My eBooks\Ebook - Complete Set of Hacking Tools + Manuals.pdf=>complete_set_hacking_tools+manuals/hacking_tools/wingatespoof_hlp.zip=>UHANFO.EXE


Deleted

C:\Documents and Settings\Foog\My Documents\My eBooks\Ebook - Complete Set of Hacking Tools + Manuals.pdf=>complete_set_hacking_tools+manuals/hacking_tools/wingatespoof_hlp.zip


Updated

C:\Documents and Settings\Foog\My Documents\My eBooks\Ebook - Complete Set of Hacking Tools + Manuals.pdf


Update failed

C:\Documents and Settings\Foog\My Documents\My eBooks\Ebook - Complete Set of Hacking Tools + Manuals.pdf=>complete_set_hacking_tools+manuals/hacking_tools/Haktek.exe


Infected with: Trojan.Nuker.Haktek.A

C:\Documents and Settings\Foog\My Documents\My eBooks\Ebook - Complete Set of Hacking Tools + Manuals.pdf=>complete_set_hacking_tools+manuals/hacking_tools/Haktek.exe


Disinfection failed

C:\Documents and Settings\Foog\My Documents\My eBooks\Ebook - Complete Set of Hacking Tools + Manuals.pdf=>complete_set_hacking_tools+manuals/hacking_tools/Haktek.exe


Deleted

C:\Documents and Settings\Foog\My Documents\My eBooks\Ebook - Complete Set of Hacking Tools + Manuals.pdf


Update failed
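To make the report above easier to read, here is an added parser for its chain-and-status format (example code written for this thread, not BitDefender's own). Each scanned object is printed as a `=>`-separated containment chain, outermost file first, followed by a status line; the parser reconstructs, per object, how many container layers the scanner had to unpack, which detection it reported and what it did in the end. The sample input is a constructed, shortened excerpt in the same shape, and the status vocabulary is taken from the lines posted here.

```python
"""Parser for the nested-archive scan report format shown above.

Added example for this thread, not BitDefender's code. Each scanned object is
written as a '=>'-separated containment chain (outermost file first) followed
by a status line; this reconstructs, per object, how many container layers the
scanner had to unpack, which detection it reported, and what it did in the end.
"""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the same shape as the posted report: a chain line,
# blank lines, then a status line. Paths are shortened placeholders.
SAMPLE_REPORT = """\
C:\\Docs\\Ebook.pdf=>(ZIP Sfx g)=>tools/hvlscan.zip=>UHANFO.EXE


Infected with: Trojan.ControlDuSockets.A

C:\\Docs\\Ebook.pdf=>(ZIP Sfx g)=>tools/hvlscan.zip=>UHANFO.EXE


Disinfection failed

C:\\Docs\\Ebook.pdf=>(ZIP Sfx g)=>tools/hvlscan.zip=>UHANFO.EXE


Deleted

C:\\Docs\\Ebook.pdf=>(ZIP Sfx g)=>tools/hvlscan.zip


Updated

C:\\Docs\\Ebook.pdf=>(ZIP Sfx g)


Updated

C:\\Docs\\Ebook.pdf


Update failed
"""

# Status lines seen in the posted report; anything else is taken as a chain line.
STATUS_PREFIXES = ("Infected with:", "Disinfection failed", "Deleted", "Updated", "Update failed")


@dataclass
class ScannedObject:
    chain: List[str]                                  # containment chain, outermost first
    threats: List[str] = field(default_factory=list)  # names from 'Infected with:' lines
    actions: List[str] = field(default_factory=list)  # remaining status lines, in order

    @property
    def depth(self) -> int:
        """Container layers unpacked to reach this object (0 for a plain file on disk)."""
        return len(self.chain) - 1

    @property
    def final_action(self) -> Optional[str]:
        return self.actions[-1] if self.actions else None


def parse_report(text: str) -> Dict[str, ScannedObject]:
    """Group status lines under the chain line that precedes them, keyed by full chain."""
    objects: Dict[str, ScannedObject] = {}
    current: Optional[ScannedObject] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(STATUS_PREFIXES):
            if current is None:
                raise ValueError(f"status line without a preceding object: {line!r}")
            if line.startswith("Infected with:"):
                current.threats.append(line.split(":", 1)[1].strip())
            else:
                current.actions.append(line)
        else:
            current = objects.setdefault(line, ScannedObject(chain=line.split("=>")))
    return objects


def flagged_objects(objects: Dict[str, ScannedObject]) -> List[Tuple[str, int, str, Optional[str]]]:
    """(innermost name, depth, first threat name, final action) for every detection."""
    return [(o.chain[-1], o.depth, o.threats[0], o.final_action)
            for o in objects.values() if o.threats]


def max_depth(objects: Dict[str, ScannedObject]) -> int:
    """Deepest nesting in the report: a scanner limited to fewer layers never reaches the payload."""
    return max((o.depth for o in objects.values()), default=0)


def unremediated(objects: Dict[str, ScannedObject]) -> List[str]:
    """Flagged objects whose last recorded action was not 'Deleted'."""
    return [k for k, o in objects.items() if o.threats and o.final_action != "Deleted"]


if __name__ == "__main__":
    objs = parse_report(SAMPLE_REPORT)
    for name, depth, threat, action in flagged_objects(objs):
        print(f"{name}: {threat} at nesting depth {depth}, final action {action}")
    print("deepest nesting:", max_depth(objs))
    print("still present:", unremediated(objs) or "none")
```

The point the depth figure makes: the executables BitDefender flagged sat three layers down (PDF, then self-extracting ZIP, then an inner zip), so a scanner that does not unpack that far, or that only looks at files as they are opened, reports nothing for the same file.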

#6 foogan
  • Topic Starter
  • Members
  • 10 posts

Posted 15 May 2007 - 05:27 PM

My silent runners log:

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"(Default)" = "(empty string)" [file not found]
"StartCCC" = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTHelper" = "CTHELPER.EXE" ["Creative Technology Ltd"]
"CTxfiHlp" = "CTXFIHLP.EXE" ["Creative Technology Ltd"]
"zBrowser Launcher" = "C:\Program Files\Logitech\iTouch\iTouch.exe" ["Logitech Inc."]
"RegTweak" = "C:\Program Files\Rage3DTweak\RegTwk.exe" ["Byron Montgomerie"]
"Clocks" = "RunDll32.exe OCpp.dll,SetClocks 391.50 366.75" [MS]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"PWRISOVM.EXE" = "C:\Program Files\PowerISO\PWRISOVM.EXE" ["PowerISO Computing, Inc."]
"RemoteControl" = ""C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll" [empty string]
"{CE594922-286A-11d5-B47B-00606767FEC7}" = "Custom Display Modes"
-> {HKLM...CLSID} = "Custom Display Modes"
\InProcServer32\(Default) = "C:\Program Files\Rage3DTweak\CDMpp.dll" ["Byron Montgomerie"]
"{86B89425-5944-11d6-BBCF-00024424ACD8}" = "Folding@Home"
-> {HKLM...CLSID} = "Folding@Home"
\InProcServer32\(Default) = "C:\Program Files\Rage3DTweak\FAHpp.dll" ["Byron Montgomerie"]
"{7D5477E0-2629-11d5-B47B-00606767FEC7}" = "Rage3D Overclocker"
-> {HKLM...CLSID} = "Rage3D Overclocker"
\InProcServer32\(Default) = "C:\Program Files\Rage3DTweak\OCpp.dll" ["Byron Montgomerie"]
"{BEB5F380-5501-11d3-BFDE-ADC2F2AAE920}" = "Rage3DTweak"
-> {HKLM...CLSID} = "Rage3DTweak"
\InProcServer32\(Default) = "C:\Program Files\Rage3DTweak\RegTwk.dll" ["Byron Montgomerie"]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {HKLM...CLSID} = "Microsoft Office Binder Unbind"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\1033\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{04DAAD08-70EF-450E-834A-DCFAF9B48748}\(Default) = "Folder Size column"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\FolderSize\FolderSizeColumn.dll" ["Brio"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Foog\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "Foog" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Adobe Reader Synchronizer" -> shortcut to: "C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe" [null data]
"gameutil.exe" -> shortcut to: "C:\Program Files\rage3dtweak\gameutil.exe" ["Byron Montgomerie"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"Symantec Fax Starter Edition Port" -> shortcut to: "C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE" [MS]


Enabled Scheduled Tasks:
------------------------

"defrag" -> launches: "C:\WINDOWS\system32\defrag.exe c:" ["Microsoft Corp. and Executive Software International, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_01"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_01"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll" ["Sun Microsystems, Inc."]

{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVG7\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
Folder Size, FolderSize, ""C:\Program Files\FolderSize\FolderSizeSvc.exe"" ["Brio"]
StarWind iSCSI Service, StarWindService, "C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
OLFax Ports\Driver = "OLFMNT40.DLL" [MS]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 44 seconds, including 18 seconds for message boxes)

#7 foogan
  • Topic Starter
  • Members
  • 10 posts

Posted 15 May 2007 - 05:29 PM

Final HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:25:18 PM, on 5/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Rage3DTweak\RegTwk.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [RegTweak] C:\Program Files\Rage3DTweak\RegTwk.exe
O4 - HKLM\..\Run: [Clocks] RunDll32.exe OCpp.dll,SetClocks 391.50 366.75
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: gameutil.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{12DC6EAD-723C-41AA-BB6F-7475AA0A4124}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{467ED177-0088-41DE-8004-7D9E4EFC02ED}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{12DC6EAD-723C-41AA-BB6F-7475AA0A4124}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{12DC6EAD-723C-41AA-BB6F-7475AA0A4124}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

#8 foogan
  • Topic Starter
  • Members
  • 10 posts

Posted 15 May 2007 - 05:37 PM

I just deleted the Ebook that had the infections in it.. I had a whole bunch of ebooks that I downloaded a couple of years ago.. I haven't even looked at any of them, they've just been stored on my hard drive, been burnt to dvd-r's for saving from reformats, and put back on the hard drive again.

What disturbs me is that Norton Internet Security, AVG Free, and Trendmicro have ALL NEVER detected anything within that file.. with updated definitions, scanning within archives, etc..

#9 Jintan
  • Malware Response Team
  • 531 posts

Posted 16 May 2007 - 05:45 AM

Darn - I had posted a response but somehow it did not remain. Different protective softwares often have different rules in what they consider harmful, as well as how they look for items of infection. BitDefender, when reading through file information there, was able to catch those dormant ebook's hack tools, which it is set to clean up. No reason to think your other protective software failed any tests from this example.


If you had NOT yourself placed those hack tool softwares on this computer, their presence would be a concern, and an indication of perhaps other infection activity. ComboFix found a hidden item though, but took it out of the way. I would like you to check on an uninstall file for now.


Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types"

Then go to this SITE. Click on the Browse button, and navigate to the following highlighted file(s), upload and "Send" it. Copy the results with the notepad and copy/paste them back here.

C:\WINDOWS\unvise32.exe




Also Download gmer.zip from here. Once downloaded, doubleclick on gmer.zip and unzip the file to its own folder

When you have done this, doubleclick on Gmer.exe to run it and click on Settings. Check the first five settings (see below)

System Protection and Tracing
Processes
Save created processes to the log
Drivers
Save loaded drivers to the log


You will be prompted to restart your computer. Please do so.

Run Gmer again and click on the Rootkit tab. Look at the righthand side (under Files) and uncheck all drives with the exception of your C drive and then click on Scan (before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan). When completed, click on the Copy button and rightclick on your Desktop, choose "New" > Text document. Once the file is created, open it and rightclick again and choose Paste. Copy the information and post it here please.
Ad eundum quo no duck ante iit
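As an added example (not VirusTotal's code, nor Jintan's) of summarizing the plain-text results Jintan asks for, which foogan pastes in reply #10 in the form `<engine> <version>/<date> found <result>`: the report below is constructed in the same shape, with placeholder hashes and a placeholder detection name. Treating `nothing` and `[No threat detected]` as clean verdicts and any other bracketed text as a detection name is an assumption drawn from that reply, as is the triage label at the end.

```python
"""Summarize the plain-text VirusTotal report format posted in this thread.

Added example for this thread, not VirusTotal's code. The clean-verdict rule
('nothing' / '[No threat detected]') and the triage label are assumptions
drawn from the posted report, not VirusTotal fields.
"""

import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed report in the same shape as the posted one; the hashes and the
# single detection name are placeholders, not real values.
SAMPLE_VT_REPORT = """\
Complete scanning result of "sample.exe", processed in VirusTotal at
05/17/2007 01:03:14 (CET).

[ file data ]
* name: sample.exe
* size: 86016
* md5.: 00000000000000000000000000000000
* sha1: 0000000000000000000000000000000000000000

[ scan result ]
AVG 7.5.0.467/20070516 found nothing
BitDefender 7.2/20070516 found [Placeholder.Detection.Name]
FileAdvisor 1/20070517 found [No threat detected]
Kaspersky 4.0.2.24/20070517 found nothing
"""

# '<engine> <version>/<YYYYMMDD> found <result>'; the version may itself contain
# dots, colons or hyphens, so it is matched greedily up to the last '/'.
ENGINE_LINE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)/(?P<date>\d{8})\s+found\s+(?P<result>.+)$")
# '* md5.: ...' style lines in the [ file data ] section (note the stray dot after md5).
FILE_DATA_LINE = re.compile(r"^\*\s*(?P<key>[a-z0-9]+)\.*:\s*(?P<value>.*)$")
CLEAN_RESULTS = {"nothing", "[no threat detected]"}   # assumption: these mean 'clean'


@dataclass
class EngineResult:
    engine: str
    version: str
    sig_date: str
    detection: Optional[str]   # None when the engine reported the file clean


@dataclass
class VtReport:
    file_data: Dict[str, str] = field(default_factory=dict)
    results: List[EngineResult] = field(default_factory=list)


def parse_vt_report(text: str) -> VtReport:
    """Walk the '[ section ]' headers and collect file data and per-engine results."""
    report = VtReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[ ") and line.endswith(" ]"):
            section = line[2:-2].strip()
            continue
        if section == "file data":
            m = FILE_DATA_LINE.match(line)
            if m:
                report.file_data[m["key"]] = m["value"].strip()
        elif section == "scan result":
            m = ENGINE_LINE.match(line)
            if m:
                result = m["result"].strip()
                clean = result.lower() in CLEAN_RESULTS
                report.results.append(EngineResult(
                    engine=m["engine"], version=m["version"], sig_date=m["date"],
                    detection=None if clean else result.strip("[]")))
    return report


def detection_ratio(report: VtReport) -> Tuple[int, int]:
    """(engines that flagged the file, engines that returned a result)."""
    flagged = sum(1 for r in report.results if r.detection is not None)
    return flagged, len(report.results)


def flagged_engines(report: VtReport) -> List[Tuple[str, str]]:
    """(engine, detection name) for every engine that did not report clean."""
    return [(r.engine, r.detection) for r in report.results if r.detection]


def verdict(report: VtReport) -> str:
    """Triage label (an assumption for this example, not a VirusTotal field)."""
    flagged, total = detection_ratio(report)
    if total == 0:
        return "no results"
    if flagged == 0:
        return "clean"
    return "single-engine hit" if flagged == 1 else "multi-engine hit"


if __name__ == "__main__":
    rep = parse_vt_report(SAMPLE_VT_REPORT)
    print(rep.file_data.get("name"), rep.file_data.get("md5"))
    print("detections: %d/%d" % detection_ratio(rep), flagged_engines(rep))
    print("verdict:", verdict(rep))
```

A lone hit with a generic-looking name among many clean engines, as with the AVG Generic3.KIZ alerts that started this thread, is exactly the case for submitting the file rather than trusting either side; the 31 engines that all report nothing for unvise32.exe in the next reply are the unanimous-clean outcome this check was looking for.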

#10 foogan
  • Topic Starter
  • Members
  • 10 posts

Posted 16 May 2007 - 07:06 PM

Virustotal results for "c:\windows\unvise32.exe":

Complete scanning result of "unvise32.exe", processed in VirusTotal at
05/17/2007 01:03:14 (CET).

[ file data ]
* name: unvise32.exe
* size: 86016
* md5.: 84b4f61f59a421bd85d97b35d194b42b
* sha1: d3f2bac1a72f82c42d551c066c8ec841f46adb60

[ scan result ]
AhnLab-V3 2007.5.16.1/20070516 found nothing
AntiVir 7.4.0.23/20070516 found nothing
Authentium 4.93.8/20070516 found nothing
Avast 4.7.997.0/20070513 found nothing
AVG 7.5.0.467/20070516 found nothing
BitDefender 7.2/20070516 found nothing
CAT-QuickHeal 9.00/20070516 found nothing
ClamAV devel-20070416/20070516 found nothing
DrWeb 4.33/20070516 found nothing
eSafe 7.0.15.0/20070516 found nothing
eTrust-Vet 30.7.3632/20070514 found nothing
Ewido 4.0/20070516 found nothing
F-Prot 4.3.2.48/20070516 found nothing
F-Secure 6.70.13030.0/20070516 found nothing
FileAdvisor 1/20070517 found [No threat detected]
Fortinet 2.85.0.0/20070516 found nothing
Ikarus T3.1.1.7/20070516 found nothing
Kaspersky 4.0.2.24/20070517 found nothing
McAfee 5032/20070516 found nothing
Microsoft 1.2503/20070517 found nothing
NOD32v2 2271/20070516 found nothing
Norman 5.80.02/20070516 found nothing
Panda 9.0.0.4/20070516 found nothing
Prevx1 V2/20070517 found nothing
Sophos 4.17.0/20070516 found nothing
Sunbelt 2.2.907.0/20070517 found nothing
Symantec 10/20070517 found nothing
TheHacker 6.1.6.115/20070515 found nothing
VBA32 3.12.0/20070516 found nothing
VirusBuster 4.3.7:9/20070516 found nothing
Webwasher-Gateway 6.0.1/20070517 found nothing

[ notes ]
Bit9 info:
http://fileadvisor.bit9.com/services/extin...5d97b35d194b42b


Gmer results:

GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-05-16 20:57:35
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT Vax347b.sys ZwClose
SSDT Vax347b.sys ZwCreateKey
SSDT Vax347b.sys ZwCreatePagingFile
SSDT Vax347b.sys ZwEnumerateKey
SSDT Vax347b.sys ZwEnumerateValueKey
SSDT Vax347b.sys ZwOpenKey
SSDT Vax347b.sys ZwQueryKey
SSDT Vax347b.sys ZwQueryValueKey
SSDT Vax347b.sys ZwSetSystemPowerState
SSDT sptd.sys ZwSetValueKey

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!ZwYieldExecution + 452 804E4C8C 2 Bytes [ 8A, 9F ]
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F70D662C 5 Bytes JMP 86B0F960
? C:\WINDOWS\system32\DRIVERS\update.sys

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 86F5D1E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CREATE 867FA538
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CLOSE 867FA538
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_READ 869E9EE0
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_WRITE 867FA538
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_INFORMATION 867FA538
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_INFORMATION 867FA538
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_EA 867FA538
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_EA 867FA538
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FLUSH_BUFFERS 867FA538
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_VOLUME_INFORMATION 867FA538
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_VOLUME_INFORMATION 867FA538
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_DIRECTORY_CONTROL 867FA538
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FILE_SYSTEM_CONTROL 867FA538
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_DEVICE_CONTROL 867FA538
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SHUTDOWN 867FA538
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_LOCK_CONTROL 867FA538
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CLEANUP 867FA538
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_PNP 867FA538
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B7A85A] avgtdi.sys
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_CREATE 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_CLOSE 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_DEVICE_CONTROL 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_POWER 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_SYSTEM_CONTROL 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_PNP 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_CREATE 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_CLOSE 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_DEVICE_CONTROL 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_POWER 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_SYSTEM_CONTROL 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_PNP 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_CREATE 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_CLOSE 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_DEVICE_CONTROL 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_INTERNAL_DEVICE_CONTROL 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_POWER 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_SYSTEM_CONTROL 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_PNP 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_CREATE 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_CLOSE 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_DEVICE_CONTROL 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_INTERNAL_DEVICE_CONTROL 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_POWER 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_SYSTEM_CONTROL 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_PNP 86AFF1E8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_CREATE 86AA81E8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_CLOSE 86AA81E8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_DEVICE_CONTROL 86AA81E8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_INTERNAL_DEVICE_CONTROL 86AA81E8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_POWER 86AA81E8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_SYSTEM_CONTROL 86AA81E8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_PNP 86AA81E8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B7A85A] avgtdi.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 86F5F1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 86F5F1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE 86F5F1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS 86F5F1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL 86F5F1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL 86F5F1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN 86F5F1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP 86F5F1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER 86F5F1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL 86F5F1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_PNP 86F5F1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{12DC6EAD-723C-41AA-BB6F-7475AA0A4124} IRP_MJ_CREATE 867FC490
Device \Driver\NetBT \Device\NetBT_Tcpip_{12DC6EAD-723C-41AA-BB6F-7475AA0A4124} IRP_MJ_CLOSE 867FC490
Device \Driver\NetBT \Device\NetBT_Tcpip_{12DC6EAD-723C-41AA-BB6F-7475AA0A4124} IRP_MJ_DEVICE_CONTROL 867FC490
Device \Driver\NetBT \Device\NetBT_Tcpip_{12DC6EAD-723C-41AA-BB6F-7475AA0A4124} IRP_MJ_INTERNAL_DEVICE_CONTROL 867FC490
Device \Driver\NetBT \Device\NetBT_Tcpip_{12DC6EAD-723C-41AA-BB6F-7475AA0A4124} IRP_MJ_CLEANUP 867FC490
Device \Driver\NetBT \Device\NetBT_Tcpip_{12DC6EAD-723C-41AA-BB6F-7475AA0A4124} IRP_MJ_PNP 867FC490
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_NAMED_PIPE 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_EA 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_EA 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_VOLUME_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_VOLUME_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DIRECTORY_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FILE_SYSTEM_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_LOCK_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLEANUP 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_MAILSLOT 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_SECURITY 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_SECURITY 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CHANGE 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_QUOTA 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_QUOTA 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 868FB178
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 8665EA78
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_NAMED_PIPE 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_EA 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_EA 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_VOLUME_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_VOLUME_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DIRECTORY_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FILE_SYSTEM_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_LOCK_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLEANUP 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_MAILSLOT 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_SECURITY 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_SECURITY 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CHANGE 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_QUOTA 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_QUOTA 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 868FB178
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_NAMED_PIPE 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLOSE 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_READ 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_WRITE 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_EA 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_EA 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FLUSH_BUFFERS 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_VOLUME_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_VOLUME_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DIRECTORY_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FILE_SYSTEM_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SHUTDOWN 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_LOCK_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLEANUP 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_MAILSLOT 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_SECURITY 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_SECURITY 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_POWER 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SYSTEM_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CHANGE 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_QUOTA 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_QUOTA 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_PNP 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CREATE 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CREATE_NAMED_PIPE 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CLOSE 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_READ 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_WRITE 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_EA 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_EA 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_FLUSH_BUFFERS 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_VOLUME_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_VOLUME_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_DIRECTORY_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_FILE_SYSTEM_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_DEVICE_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_INTERNAL_DEVICE_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SHUTDOWN 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_LOCK_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CLEANUP 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CREATE_MAILSLOT 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_SECURITY 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_SECURITY 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_POWER 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SYSTEM_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_DEVICE_CHANGE 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_QUOTA 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_QUOTA 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_PNP 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_NAMED_PIPE 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLOSE 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_READ 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_WRITE 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_EA 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_EA 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FLUSH_BUFFERS 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_VOLUME_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_VOLUME_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DIRECTORY_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FILE_SYSTEM_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SHUTDOWN 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_LOCK_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLEANUP 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_MAILSLOT 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_SECURITY 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_SECURITY 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_POWER 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SYSTEM_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CHANGE 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_QUOTA 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_QUOTA 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_PNP 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CREATE 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CREATE_NAMED_PIPE 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CLOSE 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_READ 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_WRITE 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_EA 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_EA 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_FLUSH_BUFFERS 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_VOLUME_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_VOLUME_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_DIRECTORY_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_FILE_SYSTEM_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_DEVICE_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_INTERNAL_DEVICE_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SHUTDOWN 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_LOCK_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CLEANUP 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CREATE_MAILSLOT 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_SECURITY 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_SECURITY 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_POWER 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SYSTEM_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_DEVICE_CHANGE 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_QUOTA 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_QUOTA 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_PNP 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_CREATE 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_CREATE_NAMED_PIPE 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_CLOSE 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_READ 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_WRITE 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_QUERY_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_SET_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_QUERY_EA 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_SET_EA 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_FLUSH_BUFFERS 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_QUERY_VOLUME_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_SET_VOLUME_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_DIRECTORY_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_FILE_SYSTEM_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_DEVICE_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_INTERNAL_DEVICE_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_SHUTDOWN 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_LOCK_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_CLEANUP 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_CREATE_MAILSLOT 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_QUERY_SECURITY 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_SET_SECURITY 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_POWER 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_SYSTEM_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_DEVICE_CHANGE 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_QUERY_QUOTA 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_SET_QUOTA 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_PNP 868FB338
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE_NAMED_PIPE 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLOSE 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_READ 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_WRITE 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_EA 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_EA 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FLUSH_BUFFERS 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_VOLUME_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_VOLUME_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DIRECTORY_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FILE_SYSTEM_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_INTERNAL_DEVICE_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SHUTDOWN 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_LOCK_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLEANUP 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE_MAILSLOT 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_SECURITY 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_SECURITY 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_POWER 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SYSTEM_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CHANGE 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_QUOTA 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_QUOTA 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_PNP 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_CREATE 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_CREATE_NAMED_PIPE 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_CLOSE 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_READ 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_WRITE 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_QUERY_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_SET_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_QUERY_EA 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_SET_EA 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_FLUSH_BUFFERS 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_QUERY_VOLUME_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_SET_VOLUME_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_DIRECTORY_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_FILE_SYSTEM_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_DEVICE_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_INTERNAL_DEVICE_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_SHUTDOWN 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_LOCK_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_CLEANUP 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_CREATE_MAILSLOT 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_QUERY_SECURITY 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_SET_SECURITY 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_POWER 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_SYSTEM_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_DEVICE_CHANGE 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_QUERY_QUOTA 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_SET_QUOTA 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_PNP 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_CREATE 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_CREATE_NAMED_PIPE 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_CLOSE 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_READ 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_WRITE 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_QUERY_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_SET_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_QUERY_EA 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_SET_EA 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_FLUSH_BUFFERS 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_QUERY_VOLUME_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_SET_VOLUME_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_DIRECTORY_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_FILE_SYSTEM_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_DEVICE_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_INTERNAL_DEVICE_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_SHUTDOWN 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_LOCK_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_CLEANUP 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_CREATE_MAILSLOT 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_QUERY_SECURITY 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_SET_SECURITY 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_POWER 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_SYSTEM_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_DEVICE_CHANGE 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_QUERY_QUOTA 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_SET_QUOTA 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_PNP 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_CREATE 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_CREATE_NAMED_PIPE 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_CLOSE 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_READ 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_WRITE 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_QUERY_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_SET_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_QUERY_EA 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_SET_EA 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_FLUSH_BUFFERS 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_QUERY_VOLUME_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_SET_VOLUME_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_DIRECTORY_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_FILE_SYSTEM_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_DEVICE_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_INTERNAL_DEVICE_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_SHUTDOWN 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_LOCK_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_CLEANUP 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_CREATE_MAILSLOT 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_QUERY_SECURITY 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_SET_SECURITY 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_POWER 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_SYSTEM_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_DEVICE_CHANGE 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_QUERY_QUOTA 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_SET_QUOTA 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_PNP 868FB178
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 867FC490
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLOSE 867FC490
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_DEVICE_CONTROL 867FC490
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_INTERNAL_DEVICE_CONTROL 867FC490
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLEANUP 867FC490
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_PNP 867FC490
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_CREATE 868FB178
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_CREATE_NAMED_PIPE 868FB178
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_CLOSE 868FB178
Device \Driver\Cdrom \Device

#11 foogan

foogan
  • Topic Starter

  • Members
  • 10 posts

Posted 16 May 2007 - 07:08 PM

GMER results; sorry, the last ones didn't post completely:

GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-05-16 20:57:35
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT Vax347b.sys ZwClose
SSDT Vax347b.sys ZwCreateKey
SSDT Vax347b.sys ZwCreatePagingFile
SSDT Vax347b.sys ZwEnumerateKey
SSDT Vax347b.sys ZwEnumerateValueKey
SSDT Vax347b.sys ZwOpenKey
SSDT Vax347b.sys ZwQueryKey
SSDT Vax347b.sys ZwQueryValueKey
SSDT Vax347b.sys ZwSetSystemPowerState
SSDT sptd.sys ZwSetValueKey

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!ZwYieldExecution + 452 804E4C8C 2 Bytes [ 8A, 9F ]
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F70D662C 5 Bytes JMP 86B0F960
? C:\WINDOWS\system32\DRIVERS\update.sys

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 86F5D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 86F5D1E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CREATE 867FA538
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CLOSE 867FA538
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_READ 869E9EE0
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_WRITE 867FA538
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_INFORMATION 867FA538
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_INFORMATION 867FA538
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_EA 867FA538
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_EA 867FA538
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FLUSH_BUFFERS 867FA538
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_VOLUME_INFORMATION 867FA538
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_VOLUME_INFORMATION 867FA538
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_DIRECTORY_CONTROL 867FA538
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FILE_SYSTEM_CONTROL 867FA538
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_DEVICE_CONTROL 867FA538
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SHUTDOWN 867FA538
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_LOCK_CONTROL 867FA538
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CLEANUP 867FA538
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_PNP 867FA538
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B7A85A] avgtdi.sys
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_CREATE 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_CLOSE 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_DEVICE_CONTROL 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_POWER 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_SYSTEM_CONTROL 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_PNP 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_CREATE 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_CLOSE 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_DEVICE_CONTROL 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_POWER 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_SYSTEM_CONTROL 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_PNP 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_CREATE 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_CLOSE 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_DEVICE_CONTROL 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_INTERNAL_DEVICE_CONTROL 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_POWER 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_SYSTEM_CONTROL 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_PNP 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_CREATE 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_CLOSE 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_DEVICE_CONTROL 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_INTERNAL_DEVICE_CONTROL 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_POWER 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_SYSTEM_CONTROL 86AFF1E8
Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_PNP 86AFF1E8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_CREATE 86AA81E8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_CLOSE 86AA81E8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_DEVICE_CONTROL 86AA81E8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_INTERNAL_DEVICE_CONTROL 86AA81E8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_POWER 86AA81E8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_SYSTEM_CONTROL 86AA81E8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_PNP 86AA81E8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B7A85A] avgtdi.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 86F5F1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 86F5F1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE 86F5F1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS 86F5F1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL 86F5F1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL 86F5F1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN 86F5F1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP 86F5F1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER 86F5F1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL 86F5F1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_PNP 86F5F1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{12DC6EAD-723C-41AA-BB6F-7475AA0A4124} IRP_MJ_CREATE 867FC490
Device \Driver\NetBT \Device\NetBT_Tcpip_{12DC6EAD-723C-41AA-BB6F-7475AA0A4124} IRP_MJ_CLOSE 867FC490
Device \Driver\NetBT \Device\NetBT_Tcpip_{12DC6EAD-723C-41AA-BB6F-7475AA0A4124} IRP_MJ_DEVICE_CONTROL 867FC490
Device \Driver\NetBT \Device\NetBT_Tcpip_{12DC6EAD-723C-41AA-BB6F-7475AA0A4124} IRP_MJ_INTERNAL_DEVICE_CONTROL 867FC490
Device \Driver\NetBT \Device\NetBT_Tcpip_{12DC6EAD-723C-41AA-BB6F-7475AA0A4124} IRP_MJ_CLEANUP 867FC490
Device \Driver\NetBT \Device\NetBT_Tcpip_{12DC6EAD-723C-41AA-BB6F-7475AA0A4124} IRP_MJ_PNP 867FC490
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_NAMED_PIPE 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_EA 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_EA 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_VOLUME_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_VOLUME_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DIRECTORY_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FILE_SYSTEM_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_LOCK_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLEANUP 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_MAILSLOT 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_SECURITY 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_SECURITY 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CHANGE 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_QUOTA 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_QUOTA 868FB178
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 868FB178
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 8665EA78
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_NAMED_PIPE 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_EA 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_EA 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_VOLUME_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_VOLUME_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DIRECTORY_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FILE_SYSTEM_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_LOCK_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLEANUP 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_MAILSLOT 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_SECURITY 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_SECURITY 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CHANGE 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_QUOTA 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_QUOTA 868FB178
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 868FB178
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_NAMED_PIPE 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLOSE 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_READ 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_WRITE 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_EA 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_EA 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FLUSH_BUFFERS 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_VOLUME_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_VOLUME_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DIRECTORY_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FILE_SYSTEM_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SHUTDOWN 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_LOCK_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLEANUP 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_MAILSLOT 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_SECURITY 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_SECURITY 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_POWER 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SYSTEM_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CHANGE 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_QUOTA 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_QUOTA 868FB338
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_PNP 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CREATE 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CREATE_NAMED_PIPE 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CLOSE 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_READ 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_WRITE 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_EA 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_EA 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_FLUSH_BUFFERS 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_VOLUME_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_VOLUME_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_DIRECTORY_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_FILE_SYSTEM_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_DEVICE_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_INTERNAL_DEVICE_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SHUTDOWN 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_LOCK_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CLEANUP 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CREATE_MAILSLOT 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_SECURITY 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_SECURITY 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_POWER 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SYSTEM_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_DEVICE_CHANGE 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_QUOTA 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_QUOTA 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_PNP 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_NAMED_PIPE 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLOSE 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_READ 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_WRITE 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_EA 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_EA 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FLUSH_BUFFERS 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_VOLUME_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_VOLUME_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DIRECTORY_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FILE_SYSTEM_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SHUTDOWN 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_LOCK_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLEANUP 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_MAILSLOT 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_SECURITY 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_SECURITY 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_POWER 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SYSTEM_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CHANGE 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_QUOTA 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_QUOTA 868FB338
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_PNP 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CREATE 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CREATE_NAMED_PIPE 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CLOSE 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_READ 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_WRITE 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_EA 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_EA 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_FLUSH_BUFFERS 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_VOLUME_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_VOLUME_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_DIRECTORY_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_FILE_SYSTEM_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_DEVICE_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_INTERNAL_DEVICE_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SHUTDOWN 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_LOCK_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CLEANUP 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CREATE_MAILSLOT 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_SECURITY 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_SECURITY 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_POWER 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SYSTEM_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_DEVICE_CHANGE 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_QUOTA 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_QUOTA 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_PNP 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_CREATE 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_CREATE_NAMED_PIPE 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_CLOSE 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_READ 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_WRITE 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_QUERY_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_SET_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_QUERY_EA 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_SET_EA 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_FLUSH_BUFFERS 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_QUERY_VOLUME_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_SET_VOLUME_INFORMATION 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_DIRECTORY_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_FILE_SYSTEM_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_DEVICE_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_INTERNAL_DEVICE_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_SHUTDOWN 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_LOCK_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_CLEANUP 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_CREATE_MAILSLOT 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_QUERY_SECURITY 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_SET_SECURITY 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_POWER 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_SYSTEM_CONTROL 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_DEVICE_CHANGE 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_QUERY_QUOTA 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_SET_QUOTA 868FB338
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 IRP_MJ_PNP 868FB338
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE_NAMED_PIPE 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLOSE 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_READ 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_WRITE 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_EA 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_EA 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FLUSH_BUFFERS 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_VOLUME_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_VOLUME_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DIRECTORY_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FILE_SYSTEM_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_INTERNAL_DEVICE_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SHUTDOWN 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_LOCK_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLEANUP 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE_MAILSLOT 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_SECURITY 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_SECURITY 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_POWER 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SYSTEM_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CHANGE 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_QUOTA 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_QUOTA 868FB178
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_PNP 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_CREATE 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_CREATE_NAMED_PIPE 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_CLOSE 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_READ 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_WRITE 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_QUERY_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_SET_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_QUERY_EA 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_SET_EA 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_FLUSH_BUFFERS 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_QUERY_VOLUME_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_SET_VOLUME_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_DIRECTORY_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_FILE_SYSTEM_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_DEVICE_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_INTERNAL_DEVICE_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_SHUTDOWN 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_LOCK_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_CLEANUP 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_CREATE_MAILSLOT 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_QUERY_SECURITY 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_SET_SECURITY 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_POWER 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_SYSTEM_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_DEVICE_CHANGE 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_QUERY_QUOTA 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_SET_QUOTA 868FB178
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_PNP 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_CREATE 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_CREATE_NAMED_PIPE 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_CLOSE 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_READ 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_WRITE 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_QUERY_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_SET_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_QUERY_EA 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_SET_EA 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_FLUSH_BUFFERS 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_QUERY_VOLUME_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_SET_VOLUME_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_DIRECTORY_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_FILE_SYSTEM_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_DEVICE_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_INTERNAL_DEVICE_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_SHUTDOWN 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_LOCK_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_CLEANUP 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_CREATE_MAILSLOT 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_QUERY_SECURITY 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_SET_SECURITY 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_POWER 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_SYSTEM_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_DEVICE_CHANGE 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_QUERY_QUOTA 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_SET_QUOTA 868FB178
Device \Driver\Cdrom \Device\CdRom4 IRP_MJ_PNP 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_CREATE 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_CREATE_NAMED_PIPE 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_CLOSE 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_READ 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_WRITE 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_QUERY_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_SET_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_QUERY_EA 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_SET_EA 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_FLUSH_BUFFERS 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_QUERY_VOLUME_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_SET_VOLUME_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_DIRECTORY_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_FILE_SYSTEM_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_DEVICE_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_INTERNAL_DEVICE_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_SHUTDOWN 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_LOCK_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_CLEANUP 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_CREATE_MAILSLOT 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_QUERY_SECURITY 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_SET_SECURITY 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_POWER 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_SYSTEM_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_DEVICE_CHANGE 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_QUERY_QUOTA 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_SET_QUOTA 868FB178
Device \Driver\Cdrom \Device\CdRom5 IRP_MJ_PNP 868FB178
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 867FC490
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLOSE 867FC490
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_DEVICE_CONTROL 867FC490
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_INTERNAL_DEVICE_CONTROL 867FC490
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLEANUP 867FC490
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_PNP 867FC490
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_CREATE 868FB178
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_CREATE_NAMED_PIPE 868FB178
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_CLOSE 868FB178
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_READ 868FB178
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_WRITE 868FB178
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_QUERY_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_SET_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_QUERY_EA 868FB178
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_SET_EA 868FB178
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_FLUSH_BUFFERS 868FB178
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_QUERY_VOLUME_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_SET_VOLUME_INFORMATION 868FB178
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_DIRECTORY_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_FILE_SYSTEM_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_DEVICE_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_INTERNAL_DEVICE_CONTROL 868FB178
Device \Driver\Cdrom \Device\CdRom6 IRP_MJ_SHUTDOWN

#12 foogan

foogan
  • Topic Starter

  • Members
  • 10 posts

Posted 16 May 2007 - 07:09 PM

The results won't post fully, so I'm attaching the TXT file.

Attached Files

  • Attached File: gmer.txt (95.19KB)


#13 Jintan

Jintan

  • Malware Response Team
  • 531 posts

Posted 16 May 2007 - 09:09 PM

Other info on that unvise32.exe file indicates a MindVision uninstall file, so okay there.


You posted the beginning of the GMER log, and although most of the rest is uneventful and likely the result of the Alcohol drivers I assume you have loaded there, the end of the GMER log reflects undescribed Module info:

---- Modules - GMER 1.0.12 ----

Module _________ F74BE000-F74D6000 (98304 bytes)

---- EOF - GMER 1.0.12 --


Without any other indications of unwanted yet unseen activity I could not say with certainty that this reflects anything other than some perhaps legit function there. Perhaps related to the StarWindService installed.


One other scan for files/entries other scans may have missed would be wise. How is the system running at this point?


Go Here and download ATF cleaner. Click on the downloaded file to run it, and select "Select All", then click Empty Selected (and close ATF).

If you have them, also click on Firefox/Opera at the top and repeat the steps (and close ATF). Firefox/Opera will need to be closed first for the cleaning to be effective.


Then go here for an online AV scan (requires IE to run).

Scan "Local Disks" and when finished save the scan log and then post the log here.
Ad eundum quo no duck ante iit

#14 Jintan

Jintan

  • Malware Response Team
  • 531 posts

Posted 16 May 2007 - 09:14 PM

From the ComboFix log:

2007-05-08 20:06 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll

Simple tie, but the size matches the GMER undocumented module, and that type of activity and that file do suggest SecuROM copy protection software, and takes us back to Starwind, so again likely okay there.
Ad eundum quo no duck ante iit
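The cross-check Jintan does by hand in the two posts above (an unnamed GMER module at F74BE000-F74D6000 reported as 98304 bytes, tied to a 98,304-byte CmdLineExt.dll in the ComboFix file list) can be scripted. The Python below is an added example written for this thread, not code from GMER, ComboFix or the poster: it parses both log formats, verifies that the byte count GMER prints agrees with the span of the address range, and lists every file from the ComboFix-style listing whose on-disk size equals the in-memory size of each unnamed module. The sample lines are constructed to match the shape of the logs quoted in the thread; the avgtdi.sys and dosbas.dll entries and their sizes are made up for the demonstration.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the GMER "Modules" section quoted in the
# thread. The unnamed (underscore) line is the one from the post; the named
# avgtdi.sys line and its addresses are made up to show a benign entry.
GMER_SAMPLE = r"""
---- Modules - GMER 1.0.12 ----

Module _________ F74BE000-F74D6000 (98304 bytes)
Module \SystemRoot\system32\DRIVERS\avgtdi.sys F7B78000-F7B7C000 (16384 bytes)

---- EOF - GMER 1.0.12 ----
"""

# Constructed sample in the shape of the ComboFix file listing. The
# CmdLineExt.dll line is the one quoted in the post; the other two are made up.
COMBOFIX_SAMPLE = r"""
2007-05-08 20:06 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-05-01 08:30 708,608 --a------ C:\WINDOWS\system\dosbas.dll
2007-04-15 20:14 16,384 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
"""

# "Module <name> <start>-<end> (<n> bytes)"; GMER prints underscores as the
# name when it cannot recover one.
GMER_MODULE_RE = re.compile(
    r"^Module\s+(?P<name>\S+)\s+(?P<start>[0-9A-Fa-f]{8})-(?P<end>[0-9A-Fa-f]{8})"
    r"\s+\((?P<size>\d+) bytes\)"
)
# "<date> <time> <size-with-commas> <attrs> <path>"
COMBOFIX_FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+(?P<size>[\d,]+)"
    r"\s+(?P<attrs>\S+)\s+(?P<path>.+?)\s*$"
)


def parse_gmer_modules(text: str) -> List[Dict]:
    """One record per 'Module ...' line; rows whose name is only underscores
    are flagged as unnamed, which is what made the entry worth a second look."""
    records = []
    for line in text.splitlines():
        m = GMER_MODULE_RE.match(line.strip())
        if not m:
            continue
        name = m.group("name")
        records.append({
            "name": name,
            "unnamed": set(name) == {"_"},
            "start": int(m.group("start"), 16),
            "end": int(m.group("end"), 16),
            "size": int(m.group("size")),
        })
    return records


def range_consistent(module: Dict) -> bool:
    """The byte count GMER prints should equal the span of the address range
    (0xF74D6000 - 0xF74BE000 = 0x18000 = 98304). A mismatch would mean the
    line was garbled in transit and should not be relied on."""
    return module["end"] - module["start"] == module["size"]


def parse_combofix_files(text: str) -> List[Dict]:
    """(path, size) records from ComboFix-style lines; the size column uses
    thousands separators, which are stripped before conversion."""
    records = []
    for line in text.splitlines():
        m = COMBOFIX_FILE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "path": m.group("path"),
            "size": int(m.group("size").replace(",", "")),
        })
    return records


def match_unnamed_modules(modules: List[Dict], files: List[Dict]) -> Dict[str, List[str]]:
    """For each unnamed module, list files whose on-disk size equals its
    in-memory size. Keyed by the address range as GMER printed it."""
    by_size: Dict[int, List[str]] = {}
    for f in files:
        by_size.setdefault(f["size"], []).append(f["path"])
    matches: Dict[str, List[str]] = {}
    for mod in modules:
        if not mod["unnamed"]:
            continue
        key = f"{mod['start']:08X}-{mod['end']:08X}"
        matches[key] = sorted(by_size.get(mod["size"], []))
    return matches


if __name__ == "__main__":
    mods = parse_gmer_modules(GMER_SAMPLE)
    for mod in mods:
        print(mod["name"], "range consistent:", range_consistent(mod))
    print(match_unnamed_modules(mods, parse_combofix_files(COMBOFIX_SAMPLE)))
```

A size match is the "simple tie" the post calls it: it narrows the candidates but proves nothing on its own, and the in-memory size of a mapped image is often larger than the file because of section alignment, so an unnamed module with no size match is not cleared either. The candidate file still needs to be identified by its publisher signature, hash, or the product it belongs to, as was done here with CmdLineExt.dll and the copy-protection software.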

#15 foogan

foogan
  • Topic Starter

  • Members
  • 10 posts

Posted 18 May 2007 - 05:38 PM

System's still running the same as it was before, smooth as a possum's tail. No recent AVG notifications since I started on your "PC diet regimen."

Here are the results from Panda. Looks pretty benign to me:


Incident Status Location

Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.com.com/]
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[counter.hitslink.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.zedo.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.bfast.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.overture.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.atwola.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.go.com/]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.spylog.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[server.iad.liveperson.net/hc/66305761]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[server.iad.liveperson.net/]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Foog\Desktop\ComboFix.exe[ComboFixT\nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
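The ActiveScan report above mixes two very different things: dozens of tracking-cookie hits inside one Firefox cookies.txt, and two NirCmd detections, one of which the scanner reports as a member packed inside ComboFix.exe (the same bracket notation it uses for a cookie inside cookies.txt). The following is an added triage example, not code from the thread or from Panda: it parses that four-field layout (category:name, status, path, optional bracketed member) and sorts each entry into a review priority. The sample lines are constructed copies of entries from the report, and the priority rules in triage() are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample in the ActiveScan report layout shown above.
SAMPLE_REPORT = r"""
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Foog\Application Data\Mozilla\Firefox\Profiles\21p9dead.default\cookies.txt[.zedo.com/]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Foog\Desktop\ComboFix.exe[ComboFixT\nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
"""

# Layout assumed from the report: "<category>:<name> <status> <path>[<member>]".
# The list of status words beyond "Not disinfected" is an assumption.
LINE_RE = re.compile(
    r"^(?P<category>[^:]+):(?P<name>\S+)\s+"
    r"(?P<status>Not disinfected|Disinfected|Deleted|Renamed)\s+"
    r"(?P<path>[A-Za-z]:\\[^\[]+?)(?:\[(?P<member>[^\]]+)\])?\s*$"
)


def parse_report(text):
    """Turn report lines into dicts; keep unparsed lines visible instead of dropping them."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
        else:
            entries.append({"category": "UNPARSED", "name": None,
                            "status": None, "path": line, "member": None})
    return entries


def triage(entry):
    """Assign a review priority (rules are this example's assumptions).

    - A Cookie/* hit whose path is a browser cookie store is a tracking cookie:
      clear it from the browser, nothing to hunt for on disk.
    - A hit reported as a bracketed member of another file is bundled inside
      that container; judge the container (here ComboFix.exe), not the member.
    - Anything else that is a standalone file under C:\\WINDOWS is what a
      responder should actually open, hash and date-check.
    """
    name = entry["name"] or ""
    path = entry["path"]
    if name.startswith("Cookie/") and path.lower().endswith("cookies.txt"):
        return "low: tracking cookie, clear from the browser"
    if entry["member"] is not None:
        container = path.rsplit("\\", 1)[-1]
        return f"info: reported inside {container}; judge the container, not the member"
    if path.lower().startswith("c:\\windows"):
        return "review: standalone file under C:\\WINDOWS, check hash and timestamp"
    return "review: unclassified entry"


def summarize(entries):
    """Count entries per priority bucket (the word before the colon)."""
    return dict(Counter(triage(e).split(":", 1)[0] for e in entries))


if __name__ == "__main__":
    for e in parse_report(SAMPLE_REPORT):
        print(f"{triage(e):<70} {e['path']}")
    print(summarize(parse_report(SAMPLE_REPORT)))
```

Run against the full report, the cookie entries collapse into one "low" bucket and the only item left to examine by hand is the standalone C:\WINDOWS\nircmd.exe; whether that file belongs to the ComboFix run or to something else is answered by its hash and creation time, not by the detection name.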