There's no such thing as a stupid question, but they're the easiest to answer.
JoinTour
Login
Search
Virus & Other Malware Removal
Go to first new post Can anyone help me get rid of abnow.com ...
Go to first new post About Blank Infection????
Go to first new post vista internet secuirty 2012
Go to first new post Hijack log could someone please take a l ...
Go to first new post Network, good; Internet, bad
Go to first new post security sheild
Go to first new post Hijack This log. SVCHOST problem
Go to first new post Black desktop, missing all shortcuts, fi ...
Go to first new post Trojan horse problems
Go to first new post c:\Windows\System\32\drivers\avgtdix.sys
Go to first new post Ramnit virus, nearly cleared
Go to first new post Services.exe consumes very high % of CPU
Go to first new post This setup thing keeps popping up everyd ...
Go to first new post Somethings Amiss....
Go to first new post Windows Update Not Running
Tag Cloud
acer asus bios bsod computer crash desktop drive driver drivers error ethernet excel freeze gaming hard drive hardware hdmi internet java laptop malware memory missing monitor motherboard mouse music network printer problem ram registry router slow software sound toshiba trojan usb video virus vista wifi windows windows 7 windows 7 32 bit windows 7 64 bit windows xp wireless
Search
Search for:
Tech Support Guy Forums > Security & Malware Removal > Virus & Other Malware Removal >
Solved: Smitfraud-c, Vundo and who knows what else (New)

Page 1 of 3 1 23
Reply  
Thread Tools
Andeee's Avatar
Computer Specs
Junior Member with 22 posts.
  
Join Date: Mar 2007
Experience: Advanced
24-Mar-2007, 08:10 PM #1
Solved: Smitfraud-c, Vundo and who knows what else
Hi guys and gals.

I'm about at my wits end. Have used Smitfraud Removal tool several times, FixVundo, VirtumundoBGone, Spybot and AntiVir. I've denied registry changes using the Tea Timer and now the 'change denied' messages just stream up my screen. Random 'anti-spyware' websites opening in both IE and Firefox. Posted below are HJT log, VundoFix log and Smitfraud removal tool log. Hope someone can help...

Logfile of HijackThis v1.99.1
Scan saved at 23:40:39, on 24/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\FRITZ!DSL\IGDCTRL.EXE
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe
C:\WINDOWS\system32\nganlsfq.exe
C:\Program Files\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Mr. Poo\Desktop\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 203.200.164.117:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\Copernic Agent\CopernicAgentExt.dll
F2 - REG:system.ini: Shell=C:\WINDOWS\Explorer.exe
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O3 - Toolbar: Alcohol Soft - Alcohol 120% Toolbar - {1CE4EE89-2D5C-4361-AF3B-D902AB545381} - (no file)
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Controlled StartUp] C:\Program Files\StartUp Organizer\Ctrl.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\Program Files\Copernic Agent\CopernicAgent.exe
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\Program Files\Copernic Agent\CopernicAgent.exe
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\Program Files\Copernic Agent\CopernicAgent.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} -
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSN Messenger\msgrapp.8.0.0792.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSN Messenger\msgrapp.8.0.0792.00.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Program Files\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Program Files\Common Files\AVM\de_serv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe


==============================

--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was c:\windows\system32\ddabx.dll

The second filepath entered was c:\windows\system32\xbadd*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 156 'smss.exe'

Killing PID 728 'explorer.exe'
Killing PID 728 'explorer.exe'
Killing PID 728 'explorer.exe'


Killing PID 244 'winlogon.exe'
Killing PID 244 'winlogon.exe'
--------------------------------------------------------------------------------------

c:\windows\system32\ddabx.dll Deleted sucessfully.
c:\windows\system32\xbadd* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------



SmitFraudFix v2.154

Scan done at 23:08:28.67, 24/03/2007
Run from C:\Downloads\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost
127.255.255.255 serial.alcohol-soft.com
127.255.255.255 www.alcohol-soft.com
127.255.255.255 images.alcohol-soft.com

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
Register for free to hide this ad!
JSntgRvr's Avatar
Moderator & Malware Removal Specialist with 16,279 posts.
  
Join Date: Jul 2003
Location: Puerto Rico
Experience: Advanced
24-Mar-2007, 11:48 PM #2
Hi, Andeee.

Welcome to TSG.

Please download gmer rootkit detector from any of the following links:

Link 1
Link 2
Link 3
  • Unzip it and double click the gmer.exe file
  • Select rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Press scan
  • When it has finished press save & post back the log it makes
  • Repeat the proces with the Autostarts tab and do the same there
Download catchme.exe ( 25kB ) from Here to your desktop.
  • Double click the catchme.exe to run it.
    It shall produce a log for you.
  • Open catchme.log and post its contents in a reply.
__________________
Unanswered threads for 5 days will no longer be part of my subscriptions.
Andeee's Avatar
Computer Specs
Junior Member with 22 posts.
  
Join Date: Mar 2007
Experience: Advanced
25-Mar-2007, 05:34 AM #3
Hi JSntgRvr, thanks for the quick reply. I've been reading the work you've done for other people. Ok, I'vve done all the scans and I'll post the logs below. Just one question... would it be possible for you to explain why I'm performing each step? Like what is a rootkit and what information are you looking for in the logs. I just like to understand so I'll know for the future. Teach a man to fish and all that...

edit: wow these are bit long... I'll attatch them as .txt at the bottom too...

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2007-03-25 09:23:31
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT sptd.sys ZwCreateKey
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT sptd.sys ZwOpenKey
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT sptd.sys ZwSetValueKey

---- Kernel code sections - GMER 1.0.12 ----

.text USBPORT.SYS!DllUnload BA90762C 5 Bytes JMP 8A16D1B8

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[584] kernel32.dll!MultiByteToWideChar 7C809CAD 5 Bytes JMP 1002FF60 C:\WINDOWS\system32\ddcya.dll

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 8A19D1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 8A19D1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 8A19D1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 8A19D1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 8A19D1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 8A19D1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 8A19D1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 8A19D1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 8A19D1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 8A19D1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 8A19D1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 8A19D1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 8A19D1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 8A19D1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 8A19D1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 8A19D1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 8A19D1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 8A19D1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 8A19D1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 8A19D1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 8A19D1D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 8A19D1D8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_CREATE 8A16C1D8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_CLOSE 8A16C1D8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_DEVICE_CONTROL 8A16C1D8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 8A16C1D8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_POWER 8A16C1D8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_SYSTEM_CONTROL 8A16C1D8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_PNP 8A16C1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CREATE 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CLOSE 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_READ 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_WRITE 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_FLUSH_BUFFERS 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_DEVICE_CONTROL 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_INTERNAL_DEVICE_CONTROL 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SHUTDOWN 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_POWER 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SYSTEM_CONTROL 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_PNP 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CREATE 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CLOSE 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_READ 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_WRITE 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_FLUSH_BUFFERS 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_DEVICE_CONTROL 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_INTERNAL_DEVICE_CONTROL 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SHUTDOWN 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_POWER 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SYSTEM_CONTROL 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_PNP 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CREATE 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CLOSE 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_READ 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_WRITE 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_FLUSH_BUFFERS 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_DEVICE_CONTROL 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_INTERNAL_DEVICE_CONTROL 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SHUTDOWN 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_POWER 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SYSTEM_CONTROL 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_PNP 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CREATE 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CLOSE 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_READ 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_WRITE 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_FLUSH_BUFFERS 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_DEVICE_CONTROL 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_INTERNAL_DEVICE_CONTROL 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SHUTDOWN 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_POWER 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SYSTEM_CONTROL 8A20F1D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_PNP 8A20F1D8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_CREATE 8A16C1D8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_CLOSE 8A16C1D8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_DEVICE_CONTROL 8A16C1D8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL 8A16C1D8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_POWER 8A16C1D8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_SYSTEM_CONTROL 8A16C1D8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_PNP 8A16C1D8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_CREATE 8A16C1D8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_CLOSE 8A16C1D8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_DEVICE_CONTROL 8A16C1D8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_INTERNAL_DEVICE_CONTROL 8A16C1D8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_POWER 8A16C1D8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_SYSTEM_CONTROL 8A16C1D8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_PNP 8A16C1D8
Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_CREATE 8A16C1D8
Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_CLOSE 8A16C1D8
Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_DEVICE_CONTROL 8A16C1D8
Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_INTERNAL_DEVICE_CONTROL 8A16C1D8
Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_POWER 8A16C1D8
Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_SYSTEM_CONTROL 8A16C1D8
Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_PNP 8A16C1D8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_CREATE 8A1401D8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_CLOSE 8A1401D8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_DEVICE_CONTROL 8A1401D8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_INTERNAL_DEVICE_CONTROL 8A1401D8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_POWER 8A1401D8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_SYSTEM_CONTROL 8A1401D8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_PNP 8A1401D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 8A19F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 8A19F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE 8A19F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS 8A19F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL 8A19F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL 8A19F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN 8A19F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP 8A19F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER 8A19F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL 8A19F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_PNP 8A19F1D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 8A0F61D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 8A0F61D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 8A0F61D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 8A0F61D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 8A0F61D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 8A0F61D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 8A0F61D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 8A0F61D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 8A0F61D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 8A0F61D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 8A0F61D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE 8A19F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_READ 8A19F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_WRITE 8A19F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_FLUSH_BUFFERS 8A19F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DEVICE_CONTROL 8A19F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_INTERNAL_DEVICE_CONTROL 8A19F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SHUTDOWN 8A19F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CLEANUP 8A19F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_POWER 8A19F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SYSTEM_CONTROL 8A19F1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_PNP 8A19F1D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 8A0F61D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 8A0F61D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 8A0F61D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 8A0F61D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 8A0F61D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 8A0F61D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 8A0F61D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 8A0F61D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 8A0F61D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 8A0F61D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 8A0F61D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE 8A19E1D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLOSE 8A19E1D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CONTROL 8A19E1D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL 8A19E1D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_POWER 8A19E1D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SYSTEM_CONTROL 8A19E1D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_PNP 8A19E1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE 8A19E1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CLOSE 8A19E1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DEVICE_CONTROL 8A19E1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_INTERNAL_DEVICE_CONTROL 8A19E1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_POWER 8A19E1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SYSTEM_CONTROL 8A19E1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_PNP 8A19E1D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE 8A19E1D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLOSE 8A19E1D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CONTROL 8A19E1D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL 8A19E1D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_POWER 8A19E1D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SYSTEM_CONTROL 8A19E1D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_PNP 8A19E1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_CREATE 8A19E1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_CLOSE 8A19E1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_DEVICE_CONTROL 8A19E1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_INTERNAL_DEVICE_CONTROL 8A19E1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_POWER 8A19E1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SYSTEM_CONTROL 8A19E1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_PNP 8A19E1D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{789F4325-0086-43F7-8413-77F688EDEBBA} IRP_MJ_CREATE 89CA9648
Device \Driver\NetBT \Device\NetBT_Tcpip_{789F4325-0086-43F7-8413-77F688EDEBBA} IRP_MJ_CLOSE 89CA9648
Device \Driver\NetBT \Device\NetBT_Tcpip_{789F4325-0086-43F7-8413-77F688EDEBBA} IRP_MJ_DEVICE_CONTROL 89CA9648
Device \Driver\NetBT \Device\NetBT_Tcpip_{789F4325-0086-43F7-8413-77F688EDEBBA} IRP_MJ_INTERNAL_DEVICE_CONTROL 89CA9648
Device \Driver\NetBT \Device\NetBT_Tcpip_{789F4325-0086-43F7-8413-77F688EDEBBA} IRP_MJ_CLEANUP 89CA9648
Device \Driver\NetBT \Device\NetBT_Tcpip_{789F4325-0086-43F7-8413-77F688EDEBBA} IRP_MJ_PNP 89CA9648
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 89CA9648
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLOSE 89CA9648
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_DEVICE_CONTROL 89CA9648
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_INTERNAL_DEVICE_CONTROL 89CA9648
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLEANUP 89CA9648
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_PNP
Last edited by Andeee; 25-Mar-2007 at 07:46 AM..
Andeee's Avatar
Computer Specs
Junior Member with 22 posts.
  
Join Date: Mar 2007
Experience: Advanced
25-Mar-2007, 05:34 AM #4
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 89CA9648
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLOSE 89CA9648
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_DEVICE_CONTROL 89CA9648
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_INTERNAL_DEVICE_CONTROL 89CA9648
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLEANUP 89CA9648
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_PNP 89CA9648
Device \Driver\usbstor \Device\00000094 IRP_MJ_CREATE 89CA5980
Device \Driver\usbstor \Device\00000094 IRP_MJ_CLOSE 89CA5980
Device \Driver\usbstor \Device\00000094 IRP_MJ_READ 89CA5980
Device \Driver\usbstor \Device\00000094 IRP_MJ_WRITE 89CA5980
Device \Driver\usbstor \Device\00000094 IRP_MJ_DEVICE_CONTROL 89CA5980
Device \Driver\usbstor \Device\00000094 IRP_MJ_INTERNAL_DEVICE_CONTROL 89CA5980
Device \Driver\usbstor \Device\00000094 IRP_MJ_POWER 89CA5980
Device \Driver\usbstor \Device\00000094 IRP_MJ_SYSTEM_CONTROL 89CA5980
Device \Driver\usbstor \Device\00000094 IRP_MJ_PNP 89CA5980
Device \Driver\00000062 \Device\0000004e IRP_MJ_POWER [F750EC7E] sptd.sys
Device \Driver\00000062 \Device\0000004e IRP_MJ_SYSTEM_CONTROL [F75282A2] sptd.sys
Device \Driver\00000062 \Device\0000004e IRP_MJ_PNP [F7529228] sptd.sys
Device \Driver\usbstor \Device\00000098 IRP_MJ_CREATE 89CA5980
Device \Driver\usbstor \Device\00000098 IRP_MJ_CLOSE 89CA5980
Device \Driver\usbstor \Device\00000098 IRP_MJ_READ 89CA5980
Device \Driver\usbstor \Device\00000098 IRP_MJ_WRITE 89CA5980
Device \Driver\usbstor \Device\00000098 IRP_MJ_DEVICE_CONTROL 89CA5980
Device \Driver\usbstor \Device\00000098 IRP_MJ_INTERNAL_DEVICE_CONTROL 89CA5980
Device \Driver\usbstor \Device\00000098 IRP_MJ_POWER 89CA5980
Device \Driver\usbstor \Device\00000098 IRP_MJ_SYSTEM_CONTROL 89CA5980
Device \Driver\usbstor \Device\00000098 IRP_MJ_PNP 89CA5980
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_CREATE 8A16C1D8
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_CLOSE 8A16C1D8
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_DEVICE_CONTROL 8A16C1D8
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 8A16C1D8
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_POWER 8A16C1D8
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_SYSTEM_CONTROL 8A16C1D8
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_PNP 8A16C1D8
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_CREATE 8A16C1D8
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_CLOSE 8A16C1D8
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_DEVICE_CONTROL 8A16C1D8
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL 8A16C1D8
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_POWER 8A16C1D8
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_SYSTEM_CONTROL 8A16C1D8
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_PNP 8A16C1D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSE 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 89C931D8
Device \Driver\usbuhci \Device\USBFDO-2 IRP_MJ_CREATE 8A16C1D8
Device \Driver\usbuhci \Device\USBFDO-2 IRP_MJ_CLOSE 8A16C1D8
Device \Driver\usbuhci \Device\USBFDO-2 IRP_MJ_DEVICE_CONTROL 8A16C1D8
Device \Driver\usbuhci \Device\USBFDO-2 IRP_MJ_INTERNAL_DEVICE_CONTROL 8A16C1D8
Device \Driver\usbuhci \Device\USBFDO-2 IRP_MJ_POWER 8A16C1D8
Device \Driver\usbuhci \Device\USBFDO-2 IRP_MJ_SYSTEM_CONTROL 8A16C1D8
Device \Driver\usbuhci \Device\USBFDO-2 IRP_MJ_PNP 8A16C1D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{9A5D13AE-72BF-401D-9DFF-14AC23821F49} IRP_MJ_CREATE 89CA9648
Device \Driver\NetBT \Device\NetBT_Tcpip_{9A5D13AE-72BF-401D-9DFF-14AC23821F49} IRP_MJ_CLOSE 89CA9648
Device \Driver\NetBT \Device\NetBT_Tcpip_{9A5D13AE-72BF-401D-9DFF-14AC23821F49} IRP_MJ_DEVICE_CONTROL 89CA9648
Device \Driver\NetBT \Device\NetBT_Tcpip_{9A5D13AE-72BF-401D-9DFF-14AC23821F49} IRP_MJ_INTERNAL_DEVICE_CONTROL 89CA9648
Device \Driver\NetBT \Device\NetBT_Tcpip_{9A5D13AE-72BF-401D-9DFF-14AC23821F49} IRP_MJ_CLEANUP 89CA9648
Device \Driver\NetBT \Device\NetBT_Tcpip_{9A5D13AE-72BF-401D-9DFF-14AC23821F49} IRP_MJ_PNP 89CA9648
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSE 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 89C931D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 89C931D8
Device \Driver\usbuhci \Device\USBFDO-3 IRP_MJ_CREATE 8A16C1D8
Device \Driver\usbuhci \Device\USBFDO-3 IRP_MJ_CLOSE 8A16C1D8
Device \Driver\usbuhci \Device\USBFDO-3 IRP_MJ_DEVICE_CONTROL 8A16C1D8
Device \Driver\usbuhci \Device\USBFDO-3 IRP_MJ_INTERNAL_DEVICE_CONTROL 8A16C1D8
Device \Driver\usbuhci \Device\USBFDO-3 IRP_MJ_POWER 8A16C1D8
Device \Driver\usbuhci \Device\USBFDO-3 IRP_MJ_SYSTEM_CONTROL 8A16C1D8
Device \Driver\usbuhci \Device\USBFDO-3 IRP_MJ_PNP 8A16C1D8
Device \Driver\usbehci \Device\USBFDO-4 IRP_MJ_CREATE 8A1401D8
Device \Driver\usbehci \Device\USBFDO-4 IRP_MJ_CLOSE 8A1401D8
Device \Driver\usbehci \Device\USBFDO-4 IRP_MJ_DEVICE_CONTROL 8A1401D8
Device \Driver\usbehci \Device\USBFDO-4 IRP_MJ_INTERNAL_DEVICE_CONTROL 8A1401D8
Device \Driver\usbehci \Device\USBFDO-4 IRP_MJ_POWER 8A1401D8
Device \Driver\usbehci \Device\USBFDO-4 IRP_MJ_SYSTEM_CONTROL 8A1401D8
Device \Driver\usbehci \Device\USBFDO-4 IRP_MJ_PNP 8A1401D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 8A19F1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_READ 8A19F1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_WRITE 8A19F1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_FLUSH_BUFFERS 8A19F1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_DEVICE_CONTROL 8A19F1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_INTERNAL_DEVICE_CONTROL 8A19F1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SHUTDOWN 8A19F1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CLEANUP 8A19F1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_POWER 8A19F1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SYSTEM_CONTROL 8A19F1D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_PNP 8A19F1D8
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 IRP_MJ_CREATE 8A0F01D8
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 IRP_MJ_CLOSE 8A0F01D8
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 IRP_MJ_DEVICE_CONTROL 8A0F01D8
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 IRP_MJ_INTERNAL_DEVICE_CONTROL 8A0F01D8
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 IRP_MJ_POWER 8A0F01D8
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 IRP_MJ_SYSTEM_CONTROL 8A0F01D8
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 IRP_MJ_PNP 8A0F01D8
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port2Path0Target0Lun0 IRP_MJ_CREATE 8A0F01D8
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port2Path0Target0Lun0 IRP_MJ_CLOSE 8A0F01D8
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port2Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 8A0F01D8
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port2Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 8A0F01D8
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port2Path0Target0Lun0 IRP_MJ_POWER 8A0F01D8
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port2Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL 8A0F01D8
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port2Path0Target0Lun0 IRP_MJ_PNP 8A0F01D8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 89C73980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE 89C73980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 89C73980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION 89C73980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION 89C73980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION 89C73980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL 89C73980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL 89C73980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL 89C73980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN 89C73980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL 89C73980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP 89C73980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP 89C73980

---- Registry - GMER 1.0.12 ----

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{56048555-EFA2-DFC9-A0B3-7FB7BB209CFB}\InProcServer32@eajilbndjm 0x68 0x61 0x6C 0x6C ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version@Version 0x6B 0x4A 0x8F 0x84 ...
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG 04.00.00.01SERVER F3793E0EA39140E6B3BE6AD229D6EC016DDF0CB4B482C47A2A97CF93F98467C3B7B0BF00292 472A26E23F82AA16759A8D0382761FA060C3E754D5921D369F53245159DB0FA403EE688FAF5 CF5FA1E803400715F7D8BF373DD8DBF2A93CA7642E1E40A9C7BB182E3A103A298DA060AB86F 7B63284CC54797FDCC8AE980ECE2BEE39F0CB3547C39CA68877EC715FE3032DA7586ED4894C 58107F3E309E59CE17B2FD88FBA6A6BCBA38E8FEBC9E127BECC74CFEBC9E127BECC74CFEBC9 E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C8EDD5E5BE2F6E667 A6A0AC4980AC7933FEBC9E127BECC74CBA7FD869164D6794FA0097BAB194A5C4A85C86CF9A8 E16EC910EE96DB944CAB1781EC0DE66015CD574222B16D417A16CFE20C99160E6982409C02E 90F3B4DE652C4858187B55B1BDDE70C24564A4899DC18306F433CFC1627D4B82B423E74935A 5D7228C5AD3EE36398AA58EAA02357A2C77023BE6F037D6001850BAC28C237CEE49CBDB4750 3EE7A89F616D53C57A1999824C5FAFC8A125C79FC537B1A1848C3AAC43586B6FC76FF6F5C49 2EFDB38038EBEB40DA8A62FE12F72D3F433008DA8D826BA0751AD3EDE11666460F704CD372F 5AD0A4D130121CB634B2F06E50E088456DAA25EB59D33907DE98EE42D29F274519FB3B8B5E0 04F809ADBDD6F8F24D91A504E9D8F94BFFA0E5FFD0A0E2F9
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG 08.00.00.01WORKSTATION 48E28FA9022781DA14DF6D17088DC7E74D77B629B546130F1F255AE123B69E49F9F6A7EBF9E 1DDC742692C92909676ECD26252CAD7A592DAD5A9E44414AE84136982CF17EDF7B2A60ECD3D 73CC5E5BF074367AEB04C9A1E709FC334B4CBB727CDFC1777A95E53186E26D1878A059BB44D 8A04ADDE94037E8BDB4A5F6E8A234B960D164671C489A3FFEBC9E127BECC74CFEBC9E127BEC C74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C8EDD5E5 BE2F6E667A6A0AC4980AC7933FEBC9E127BECC74CBA7FD869164D67948A66F91595CD337AAA F6E15160032A53DD4190DF853DA08C23C12D887D35115B735448A883A967EC65CB21639FBFF 21A2512BBCE866EA5A2325D52BF44F023FDF9ED059FB6D8243939E5E7D2DF2AA463B128572D FA7C64102FCCA3F9EF3E3A6259A0889308FA30AB5DBBF4898537F81ED923A4D4F35A2C85ACF 688A0DCA8D81803BC7D21415165573E28D775E60240FCA586B9A6F319E17470AB3BA55CDB99 7419F764671EBFB111FB687587CEC9DD745339FE8273F27C9576984AFA34A8A80E73EC908B5 3D29670EC208736FBF0473FD307B4D15FC28A646CD319189C04C8429C97AAB60537ABD418D3 99F9237E0BDCCD9F6AFD96082A1E34555FF9C3864E31555AAE96CE3E1BDD3A708C51699D450 D1A9507746DE611476478269F49EDA23E907A6AD9BD5F23F
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OOCC06.0 0.00.01WSSV 6C6C6D1BA2223A62C4500C9BC79D88C41A3D66FD4B723B394781EA602EA720A2C2E923D987C D01C26CD8E26FBDDDF5B7A773CD10062EFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127B ECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C8EDD5E5BE2F6E667A6A0A C4980AC7933FEBC9E127BECC74CA2D97226D213B55559DBD605F8605A2ADCF8E96C4159FDF5 1FE2CEC7C9D7937487AEDE38187E1AFEFE3D24210641258149AF77CA44E5616BADED6824269 5ECB4EE3F7D0A45F5F26D916D41A0F25DA8E1F77F9A40738C0CCBC87D7EED177EFC9529C566 E811491F30C1F8A4BF2E098E6F9DE7F881D561E38049A181F2D58909EA5487765A87ECDFA49 6F1B7DD3B59B433C46A27E5023A82DCDE6DD5A1AFED866EE6C58009CB1B280D666FDB7B3328 AC164B8EB4E923B337130DF85611862722BD26CA49C213CFA210DF88E3423E94BB6962DEA0A D7CAC053DA9E0CE784FF5BA592F628C782A4DA9B802DD157A9E7FDBDF91E95E73DFC7A057DE 430036935FE4A8F1DC76C0EC18CEF3238DAB152610B91030C2D525B76CF7402C439FCA6F2A6 7723190AAD54F79D594E94157A4BBAFB7F66EFE63CC7E45263EE58BD6D915623E6506543E94 56FD3951569FB85EDA8DE9F24BB9571CC4C200F8AFC3C12E4BD997935A86BA801D7723C536D 6691F939B1C481F127565AE170B7D071F71B3E7A2D8F0EE8
Reg \Registry\MACHINE\SOFTWARE\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version@Version 0x6B 0x4A 0x8F 0x84 ...

---- Files - GMER 1.0.12 ----

ADS C:\Adobe Photoshop In A Book\Fonts\AFMs\gdio____.afm:KAVICHS
ADS C:\Adobe Photoshop In A Book\Fonts\AFMs\gdi_____.afm:KAVICHS
ADS C:\Adobe Photoshop In A Book\Fonts\AFMs\gdrg____.afm:KAVICHS
ADS C:\Adobe Photoshop In A Book\Fonts\AFMs\gdsbi___.afm:KAVICHS
ADS C:\Adobe Photoshop In A Book\Fonts\AFMs\gdsbs___.afm:KAVICHS
ADS C:\Adobe Photoshop In A Book\Fonts\AFMs\gdsb____.afm:KAVICHS
ADS C:\Adobe Photoshop In A Book\Fonts\AFMs\gdsc____.afm:KAVICHS
ADS C:\Adobe Photoshop In A Book\Fonts\AFMs\gdsis___.afm:KAVICHS
ADS C:\Adobe Photoshop In A Book\Fonts\AFMs\gdttl___.afm:KAVICHS
ADS C:\Adobe Photoshop In A Book\Fonts\AFMs\jsds____.afm:KAVICHS
ADS C:\Adobe Photoshop In A Book\Fonts\AFMs\jsi_____.afm:KAVICHS
ADS ...

---- EOF - GMER 1.0.12 ----
Andeee's Avatar
Computer Specs
Junior Member with 22 posts.
  
Join Date: Mar 2007
Experience: Advanced
25-Mar-2007, 05:35 AM #5
GMER 1.0.12.12011 - http://www.gmer.net
Autostart scan 2007-03-25 09:24:40
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@BootExecute = PDBoot.exe autocheck autochk /r \??\E: autocheck autochk * ?????? SsiEfr.e

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon >>>
@UserinitC:\WINDOWS\system32\userinit.exe, = C:\WINDOWS\system32\userinit.exe,
@ShellC:\WINDOWS\Explorer.exe = C:\WINDOWS\Explorer.exe
@UIHostC:\Documents and Settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe = C:\Documents and Settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
ddabx@DLLName = C:\WINDOWS\system32\ddabx.dll /*file not found*/
ddcya@DLLName = C:\WINDOWS\system32\ddcya.dll
WRNotifier@DLLName = WRLogonNTF.dll /*file not found*/

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
AntiVirScheduler /*AntiVir PersonalEdition Classic Scheduler*/@ = C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
AntiVirService /*AntiVir PersonalEdition Classic Guard*/@ = C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
AVM IGD CTRL Service /*AVM IGD CTRL Service*/@ = C:\Program Files\FRITZ!DSL\IGDCTRL.EXE
FolderSize /*Folder Size*/@ = "C:\Program Files\FolderSize\FolderSizeSvc.exe"
PDAgent /*PDAgent*/@ = "C:\Program Files\Raxco\PerfectDisk\PDAgent.exe"
RichVideo /*Cyberlink RichVideo Service(CRVS)*/@ = "C:\Program Files\CyberLink\Shared files\RichVideo.exe" ??????????????????????????????????????????????????????
RSVP /*QoS RSVP*/@ = %SystemRoot%\system32\rsvp.exe
SimpTcp /*Simple TCP/IP Services*/@ = %SystemRoot%\system32\tcpsvcs.exe
Spooler /*Print Spooler*/@ = %SystemRoot%\system32\spoolsv.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\system32\wdfmgr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@avgnt"C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min = "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
@NvCplDaemonRUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@Controlled StartUpC:\Program Files\StartUp Organizer\Ctrl.exe = C:\Program Files\StartUp Organizer\Ctrl.exe
@SpybotSD TeaTimerC:\Program Files\Spybot - Search & Destroy\TeaTimer.exe = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad@ UPnPMonitor = C:\WINDOWS\system32\upnpui.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks@{ 182B90A3-F372-438A-800C-6814B4DE417B} = C:\WINDOWS\system32\qomkjjk.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Program Files\WinRAR\rarext.dll = C:\Program Files\WinRAR\rarext.dll
@{B327765E-D724-4347-8B16-78AE18552FC3} /*NeroDigitalIconHandler*/C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll = C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll
@{7F1CF152-04F8-453A-B34C-E609530A9DC8} /*NeroDigitalPropSheetHandler*/C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll = C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll
@{0561EC90-CE54-4f0c-9C55-E226110A740C} /*Haali Column Provider*/C:\Program Files\Combined Community Codec Pack\Filters\Haali\mmfinfo.dll = C:\Program Files\Combined Community Codec Pack\Filters\Haali\mmfinfo.dll
@{E4D8441D-F89C-4b5c-90AC-A857E1768F1F} /*Haali Matroska Thumbnail Exctractor*/(null) =
@{e57ce731-33e8-4c51-8354-bb4de9d215d1} /*Universal Plug and Play Devices*/C:\WINDOWS\system32\upnpui.dll = C:\WINDOWS\system32\upnpui.dll
@{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} /*OpenOffice.org Column Handler*/"C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"
@{087B3AE3-E237-4467-B8DB-5A38AB959AC9} /*OpenOffice.org Infotip Handler*/"C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"
@{63542C48-9552-494A-84F7-73AA6A7C99C1} /*OpenOffice.org Property Sheet Handler*/"C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"
@{3B092F0C-7696-40E3-A80F-68D74DA84210} /*OpenOffice.org Thumbnail Viewer*/"C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll" = "C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"
@{32020A01-506E-484D-A2A8-BE3CF17601C3} /*AlcoholShellEx*/C:\PROGRA~1\ALCOHO~1\ALCOHO~1\axshlex.dll = C:\PROGRA~1\ALCOHO~1\ALCOHO~1\axshlex.dll
@{7C9D5882-CB4A-4090-96C8-430BFE8B795B} /*Webroot Spy Sweeper Context Menu Integration*/(null) =
@{D9872D13-7651-4471-9EEE-F0A00218BEBB} /*Multiscan*/(null) =
@{B8323370-FF27-11D2-97B6-204C4F4F5020} /*SmartFTP Shell Extension DLL*/C:\Program Files\SmartFTP Client 2.0\smarthook.dll = C:\Program Files\SmartFTP Client 2.0\smarthook.dll
@{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0} /*TuneUp Shredder Shell Context Menu Extension*/"C:\Program Files\TuneUp Utilities 2006\sdshelex.dll" = "C:\Program Files\TuneUp Utilities 2006\sdshelex.dll"
@{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} /*PowerISO*/C:\Program Files\PowerISO\PowerISOShell.dll = C:\Program Files\PowerISO\PowerISOShell.dll
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/C:\Program Files\MSN Messenger\fsshext.8.0.0792.00.dll = C:\Program Files\MSN Messenger\fsshext.8.0.0792.00.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Program Files\Real\RealPlayer\rpshell.dll = C:\Program Files\Real\RealPlayer\rpshell.dll
@{8FF88D21-7BD0-11D1-BFB7-00AA00262A11} /*WinAce Archiver 2.65 Context Menu Shell Extension*/C:\Program Files\WinAce\arcext.dll = C:\Program Files\WinAce\arcext.dll
@{8FF88D25-7BD0-11D1-BFB7-00AA00262A11} /*WinAce Archiver 2.65 DragDrop Shell Extension*/C:\Program Files\WinAce\arcext.dll = C:\Program Files\WinAce\arcext.dll
@{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} /*WinAce Archiver 2.65 Context Menu Shell Extension*/C:\Program Files\WinAce\arcext.dll = C:\Program Files\WinAce\arcext.dll
@{8FF88D23-7BD0-11D1-BFB7-00AA00262A11} /*WinAce Archiver 2.65 Property Sheet Shell Extension*/C:\Program Files\WinAce\arcext.dll = C:\Program Files\WinAce\arcext.dll
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{A70C977A-BF00-412C-90B7-034C51DA2439} /*NvCpl DesktopContext Class*/C:\WINDOWS\system32\nvcpl.dll = C:\WINDOWS\system32\nvcpl.dll
@{1CDB2949-8F65-4355-8456-263E7C208A5D} /*Desktop Explorer*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /*Desktop Explorer Menu*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A48} /*nView Desktop Context Menu*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{FFB699E0-306A-11d3-8BD1-00104B6F7516} /*Play on my TV helper*/C:\WINDOWS\system32\nvcpl.dll = C:\WINDOWS\system32\nvcpl.dll
@{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} /*Adobe.Acrobat.ContextMenu*/C:\Program Files\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll = C:\Program Files\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll
@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} /*Shell Extension for Malware scanning*/C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll = C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
PowerISO@{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} = C:\Program Files\PowerISO\PowerISOShell.dll
Shell Extension for Malware scanning@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers@{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} = C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\PowerISO@{967B2 D40-8B7D-4127-9049-61EA0C2C6DCE} = C:\Program Files\PowerISO\PowerISOShell.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
Adobe.Acrobat.ContextMenu@{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Program Files\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll
PowerISO@{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} = C:\Program Files\PowerISO\PowerISOShell.dll
Shell Extension for Malware scanning@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers@{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208} = C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll = C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
@{2C2D18D1-A9C5-4908-AE51-0AF1221FBDCD}C:\WINDOWS\system32\ddcya.dll = C:\WINDOWS\system32\ddcya.dll
@{31FF080D-12A3-439A-A2EF-4BA95A3148E8}C:\Program Files\GetRight\xx2gr.dll /*file not found*/ = C:\Program Files\GetRight\xx2gr.dll /*file not found*/
@{4A6B7681-0A38-42B5-AD31-BA478868986f}C:\WINDOWS\system32\mgdjpogd.dll /*file not found*/ = C:\WINDOWS\system32\mgdjpogd.dll /*file not found*/
@{53707962-6F74-2D53-2644-206D7942484F}C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll = C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
@{AE7CD045-E861-484f-8273-0445EE161910}C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
@{C8FFF7A3-28B5-44F3-B576-2142F72443EA}C:\WINDOWS\system32\ddabx.dll /*file not found*/ = C:\WINDOWS\system32\ddabx.dll /*file not found*/
@{F20E2857-D9C2-4215-A528-B55AF98B0E4D}C:\WINDOWS\system32\vtsqr.dll /*file not found*/ = C:\WINDOWS\system32\vtsqr.dll /*file not found*/

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\system32\scrnsave.scr

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
@Local PageC:\windows\system32\blank.htm = C:\windows\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
copernicagent@CLSID = C:\PROGRA~1\Copernic Agent\CopernicAgentExt.dll
copernicagentcache@CLSID = C:\PROGRA~1\Copernic Agent\CopernicAgentExt.dll
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
livecall@CLSID = C:\PROGRA~1\MSN Messenger\msgrapp.8.0.0792.00.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
msnim@CLSID = C:\PROGRA~1\MSN Messenger\msgrapp.8.0.0792.00.dll
skype4com@CLSID = C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\system32\wiascr.dll

---- EOF - GMER 1.0.12 ----
Andeee's Avatar
Computer Specs
Junior Member with 22 posts.
  
Join Date: Mar 2007
Experience: Advanced
25-Mar-2007, 05:35 AM #6
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Andeee's Avatar
Computer Specs
Junior Member with 22 posts.
  
Join Date: Mar 2007
Experience: Advanced
25-Mar-2007, 05:38 AM #7
Attatchments...
Attachment Blocked
Attachments in the HJT forum are often designed to solve a specific issue and not meant to be used without instructions specific to your computer. If you want help specific to your computer, please post a HiJackThis Log. If you started this thread, please make sure you are logged in to be able to view attachments.
JSntgRvr's Avatar
Moderator & Malware Removal Specialist with 16,279 posts.
  
Join Date: Jul 2003
Location: Puerto Rico
Experience: Advanced
25-Mar-2007, 12:35 PM #8
Hi, Andeee

The system still have a Vundo infection, but you are using old tools. Please remove all tool you have downloaded and only use the one I will give you.

Please rename Hijackthis.exe to Mypoppy.exe. Some Vundo variants will recognize Hijackthis and will hide.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis (Mypoppy) log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.
__________________
Unanswered threads for 5 days will no longer be part of my subscriptions.
Andeee's Avatar
Computer Specs
Junior Member with 22 posts.
  
Join Date: Mar 2007
Experience: Advanced
25-Mar-2007, 02:33 PM #9
OK. Did what you said. Must say though, the version of VundoFix was the same as one I have already used.

Anyway, here are the logs...

Ah, as I was getting the logs, registry changes I blacklisted in Search and Destroy Tea Timer started up again.

VundoFix V6.3.17

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 18:17:18 25/03/2007

Listing files found while scanning....

C:\WINDOWS\system32\bbeeg.bak1
C:\WINDOWS\system32\bbeeg.ini
C:\WINDOWS\system32\ddabx.dll
C:\WINDOWS\system32\geebb.dll
C:\WINDOWS\system32\kvkotauw.exe

Beginning removal...

Attempting to delete C:\WINDOWS\system32\bbeeg.bak1
C:\WINDOWS\system32\bbeeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\bbeeg.ini
C:\WINDOWS\system32\bbeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\geebb.dll
C:\WINDOWS\system32\geebb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kvkotauw.exe
C:\WINDOWS\system32\kvkotauw.exe Has been deleted!

Performing Repairs to the registry.
Done!


Logfile of HijackThis v1.99.1
Scan saved at 18:24:26, on 25/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\FRITZ!DSL\IGDCTRL.EXE
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\rsvp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Mr. Poo\Desktop\MyPoppy.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 203.200.164.117:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\Copernic Agent\CopernicAgentExt.dll
F2 - REG:system.ini: Shell=C:\WINDOWS\Explorer.exe
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - (no file)
O2 - BHO: (no name) - {25392DB0-95A8-41D4-B055-30F9334AF5DE} - (no file)
O2 - BHO: (no name) - {2C2D18D1-A9C5-4908-AE51-0AF1221FBDCD} - C:\WINDOWS\system32\ddcya.dll (file missing)
O2 - BHO: (no name) - {2FA87755-46B9-46E4-8429-5246B2BDA744} - C:\WINDOWS\system32\geebb.dll (file missing)
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll (file missing)
O2 - BHO: (no name) - {4A6B7681-0A38-42B5-AD31-BA478868986f} - C:\WINDOWS\system32\mgdjpogd.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {703B8318-EE39-44F1-A444-518FF0647B67} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {BD0A5A07-7F51-43B3-8B8B-7078501A5600} - (no file)
O2 - BHO: (no name) - {C8FFF7A3-28B5-44F3-B576-2142F72443EA} - C:\WINDOWS\system32\ddabx.dll (file missing)
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - (no file)
O2 - BHO: (no name) - {F20E2857-D9C2-4215-A528-B55AF98B0E4D} - C:\WINDOWS\system32\vtsqr.dll (file missing)
O3 - Toolbar: Alcohol Soft - Alcohol 120% Toolbar - {1CE4EE89-2D5C-4361-AF3B-D902AB545381} - (no file)
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Controlled StartUp] C:\Program Files\StartUp Organizer\Ctrl.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\Program Files\Copernic Agent\CopernicAgent.exe
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\Program Files\Copernic Agent\CopernicAgent.exe
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\Program Files\Copernic Agent\CopernicAgent.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} -
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSN Messenger\msgrapp.8.0.0792.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSN Messenger\msgrapp.8.0.0792.00.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O20 - Winlogon Notify: ddabx - C:\WINDOWS\system32\ddabx.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Program Files\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Program Files\Common Files\AVM\de_serv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
Andeee's Avatar
Computer Specs
Junior Member with 22 posts.
  
Join Date: Mar 2007
Experience: Advanced
25-Mar-2007, 03:23 PM #10
After the reset the following viruses were found:

TR/Spy.VBStat.B.1
TR/Vundo.Gen
TR/Agent.ACL
TR/Dldr.ConHook.Gen
Andeee's Avatar
Computer Specs
Junior Member with 22 posts.
  
Join Date: Mar 2007
Experience: Advanced
25-Mar-2007, 07:51 PM #11
Quote:
Originally Posted by JSntgRvr
Hi, Andeee

[*]You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
It didn't do this...

Quote:
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.
Or this...
JSntgRvr's Avatar
Moderator & Malware Removal Specialist with 16,279 posts.
  
Join Date: Jul 2003
Location: Puerto Rico
Experience: Advanced
25-Mar-2007, 07:51 PM #12
Hi, Andeee.

Please remove Spybot Search and Destroy from your computer until we finish the clean-up. You can download the utility once we are done.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {0DB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - (no file)
O2 - BHO: (no name) - {25392DB0-95A8-41D4-B055-30F9334AF5DE} - (no file)
O2 - BHO: (no name) - {2C2D18D1-A9C5-4908-AE51-0AF1221FBDCD} - C:\WINDOWS\system32\ddcya.dll (file missing)
O2 - BHO: (no name) - {2FA87755-46B9-46E4-8429-5246B2BDA744} - C:\WINDOWS\system32\geebb.dll (file missing)
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll (file missing)
O2 - BHO: (no name) - {4A6B7681-0A38-42B5-AD31-BA478868986f} - C:\WINDOWS\system32\mgdjpogd.dll (file missing)
O2 - BHO: (no name) - {BD0A5A07-7F51-43B3-8B8B-7078501A5600} - (no file)
O2 - BHO: (no name) - {C8FFF7A3-28B5-44F3-B576-2142F72443EA} - C:\WINDOWS\system32\ddabx.dll (file missing)
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - (no file)
O2 - BHO: (no name) - {F20E2857-D9C2-4215-A528-B55AF98B0E4D} - C:\WINDOWS\system32\vtsqr.dll (file missing)
O3 - Toolbar: Alcohol Soft - Alcohol 120% Toolbar - {1CE4EE89-2D5C-4361-AF3B-D902AB545381} - (no file)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in) -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} -
O20 - Winlogon Notify: ddabx - C:\WINDOWS\system32\ddabx.dll (file missing)


Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

Close Hijackthis.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  2. Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
  3. On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  6. Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly

Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.

Boot into Safe Mode:

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Perform the following steps in safe mode:
  1. IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:
  2. Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
  3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  4. AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  5. If you have any infections you will prompted, then select "Apply all actions"
  6. Next select the "Reports" icon at the top.
  7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  8. Close AVG Anti-Spyware .
Restart back into Windows normally now.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post a fresh Hijackthis log along with the AVG Anti-spyware and ActiveScan reports.
__________________
Unanswered threads for 5 days will no longer be part of my subscriptions.
Andeee's Avatar
Computer Specs
Junior Member with 22 posts.
  
Join Date: Mar 2007
Experience: Advanced
26-Mar-2007, 05:26 AM #13
Still Infected
  • Removed Spybot
  • Removed listed entries with HiJackThis (still named Mypoppy.exe)
  • Ran ATF cleaner (including all Opera amd Firefox entries)
  • Downloaded AVG Anti Spyware
  • Noticed re-infection (pop-up from IE, Antivir Active Scan reporting many trojans)
  • Rebooted into safemode
  • Ran AVG Anti Spyware
  • Rebooted
  • Attempted to run Panda's Activescan. Failed.
    Error on downloading ActiveScanAn error has occurred downloading Panda ActiveScan. Please repeat the process. If the error occurs again, restart your system and try againPossible causes of this error are:

    Not allowing the application's ActiveX control to be downloaded.

    Problems with the Internet connection.

    The error could be due to a download error or an installation error due to lack of hard disk space, privileges etc.,... Try again
  • Altered security settings to allow more (safe) ActiveX scripts to run (on prompt)
  • Attempeted Activescan again. Failed again.
  • Ran through list again with variations (i.e. Running VundoFix first, the booting directly into SafeMode. Removing entries with HiJackThis, running ATF, then AVG, rebooting into normal mode the attempting Panda again, which failed again).

Posted below are the first set of logs, then the last set of logs in a second post.
Logfile of HijackThis v1.99.1
Scan saved at 08:36:38, on 26/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\FRITZ!DSL\IGDCTRL.EXE
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\Notepad2.exe
C:\Documents and Settings\Mr. Poo\Desktop\MyPoppy.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 203.200.164.117:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\Copernic Agent\CopernicAgentExt.dll
F2 - REG:system.ini: Shell=C:\WINDOWS\Explorer.exe
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {A896AC23-0995-4ECB-BA44-DE630F21F2F1} - C:\WINDOWS\system32\mljjg.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Controlled StartUp] C:\Program Files\StartUp Organizer\Ctrl.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\Program Files\Copernic Agent\CopernicAgent.exe
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\Program Files\Copernic Agent\CopernicAgent.exe
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\Program Files\Copernic Agent\CopernicAgent.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSN Messenger\msgrapp.8.0.0792.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSN Messenger\msgrapp.8.0.0792.00.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O20 - Winlogon Notify: mljjg - C:\WINDOWS\system32\mljjg.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Program Files\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Program Files\Common Files\AVM\de_serv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe



---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 08:17:07 26/03/2007

+ Scan result:



HKU\S-1-5-21-842925246-1606980848-682003330-1001\SOFTWARE\Microsoft\Windows\ShellNoRoam\BagMRU\0\2\17\0\0\12\\NodeSlot -> Adware.BetterInternet : Cleaned with backup (quarantined).
:mozilla.27:C:\Documents and Settings\Mr. Poo\Application Data\Mozilla\Firefox\Profiles\ds76xuda.default\cookies-1.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.28:C:\Documents and Settings\Mr. Poo\Application Data\Mozilla\Firefox\Profiles\ds76xuda.default\cookies-1.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.168:C:\Documents and Settings\Mr. Poo\Application Data\Mozilla\Firefox\Profiles\ds76xuda.default\cookies-1.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.73:C:\Documents and Settings\Mr. Poo\Application Data\Mozilla\Firefox\Profiles\ds76xuda.default\cookies-1.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.74:C:\Documents and Settings\Mr. Poo\Application Data\Mozilla\Firefox\Profiles\ds76xuda.default\cookies-1.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.75:C:\Documents and Settings\Mr. Poo\Application Data\Mozilla\Firefox\Profiles\ds76xuda.default\cookies-1.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.44:C:\Documents and Settings\Mr. Poo\Application Data\Mozilla\Firefox\Profiles\ds76xuda.default\cookies-1.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.45:C:\Documents and Settings\Mr. Poo\Application Data\Mozilla\Firefox\Profiles\ds76xuda.default\cookies-1.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.46:C:\Documents and Settings\Mr. Poo\Application Data\Mozilla\Firefox\Profiles\ds76xuda.default\cookies-1.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.100:C:\Documents and Settings\Mr. Poo\Application Data\Mozilla\Firefox\Profiles\ds76xuda.default\cookies-1.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.101:C:\Documents and Settings\Mr. Poo\Application Data\Mozilla\Firefox\Profiles\ds76xuda.default\cookies-1.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.102:C:\Documents and Settings\Mr. Poo\Application Data\Mozilla\Firefox\Profiles\ds76xuda.default\cookies-1.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.113:C:\Documents and Settings\Mr. Poo\Application Data\Mozilla\Firefox\Profiles\ds76xuda.default\cookies-1.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.61:C:\Documents and Settings\Mr. Poo\Application Data\Mozilla\Firefox\Profiles\ds76xuda.default\cookies-1.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.62:C:\Documents and Settings\Mr. Poo\Application Data\Mozilla\Firefox\Profiles\ds76xuda.default\cookies-1.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.63:C:\Documents and Settings\Mr. Poo\Application Data\Mozilla\Firefox\Profiles\ds76xuda.default\cookies-1.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.66:C:\Documents and Settings\Mr. Poo\Application Data\Mozilla\Firefox\Profiles\ds76xuda.default\cookies-1.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.76:C:\Documents and Settings\Mr. Poo\Application Data\Mozilla\Firefox\Profiles\ds76xuda.default\cookies-1.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.67:C:\Documents and Settings\Mr. Poo\Application Data\Mozilla\Firefox\Profiles\ds76xuda.default\cookies-1.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.103:C:\Documents and Settings\Mr. Poo\Application Data\Mozilla\Firefox\Profiles\ds76xuda.default\cookies-1.txt -> TrackingCookie.Valueclick : Cleaned.
:mozilla.135:C:\Documents and Settings\Mr. Poo\Application Data\Mozilla\Firefox\Profiles\ds76xuda.default\cookies-1.txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end
Last edited by Andeee; 26-Mar-2007 at 06:24 AM..
Andeee's Avatar
Computer Specs
Junior Member with 22 posts.
  
Join Date: Mar 2007
Experience: Advanced
26-Mar-2007, 05:27 AM #14
Last Scan Logs
Here are the second set of logs. Please see previous post.

Logfile of HijackThis v1.99.1
Scan saved at 09:59:58, on 26/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\FRITZ!DSL\IGDCTRL.EXE
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Mr. Poo\Desktop\MyPoppy.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 203.200.164.117:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\Copernic Agent\CopernicAgentExt.dll
F2 - REG:system.ini: Shell=C:\WINDOWS\Explorer.exe
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {AE0460B6-73F6-4206-8A6D-3113B8C5B021} - C:\WINDOWS\system32\mljji.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Controlled StartUp] C:\Program Files\StartUp Organizer\Ctrl.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\Program Files\Copernic Agent\CopernicAgent.exe
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\Program Files\Copernic Agent\CopernicAgent.exe
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\Program Files\Copernic Agent\CopernicAgent.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSN Messenger\msgrapp.8.0.0792.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSN Messenger\msgrapp.8.0.0792.00.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O20 - Winlogon Notify: mljji - C:\WINDOWS\system32\mljji.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Program Files\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Program Files\Common Files\AVM\de_serv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 09:10:05 26/03/2007

+ Scan result:



Nothing found.


::Report end
Last edited by Andeee; 26-Mar-2007 at 06:25 AM..
Andeee's Avatar
Computer Specs
Junior Member with 22 posts.
  
Join Date: Mar 2007
Experience: Advanced
26-Mar-2007, 06:44 AM #15
For the sake of completeness, here are the VundoFix logs from the retries. Note that it still reports my Java as being v1.5.0.6 while HJT reports it (correctly) as being v1.6.0.

Please see also previous posts.


VundoFix V6.3.17

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 02:04:39 26/03/2007

Listing files found while scanning....

C:\WINDOWS\system32\fgjlm.bak1
C:\WINDOWS\system32\fgjlm.ini
C:\WINDOWS\system32\mljgf.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\fgjlm.bak1
C:\WINDOWS\system32\fgjlm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\fgjlm.ini
C:\WINDOWS\system32\fgjlm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\mljgf.dll
C:\WINDOWS\system32\mljgf.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.17

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 08:36:50 26/03/2007

Listing files found while scanning....

C:\WINDOWS\system32\crtsmjgc.exe
C:\WINDOWS\system32\gjjlm.bak1
C:\WINDOWS\system32\gjjlm.ini
C:\WINDOWS\system32\mljjg.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\crtsmjgc.exe
C:\WINDOWS\system32\crtsmjgc.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\gjjlm.bak1
C:\WINDOWS\system32\gjjlm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\gjjlm.ini
C:\WINDOWS\system32\gjjlm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\mljjg.dll
C:\WINDOWS\system32\mljjg.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.17

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 09:38:51 26/03/2007

Listing files found while scanning....

C:\WINDOWS\system32\srqss.bak1
C:\WINDOWS\system32\srqss.ini
C:\WINDOWS\system32\ssqrs.dll
C:\WINDOWS\system32\yxmyempu.exe

Beginning removal...

Attempting to delete C:\WINDOWS\system32\srqss.bak1
C:\WINDOWS\system32\srqss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\srqss.ini
C:\WINDOWS\system32\srqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqrs.dll
C:\WINDOWS\system32\ssqrs.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yxmyempu.exe
C:\WINDOWS\system32\yxmyempu.exe Has been deleted!

Performing Repairs to the registry.
Done!
Email This Email  Print This Print  Tweet This Send to Facebook Send to MySpace Send to StumbleUpon Digg This | More Services More
Reply
Page 1 of 3 1 23

THIS THREAD HAS EXPIRED.
Are you having the same problem? We have volunteers ready to answer your question, but first you'll have to join for free. Need help getting started? Check out our Welcome Guide.

Search Tech Support Guy

Find the solution to your
computer problem!

« Previous Thread | Virus & Other Malware Removal | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
WELCOME TO TECH SUPPORT GUY! Are you looking for the solution to your computer problem? Join our site today to ask your question -- for free! Our site is run completely by volunteers who want to help you solve your computer problems. See our Welcome Guide to get started.
Thread Tools



Facebook Facebook Twitter Twitter TechGuy.tv TechGuy.tv Mobile TSG Mobile
Contact Us - HelpOnThe.Net - Archive - Terms of Service - Top
You Are Using:
Server ID
Advertisements do not imply our endorsement of that product or service.
All times are GMT -4. The time now is 02:33 AM.
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.

 Powered by Cermak Technologies, Inc.