
Someone has control of my computer

Discussion in 'Malware and Virus Removal Archive' started by MitchellCooley, 2006/12/02.

  1. 2006/12/02
    MitchellCooley Lifetime Subscription

    MitchellCooley Inactive Thread Starter

    Joined:
    2006/12/02
    Messages:
    1,090
    Likes Received:
    20
    I recently got Internet access at home through Xanadoo (I like it). But, my daughter and her boyfriend were using the system and it seems they went to some sites that downloaded files to my computer.

    The Problem: I cannot download any files (all I get is the file as though it was opened in a text editor).

    I cannot right click on anything.

    I cannot change my Privacy Options (I make changes and they revert back to a custom setting).

    I have AVG Virus software that keeps finding files of the same name each time I start up.

    I tried to reinstall my Windows 2000 and I get an error box with no dialog

    I get error messages that syhost.exe and mshta.exe have incurred errors and will be shut down and that I will have to restart them (I do not).

    I would like to get some kind of hard drive wipe program so I can start over but cannot download via IE6, however I can FTP so if I could find a site to ftp something from that would be good.

    I need advice and I hope someone here will have mercy on me and provide some helpful advice.

    Thanks

    Mitchell Cooley
     
  2. 2006/12/02
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Mitchell - Welcome to the Board :)

    I suspect your computer is infected and have moved your thread over to the Removing Spyware & Viruses forum.
     


  4. 2006/12/02
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Are you looking to wipe the drive, or just reformat it? Pretty much either will accomplish the task of removing said malware from your system.

    If you want to wipe the drive, here are a few utilities you can try, depending on your level of skill and desired wipe:
    eraser
    http://www.heidi.ie/eraser/

    Boot Nuke
    http://dban.sourceforge.net/

    SDelete
    http://www.sysinternals.com/ntw2k/source/sdelete.shtml

    If on the other hand, you're interested in removing the malware, we can proceed as instructed below.

    You can run an online scan too, before running the other apps listed below:
    Go to this page, Panda ActiveScan
    • Click the 'Scan your PC' button. ( You may have to disable any pop up blockers)
    • Then press the green 'Check Now' button.
    • Enter your country and state along with a valid email address.
    • Allow the ActiveX install, it may be a few minutes for all components. (For XP SP 2 watch for the yellow bar at the top of IE)
    • Once installation is complete you will need to select a device to scan. Please select 'My Computer' and the scan will begin.
    • Once the scan is done, click the 'See report' button, then the 'save report' button. Be sure to save the log file created in a place easy for you to find.
    Here is how we like to begin our analysis of your pc:

    For starters, if you do not have them yet, please DL and run AdAware & Spybot Search & Destroy. AdAware and Spybot Search & Destroy are 2 of the most trusted apps in the security area. They are both free, complement each other nicely, and do not use a lot of resources. They can be found here:

    Spybot Search & Destroy v.1.4
    AdAware SE 1.r6

    With AdAware and Spybot: DL, check for updates, then scan, repair/remove/quarantine anything found. Reboot before next scan with whichever app is next. The reason for running these apps, is to clean up some of the other 'crapware' on your pc, which, in turn, will make deciphering your HJT log, easier.

    Then we use HiJackThis v:1.99.1zip.
    DL the zip file to your desktop, then create a new folder on your C drive, called 'HJT' or 'HijackThis'. Then unzip the files to the new folder. When you run HijackThis.exe from C:\HJT folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary which is easily accessible.

    Run the program, and press Scan. You will notice the Scan button will turn into a "Save Log" button. Save the log and Post that log onto this topic. DO NOT DELETE or modify anything yet, as some of it is needed to keep your system in proper working order.
     
  5. 2006/12/03
    MitchellCooley Lifetime Subscription

    MitchellCooley Inactive Thread Starter

    Joined:
    2006/12/02
    Messages:
    1,090
    Likes Received:
    20
    Active Scan result

    I went to active scan and got a list of spyware programs on my computer and one virus was disinfected.

    I wanted to get the download to clear out the spyware but I cannot download files via my Internet Explorer - something in my system will not let me. All I get is another browser full of gibberish. The only way I can download files right now is via DOS FTP.

    How am I going to get rid of this spyware and other trash on my computer???
     
  6. 2006/12/03
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Have you tried DLing from another computer? All the apps above fit onto a floppy or disc.

    Btw, Panda does not disinfect or fix anything, it just points to things they think are bad.

    Did you save the report? Post it here if you did, but edit out any cookie, Recycler and System Volume Information Folder references please, they are not threats.
     
  7. 2006/12/03
    MitchellCooley Lifetime Subscription

    MitchellCooley Inactive Thread Starter

    Joined:
    2006/12/02
    Messages:
    1,090
    Likes Received:
    20
     
  8. 2006/12/03
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Try the following before you hit the library.

    Hit your 'Start' button, select 'Control Panel' and click on 'Add or Remove Programs'. Then find the following programs and click the 'Change|Remove' button for each, if they are listed
    Timesink
    MyWebSearch



    Reboot, into safe mode, this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Open 'My Computer' and select the 'Search' feature. Then click the 'All files and folders' button. Click the 'More advanced search options' button and be sure the 'Search system folders', 'Search hidden files and folders' and 'Search subfolders' boxes are check marked then search for and delete, if found, (some may not be present after previous steps) the following files/folders:
    c:\winnt\System.exe<<<--this file
    c:\winnt\TSAd.dll <<<--this file
    C:\WINNT\system32\i<<<--this file
    C:\WINNT\VcpDLL.dll<<<--this file
    C:\programfiles\timesink<<<<---this folder
    C:\ProgramFiles\MyWebSearchWB<<<<---this folder

    To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.

    Reboot the system, see what transpires.
     
  9. 2006/12/03
    MitchellCooley Lifetime Subscription

    MitchellCooley Inactive Thread Starter

    Joined:
    2006/12/02
    Messages:
    1,090
    Likes Received:
    20
     
  10. 2006/12/03
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Try accessing Add\Rem in safe mode
     
  11. 2006/12/03
    MitchellCooley Lifetime Subscription

    MitchellCooley Inactive Thread Starter

    Joined:
    2006/12/02
    Messages:
    1,090
    Likes Received:
    20
     
  12. 2006/12/03
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
     
  13. 2006/12/04
    MitchellCooley Lifetime Subscription

    MitchellCooley Inactive Thread Starter

    Joined:
    2006/12/02
    Messages:
    1,090
    Likes Received:
    20
     
  14. 2006/12/04
    MitchellCooley Lifetime Subscription

    MitchellCooley Inactive Thread Starter

    Joined:
    2006/12/02
    Messages:
    1,090
    Likes Received:
    20
     
  15. 2006/12/04
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, looks like you got yourself a nasty one, HackerDefender.

    Can you now DL anything using IE? I'm thinking maybe not, though usually with this infection IE works. :confused:


    Ok, the Spybot TeaTimer box problem is actually a problem with the code work of the developers of Spybot. A fix they have not bothered to fix after a year and a half.:(

    You can follow the fix listed here. It works like a charm, I installed it on my test box here with no problems.

    Special tool for HackDef removal:
    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
    • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
     
  16. 2006/12/04
    MitchellCooley Lifetime Subscription

    MitchellCooley Inactive Thread Starter

    Joined:
    2006/12/02
    Messages:
    1,090
    Likes Received:
    20

    all righty then......

    I will find that file and get things going. I may not report back until I get off work in the morning --- gotta print the newspaper.

    Mitchell
     
  17. 2006/12/05
    MitchellCooley Lifetime Subscription

    MitchellCooley Inactive Thread Starter

    Joined:
    2006/12/02
    Messages:
    1,090
    Likes Received:
    20

    I got the sdfix.exe file and here are the results:


    SDFix: Version 1.45
    ****************

    Tue 12/05/2006 - 3:50:46.06

    Microsoft Windows 2000 [Version 5.00.2195]

    Running From: C:\SDFix

    Stage One - Safe Mode
    Checking Services...

    Service Name:

    Client Server Runtime Proces
    Generic Host Process for Win32 Service
    mousehs

    File Path:

    "C:\WINNT\csrss.exe"
    "C:\WINNT\svchost.exe"
    C:\WINNT\System32\mousehs.exe

    Client Server Runtime Proces Deleted...
    Generic Host Process for Win32 Service Deleted...
    mousehs Deleted...

    Starting Registry Repairs...

    backup.ftp Found...

    "C:\WINNT\system32\Microsoft\backup.ftp" Found...
    "C:\WINNT\system32\Microsoft\backup.tftp" Found...

    Checking ftp.exe and tftp.exe

    Calculating checksums...

    Microsoft ftp.exe = 4B155B6C 44C4CD59 E5380E9A DE36A8A2 1B39381D
    Microsoft tftp.exe = C075CD1B E3E03A87 8EF96B81 30898424 10B3B181

    Checking System32\Microsoft\backup.ftp:
    FA4C78C2 1DE7FB4E 32215D43 86B61CE5 54F84DA5

    Unknown ftp.exe File!

    Checking System32\Microsoft\backup.tftp:
    27A4C40B F8C284B6 D2F86990 F3832B20 3308741E

    Unknown tftp.exe File

    Checking System32\ftp.exe:
    FA4C78C2 1DE7FB4E 32215D43 86B61CE5 54F84DA5

    Unknown ftp.exe File!

    Checking System32\tftp.exe:
    27A4C40B F8C284B6 D2F86990 F3832B20 3308741E

    Unknown tftp.exe File!

    Checking System32\dllcache\ftp.exe:
    CE3E834C BC97CF47 6F5215BA 8C202613 92AC11EC

    Unknown ftp.exe File!

    Checking System32\dllcache\tftp.exe:
    EBFB5337 F1C4E54B 97CC7E8C 1167CDF6 B96FA13A

    Unknown tftp.exe File!


    Files copied to SDFix\Backups folder,
    Restoring files using backup.ftp and backup.tftp files...

    Current Checksums...

    Checking System32\Microsoft\backup.ftp:
    FA4C78C2 1DE7FB4E 32215D43 86B61CE5 54F84DA5

    Unknown ftp.exe File!

    Checking System32\Microsoft\backup.tftp:
    27A4C40B F8C284B6 D2F86990 F3832B20 3308741E

    Unknown tftp.exe File

    Checking System32\ftp.exe:
    FA4C78C2 1DE7FB4E 32215D43 86B61CE5 54F84DA5

    Unknown ftp.exe File!

    Checking System32\tftp.exe:
    27A4C40B F8C284B6 D2F86990 F3832B20 3308741E

    Unknown tftp.exe File!

    Checking System32\dllcache\ftp.exe:
    FA4C78C2 1DE7FB4E 32215D43 86B61CE5 54F84DA5

    Unknown ftp.exe File!

    Checking System32\dllcache\tftp.exe:
    27A4C40B F8C284B6 D2F86990 F3832B20 3308741E

    Unknown tftp.exe File!


    Restoring Default Hosts File...

    Stage One Complete

    Rebooting...

    Stage Two - Normal Mode

    Checking For Malware:
    --------------------

    C:\WINNT\system32\i
    C:\WINNT\system32\Microsoft\backup.ftp
    C:\WINNT\system32\Microsoft\backup.tftp

    Backing Up and Removing any Files Found...

    Final Check:

    Services:
    ---------


    Files:
    ------

    Backups Folder: - C:\SDFix\backups\backups.zip

    Checking for files with Hidden Attributes:

    C:\pagefile.sys

    FINISHED!


    and here is the new hijack this log:

    Logfile of HijackThis v1.99.1
    Scan saved at 4:01:26 AM, on 12/5/2006
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\system32\notepad.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
    C:\hjt\HijackThis.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL (file missing)
    O3 - Toolbar: WeatherBug Browser Bar - powered by MyWebSearch - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
    O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164750140072
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: User Mode Driver-Manager - Unknown owner - C:\WINNT\wdfmgrr.exe (file missing)
    O23 - Service: Windows System Controller - Unknown owner - C:\WINNT\System.exe (file missing)

    I await your command....

    Mitchell
     
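The SDFix output above works by hashing ftp.exe and tftp.exe (the 40 hex characters it prints are a SHA-1 digest), comparing each copy against a reference value, and reporting anything that does not match as "Unknown". Note that in this log even the System32\dllcache copies were replaced, so a reference taken from the machine itself would have agreed with the bad files. The following Python script is an added example of that style of check; it is not SDFix's code and is not from the original post. The directory layout is built in a temporary folder, the "genuine" and "replaced" binaries are constructed byte strings, and the reference digests are computed from those constructed bytes as stand-ins for hashes that a real check would take from trusted install media.

```python
import hashlib
import os
import tempfile


def build_reference(genuine_files: dict) -> dict:
    """file name -> set of accepted SHA-1 digests (upper-case hex).

    Stand-in for a hash list taken from trusted media or a vendor; in a real
    check these values must never come from the machine under investigation."""
    return {name: {hashlib.sha1(data).hexdigest().upper()}
            for name, data in genuine_files.items()}


def sha1_hex(path: str, chunk: int = 65536) -> str:
    """SHA-1 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def grouped(digest: str) -> str:
    """Render a 40-hex-char SHA-1 in the 8-character groups SDFix prints."""
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def verify(paths, known_good: dict) -> dict:
    """Classify each path as 'ok', 'unknown' (digest not in the accepted set)
    or 'missing'. Lookup is by base name, so system32\\ftp.exe and
    dllcache\\ftp.exe are both judged against the same accepted digests."""
    results = {}
    for path in paths:
        if not os.path.isfile(path):
            results[path] = "missing"
            continue
        accepted = known_good.get(os.path.basename(path).lower(), set())
        results[path] = "ok" if sha1_hex(path) in accepted else "unknown"
    return results


def demo() -> dict:
    """Constructed scenario in a temp dir: tftp.exe is genuine, ftp.exe has been
    swapped in both system32 and dllcache (as in the SDFix log above), and the
    dllcache tftp.exe is deliberately absent. Returns relative path -> status."""
    genuine = {"ftp.exe": b"MZ genuine ftp client (constructed bytes)",
               "tftp.exe": b"MZ genuine tftp client (constructed bytes)"}
    swapped_ftp = b"MZ replaced ftp client (constructed bytes)"
    root = tempfile.mkdtemp()
    system32 = os.path.join(root, "system32")
    dllcache = os.path.join(system32, "dllcache")
    os.makedirs(dllcache)
    layout = {
        os.path.join(system32, "ftp.exe"): swapped_ftp,
        os.path.join(dllcache, "ftp.exe"): swapped_ftp,   # cache copy replaced too
        os.path.join(system32, "tftp.exe"): genuine["tftp.exe"],
    }
    for path, data in layout.items():
        with open(path, "wb") as f:
            f.write(data)
    paths = list(layout) + [os.path.join(dllcache, "tftp.exe")]
    results = verify(paths, build_reference(genuine))
    return {os.path.relpath(p, root).replace(os.sep, "/"): s
            for p, s in results.items()}


if __name__ == "__main__":
    for rel, status in demo().items():
        print(f"{status:8} {rel}")
```

Because the dllcache copy of ftp.exe hashes identically to the replaced system32 copy, a check that only compared the two against each other would report them as consistent; the reference set has to come from outside the machine.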
  18. 2006/12/05
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, very good, looks like we got all of those, let's proceed with HJT fixing.

    Also let me know if you're experiencing any troubles at this point.

    Before we proceed we need to disable Spybot's TeaTimer. It will interfere with any fixes we make. Disable TeaTimer by doing the following:
    • Run Spybot-S&D
    • Go to the Mode menu, and make sure Advanced Mode is selected
    • On the left hand side, choose Tools -> Resident
    • Uncheck Resident TeaTimer and OK any prompts
    You can reenable TeaTimer once your system is clean.


    Hit your 'Start' button, select 'Control Panel' and click on 'Add or Remove Programs'. Then find the following programs and click the 'Change|Remove' button for each, if they are listed
    AWS\Weatherbug
    MyWebSearch



    Open Hijackthis, select the [Do a system scan only] button and look over the following entries I have listed, check the boxes next to them and press the [Fix Checked ]button. When you are doing this, make sure you have No IE windows, nor any other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL (file missing)

    O3 - Toolbar: WeatherBug Browser Bar - powered by MyWebSearch - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL (file missing)


    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1


    O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)

    O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)


    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/mini...ansporter.cab?


    O23 - Service: User Mode Driver-Manager - Unknown owner - C:\WINNT\wdfmgrr.exe (file missing)

    O23 - Service: Windows System Controller - Unknown owner - C:\WINNT\System.exe (file missing)


    Reboot, into safe mode, this way:
    Turn on your computer.
    Press the <F8> key, as soon as you see the message: For troubleshooting and advanced startup options for Windows 2000, press F8.
    The Windows 2000 Advanced Options Menu appears.
    Safe Mode should be highlighted by default, if not, using the arrow keys, highlight it and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    And search for then delete, if found, the following files/folders(some may not be present after previous steps):
    C:\Program Files\MyWebSearchWB<<<<---this folder
    C:\Program Files\AWS<<<<---this folder
    C:\WINNT\wdfmgrr.exe <<<--this file
    C:\WINNT\System.exe <<<--this file

    To exit Safe Mode, click the Start button, click Shutdown, click Restart The Computer, and click Yes.

    Post a new HJT log back into this thread please.
     
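The entries TeMerc picks out above share a few visible traits: the target file is gone ("(file missing)"), the service has no publisher ("Unknown owner"), the name belongs to a known toolbar family, or an O16 ActiveX download comes from somewhere other than a trusted domain. As an added example (not part of the post and not a HijackThis feature), here is a small Python triage that applies those rules to log lines. The sample lines are copied from the HijackThis log posted earlier in this thread; the SUSPECT_NAMES list and the TRUSTED_DPF_DOMAINS allowlist are constructed for the example, and a hit means "review this", not a verdict.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: lines from the HijackThis log posted above, clean and
# suspect mixed together so the triage has something to separate.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL (file missing)
O3 - Toolbar: WeatherBug Browser Bar - powered by MyWebSearch - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: User Mode Driver-Manager - Unknown owner - C:\WINNT\wdfmgrr.exe (file missing)
O23 - Service: Windows System Controller - Unknown owner - C:\WINNT\System.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
SUSPECT_NAMES = ("mywebsearch",)        # constructed: toolbar family named in this thread
TRUSTED_DPF_DOMAINS = ("microsoft.com",)  # constructed allowlist for O16 downloads


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def domain_allowed(url: str, trusted=TRUSTED_DPF_DOMAINS) -> bool:
    """True if the URL's host is one of the trusted domains or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def triage(lines) -> list:
    """Apply the review rules to each HJT entry; non-entry lines are ignored."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        reasons = []
        if "(file missing)" in body:
            reasons.append("target file no longer exists (orphaned entry)")
        if section == "O23" and "Unknown owner" in body:
            reasons.append("service with no publisher information")
        if any(name in body.lower() for name in SUSPECT_NAMES):
            reasons.append("matches a known toolbar/adware name")
        if section == "O16" and not domain_allowed(body.rsplit(" - ", 1)[-1]):
            reasons.append("ActiveX download from a domain outside the allowlist")
        if reasons:
            findings.append(Finding(section, "; ".join(reasons), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run against the sample, it picks out the same six entries TeMerc listed for fixing (the MyWebSearch BHO and toolbar, the Net2Phone button, the WeatherBug O16 download, and the two "Unknown owner" services) and leaves the AVG, Spybot and Windows Update entries alone.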
  19. 2006/12/05
    MitchellCooley Lifetime Subscription

    MitchellCooley Inactive Thread Starter

    Joined:
    2006/12/02
    Messages:
    1,090
    Likes Received:
    20



    • Done.

      Other problems I am having: cannot access Add/Remove Programs in normal or safe mode - get error "mshta.exe has generated errors...will need to restart"
      Still cannot right-click on anything in Internet Explorer.
      Get an error now and then that "svchost.exe has generated errors....will need to restart"
      Cannot change privacy settings in Internet Explorer. It is set to custom and when I select default it will change, but when I reopen the Internet Options tab it is back to custom. Annoying.

      HJT Log file:

      Logfile of HijackThis v1.99.1
      Scan saved at 1:20:00 PM, on 12/5/2006
      Platform: Windows 2000 (WinNT 5.00.2195)
      MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

      Running processes:
      C:\WINNT\System32\smss.exe
      C:\WINNT\system32\winlogon.exe
      C:\WINNT\system32\services.exe
      C:\WINNT\system32\lsass.exe
      C:\WINNT\system32\svchost.exe
      C:\WINNT\system32\spoolsv.exe
      C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
      C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
      C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
      C:\WINNT\System32\svchost.exe
      C:\WINNT\system32\regsvc.exe
      C:\WINNT\system32\MSTask.exe
      C:\WINNT\System32\WBEM\WinMgmt.exe
      C:\WINNT\Explorer.exe
      C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
      C:\Program Files\WinZip\WZQKPICK.EXE
      C:\hjt\HijackThis.exe

      O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
      O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
      O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
      O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
      O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
      O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164750140072
      O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
      O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
      O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
      O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
      O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

      Thanks

      Mitchell
     
  20. 2006/12/05
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, let's get another online scan, a rootkit scan and do some maintenance on the machine. Do the scan first, then the other.

    Download GMER from here
    • Right Click the Zip and Select "Extract All "
    • Double-click gmer.exe to launch the program.
    • Click on the Rootkit Tab and on the right side, untick the Registry box, then click Scan.
    Once the scan is done, hit the [copy] button, then open notepad and paste the results here for me to see.

    If anything is found, please stop, do not continue with next steps and post the results here for me to review.

    Please do an online scan with Kaspersky Online Scanner

    Click on Kaspersky Online Scanner icon.
    Accept the Kaspersky agreement and the program will load.
    You will then be prompted to install an ActiveX component from Kaspersky, click Yes

    The program will then begin downloading the latest definition files. This will take a few minutes, even with hi-speed.
    Once the files have been downloaded click on Next

    Now click on [Scan Settings] button.
    In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
    Click OK

    Now under the Please select a target to scan:
    Select My Computer

    The program will begin the scanning process.
    The scan will take a while so be patient and let it run.
    Once the scan is complete it will display if your system has been infected.
    Then click on the [Save as Text] button
    Save the file to your desktop.

    Copy and paste that information in your next post for me to review.


    Maintenance, for which you may be prompted for your install CD:

    ScanReg
    ChkDsk

    The system is a mess and needs some cleaning up
     
  21. 2006/12/05
    MitchellCooley Lifetime Subscription

    MitchellCooley Inactive Thread Starter

    Joined:
    2006/12/02
    Messages:
    1,090
    Likes Received:
    20



    • Got gmer via DOS ftp and ran as you instructed. Here are the results:

      GMER 1.0.11.11390 - http://www.gmer.net
      Rootkit 2006-12-05 21:32:39
      Windows 5.0.2195


      ---- Devices - GMER 1.0.11 ----

      Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F759A85A] avgtdi.sys
      Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F759A85A] avgtdi.sys
      Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F759A85A] avgtdi.sys
      Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F759A85A] avgtdi.sys
      Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F759A85A] avgtdi.sys

      ---- EOF - GMER 1.0.11 ----
      I will wait to finish the rest of the instructions..

      Mitchell
     
