
vmmdiag32.exe haxdoor virus

Discussion in 'Malware and Virus Removal Archive' started by Frysk, 2006/11/06.

Thread Status:
Not open for further replies.
  1. 2006/11/06
    Frysk

    Frysk Inactive Thread Starter

    Hello

    I have read the other threads concerning the vmmdiag32.exe virus,
    but it seems everyone's problem (mine included) is slightly different.
    I tried to follow advice given to others, but the vmmdiag32.exe
    file always reappears. So here goes...

    Here is a fresh HJThis log (was in safe mode):
    (More info below it.)


    Logfile of HijackThis v1.99.1
    Scan saved at 4:53:16 PM, on 6/11/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\csrss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\svchost.exe
    C:\windows\system32\svchost.exe
    C:\windows\explorer.exe
    C:\windows\System32\cmd.exe
    C:\windows\system32\notepad.exe
    C:\Program Files\HJThis\HJThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
    R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
    F2 - REG:system.ini: Shell=explorer.exe vmmdiag32.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [avast!] C:\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Uninstall.exe
    O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQ\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQ\ICQLite.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139533146875
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{72DE85CB-F735-439C-BB8B-6E7A1066E9B2}: NameServer = 85.255.116.174,85.255.112.82
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A898C316-9996-4BA0-96B8-F683FF15E646}: NameServer = 85.255.116.174,85.255.112.82
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CD4FF7CB-076E-4D06-B4C6-64215CA2E3CC}: NameServer = 85.255.116.174,85.255.112.82
    O17 - HKLM\System\CCS\Services\Tcpip\..\{ED468E6B-E035-4D12-9CBF-32DE6CA0E367}: NameServer = 85.255.116.174,85.255.112.82
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.174 85.255.112.82
    O17 - HKLM\System\CS1\Services\Tcpip\..\{72DE85CB-F735-439C-BB8B-6E7A1066E9B2}: NameServer = 85.255.116.174,85.255.112.82
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.174 85.255.112.82
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    I also downloaded and ran Haxfix.exe, to get a logfile.
    Here it is:

    HAXFIX logfile - by Marckie
    ______________
    version 4.28
    Mon 06/11/2006 16:38:55.51

    checking for haxdoor
    --------------------
    checking for a3d files....
    a3d files not found

    checking for matching notify keys....
    no matching notify keys found

    checking for matching services....
    no matching services found

    checking for matching safeboot services....
    no matching safeboot services found

    checking for other haxdoorfiles....


    Checking for goldun
    -------------------

    checking for SSODL keys....
    no ssodl keys found

    checking for notify keys....
    no notify keys found

    checking for services....
    no services found

    checking for other goldunfiles....
    vmmdiag32.exe found
    wmdconf32.dll found


    Finished


    Thank you for looking, and I eagerly await a reply.
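    A small triage script for the kind of HijackThis entries shown in this log, added here as an example (it is not from the original post and not part of HijackThis or HaxFix): it flags an F2 Shell= value that starts anything besides explorer.exe, O17 NameServer entries outside the resolver ranges it assumes (RFC 1918 LAN ranges, an assumption), and O4 Run entries that launch an executable sitting in a drive root. The sample lines are constructed from the entries quoted above.

```python
"""Triage a HijackThis log for the persistence and DNS-hijack indicators
seen in this thread.  Added example: the heuristics and the sample lines
are constructed from the log entries quoted in the post; nothing here is
HijackThis's own code."""
import re
from ipaddress import ip_address, ip_network

# Assumption: the machine's legitimate resolvers live on the local LAN.
# Adjust to the ISP/corporate resolvers the owner actually expects.
EXPECTED_RESOLVERS = [ip_network("10.0.0.0/8"),
                      ip_network("172.16.0.0/12"),
                      ip_network("192.168.0.0/16")]

# An .exe directly in a drive root (C:\msupd....exe in the later log) is
# unusual for legitimate autostarts and worth a look.
ROOT_EXE = re.compile(r"^[a-z]:\\[^\\]+\.exe$", re.I)


def check_f2_shell(value):
    """Return every program in Shell= other than explorer.exe.

    The Shell= value is started by winlogon at each logon, so a second
    name appended to it is a logon-time autostart (vmmdiag32.exe here)."""
    return [p for p in value.split() if p.lower() != "explorer.exe"]


def check_o17_nameserver(value):
    """Return resolver addresses outside EXPECTED_RESOLVERS.

    HijackThis separates multiple servers with ',' or ' ' depending on
    which registry value it read, so accept both."""
    unexpected = []
    for addr in re.split(r"[,\s]+", value.strip()):
        try:
            ip = ip_address(addr)
        except ValueError:
            unexpected.append(addr)          # not even an IP: flag it
            continue
        if not any(ip in net for net in EXPECTED_RESOLVERS):
            unexpected.append(addr)
    return unexpected


def triage(log_text):
    """Walk the log and return a de-duplicated list of (section, finding)."""
    findings, seen = [], set()

    def add(section, msg):
        if (section, msg) not in seen:
            seen.add((section, msg))
            findings.append((section, msg))

    for line in log_text.splitlines():
        line = line.strip()
        m = re.match(r"F2 - REG:system\.ini: Shell=(.*)$", line)
        if m:
            for prog in check_f2_shell(m.group(1)):
                add("F2", f"extra shell program: {prog}")
            continue
        m = re.match(r"O17 - .*NameServer = (.*)$", line)
        if m:
            for addr in check_o17_nameserver(m.group(1)):
                add("O17", f"unexpected resolver: {addr}")
            continue
        m = re.match(r"O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$", line)
        if m:
            hive, name, cmd = m.groups()
            if ROOT_EXE.match(cmd.strip()):
                add("O4", f"{hive} Run '{name}' -> {cmd.strip()}")
    return findings


# Constructed sample, taken from the entries quoted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe vmmdiag32.exe
O4 - HKLM\..\Run: [avast!] C:\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [WinMedia] C:\msupd0112832828.exe
O4 - HKCU\..\Run: [Winstd] c:\msupd0112842546.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.174 85.255.112.82
O17 - HKLM\System\CS1\Services\Tcpip\..\{72DE85CB-F735-439C-BB8B-6E7A1066E9B2}: NameServer = 85.255.116.174,85.255.112.82
"""

if __name__ == "__main__":
    for section, msg in triage(SAMPLE_LOG):
        print(f"[{section}] {msg}")
```

The avast! entry is deliberately included to show that a normal Program Files style path is not flagged; only the Shell= addition, the root-of-drive Run entries and the two non-LAN resolvers come out.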
     
  2. 2006/11/06
    Frysk

    Frysk Inactive Thread Starter

    I ran killbox and it seemed to have worked,
    no problem at startup (although it was still a little slower than normal).
    The file was gone also.
    Then Avast popped up with the file listed again, still in system32 folder.
    Don't know what to do.
    Here is another HijackThis log:


    Logfile of HijackThis v1.99.1
    Scan saved at 10:25:39 PM, on 6/11/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\csrss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\System32\Ati2evxx.exe
    C:\windows\system32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\system32\spoolsv.exe
    C:\Avast4\aswUpdSv.exe
    C:\Avast4\ashServ.exe
    C:\windows\system32\Ati2evxx.exe
    C:\windows\Explorer.EXE
    C:\Avast4\ashDisp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\windows\SOUNDMAN.EXE
    C:\windows\System32\svchost.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Avast4\ashWebSv.exe
    C:\Avast4\ashMaiSv.exe
    c:\msupd01.exe
    C:\Program Files\HJThis\HJThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
    R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
    F2 - REG:system.ini: Shell=explorer.exe vmmdiag32.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [avast!] C:\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Uninstall.exe
    O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQ\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQ\ICQLite.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139533146875
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{72DE85CB-F735-439C-BB8B-6E7A1066E9B2}: NameServer = 85.255.116.174,85.255.112.82
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A898C316-9996-4BA0-96B8-F683FF15E646}: NameServer = 85.255.116.174,85.255.112.82
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CD4FF7CB-076E-4D06-B4C6-64215CA2E3CC}: NameServer = 85.255.116.174,85.255.112.82
    O17 - HKLM\System\CCS\Services\Tcpip\..\{ED468E6B-E035-4D12-9CBF-32DE6CA0E367}: NameServer = 85.255.116.174,85.255.112.82
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.174 85.255.112.82
    O17 - HKLM\System\CS1\Services\Tcpip\..\{72DE85CB-F735-439C-BB8B-6E7A1066E9B2}: NameServer = 85.255.116.174,85.255.112.82
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.174 85.255.112.82
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     

  4. 2006/11/06
    TeMerc

    TeMerc Inactive Alumni

    Hello and welcome to WindowsBBS Forums.

    Killbox won't get it right off; we need to remove the files first, using the second step of HaxFix.

    • Double click on My Computer -> C:\ -> Program Files > haxfix and double click on fix.bat (or double click on fix.bat desktop icon)
    • Close all other open windows since this step requires a reboot
    • Select option 2. Run auto fix by typing 2 and then pressing Enter
    If an infection is found, you'll get a message to close all other open windows.

    • Close all open windows except the red dos window from haxfix and then press Enter
    • The computer will reboot
    • After reboot a logfile will open > (c:\haxfix.txt)
    • Post the contents of that logfile along with a new HijackThis log.
     
  5. 2006/11/06
    Frysk

    Frysk Inactive Thread Starter

    Hi and thanks for your reply.

    Haxfix log:

    HAXFIX logfile - by Marckie
    --------------
    version 4.28
    Tue 07/11/2006 3:32:05.03

    --- Auto Haxdoorfix ---


    searching for files:

    no infections found


    --- Goldunfix ---


    searching for files:
    vmmdiag32.exe
    wmdconf32.dll

    searching for SSODLkeys:
    no SSODLkeys found

    searching for notifykeys:
    no notifykeys found

    searching for services:
    no services found


    .....rebooting the computer.....


    searching for ssodlkeys

    not needed


    searching for notifykeys

    not needed


    searching for services

    not needed


    searching for safeboot services

    not needed


    searching for files

    vmmdiag32.exe exists
    deleting vmmdiag32.exe
    vmmdiag32.exe has been deleted

    wmdconf32.dll exists
    deleting wmdconf32.dll
    wmdconf32.dll has been deleted


    checking for other files

    No other files found


    checking for a3d files

    no a3d files found


    Finished
    HijackThis! log:


    Logfile of HijackThis v1.99.1
    Scan saved at 3:35:24 AM, on 7/11/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\csrss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\System32\Ati2evxx.exe
    C:\windows\system32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\system32\spoolsv.exe
    C:\windows\system32\Ati2evxx.exe
    C:\windows\Explorer.exe
    C:\windows\System32\alg.exe
    C:\Avast4\aswUpdSv.exe
    C:\Avast4\ashServ.exe
    C:\Avast4\ashDisp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\windows\SOUNDMAN.EXE
    C:\msupd0112832828.exe
    C:\msupd0112842546.exe
    C:\msupd0112842546.exe
    C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Uninstall.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\windows\System32\svchost.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Avast4\ashMaiSv.exe
    C:\Avast4\ashWebSv.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe
    C:\windows\System32\wuauclt.exe
    c:\msupd01.exe
    C:\Program Files\HJThis\HJThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
    R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
    F2 - REG:system.ini: Shell=explorer.exe vmmdiag32.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [avast!] C:\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKCU\..\Run: [WinMedia] C:\msupd0112832828.exe
    O4 - HKCU\..\Run: [Winstd] c:\msupd0112842546.exe
    O4 - HKCU\..\Run: [Winstt] C:\msupd0112842546.exe
    O4 - HKCU\..\Run: [Winsth] C:\msupd0112842546.exe
    O4 - HKCU\..\Run: [Winsti] C:\msupd0112842546.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Uninstall.exe
    O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQ\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQ\ICQLite.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139533146875
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{72DE85CB-F735-439C-BB8B-6E7A1066E9B2}: NameServer = 85.255.116.174,85.255.112.82
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A898C316-9996-4BA0-96B8-F683FF15E646}: NameServer = 85.255.116.174,85.255.112.82
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CD4FF7CB-076E-4D06-B4C6-64215CA2E3CC}: NameServer = 85.255.116.174,85.255.112.82
    O17 - HKLM\System\CCS\Services\Tcpip\..\{ED468E6B-E035-4D12-9CBF-32DE6CA0E367}: NameServer = 85.255.116.174,85.255.112.82
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.174 85.255.112.82
    O17 - HKLM\System\CS1\Services\Tcpip\..\{72DE85CB-F735-439C-BB8B-6E7A1066E9B2}: NameServer = 85.255.116.174,85.255.112.82
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.174 85.255.112.82
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  6. 2006/11/06
    TeMerc

    TeMerc Inactive Alumni

    OK, let's get a rootkit scan. Please do as instructed below.

    Download GMER from here
    • Right Click the Zip and Select "Extract All " and extract the files to the 'windows' folder
    • Then double-click gmer.exe to launch the program.
    • Click on the Rootkit Tab and on the right side, untick the Registry box, then click Scan.
    Once the scan is done, hit the copy button, then open notepad and paste the results here for me to see.
     
  7. 2006/11/06
    Frysk

    Frysk Inactive Thread Starter

    Okay, that is done.
    I had to do it in safe mode, as I have some new problem during normal startup now. Something requests access to the Internet that shouldn't, and I got an error msg and the computer froze.

    The gmer log is too big for this forum, I will split it into two posts.
    The split is in the middle of the 'devices' section of the log.
    Here is the first half:


    GMER 1.0.12.11879 - http://www.gmer.net
    Rootkit scan 2006-11-07 11:39:26
    Windows 5.1.2600 Service Pack 1


    ---- System - GMER 1.0.12 ----

    SSDT d347bus.sys ZwClose
    SSDT d347bus.sys ZwCreateKey
    SSDT d347bus.sys ZwCreatePagingFile
    SSDT d347bus.sys ZwEnumerateKey
    SSDT d347bus.sys ZwEnumerateValueKey
    SSDT d347bus.sys ZwOpenKey
    SSDT d347bus.sys ZwQueryKey
    SSDT d347bus.sys ZwQueryValueKey
    SSDT d347bus.sys ZwSetSystemPowerState

    ---- Kernel code sections - GMER 1.0.12 ----

    .text ntoskrnl.exe!ZwCallbackReturn + 10100 804FE03C 4 Bytes
    .text ntoskrnl.exe!ZwCallbackReturn + 10164 804FE07C 4 Bytes
    .text ntoskrnl.exe!ZwCallbackReturn + 10180 804FE08C 4 Bytes
    .text ntoskrnl.exe!ZwCallbackReturn + 10284 804FE0F4 4 Bytes
    .text ntoskrnl.exe!ZwCallbackReturn + 10292 804FE0FC 4 Bytes
    .text ...
    .text ntdll.dll!NtCreateThread 77F75A4E 5 Bytes JMP 008E5B5A
    .text ntdll.dll!NtEnumerateKey 77F75B5C 5 Bytes JMP 008E5D3A
    .text ntdll.dll!NtEnumerateValueKey 77F75B7A 5 Bytes JMP 008E5EB0
    .text ntdll.dll!NtQueryDirectoryFile 77F75FAE 5 Bytes JMP 008E61EE
    .text ntdll.dll!NtQuerySystemInformation 77F76152 5 Bytes JMP 008E60ED
    .text ntdll.dll!NtQueryValueKey 77F7618E 5 Bytes JMP 008E5FC3
    .text ntdll.dll!NtSetValueKey 77F765A8 5 Bytes JMP 008E5C2D

    ---- User code sections - GMER 1.0.12 ----

    .text C:\WINDOWS\system32\winlogon.exe[244] ntdll.dll!NtCreateThread 77F75A4E 5 Bytes JMP 00C95B5A
    .text C:\WINDOWS\system32\winlogon.exe[244] ntdll.dll!NtEnumerateKey 77F75B5C 5 Bytes JMP 00C95D3A
    .text C:\WINDOWS\system32\winlogon.exe[244] ntdll.dll!NtEnumerateValueKey 77F75B7A 5 Bytes JMP 00C95EB0
    .text C:\WINDOWS\system32\winlogon.exe[244] ntdll.dll!NtQueryDirectoryFile 77F75FAE 5 Bytes JMP 00C961EE
    .text C:\WINDOWS\system32\winlogon.exe[244] ntdll.dll!NtQuerySystemInformation 77F76152 5 Bytes JMP 00C960ED
    .text C:\WINDOWS\system32\winlogon.exe[244] ntdll.dll!NtQueryValueKey 77F7618E 5 Bytes JMP 00C95FC3
    .text C:\WINDOWS\system32\winlogon.exe[244] ntdll.dll!NtSetValueKey 77F765A8 5 Bytes JMP 00C95C2D
    .text C:\WINDOWS\explorer.exe[796] ntdll.dll!NtCreateThread 77F75A4E 5 Bytes JMP 007B5B5A
    .text C:\WINDOWS\explorer.exe[796] ntdll.dll!NtEnumerateKey 77F75B5C 5 Bytes JMP 007B5D3A
    .text C:\WINDOWS\explorer.exe[796] ntdll.dll!NtEnumerateValueKey 77F75B7A 5 Bytes JMP 007B5EB0
    .text C:\WINDOWS\explorer.exe[796] ntdll.dll!NtQueryDirectoryFile 77F75FAE 5 Bytes JMP 007B61EE
    .text C:\WINDOWS\explorer.exe[796] ntdll.dll!NtQuerySystemInformation 77F76152 5 Bytes JMP 007B60ED
    .text C:\WINDOWS\explorer.exe[796] ntdll.dll!NtQueryValueKey 77F7618E 5 Bytes JMP 007B5FC3
    .text C:\WINDOWS\explorer.exe[796] ntdll.dll!NtSetValueKey 77F765A8 5 Bytes JMP 007B5C2D
    .text C:\WINDOWS\gmer.exe[1096] ntdll.dll!NtCreateThread 77F75A4E 5 Bytes JMP 008E5B5A
    .text C:\WINDOWS\gmer.exe[1096] ntdll.dll!NtEnumerateKey 77F75B5C 5 Bytes JMP 008E5D3A
    .text C:\WINDOWS\gmer.exe[1096] ntdll.dll!NtEnumerateValueKey 77F75B7A 5 Bytes JMP 008E5EB0
    .text C:\WINDOWS\gmer.exe[1096] ntdll.dll!NtQueryDirectoryFile 77F75FAE 5 Bytes JMP 008E61EE
    .text C:\WINDOWS\gmer.exe[1096] ntdll.dll!NtQuerySystemInformation 77F76152 5 Bytes JMP 008E60ED
    .text C:\WINDOWS\gmer.exe[1096] ntdll.dll!NtQueryValueKey 77F7618E 5 Bytes JMP 008E5FC3
    .text C:\WINDOWS\gmer.exe[1096] ntdll.dll!NtSetValueKey 77F765A8 5 Bytes JMP 008E5C2D

    ---- Devices - GMER 1.0.12 ----

    Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 86751FB0
    Device \FileSystem\Fastfat \FatCdrom IRP_MJ_READ 8662D030
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 86732BF0
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_NAMED_PIPE 86732BF0
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 86732BF0
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 86732BF0
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 86732BF0
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_INFORMATION 86732BF0
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_INFORMATION 86732BF0
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_EA 86732BF0
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_EA 86732BF0
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 86732BF0
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_VOLUME_INFORMATION 86732BF0
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_VOLUME_INFORMATION 86732BF0
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DIRECTORY_CONTROL 86732BF0
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FILE_SYSTEM_CONTROL 86732BF0
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 86732BF0
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 86732BF0
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 86732BF0
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_LOCK_CONTROL 86732BF0
     
  8. 2006/11/06
    Frysk

    Frysk Inactive Thread Starter

    And here is the second half:



    ---- Modules - GMER 1.0.12 ----

    Module _________ F7762000

    ---- Files - GMER 1.0.12 ----

    ADS C:\System Volume Information\_restore{CBDFF53C-DCCD-444C-91C9-66C120DCAF21}\RP402\A0135190.exe:SummaryInformation
    ADS C:\System Volume Information\_restore{CBDFF53C-DCCD-444C-91C9-66C120DCAF21}\RP402\A0135190.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
    File C:\WINDOWS\system32\csver.exe
    File C:\WINDOWS\system32\dmjtj.exe

    ---- EOF - GMER 1.0.12 ----
     
  9. 2006/11/06
    Frysk

    Frysk Inactive Thread Starter

    And here is a fresh HijackThis! log (in safe mode).
    The "msupd0112842546.exe" file is the one that gave me problems
    during normal startup: it tried to access the internet, and a pop-up error appeared.


    Logfile of HijackThis v1.99.1
    Scan saved at 11:50:11 AM, on 7/11/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\csrss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\svchost.exe
    C:\windows\system32\svchost.exe
    C:\windows\Explorer.exe
    C:\Program Files\HJThis\HJThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
    R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
    F2 - REG:system.ini: Shell=Explorer.exe vmmdiag32.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [avast!] C:\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKCU\..\Run: [WinMedia] C:\msupd0112832828.exe
    O4 - HKCU\..\Run: [Winstd] c:\msupd0112842546.exe
    O4 - HKCU\..\Run: [Winstt] C:\msupd0112842546.exe
    O4 - HKCU\..\Run: [Winsth] C:\msupd0112842546.exe
    O4 - HKCU\..\Run: [Winsti] C:\msupd0112842546.exe
    O4 - HKCU\..\Run: [Winstb] C:\msupd0112842546.exe
    O4 - HKCU\..\Run: [Winsts] C:\msupd0112842546.exe
    O4 - HKCU\..\Run: [Winstn] C:\msupd0112842546.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Uninstall.exe
    O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQ\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQ\ICQLite.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139533146875
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{72DE85CB-F735-439C-BB8B-6E7A1066E9B2}: NameServer = 85.255.116.174,85.255.112.82
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A898C316-9996-4BA0-96B8-F683FF15E646}: NameServer = 85.255.116.174,85.255.112.82
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CD4FF7CB-076E-4D06-B4C6-64215CA2E3CC}: NameServer = 85.255.116.174,85.255.112.82
    O17 - HKLM\System\CCS\Services\Tcpip\..\{ED468E6B-E035-4D12-9CBF-32DE6CA0E367}: NameServer = 85.255.116.174,85.255.112.82
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.174 85.255.112.82
    O17 - HKLM\System\CS1\Services\Tcpip\..\{72DE85CB-F735-439C-BB8B-6E7A1066E9B2}: NameServer = 85.255.116.174,85.255.112.82
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.174 85.255.112.82
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  10. 2006/11/06
    TeMerc

    TeMerc Inactive Alumni

    OK, GMER found two files which were hidden. It did not, however, find any services, so I'd like to double-check for one and try to delete those files.

    The first thing I need you to do is download the file from here:

    Getservice

    Extract the file to the c:\ drive. Then navigate to c:\getservices and double-click the getservices.bat file. A Notepad window will open. Please paste the contents of that Notepad window as a reply to this post.

    1) Please download the Killbox.
    Save it to the desktop and run it.

    2) Select "Delete on Reboot", and then select "All files".

    3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\WINDOWS\system32\csver.exe
    C:\WINDOWS\system32\dmjtj.exe


    4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

    5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    Let me know what errors, if any, you get. Then run GMER again and post that log; no HJT log, though, not yet.
     
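    As an added triage example (not code from this thread, nor from HijackThis or GMER), here is a small Python parser for the two log formats posted above: it flags the extra executable appended to the Winlogon Shell value (F2), autoruns launched straight from a drive root (O4), the configured NameServer entries (O17), the files GMER reported, and the ntdll functions GMER shows inline-hooked in every listed process. The sample lines are constructed from the logs in this thread; the finding names and regular expressions are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample lines, shortened from the HijackThis log posted above.
SAMPLE_HJT = r"""F2 - REG:system.ini: Shell=Explorer.exe vmmdiag32.exe
O4 - HKLM\..\Run: [avast!] C:\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [WinMedia] C:\msupd0112832828.exe
O4 - HKCU\..\Run: [Winstd] c:\msupd0112842546.exe
O4 - Global Startup: Uninstall.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.174 85.255.112.82
O17 - HKLM\System\CCS\Services\Tcpip\..\{72DE85CB-F735-439C-BB8B-6E7A1066E9B2}: NameServer = 85.255.116.174,85.255.112.82
"""

# Constructed sample lines, shortened from the GMER logs posted above.
SAMPLE_GMER = r"""---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\explorer.exe[668] ntdll.dll!NtQueryDirectoryFile 77F75FAE 5 Bytes JMP 007B61EE
.text C:\WINDOWS\explorer.exe[668] ntdll.dll!NtQuerySystemInformation 77F76152 5 Bytes JMP 007B60ED
.text C:\msupd0112842546.exe[1872] ntdll.dll!NtCreateThread 77F75A4E 5 Bytes JMP 003B5B5A
.text C:\msupd0112842546.exe[1872] ntdll.dll!NtQueryDirectoryFile 77F75FAE 5 Bytes JMP 003B61EE

---- Files - GMER 1.0.12 ----

File C:\WINDOWS\system32\csver.exe
File C:\WINDOWS\system32\dmjtj.exe

---- EOF - GMER 1.0.12 ----
"""

# One GMER user-mode hook line:
# ".text <image>[<pid>] <module!function> <addr> <n> Bytes JMP <target>"
HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<func>\S+) (?P<addr>[0-9A-F]+) "
    r"(?P<n>\d+) Bytes JMP (?P<target>[0-9A-F]+)$"
)
# An autorun whose target sits directly in a drive root, e.g. C:\msupd0112842546.exe
ROOT_EXE_RE = re.compile(r"[a-z]:\\[^\\]+\.exe$", re.I)


def parse_hjt(text):
    """Return (kind, detail) findings from HijackThis lines.

    F2_SHELL     extra executables appended to the Winlogon Shell value
    O4_ROOT_EXE  Run/startup entries that launch an .exe from a drive root
    O17_DNS      the DNS servers configured in each Tcpip NameServer value
    """
    findings = []
    for line in text.splitlines():
        if line.startswith("F2 - ") and "Shell=" in line:
            shell = line.split("Shell=", 1)[1].split()
            if [s.lower() for s in shell] != ["explorer.exe"]:
                findings.append(("F2_SHELL", shell[1:]))
        elif line.startswith("O4 - ") and "] " in line:
            path = line.split("] ", 1)[1].strip()
            if ROOT_EXE_RE.fullmatch(path):
                findings.append(("O4_ROOT_EXE", path))
        elif line.startswith("O17 - ") and "NameServer = " in line:
            servers = re.split(r"[ ,]+", line.split("NameServer = ", 1)[1].strip())
            findings.append(("O17_DNS", servers))
    return findings


def parse_gmer(text):
    """Return (hooks, files): hooks maps "image[pid]" to the functions GMER
    shows inline-patched in that process; files lists the Files-section entries."""
    hooks = defaultdict(list)
    files = []
    section = ""
    for line in text.splitlines():
        if line.startswith("---- "):
            section = line
            continue
        if "User code" in section:
            m = HOOK_RE.match(line)
            if m:
                hooks[f"{m['proc']}[{m['pid']}]"].append(m["func"])
        elif "Files" in section and line.startswith("File "):
            files.append(line[len("File "):])
    return dict(hooks), files


def common_hooks(hooks):
    """Functions hooked in every listed process. The same patch set appearing in
    each process (here the directory/registry query family) is what separates a
    user-mode rootkit from a single program patching its own imports."""
    if not hooks:
        return set()
    return set.intersection(*(set(funcs) for funcs in hooks.values()))


if __name__ == "__main__":
    for kind, detail in parse_hjt(SAMPLE_HJT):
        print(kind, detail)
    hooks, files = parse_gmer(SAMPLE_GMER)
    for proc, funcs in hooks.items():
        print(proc, "hooks", len(funcs), "ntdll functions")
    print("hooked everywhere:", sorted(common_hooks(hooks)))
    print("GMER files:", files)
```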
  11. 2006/11/06
    Frysk

    Frysk Inactive Thread Starter

    Okay, I couldn't paste from the clipboard.
    I know how to do it, and did it correctly; it just doesn't work.
    It also wouldn't let me type in more than one filename,
    so I repeated the process for the second file.

    For both of them I got the error message:
    PendingFileRenameOperations Registry Data has been removed by External Process!

    Then I ran GMER again (with Registry unchecked).
    It must be longer than before, and needs to be split into three posts:


    GMER 1.0.12.11879 - http://www.gmer.net
    Rootkit scan 2006-11-07 12:46:43
    Windows 5.1.2600 Service Pack 1


    ---- System - GMER 1.0.12 ----

    SSDT d347bus.sys ZwClose
    SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
    SSDT d347bus.sys ZwCreateKey
    SSDT d347bus.sys ZwCreatePagingFile
    SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
    SSDT d347bus.sys ZwEnumerateKey
    SSDT d347bus.sys ZwEnumerateValueKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
    SSDT d347bus.sys ZwOpenKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
    SSDT d347bus.sys ZwQueryKey
    SSDT d347bus.sys ZwQueryValueKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
    SSDT d347bus.sys ZwSetSystemPowerState
    SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey

    ---- Kernel code sections - GMER 1.0.12 ----

    .text ntoskrnl.exe!ZwCallbackReturn + 10100 804FE03C 4 Bytes
    .text ntoskrnl.exe!ZwCallbackReturn + 10124 804FE054 4 Bytes
    .text ntoskrnl.exe!ZwCallbackReturn + 10164 804FE07C 4 Bytes
    .text ntoskrnl.exe!ZwCallbackReturn + 10180 804FE08C 4 Bytes
    .text ntoskrnl.exe!ZwCallbackReturn + 10252 804FE0D4 4 Bytes
    .text ...
    .text ntdll.dll!NtCreateThread 77F75A4E 5 Bytes JMP 008E5B5A
    .text ntdll.dll!NtEnumerateKey 77F75B5C 5 Bytes JMP 008E5D3A
    .text ntdll.dll!NtEnumerateValueKey 77F75B7A 5 Bytes JMP 008E5EB0
    .text ntdll.dll!NtQueryDirectoryFile 77F75FAE 5 Bytes JMP 008E61EE
    .text ntdll.dll!NtQuerySystemInformation 77F76152 5 Bytes JMP 008E60ED
    .text ntdll.dll!NtQueryValueKey 77F7618E 5 Bytes JMP 008E5FC3
    .text ntdll.dll!NtSetValueKey 77F765A8 5 Bytes JMP 008E5C2D

    ---- User code sections - GMER 1.0.12 ----

    .text C:\WINDOWS\explorer.exe[668] ntdll.dll!NtCreateThread 77F75A4E 5 Bytes JMP 00B17600
    .text C:\WINDOWS\explorer.exe[668] ntdll.dll!NtEnumerateKey 77F75B5C 5 Bytes JMP 007B5D3A
    .text C:\WINDOWS\explorer.exe[668] ntdll.dll!NtEnumerateValueKey 77F75B7A 5 Bytes JMP 007B5EB0
    .text C:\WINDOWS\explorer.exe[668] ntdll.dll!NtQueryDirectoryFile 77F75FAE 5 Bytes JMP 007B61EE
    .text C:\WINDOWS\explorer.exe[668] ntdll.dll!NtQuerySystemInformation 77F76152 5 Bytes JMP 007B60ED
    .text C:\WINDOWS\explorer.exe[668] ntdll.dll!NtQueryValueKey 77F7618E 5 Bytes JMP 007B5FC3
    .text C:\WINDOWS\explorer.exe[668] ntdll.dll!NtResumeThread 77F76341 5 Bytes JMP 00B17650
    .text C:\WINDOWS\explorer.exe[668] ntdll.dll!NtSetValueKey 77F765A8 5 Bytes JMP 007B5C2D
    .text C:\WINDOWS\gmer.exe[684] ntdll.dll!NtCreateThread 77F75A4E 5 Bytes JMP 008E5B5A
    .text C:\WINDOWS\gmer.exe[684] ntdll.dll!NtEnumerateKey 77F75B5C 5 Bytes JMP 008E5D3A
    .text C:\WINDOWS\gmer.exe[684] ntdll.dll!NtEnumerateValueKey 77F75B7A 5 Bytes JMP 008E5EB0
    .text C:\WINDOWS\gmer.exe[684] ntdll.dll!NtQueryDirectoryFile 77F75FAE 5 Bytes JMP 008E61EE
    .text C:\WINDOWS\gmer.exe[684] ntdll.dll!NtQuerySystemInformation 77F76152 5 Bytes JMP 008E60ED
    .text C:\WINDOWS\gmer.exe[684] ntdll.dll!NtQueryValueKey 77F7618E 5 Bytes JMP 008E5FC3
    .text C:\WINDOWS\gmer.exe[684] ntdll.dll!NtSetValueKey 77F765A8 5 Bytes JMP 008E5C2D
    .text C:\WINDOWS\system32\winlogon.exe[716] ntdll.dll!NtCreateThread 77F75A4E 5 Bytes JMP 00C85B5A
    .text C:\WINDOWS\system32\winlogon.exe[716] ntdll.dll!NtEnumerateKey 77F75B5C 5 Bytes JMP 00C85D3A
    .text C:\WINDOWS\system32\winlogon.exe[716] ntdll.dll!NtEnumerateValueKey 77F75B7A 5 Bytes JMP 00C85EB0
    .text C:\WINDOWS\system32\winlogon.exe[716] ntdll.dll!NtQueryDirectoryFile 77F75FAE 5 Bytes JMP 00C861EE
    .text C:\WINDOWS\system32\winlogon.exe[716] ntdll.dll!NtQuerySystemInformation 77F76152 5 Bytes JMP 00C860ED
    .text C:\WINDOWS\system32\winlogon.exe[716] ntdll.dll!NtQueryValueKey 77F7618E 5 Bytes JMP 00C85FC3
    .text C:\WINDOWS\system32\winlogon.exe[716] ntdll.dll!NtSetValueKey 77F765A8 5 Bytes JMP 00C85C2D
    .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[1056] ntdll.dll!NtCreateThread 77F75A4E 5 Bytes JMP 00385B5A
    .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[1056] ntdll.dll!NtEnumerateKey 77F75B5C 5 Bytes JMP 00385D3A
    .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[1056] ntdll.dll!NtEnumerateValueKey 77F75B7A 5 Bytes JMP 00385EB0
    .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[1056] ntdll.dll!NtQueryDirectoryFile 77F75FAE 5 Bytes JMP 003861EE
    .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[1056] ntdll.dll!NtQuerySystemInformation 77F76152 5 Bytes JMP 003860ED
    .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[1056] ntdll.dll!NtQueryValueKey 77F7618E 5 Bytes JMP 00385FC3
    .text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[1056] ntdll.dll!NtSetValueKey 77F765A8 5 Bytes JMP 00385C2D
    .text C:\Avast4\ashDisp.exe[1520] ntdll.dll!NtCreateThread 77F75A4E 5 Bytes JMP 008F5B5A
    .text C:\Avast4\ashDisp.exe[1520] ntdll.dll!NtEnumerateKey 77F75B5C 5 Bytes JMP 008F5D3A
    .text C:\Avast4\ashDisp.exe[1520] ntdll.dll!NtEnumerateValueKey 77F75B7A 5 Bytes JMP 008F5EB0
    .text C:\Avast4\ashDisp.exe[1520] ntdll.dll!NtQueryDirectoryFile 77F75FAE 5 Bytes JMP 008F61EE
    .text C:\Avast4\ashDisp.exe[1520] ntdll.dll!NtQuerySystemInformation 77F76152 5 Bytes JMP 008F60ED
    .text C:\Avast4\ashDisp.exe[1520] ntdll.dll!NtQueryValueKey 77F7618E 5 Bytes JMP 008F5FC3
    .text C:\Avast4\ashDisp.exe[1520] ntdll.dll!NtSetValueKey 77F765A8 5 Bytes JMP 008F5C2D
    .text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[1544] ntdll.dll!NtCreateThread 77F75A4E 5 Bytes JMP 003F5B5A
    .text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[1544] ntdll.dll!NtEnumerateKey 77F75B5C 5 Bytes JMP 003F5D3A
    .text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[1544] ntdll.dll!NtEnumerateValueKey 77F75B7A 5 Bytes JMP 003F5EB0
    .text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[1544] ntdll.dll!NtQueryDirectoryFile 77F75FAE 5 Bytes JMP 003F61EE
    .text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[1544] ntdll.dll!NtQuerySystemInformation 77F76152 5 Bytes JMP 003F60ED
    .text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[1544] ntdll.dll!NtQueryValueKey 77F7618E 5 Bytes JMP 003F5FC3
    .text C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe[1544] ntdll.dll!NtSetValueKey 77F765A8 5 Bytes JMP 003F5C2D
    .text C:\WINDOWS\soundman.exe[1556] ntdll.dll!NtCreateThread 77F75A4E 5 Bytes JMP 00975B5A
    .text C:\WINDOWS\soundman.exe[1556] ntdll.dll!NtEnumerateKey 77F75B5C 5 Bytes JMP 00975D3A
    .text C:\WINDOWS\soundman.exe[1556] ntdll.dll!NtEnumerateValueKey 77F75B7A 5 Bytes JMP 00975EB0
    .text C:\WINDOWS\soundman.exe[1556] ntdll.dll!NtQueryDirectoryFile 77F75FAE 5 Bytes JMP 009761EE
    .text C:\WINDOWS\soundman.exe[1556] ntdll.dll!NtQuerySystemInformation 77F76152 5 Bytes JMP 009760ED
    .text C:\WINDOWS\soundman.exe[1556] ntdll.dll!NtQueryValueKey 77F7618E 5 Bytes JMP 00975FC3
    .text C:\WINDOWS\soundman.exe[1556] ntdll.dll!NtSetValueKey 77F765A8 5 Bytes JMP 00975C2D
    .text C:\Program Files\Microsoft Hardware\Mouse\point32.exe[1616] ntdll.dll!NtCreateThread 77F75A4E 5 Bytes JMP 008B5B5A
    .text C:\Program Files\Microsoft Hardware\Mouse\point32.exe[1616] ntdll.dll!NtEnumerateKey 77F75B5C 5 Bytes JMP 008B5D3A
    .text C:\Program Files\Microsoft Hardware\Mouse\point32.exe[1616] ntdll.dll!NtEnumerateValueKey 77F75B7A 5 Bytes JMP 008B5EB0
    .text C:\Program Files\Microsoft Hardware\Mouse\point32.exe[1616] ntdll.dll!NtQueryDirectoryFile 77F75FAE 5 Bytes JMP 008B61EE
    .text C:\Program Files\Microsoft Hardware\Mouse\point32.exe[1616] ntdll.dll!NtQuerySystemInformation 77F76152 5 Bytes JMP 008B60ED
    .text C:\Program Files\Microsoft Hardware\Mouse\point32.exe[1616] ntdll.dll!NtQueryValueKey 77F7618E 5 Bytes JMP 008B5FC3
    .text C:\Program Files\Microsoft Hardware\Mouse\point32.exe[1616] ntdll.dll!NtSetValueKey 77F765A8 5 Bytes JMP 008B5C2D
    .text C:\msupd0112842546.exe[1872] ntdll.dll!NtCreateThread 77F75A4E 5 Bytes JMP 003B5B5A
    .text C:\msupd0112842546.exe[1872] ntdll.dll!NtEnumerateKey 77F75B5C 5 Bytes JMP 003B5D3A
    .text C:\msupd0112842546.exe[1872] ntdll.dll!NtEnumerateValueKey 77F75B7A 5 Bytes JMP 003B5EB0
    .text C:\msupd0112842546.exe[1872] ntdll.dll!NtQueryDirectoryFile 77F75FAE 5 Bytes JMP 003B61EE
    .text C:\msupd0112842546.exe[1872] ntdll.dll!NtQuerySystemInformation 77F76152 5 Bytes JMP 003B60ED
    .text C:\msupd0112842546.exe[1872] ntdll.dll!NtQueryValueKey 77F7618E 5 Bytes JMP 003B5FC3
    .text C:\msupd0112842546.exe[1872] ntdll.dll!NtSetValueKey 77F765A8 5 Bytes JMP 003B5C2D
    .text C:\msupd0112832828.exe[1916] ntdll.dll!NtCreateThread 77F75A4E 5 Bytes JMP 003B5B5A
    .text C:\msupd0112832828.exe[1916] ntdll.dll!NtEnumerateKey 77F75B5C 5 Bytes JMP 003B5D3A
    .text C:\msupd0112832828.exe[1916] ntdll.dll!NtEnumerateValueKey 77F75B7A 5 Bytes JMP 003B5EB0
    .text C:\msupd0112832828.exe[1916] ntdll.dll!NtQueryDirectoryFile 77F75FAE 5 Bytes JMP 003B61EE
    .text C:\msupd0112832828.exe[1916] ntdll.dll!NtQuerySystemInformation 77F76152 5 Bytes JMP 003B60ED
    .text C:\msupd0112832828.exe[1916] ntdll.dll!NtQueryValueKey 77F7618E 5 Bytes JMP 003B5FC3
    .text C:\msupd0112832828.exe[1916] ntdll.dll!NtSetValueKey 77F765A8 5 Bytes JMP 003B5C2D
    .text C:\msupd0112842546.exe[1984] ntdll.dll!NtCreateThread 77F75A4E 5 Bytes JMP 003B5B5A
    .text C:\msupd0112842546.exe[1984] ntdll.dll!NtEnumerateKey 77F75B5C 5 Bytes JMP 003B5D3A
    .text C:\msupd0112842546.exe[1984] ntdll.dll!NtEnumerateValueKey 77F75B7A 5 Bytes JMP 003B5EB0
    .text C:\msupd0112842546.exe[1984] ntdll.dll!NtQueryDirectoryFile 77F75FAE 5 Bytes JMP 003B61EE
    .text C:\msupd0112842546.exe[1984] ntdll.dll!NtQuerySystemInformation 77F76152 5 Bytes JMP 003B60ED
    .text C:\msupd0112842546.exe[1984] ntdll.dll!NtQueryValueKey 77F7618E 5 Bytes JMP 003B5FC3
    .text C:\msupd0112842546.exe[1984] ntdll.dll!NtSetValueKey 77F765A8 5 Bytes JMP 003B5C2D
    .text C:\WINDOWS\system32\ati2evxx.exe[2000] ntdll.dll!NtCreateThread 77F75A4E 5 Bytes JMP 008C5B5A
    .text C:\WINDOWS\system32\ati2evxx.exe[2000] ntdll.dll!NtEnumerateKey 77F75B5C 5 Bytes JMP 008C5D3A
    .text C:\WINDOWS\system32\ati2evxx.exe[2000] ntdll.dll!NtEnumerateValueKey 77F75B7A 5 Bytes JMP 008C5EB0
    .text C:\WINDOWS\system32\ati2evxx.exe[2000] ntdll.dll!NtQueryDirectoryFile 77F75FAE 5 Bytes JMP 008C61EE
    .text C:\WINDOWS\system32\ati2evxx.exe[2000] ntdll.dll!NtQuerySystemInformation 77F76152 5 Bytes JMP 008C60ED
    .text C:\WINDOWS\system32\ati2evxx.exe[2000] ntdll.dll!NtQueryValueKey 77F7618E 5 Bytes JMP 008C5FC3
    .text C:\WINDOWS\system32\ati2evxx.exe[2000] ntdll.dll!NtSetValueKey 77F765A8 5 Bytes JMP 008C5C2D
    .text C:\msupd0112842546.exe[2008] ntdll.dll!NtCreateThread 77F75A4E 5 Bytes JMP 003B5B5A
    .text C:\msupd0112842546.exe[2008] ntdll.dll!NtEnumerateKey 77F75B5C 5 Bytes JMP 003B5D3A
    .text C:\msupd0112842546.exe[2008] ntdll.dll!NtEnumerateValueKey 77F75B7A 5 Bytes JMP 003B5EB0
    .text C:\msupd0112842546.exe[2008] ntdll.dll!NtQueryDirectoryFile 77F75FAE 5 Bytes JMP 003B61EE
    .text C:\msupd0112842546.exe[2008] ntdll.dll!NtQuerySystemInformation 77F76152 5 Bytes JMP 003B60ED
    .text C:\msupd0112842546.exe[2008] ntdll.dll!NtQueryValueKey 77F7618E 5 Bytes JMP 003B5FC3
    .text C:\msupd0112842546.exe[2008] ntdll.dll!NtSetValueKey 77F765A8 5 Bytes JMP 003B5C2D
    .text C:\msupd0112842546.exe[2020] ntdll.dll!NtCreateThread 77F75A4E 5 Bytes JMP 003B5B5A
    .text C:\msupd0112842546.exe[2020] ntdll.dll!NtEnumerateKey 77F75B5C 5 Bytes JMP 003B5D3A
    .text C:\msupd0112842546.exe[2020] ntdll.dll!NtEnumerateValueKey 77F75B7A 5 Bytes JMP 003B5EB0
    .text C:\msupd0112842546.exe[2020] ntdll.dll!NtQueryDirectoryFile 77F75FAE 5 Bytes JMP 003B61EE
    .text C:\msupd0112842546.exe[2020] ntdll.dll!NtQuerySystemInformation 77F76152 5 Bytes JMP 003B60ED
    .text C:\msupd0112842546.exe[2020] ntdll.dll!NtQueryValueKey 77F7618E 5 Bytes JMP 003B5FC3
    .text C:\msupd0112842546.exe[2020] ntdll.dll!NtSetValueKey 77F765A8 5 Bytes JMP 003B5C2D
    .text C:\msupd0112842546.exe[2052] ntdll.dll!NtCreateThread 77F75A4E 5 Bytes JMP 003B5B5A
    .text C:\msupd0112842546.exe[2052] ntdll.dll!NtEnumerateKey 77F75B5C 5 Bytes JMP 003B5D3A
    .text C:\msupd0112842546.exe[2052] ntdll.dll!NtEnumerateValueKey 77F75B7A 5 Bytes JMP 003B5EB0
    .text C:\msupd0112842546.exe[2052] ntdll.dll!NtQueryDirectoryFile 77F75FAE 5 Bytes JMP 003B61EE
    .text C:\msupd0112842546.exe[2052] ntdll.dll!NtQuerySystemInformation 77F76152 5 Bytes JMP 003B60ED
    .text C:\msupd0112842546.exe[2052] ntdll.dll!NtQueryValueKey 77F7618E 5 Bytes JMP 003B5FC3
    .text C:\msupd0112842546.exe[2052] ntdll.dll!NtSetValueKey 77F765A8 5 Bytes JMP 003B5C2D
    .text C:\msupd0112842546.exe[2064] ntdll.dll!NtCreateThread 77F75A4E 5 Bytes JMP 003B5B5A
    .text C:\msupd0112842546.exe[2064] ntdll.dll!NtEnumerateKey 77F75B5C 5 Bytes JMP 003B5D3A
    .text C:\msupd0112842546.exe[2064] ntdll.dll!NtEnumerateValueKey 77F75B7A 5 Bytes JMP 003B5EB0
    .text C:\msupd0112842546.exe[2064] ntdll.dll!NtQueryDirectoryFile 77F75FAE 5 Bytes JMP 003B61EE
    .text C:\msupd0112842546.exe[2064] ntdll.dll!NtQuerySystemInformation 77F76152 5 Bytes JMP 003B60ED
    .text C:\msupd0112842546.exe[2064] ntdll.dll!NtQueryValueKey 77F7618E 5 Bytes JMP 003B5FC3
    .text C:\msupd0112842546.exe[2064] ntdll.dll!NtSetValueKey 77F765A8 5 Bytes JMP 003B5C2D
    .text C:\msupd0112842546.exe[2080] ntdll.dll!NtCreateThread 77F75A4E 5 Bytes JMP 003B5B5A
    .text C:\msupd0112842546.exe[2080] ntdll.dll!NtEnumerateKey 77F75B5C 5 Bytes JMP 003B5D3A
    .text C:\msupd0112842546.exe[2080] ntdll.dll!NtEnumerateValueKey 77F75B7A 5 Bytes JMP 003B5EB0
    .text C:\msupd0112842546.exe[2080] ntdll.dll!NtQueryDirectoryFile 77F75FAE 5 Bytes JMP 003B61EE
    .text C:\msupd0112842546.exe[2080] ntdll.dll!NtQuerySystemInformation 77F76152 5 Bytes JMP 003B60ED
    .text C:\msupd0112842546.exe[2080] ntdll.dll!NtQueryValueKey 77F7618E 5 Bytes JMP 003B5FC3
    .text C:\msupd0112842546.exe[2080] ntdll.dll!NtSetValueKey 77F765A8 5 Bytes JMP 003B5C2D
    .text C:\msupd01.exe[2456] ntdll.dll!NtCreateThread 77F75A4E 5 Bytes JMP 003B5B5A
    .text C:\msupd01.exe[2456] ntdll.dll!NtEnumerateKey 77F75B5C 5 Bytes JMP 003B5D3A
    .text C:\msupd01.exe[2456] ntdll.dll!NtEnumerateValueKey 77F75B7A 5 Bytes JMP 003B5EB0
    .text C:\msupd01.exe[2456] ntdll.dll!NtQueryDirectoryFile 77F75FAE 5 Bytes JMP 003B61EE
    .text C:\msupd01.exe[2456] ntdll.dll!NtQuerySystemInformation 77F76152 5 Bytes JMP 003B60ED
    .text C:\msupd01.exe[2456] ntdll.dll!NtQueryValueKey 77F7618E 5 Bytes JMP 003B5FC3
    .text C:\msupd01.exe[2456] ntdll.dll!NtSetValueKey 77F765A8 5 Bytes JMP 003B5C2D

    ---- Devices - GMER 1.0.12 ----

    Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 867AE0D0
    Device \FileSystem\Fastfat \FatCdrom IRP_MJ_READ 85D38620
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [BAF0A170] vsdatant.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [BAF0A170] vsdatant.sys
     
  12. 2006/11/06
    Frysk

    Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [BAF0A170] vsdatant.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [BAF0A170] vsdatant.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [BAF0A170] vsdatant.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [BAF0A170] vsdatant.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [BAF0A170] vsdatant.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [BAF0A170] vsdatant.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [BAF0A170] vsdatant.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [BAF0A170] vsdatant.sys
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 86416818
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_NAMED_PIPE 86416818
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 86416818
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 86416818
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 86416818
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_INFORMATION 86416818
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_INFORMATION 86416818
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_EA 86416818
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_EA 86416818
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 86416818
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_VOLUME_INFORMATION 86416818
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_VOLUME_INFORMATION 86416818
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DIRECTORY_CONTROL 86416818
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FILE_SYSTEM_CONTROL 86416818
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 86416818
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 86416818
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 86416818
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_LOCK_CONTROL 86416818
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLEANUP 86416818
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_MAILSLOT 86416818
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_SECURITY 86416818
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_SECURITY 86416818
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 86416818
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 86416818
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CHANGE 86416818
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_QUOTA 86416818
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_QUOTA 86416818
    Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 86416818
    Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 864208A8
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE_NAMED_PIPE 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CLOSE 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_READ 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_WRITE 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_INFORMATION 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_INFORMATION 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_EA 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_EA 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_FLUSH_BUFFERS 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_VOLUME_INFORMATION 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_VOLUME_INFORMATION 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DIRECTORY_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_FILE_SYSTEM_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DEVICE_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_INTERNAL_DEVICE_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SHUTDOWN 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_LOCK_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CLEANUP 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE_MAILSLOT 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_SECURITY 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_SECURITY 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_POWER 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SYSTEM_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DEVICE_CHANGE 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_QUOTA 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_QUOTA 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_PNP 86416B98
    Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE 86416B98
    Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_NAMED_PIPE 86416B98
    Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLOSE 86416B98
    Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_READ 86416B98
    Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_WRITE 86416B98
    Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_INFORMATION 86416B98
    Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_INFORMATION 86416B98
    Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_EA 86416B98
    Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_EA 86416B98
    Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FLUSH_BUFFERS 86416B98
    Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_VOLUME_INFORMATION 86416B98
    Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_VOLUME_INFORMATION 86416B98
    Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DIRECTORY_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FILE_SYSTEM_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SHUTDOWN 86416B98
    Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_LOCK_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLEANUP 86416B98
    Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_MAILSLOT 86416B98
    Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_SECURITY 86416B98
    Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_SECURITY 86416B98
    Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_POWER 86416B98
    Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SYSTEM_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CHANGE 86416B98
    Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_QUOTA 86416B98
    Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_QUOTA 86416B98
    Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_PNP 86416B98
    Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE 86416B98
    Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_NAMED_PIPE 86416B98
    Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLOSE 86416B98
    Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_READ 86416B98
    Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_WRITE 86416B98
    Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_INFORMATION 86416B98
    Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_INFORMATION 86416B98
    Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_EA 86416B98
    Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_EA 86416B98
    Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FLUSH_BUFFERS 86416B98
    Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_VOLUME_INFORMATION 86416B98
    Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_VOLUME_INFORMATION 86416B98
    Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DIRECTORY_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FILE_SYSTEM_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SHUTDOWN 86416B98
    Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_LOCK_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLEANUP 86416B98
    Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_MAILSLOT 86416B98
    Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_SECURITY 86416B98
    Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_SECURITY 86416B98
    Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_POWER 86416B98
    Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SYSTEM_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CHANGE 86416B98
    Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_QUOTA 86416B98
    Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_QUOTA 86416B98
    Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_PNP 86416B98
    Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_CREATE 86416B98
    Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_CREATE_NAMED_PIPE 86416B98
    Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_CLOSE 86416B98
    Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_READ 86416B98
    Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_WRITE 86416B98
    Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_QUERY_INFORMATION 86416B98
    Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_SET_INFORMATION 86416B98
    Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_QUERY_EA 86416B98
    Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_SET_EA 86416B98
    Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_FLUSH_BUFFERS 86416B98
    Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_QUERY_VOLUME_INFORMATION 86416B98
    Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_SET_VOLUME_INFORMATION 86416B98
    Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_DIRECTORY_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_FILE_SYSTEM_CONTROL 86416B98
     
  13. 2006/11/06
    Frysk

    Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_DEVICE_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_INTERNAL_DEVICE_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_SHUTDOWN 86416B98
    Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_LOCK_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_CLEANUP 86416B98
    Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_CREATE_MAILSLOT 86416B98
    Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_QUERY_SECURITY 86416B98
    Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_SET_SECURITY 86416B98
    Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_POWER 86416B98
    Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_SYSTEM_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_DEVICE_CHANGE 86416B98
    Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_QUERY_QUOTA 86416B98
    Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_SET_QUOTA 86416B98
    Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_PNP 86416B98
    Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_CREATE 86416B98
    Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_CREATE_NAMED_PIPE 86416B98
    Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_CLOSE 86416B98
    Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_READ 86416B98
    Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_WRITE 86416B98
    Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_QUERY_INFORMATION 86416B98
    Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_SET_INFORMATION 86416B98
    Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_QUERY_EA 86416B98
    Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_SET_EA 86416B98
    Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_FLUSH_BUFFERS 86416B98
    Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_QUERY_VOLUME_INFORMATION 86416B98
    Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_SET_VOLUME_INFORMATION 86416B98
    Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_DIRECTORY_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_FILE_SYSTEM_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_DEVICE_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_INTERNAL_DEVICE_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_SHUTDOWN 86416B98
    Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_LOCK_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_CLEANUP 86416B98
    Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_CREATE_MAILSLOT 86416B98
    Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_QUERY_SECURITY 86416B98
    Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_SET_SECURITY 86416B98
    Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_POWER 86416B98
    Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_SYSTEM_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_DEVICE_CHANGE 86416B98
    Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_QUERY_QUOTA 86416B98
    Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_SET_QUOTA 86416B98
    Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_PNP 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e IRP_MJ_CREATE 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e IRP_MJ_CREATE_NAMED_PIPE 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e IRP_MJ_CLOSE 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e IRP_MJ_READ 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e IRP_MJ_WRITE 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e IRP_MJ_QUERY_INFORMATION 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e IRP_MJ_SET_INFORMATION 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e IRP_MJ_QUERY_EA 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e IRP_MJ_SET_EA 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e IRP_MJ_FLUSH_BUFFERS 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e IRP_MJ_QUERY_VOLUME_INFORMATION 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e IRP_MJ_SET_VOLUME_INFORMATION 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e IRP_MJ_DIRECTORY_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e IRP_MJ_FILE_SYSTEM_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e IRP_MJ_DEVICE_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e IRP_MJ_INTERNAL_DEVICE_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e IRP_MJ_SHUTDOWN 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e IRP_MJ_LOCK_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e IRP_MJ_CLEANUP 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e IRP_MJ_CREATE_MAILSLOT 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e IRP_MJ_QUERY_SECURITY 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e IRP_MJ_SET_SECURITY 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e IRP_MJ_POWER 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e IRP_MJ_SYSTEM_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e IRP_MJ_DEVICE_CHANGE 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e IRP_MJ_QUERY_QUOTA 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e IRP_MJ_SET_QUOTA 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e IRP_MJ_PNP 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1b IRP_MJ_CREATE 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1b IRP_MJ_CREATE_NAMED_PIPE 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1b IRP_MJ_CLOSE 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1b IRP_MJ_READ 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1b IRP_MJ_WRITE 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1b IRP_MJ_QUERY_INFORMATION 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1b IRP_MJ_SET_INFORMATION 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1b IRP_MJ_QUERY_EA 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1b IRP_MJ_SET_EA 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1b IRP_MJ_FLUSH_BUFFERS 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1b IRP_MJ_QUERY_VOLUME_INFORMATION 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1b IRP_MJ_SET_VOLUME_INFORMATION 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1b IRP_MJ_DIRECTORY_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1b IRP_MJ_FILE_SYSTEM_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1b IRP_MJ_DEVICE_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1b IRP_MJ_INTERNAL_DEVICE_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1b IRP_MJ_SHUTDOWN 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1b IRP_MJ_LOCK_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1b IRP_MJ_CLEANUP 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1b IRP_MJ_CREATE_MAILSLOT 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1b IRP_MJ_QUERY_SECURITY 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1b IRP_MJ_SET_SECURITY 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1b IRP_MJ_POWER 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1b IRP_MJ_SYSTEM_CONTROL 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1b IRP_MJ_DEVICE_CHANGE 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1b IRP_MJ_QUERY_QUOTA 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1b IRP_MJ_SET_QUOTA 86416B98
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1b IRP_MJ_PNP 86416B98
    Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_READ 86212700
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [BAF0A170] vsdatant.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [BAF0A170] vsdatant.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [BAF0A170] vsdatant.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [BAF0A170] vsdatant.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [BAF0A170] vsdatant.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [BAF0A170] vsdatant.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [BAF0A170] vsdatant.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [BAF0A170] vsdatant.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [BAF0A170] vsdatant.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [BAF0A170] vsdatant.sys
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 85DA43C0
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [BAF0A170] vsdatant.sys
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [BAF0A170] vsdatant.sys
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [BAF0A170] vsdatant.sys
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [BAF0A170] vsdatant.sys
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [BAF0A170] vsdatant.sys
    Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 85DA43C0
    Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_READ 866C6B18
    Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_READ 86259CF0
    Device \FileSystem\Fastfat \Fat IRP_MJ_READ 85D38620
    Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_READ 864DDB10
    Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_READ 864DDB10
    Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_READ 864DDB10
    Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_READ 864DDB10
    Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_READ 864DDB10
    Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 864373D8

    ---- Modules - GMER 1.0.12 ----

    Module _________ F7762000

    ---- Files - GMER 1.0.12 ----

    ADS C:\System Volume Information\_restore{CBDFF53C-DCCD-444C-91C9-66C120DCAF21}\RP402\A0135190.exe:SummaryInformation
    ADS C:\System Volume Information\_restore{CBDFF53C-DCCD-444C-91C9-66C120DCAF21}\RP402\A0135190.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
    File C:\WINDOWS\system32\csski.exe
    File C:\WINDOWS\system32\dmfsp.exe

    ---- EOF - GMER 1.0.12 ----
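The user code section of the GMER log above shows the same seven ntdll exports (NtCreateThread, NtEnumerateKey, NtEnumerateValueKey, NtQueryDirectoryFile, NtQuerySystemInformation, NtQueryValueKey, NtSetValueKey) patched with a 5-byte JMP in every listed process, and the JMP targets end in the same four hex digits from one process to the next (5B5A, 5D3A, 5EB0, 61EE, 60ED, 5FC3, 5C2D). The Python below is an added example for this thread, not part of Frysk's post and not a GMER or HaxFix component: it parses lines in that format, groups hooks per process, and reports whether every hooked process carries the identical hiding-API set and whether the targets sit at the same offset inside a 64 KiB-aligned region, which is what a single injected code blob mapped at a different base in each process looks like. The soundman.exe and msupd01.exe sample lines are copied from the log above; the benign.exe line (its path, PID and addresses) is constructed, and the per-API descriptions in HIDING_APIS are generic user-mode rootkit behaviour assumed for the example, not something the log itself states.

```python
"""Triage of GMER "User code sections" hook lines.

Added example for this thread; not a GMER component and not code from the
forum post.  Sample data: the soundman.exe and msupd01.exe lines are copied
from the log above; the benign.exe line (path, PID, addresses) is constructed
to show a hook that is not part of the injected set.
"""
import re
from collections import defaultdict

# One GMER user-mode hook line, e.g.
# .text C:\WINDOWS\soundman.exe[1556] ntdll.dll!NtCreateThread 77F75A4E 5 Bytes JMP 00975B5A
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.]+)!(?P<func>\w+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)$"
)

# Native calls a user-mode rootkit patches to hide itself.  The descriptions are
# a generic assumption for this example; the log only shows that they are hooked.
HIDING_APIS = {
    "NtQueryDirectoryFile":     "filter files out of directory listings",
    "NtQuerySystemInformation": "filter processes out of process listings",
    "NtEnumerateKey":           "filter registry keys out of enumeration",
    "NtEnumerateValueKey":      "filter registry values out of enumeration",
    "NtQueryValueKey":          "hide or spoof individual registry values",
    "NtSetValueKey":            "guard its own persistence values",
    "NtCreateThread":           "intercept thread creation",
}

ALLOC_GRANULARITY = 0x10000  # Windows reserves private regions on 64 KiB boundaries

SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\soundman.exe[1556] ntdll.dll!NtCreateThread 77F75A4E 5 Bytes JMP 00975B5A
.text C:\WINDOWS\soundman.exe[1556] ntdll.dll!NtEnumerateKey 77F75B5C 5 Bytes JMP 00975D3A
.text C:\WINDOWS\soundman.exe[1556] ntdll.dll!NtEnumerateValueKey 77F75B7A 5 Bytes JMP 00975EB0
.text C:\WINDOWS\soundman.exe[1556] ntdll.dll!NtQueryDirectoryFile 77F75FAE 5 Bytes JMP 009761EE
.text C:\WINDOWS\soundman.exe[1556] ntdll.dll!NtQuerySystemInformation 77F76152 5 Bytes JMP 009760ED
.text C:\WINDOWS\soundman.exe[1556] ntdll.dll!NtQueryValueKey 77F7618E 5 Bytes JMP 00975FC3
.text C:\WINDOWS\soundman.exe[1556] ntdll.dll!NtSetValueKey 77F765A8 5 Bytes JMP 00975C2D
.text C:\msupd01.exe[2456] ntdll.dll!NtCreateThread 77F75A4E 5 Bytes JMP 003B5B5A
.text C:\msupd01.exe[2456] ntdll.dll!NtEnumerateKey 77F75B5C 5 Bytes JMP 003B5D3A
.text C:\msupd01.exe[2456] ntdll.dll!NtEnumerateValueKey 77F75B7A 5 Bytes JMP 003B5EB0
.text C:\msupd01.exe[2456] ntdll.dll!NtQueryDirectoryFile 77F75FAE 5 Bytes JMP 003B61EE
.text C:\msupd01.exe[2456] ntdll.dll!NtQuerySystemInformation 77F76152 5 Bytes JMP 003B60ED
.text C:\msupd01.exe[2456] ntdll.dll!NtQueryValueKey 77F7618E 5 Bytes JMP 003B5FC3
.text C:\msupd01.exe[2456] ntdll.dll!NtSetValueKey 77F765A8 5 Bytes JMP 003B5C2D
.text C:\Program Files\Example\benign.exe[999] kernel32.dll!CreateFileW 7C801A28 5 Bytes JMP 10001F00
"""


def parse_hooks(text):
    """Return one dict per '.text ... JMP ...' line; every other GMER line is skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        h = m.groupdict()
        h["pid"] = int(h["pid"])
        h["addr"] = int(h["addr"], 16)
        h["size"] = int(h["size"])
        h["target"] = int(h["target"], 16)
        hooks.append(h)
    return hooks


def hooks_by_process(hooks):
    """{(image, pid): {function: jmp_target}} keyed by export name."""
    per_proc = defaultdict(dict)
    for h in hooks:
        per_proc[(h["image"], h["pid"])][h["func"]] = h["target"]
    return dict(per_proc)


def triage(text):
    per_proc = hooks_by_process(parse_hooks(text))
    # The hiding-API subset each process carries.
    hiding = {proc: frozenset(f for f in funcs if f in HIDING_APIS)
              for proc, funcs in per_proc.items()}
    infected = sorted(p for p, s in hiding.items() if s)
    hook_sets = {hiding[p] for p in infected}
    # Identical target offsets inside a 64 KiB-aligned region in every process
    # mean one injected blob mapped at different bases, not per-process code.
    offsets = defaultdict(set)
    for p in infected:
        for f in hiding[p]:
            offsets[f].add(per_proc[p][f] % ALLOC_GRANULARITY)
    other = sorted(f"{img}[{pid}] {f}" for (img, pid), funcs in per_proc.items()
                   for f in funcs if f not in HIDING_APIS)
    return {
        "processes": len(per_proc),
        "infected": [f"{img}[{pid}]" for img, pid in infected],
        "uniform_hook_set": len(hook_sets) == 1,
        "hooked_apis": sorted(next(iter(hook_sets), frozenset())),
        "same_injected_blob": bool(offsets) and all(len(o) == 1 for o in offsets.values()),
        "other_hooks": other,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The offset check assumes the injected region is smaller than 64 KiB, which holds for the targets above (every offset is below 0x7000); for a larger injected image you would pair the targets with GMER's module list instead. A hook that does not belong to the uniform set, like the constructed CreateFileW entry, is reported separately so a product's own legitimate hooks are not lumped in with the rootkit's.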
     
  14. 2006/11/06
    TeMerc

    Ok, sorry bout that last post, I pasted the wrong fix first.

    We need to remove the Alcan infection, then WareOut and then HaxFix should work.


    1. Please download, install, and update Ewido anti-spyware
    • Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
    • After the update finishes (the status bar at the bottom will display "Update successful")
    • Close Ewido. Do not run it yet.

    2. Please download Brute Force Uninstaller to your desktop.
    • Right click the BFU folder on your desktop, and choose Extract All
    • Click "Next"
    • In the box to choose where to extract the files to, click "Browse"
    • Click on the + sign next to "My Computer"
    • Click on "Local Disk (C:)" or whatever your primary drive is
    • Click "Make New Folder"
    • Type in BFU
    • Click "Next", and uncheck the "Show Extracted Files" box and then click "Finish".
    3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As ") in order to download Alcan worm remover.
    Save it in the same folder you made earlier (c:\BFU).

    Do not do anything with these yet!

    4. Please reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the screen that appears.

    5. Once in Safe Mode, please go to Start > My Computer and navigate to the C:\BFU folder.
    • Start the Brute Force Uninstaller by doubleclicking BFU.exe
    • Next to the scriptline to execute field click the folder icon and select alcanshorty.bfu
    • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
    • Wait for the complete script execution box to pop up and press OK.
    • Press exit to terminate the BFU program.

    6. Ewido Scan
    • Then run Ewido and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
    • Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
    • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
    • Restart back into Normal Mode.

    Please perform another scan with HijackThis, and then post the contents of the Ewido text report that you saved and a new HijackThis log. (Please edit out any cookie, Recycler and System Volume Information Folder references from the Ewido log)
     
  15. 2006/11/06
    Frysk

    Thank you for your directions.

    I followed all the instructions and the scan took just over two hours.
    It found 12 or so different problems, and about 160 threads to them.
    Unfortunately, when I allowed it to apply all actions,
    it prompted an immediate restart (which I allowed), and didn't reappear
    after the restart, so I don't have a log file. I couldn't find one when
    I ran the program again either.

    Here is a HijackThis! log, and I await your instructions. :)

    (This is not in the log any more:
    F2 - REG:system.ini: Shell=explorer.exe vmmdiag32.exe
    but I expect it will return)


    Logfile of HijackThis v1.99.1
    Scan saved at 4:08:34 PM, on 7/11/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\csrss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\System32\Ati2evxx.exe
    C:\windows\system32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\system32\spoolsv.exe
    C:\windows\system32\Ati2evxx.exe
    C:\windows\Explorer.exe
    C:\windows\System32\alg.exe
    C:\Avast4\aswUpdSv.exe
    C:\Avast4\ashServ.exe
    C:\Avast4\ashDisp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\windows\SOUNDMAN.EXE
    C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
    C:\windows\System32\svchost.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Avast4\ashMaiSv.exe
    C:\Avast4\ashWebSv.exe
    C:\windows\System32\wuauclt.exe
    C:\Program Files\HJThis\HJThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
    R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [avast!] C:\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [Winstt] C:\msupd0112842546.exe
    O4 - HKCU\..\Run: [Winsti] C:\msupd0112842546.exe
    O4 - HKCU\..\Run: [Winsts] C:\msupd0112842546.exe
    O4 - HKCU\..\Run: [Winstr] C:\msupd0112842546.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQ\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQ\ICQLite.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139533146875
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{72DE85CB-F735-439C-BB8B-6E7A1066E9B2}: NameServer = 85.255.116.174,85.255.112.82
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A898C316-9996-4BA0-96B8-F683FF15E646}: NameServer = 85.255.116.174,85.255.112.82
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CD4FF7CB-076E-4D06-B4C6-64215CA2E3CC}: NameServer = 85.255.116.174,85.255.112.82
    O17 - HKLM\System\CCS\Services\Tcpip\..\{ED468E6B-E035-4D12-9CBF-32DE6CA0E367}: NameServer = 85.255.116.174,85.255.112.82
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.174 85.255.112.82
    O17 - HKLM\System\CS1\Services\Tcpip\..\{72DE85CB-F735-439C-BB8B-6E7A1066E9B2}: NameServer = 85.255.116.174,85.255.112.82
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.174 85.255.112.82
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
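    As an added triage example (my own code, not HijackThis or any of the tools used in this thread), the script below parses the three indicator classes visible in the log above: the F2 "Shell=" line from the first post (the Winlogon shell value, which should name only explorer.exe), the four HKCU Run values that all launch C:\msupd0112842546.exe, and the O17 NameServer entries that point every interface and both control sets at the same public pair. The sample lines are constructed from the posted logs so it runs offline; the "drive-root executable" heuristic and the "public resolver" test are my assumptions, not HijackThis rules.

```python
"""Triage a HijackThis v1.99 log for the persistence indicators seen in this thread.

Added example, not part of the original thread or of HijackThis itself.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: lines copied from the logs posted in this thread
# (the F2 line comes from the first post; it had dropped out of the later log).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe vmmdiag32.exe
O4 - HKLM\..\Run: [avast!] C:\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Winstt] C:\msupd0112842546.exe
O4 - HKCU\..\Run: [Winsti] C:\msupd0112842546.exe
O4 - HKCU\..\Run: [Winsts] C:\msupd0112842546.exe
O4 - HKCU\..\Run: [Winstr] C:\msupd0112842546.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{72DE85CB-F735-439C-BB8B-6E7A1066E9B2}: NameServer = 85.255.116.174,85.255.112.82
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.174 85.255.112.82
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.174 85.255.112.82
O23 - Service: avast! Antivirus - Unknown owner - C:\Avast4\ashServ.exe
"""

SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
DNS_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def run_target(cmd):
    """Reduce a Run-value command line to its lower-cased executable path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                     # quoted path, arguments follow the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end].lower() if end > 0 else cmd.lower()
    m = re.match(r"(.+?\.exe)\b", cmd, re.I)    # unquoted path, possibly containing spaces
    return (m.group(1) if m else cmd.split()[0]).lower()


def check_shell(lines):
    """Return every token in the Winlogon Shell value other than explorer.exe."""
    extras = []
    for line in lines:
        m = SHELL_RE.match(line)
        if m:
            extras.extend(t for t in m["value"].split() if t.lower() != "explorer.exe")
    return extras


def check_run_entries(lines):
    """Group Run values by target; flag shared targets and drive-root executables (heuristics)."""
    by_target = defaultdict(list)
    for line in lines:
        m = RUN_RE.match(line)
        if m:
            by_target[run_target(m["cmd"])].append((m["hive"], m["name"]))
    findings = []
    for target, values in by_target.items():
        reasons = []
        if len(values) > 1:
            reasons.append(f"{len(values)} Run values launch the same file")
        if re.fullmatch(r"[a-z]:\\[^\\]+", target):   # assumption: C:\foo.exe is rarely legitimate
            reasons.append("executable sits in the drive root")
        if reasons:
            findings.append({"target": target, "values": values, "reasons": reasons})
    return findings


def check_nameservers(lines):
    """Map each hard-coded public (globally routable) NameServer to the registry keys naming it."""
    public = defaultdict(set)
    for line in lines:
        m = DNS_RE.match(line)
        if not m:
            continue
        for token in re.split(r"[,\s]+", m["servers"].strip()):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                continue
            if ip.is_global:
                public[str(ip)].add(m["key"])
    return {server: sorted(keys) for server, keys in public.items()}


def triage(text):
    """Run all three checks over a HijackThis log and return the findings."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    return {
        "shell_extras": check_shell(lines),
        "run_entries": check_run_entries(lines),
        "public_nameservers": check_nameservers(lines),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

    On NT-based Windows the F2 line is HijackThis's view of the Shell value under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, and the O4 and O17 lines come from the Run keys and from Tcpip\Parameters (and its Interfaces subkeys), so a live check reads the same locations. A hard-coded public resolver can be legitimate (a statically configured ISP server), which is why the script reports the servers and the keys that reference them for review rather than declaring an infection; the pattern here, the same pair on every adapter GUID and in both control sets, is what prompted the FixWareout step that follows.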
     
  16. 2006/11/07
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, let's move along with the WareOut fix and see what it finds.

    You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

    Please download FixWareout from one of these sites:
    Subratam
    Bleeping Computing

    Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    Once rebooted, please post the text that will open (report.txt) and a new HijackThis log file into this thread.
    If you get a file output similar to below:



    Go here and run the fix appropriate to your version of Windows:

    http://www.tech-forums.net/computer/topic/29806.html

    Then re-run Fixwareout please, thanks.
     
  17. 2006/11/07
    Frysk

    Frysk Inactive Thread Starter

    Joined:
    2006/11/06
    Messages:
    21
    Likes Received:
    0
    Done and done.
    I didn't follow the last step as my file output was different to the example.



    Fixwareout ver 1.003
    Last edited 8/11/2006
    Post this report in the forums please

    Reg Entries that were deleted
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}583DBD134E85-56C8-0E64-305F-B353E7DC{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\cdbmd
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
    ...

    Microsoft (R) Windows Script Host Version 5.6
    Random Runs removed from HKLM
    "dmbdc.exe "=-
    ...

    PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

    »»»»» Searching by size/names...

    »»»»»
    Search five digit cs, dm and jb files.
    This WILL/CAN also list Legit Files, Submit them at Virustotal
    C:\WINDOWS\SYSTEM32\CSLDV.EXE 51,764 2006-11-06
    C:\WINDOWS\SYSTEM32\DMBDC.EXE 60,934 2002-08-29

    Other suspects.
    Directory of C:\windows\system32

    »»»»» Misc files.

    »»»»» Checking for older varients covered by the Rem3 tool.




    Logfile of HijackThis v1.99.1
    Scan saved at 4:50:51 PM, on 7/11/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\System32\Ati2evxx.exe
    C:\windows\system32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\system32\spoolsv.exe
    C:\Avast4\aswUpdSv.exe
    C:\Avast4\ashServ.exe
    C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
    C:\windows\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\windows\system32\Ati2evxx.exe
    C:\windows\Explorer.EXE
    C:\Avast4\ashWebSv.exe
    C:\Avast4\ashMaiSv.exe
    C:\windows\System32\wuauclt.exe
    C:\Avast4\ashDisp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\windows\SOUNDMAN.EXE
    C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\HJThis\HJThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
    R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [avast!] C:\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [Winstt] C:\msupd0112842546.exe
    O4 - HKCU\..\Run: [Winsti] C:\msupd0112842546.exe
    O4 - HKCU\..\Run: [Winsts] C:\msupd0112842546.exe
    O4 - HKCU\..\Run: [Winstr] C:\msupd0112842546.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQ\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQ\ICQLite.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139533146875
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{72DE85CB-F735-439C-BB8B-6E7A1066E9B2}: NameServer = 85.255.116.174,85.255.112.82
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A898C316-9996-4BA0-96B8-F683FF15E646}: NameServer = 85.255.116.174,85.255.112.82
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CD4FF7CB-076E-4D06-B4C6-64215CA2E3CC}: NameServer = 85.255.116.174,85.255.112.82
    O17 - HKLM\System\CCS\Services\Tcpip\..\{ED468E6B-E035-4D12-9CBF-32DE6CA0E367}: NameServer = 85.255.116.174,85.255.112.82
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.174 85.255.112.82
    O17 - HKLM\System\CS1\Services\Tcpip\..\{72DE85CB-F735-439C-BB8B-6E7A1066E9B2}: NameServer = 85.255.116.174,85.255.112.82
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.174 85.255.112.82
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  18. 2006/11/07
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, that seemed to remove some more and the HJT log looks better. Let's finish up now with HaxFix, which you already have, using the instructions. Post the log back here.
     
  19. 2006/11/07
    Frysk

    Frysk Inactive Thread Starter

    Joined:
    2006/11/06
    Messages:
    21
    Likes Received:
    0
    Haxfix didn't find anything in the automatic fix.
    I then ran option 1 to get the following log file:


    HAXFIX logfile - by Marckie
    ______________
    version 4.28
    Tue 07/11/2006 17:59:51.00

    checking for haxdoor
    --------------------
    checking for a3d files....
    a3d files not found

    checking for matching notify keys....
    no matching notify keys found

    checking for matching services....
    no matching services found

    checking for matching safeboot services....
    no matching safeboot services found

    checking for other haxdoorfiles....


    Checking for goldun
    -------------------

    checking for SSODL keys....
    no ssodl keys found

    checking for notify keys....
    no notify keys found

    checking for services....
    no services found

    checking for other goldunfiles....


    Finished
     
  20. 2006/11/07
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, let's run ComboFix first, then HJT, and post both logs back here for me; I'll get to them in the morning. Time for some Zs for moi. :D
     
  21. 2006/11/07
    Frysk

    Frysk Inactive Thread Starter

    Joined:
    2006/11/06
    Messages:
    21
    Likes Received:
    0
    Okay I'll get to it.
    Thanks very much for all your help thus far.
    Goodnight, and may you dream of unicorns and butterflies.
    ... and unicorn-butterflies.
     