XP: Taskbar/Start Menu gone, desktop icons unmovable, more symptoms inside

Discussion in 'Malware and Virus Removal Archive' started by Flapdoodle, 2007/10/09.

  1. 2007/10/10
    Flapdoodle (Thread Starter)

    check.txt:

    Volume in drive C has no label.
    Volume Serial Number is C88E-D82C
     
  2. 2007/10/10
    noahdfear

    Something's not right. Please right click the check.bat file and select Edit to open it with notepad. Verify its contents are exactly as below.

    @echo off
    dir %systemdrive%\svchost.exe /a h /s > check.txt
    start notepad check.txt
    cls
    exit


    If not, fix it and save the changes, then run it again after deleting check.txt
     

  4. 2007/10/10
    Flapdoodle (Thread Starter)

    That's exactly in the .bat file. Comes up with the same result. The command prompt window doesn't automatically close either, if that makes a difference.
     
  5. 2007/10/10
    noahdfear

    Is the check.txt file opening on its own?
     
  6. 2007/10/10
    Flapdoodle (Thread Starter)

    Nope, but it gets created still.
     
  7. 2007/10/10
    Flapdoodle (Thread Starter)

    Ah, hold on...I think I just wasn't waiting long enough before closing the prompt window. It seems to take a while. Revised check.txt incoming in a few.

    Volume in drive C has no label.
    Volume Serial Number is C88E-D82C

    Directory of C:\WINDOWS\$NtServicePackUninstall$

    08/23/2001 10:00 AM 12,800 svchost.exe
    1 File(s) 12,800 bytes

    Directory of C:\WINDOWS\ServicePackFiles\i386

    08/04/2004 02:56 AM 14,336 svchost.exe
    1 File(s) 14,336 bytes

    Directory of C:\WINDOWS\system32

    08/04/2004 02:56 AM 14,336 svchost.exe
    1 File(s) 14,336 bytes
     
  8. 2007/10/10
    noahdfear

    I thought that might be it ....... it's searching your entire drive for all copies of svchost.exe ;)

    Please edit the verify.bat with the following text, then run it and post the log.

    @echo off
    if exist verify.txt del /q verify.txt
    FileDigitalSignVerify.EXE C:\WINDOWS\system32\svchost.exe | findstr /b 0x >>verify.txt
    FileDigitalSignVerify.EXE C:\WINDOWS\ServicePackFiles\i386\svchost.exe | findstr /b 0x >>verify.txt
    FileDigitalSignVerify.EXE C:\WINDOWS\$NtServicePackUninstall$\svchost.exe | findstr /b 0x >>verify.txt
    start notepad verify.txt
    cls
    exit
     
  9. 2007/10/10
    Flapdoodle (Thread Starter)

    verify.txt

    0x800b0100 - C:\WINDOWS\system32\svchost.exe

    0x800b0100 - C:\WINDOWS\ServicePackFiles\i386\svchost.exe

    0x800b0100 - C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
     
  10. 2007/10/10
    noahdfear

    Wow ....... none of those passed signature verification. Any chance you have another XP SP2 machine around there you could get a new copy from?

    Please upload the C:\WINDOWS\system32\svchost.exe file to my submission channel. Leave a link back to this topic.
     
  11. 2007/10/10
    Flapdoodle (Thread Starter)

    No idea where our install disks are, which is why I was reluctant to reformat, but there's another computer I could copy/paste from if that's what you mean. Just copy svchost.exe from the other computer to this one and there won't be any trouble?
     
  12. 2007/10/10
    noahdfear

    If the other computer is updated to SP2 then you should be able to copy the file from there. Just make sure it's the same size and date.

    08/04/2004 14,336 bytes (14kb) svchost.exe

    Problem will be, if there is one, that the file is in use and won't allow you to do anything with it. Try to rename the one in system32 to svchost.old, then copy the new one in its place and reboot.
     
  13. 2007/10/10
    Flapdoodle (Thread Starter)

    Okay, copied the file and rebooted. Ran verify.bat again, results:

    0x800b0100 - C:\WINDOWS\system32\svchost.exe

    0x800b0100 - C:\WINDOWS\ServicePackFiles\i386\svchost.exe

    0x800b0100 - C:\WINDOWS\$NtServicePackUninstall$\svchost.exe

    0x800b0100 - C:\svchost.exe

    Seems to be the same as before. The last line was the copied file, straight from the flash drive.
     
  14. 2007/10/10
    noahdfear

    Hmmm ........ let's see what MS's verifier says. Click Start>Run and type sigverif then hit Enter to open the File Signature Verification tool. Click Advanced. Select 'Look for other files .......' then change the 'Scan this file type' to *.exe and look in C:\Windows\system32
    Click OK then Start. When complete, click Advanced>Logging tab>View log and post its contents.

    I'll check back in tomorrow ....... gotta get some sleep.
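
    The three checks the thread walks through (find every copy of svchost.exe, verify its signature, compare size and date against a known-good copy) can be done in one pass. The PowerShell below is an added example, not a script from the thread or from noahdfear's tools; the reference size and date and the three expected locations are taken from the replies above, and $Root and the Flags logic are assumptions. Two caveats a defender would want here: 0x800b0100 is TRUST_E_NOSIGNATURE, which an embedded-signature checker returns for a file that carries no signature of its own, and XP's own system binaries are signed through catalog (.cat) files rather than embedded signatures, so such a checker reports every OS file as unsigned. sigverif consults the catalog store, as does Get-AuthenticodeSignature on current Windows builds, while older builds may still report NotSigned for catalog-signed files. What actually warrants attention is a copy in an unexpected directory, with a different size, or with a valid signature from a non-Microsoft signer; the $NtServicePackUninstall$ copy legitimately keeps the pre-SP2 version and will differ in size and date by design.

```powershell
# Added example (not from the thread). Enumerates every svchost.exe on the
# system drive, hidden ones included (what 'dir /a /s' does in cmd), and reports
# size, timestamp, SHA-256 and Authenticode status so each copy can be compared
# against a known-good reference from another machine.

# Reference values quoted in the thread for the XP SP2 copy: 14,336 bytes, 08/04/2004.
$ExpectedSize = 14336
$ExpectedDate = [datetime]'2004-08-04'

# Assumed set of locations where a legitimate copy is expected to live
# (the three directories the thread's check.txt found).
$ExpectedPaths = @(
    (Join-Path $env:SystemRoot 'system32\svchost.exe'),
    (Join-Path $env:SystemRoot 'ServicePackFiles\i386\svchost.exe'),
    (Join-Path $env:SystemRoot '$NtServicePackUninstall$\svchost.exe')
)

function Get-SvchostCopies {
    param([string]$Root = (Join-Path $env:SystemDrive '\'))
    # -Force includes hidden and system files; -ErrorAction skips folders we cannot read.
    Get-ChildItem -Path $Root -Filter 'svchost.exe' -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path               = $_.FullName
                Size               = $_.Length
                Modified           = $_.LastWriteTime
                SHA256             = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                SigStatus          = $sig.Status     # Valid, NotSigned, HashMismatch, ...
                Signer             = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                InExpectedLocation = ($ExpectedPaths -contains $_.FullName)   # case-insensitive
            }
        }
}

function Test-SvchostCopy {
    # Attaches a Flags column listing everything about a copy that deviates from the reference.
    # A size/date flag on the $NtServicePackUninstall$ copy is expected (pre-SP2 version).
    param([Parameter(Mandatory, ValueFromPipeline)] $Copy)
    process {
        $flags = @()
        if (-not $Copy.InExpectedLocation)         { $flags += 'unexpected location' }
        if ($Copy.Size -ne $ExpectedSize)           { $flags += "size $($Copy.Size) != $ExpectedSize" }
        if ($Copy.Modified.Date -ne $ExpectedDate)  { $flags += "date $($Copy.Modified.ToShortDateString())" }
        if ($Copy.SigStatus -ne 'Valid')            { $flags += "signature $($Copy.SigStatus)" }
        $Copy | Add-Member -NotePropertyName Flags -NotePropertyValue ($flags -join '; ') -PassThru
    }
}

# Unexpected locations sort first so they are the first thing on screen.
Get-SvchostCopies |
    Test-SvchostCopy |
    Sort-Object InExpectedLocation |
    Format-Table Path, Size, Modified, SigStatus, Signer, Flags -AutoSize -Wrap
```

    Run the same script on the second machine Flapdoodle mentions and compare the SHA256 column: two copies of the same SP2 build hash identically, which is a stronger check than matching size and date, and a copy that hashes differently from a known-good one at the same size is exactly the case the timestamp comparison cannot catch.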
     
  15. 2007/10/11
    Flapdoodle (Thread Starter)

    The logfile was longer than the allowed posting limit, so I cut out a bunch of the early files.
    Code:
    Log file generated on 10/10/2007 at 11:54 PM
    OS Platform:  Windows 2000 (x86), Version:  5.1, Build: 2600, CSDVersion:  Service Pack 2
    Scan Results:  Total Files: 349, Signed: 9, Unsigned: 340, Not Scanned: 0
    
    User-specified search path:  *.exe
    User-specified search pattern:  C:\WINDOWS\system32
    
    File                      Modified       Version             Status              Catalog              Signed By
    ------------------      ------------   -----------        ------------        -----------          -------------------
    [c:\windows\system32]            
    autofmt.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    autolfn.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    blastcln.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    bootcfg.exe              8/23/2001      5.1.2600.0          Not Signed          N/A                 
    bootok.exe               8/23/2001      5.1.2600.0          Not Signed          N/A                 
    bootvrfy.exe             8/23/2001      5.1.2600.0          Not Signed          N/A                 
    cacls.exe                8/23/2001      5.1.2600.0          Not Signed          N/A                 
    calc.exe                 8/23/2001      5.1.2600.0          Not Signed          N/A                 
    capabilitytable.exe      6/3/2005       2.2.1.464           Not Signed          N/A                 
    charmap.exe              8/23/2001      5.1.2600.0          Not Signed          N/A                 
    chkdsk.exe               8/23/2001      5.1.2600.0          Not Signed          N/A                 
    chkntfs.exe              8/23/2001      5.1.2600.0          Not Signed          N/A                 
    cidaemon.exe             8/23/2001      5.1.2600.0          Not Signed          N/A                 
    cipher.exe               8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    cisvc.exe                8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    ckcnv.exe                8/23/2001      6.0.2600.0          Not Signed          N/A                 
    cleanmgr.exe             8/4/2004       6.0.2900.2180       Not Signed          N/A                 
    cliconfg.exe             8/4/2004       2000.85.1117.0      Not Signed          N/A                 
    clipbrd.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    clipsrv.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    cmd.exe                  8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    cmdl32.exe               8/4/2004       7.2.2600.2180       Not Signed          N/A                 
    cmmon32.exe              8/4/2004       7.2.2600.2180       Not Signed          N/A                 
    cmstp.exe                8/4/2004       7.2.2600.2180       Not Signed          N/A                 
    comp.exe                 8/23/2001      5.1.2600.0          Not Signed          N/A                 
    compact.exe              8/23/2001      5.1.2600.0          Not Signed          N/A                 
    comsdupd.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    conime.exe               8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    control.exe              8/23/2001      5.1.2600.0          Not Signed          N/A                 
    convert.exe              8/23/2001      5.1.2600.0          Not Signed          N/A                 
    cscript.exe              8/4/2004       5.6.0.8820          Not Signed          N/A                 
    csrss.exe                8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    ctfmon.exe               8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    dcomcnfg.exe             8/23/2001      2001.12.4414.42     Not Signed          N/A                 
    ddeshare.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    debug.exe                8/23/2001      None                Not Signed          N/A                 
    defrag.exe               8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    dfrgfat.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    dfrgntfs.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    diantz.exe               8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    diskpart.exe             8/4/2004       5.1.3565.0          Not Signed          N/A                 
    diskperf.exe             8/23/2001      5.1.2600.0          Not Signed          N/A                 
    divxsm.exe               11/22/2005     None                Not Signed          N/A                 
    dllhost.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    dllhst3g.exe             8/23/2001      5.1.2600.0          Not Signed          N/A                 
    dmadmin.exe              8/4/2004       2600.2180.503.0     Not Signed          N/A                 
    dmremote.exe             8/4/2004       2600.2180.503.0     Not Signed          N/A                 
    doskey.exe               8/23/2001      5.1.2600.0          Not Signed          N/A                 
    dosx.exe                 8/4/2004       None                Not Signed          N/A                 
    dplaysvr.exe             8/4/2004       5.3.2600.2180       Not Signed          N/A                 
    dpnsvr.exe               8/4/2004       5.3.2600.2180       Not Signed          N/A                 
    dpvsetup.exe             8/4/2004       5.3.2600.2180       Not Signed          N/A                 
    driverquery.exe          8/23/2001      5.1.2600.0          Not Signed          N/A                 
    drwatson.exe             8/23/2001      3.10.0.103          Not Signed          N/A                 
    drwtsn32.exe             8/23/2001      5.1.2600.0          Not Signed          N/A                 
    dumprep.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    dvdplay.exe              8/23/2001      1.0.0.2             Not Signed          N/A                 
    dvdupgrd.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    dwwin.exe                8/4/2004       10.0.5815.0         Not Signed          N/A                 
    dxdiag.exe               8/4/2004       5.3.2600.2180       Not Signed          N/A                 
    dxdllreg.exe             12/12/2002     4.9.0.902           Not Signed          N/A                 
    edlin.exe                8/23/2001      None                Not Signed          N/A                 
    esentutl.exe             8/23/2001      5.1.2600.0          Not Signed          N/A                 
    eudcedit.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    eventcreate.exe          8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    eventtriggers.exe        8/23/2001      5.1.2600.0          Not Signed          N/A                 
    eventvwr.exe             8/23/2001      5.1.2600.0          Not Signed          N/A                 
    exe2bin.exe              8/23/2001      None                Not Signed          N/A                 
    expand.exe               8/23/2001      5.1.2600.0          Not Signed          N/A                 
    extrac32.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    fastopen.exe             8/23/2001      None                Not Signed          N/A                 
    faxpatch.exe             8/4/2004       5.2.2600.2180       Not Signed          N/A                 
    fc.exe                   8/23/2001      5.1.2600.0          Not Signed          N/A                 
    find.exe                 8/23/2001      5.1.2600.0          Not Signed          N/A                 
    findstr.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    finger.exe               8/23/2001      5.1.2600.0          Not Signed          N/A                 
    fixmapi.exe              8/23/2001      5.5.2600.0          Not Signed          N/A                 
    fltmc.exe                8/21/2006      2:5.1               Signed              KB922582.cat        Microsoft Windows Component Publisher
    fontview.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    forcedos.exe             8/23/2001      5.1.2600.0          Not Signed          N/A                 
    freecell.exe             8/23/2001      5.1.2600.0          Not Signed          N/A                 
    fsquirt.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    fsutil.exe               8/23/2001      5.1.2600.0          Not Signed          N/A                 
    ftp.exe                  8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    gdi.exe                  8/23/2001      3.10.0.103          Not Signed          N/A                 
    getmac.exe               8/23/2001      5.1.2600.0          Not Signed          N/A                 
    gpresult.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    gpupdate.exe             8/23/2001      5.1.2600.0          Not Signed          N/A                 
    grpconv.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    help.exe                 8/23/2001      5.1.2600.0          Not Signed          N/A                 
    hostname.exe             8/23/2001      5.1.2600.0          Not Signed          N/A                 
    ie4uinit.exe             8/4/2004       6.0.2900.2180       Not Signed          N/A                 
    iexpress.exe             8/4/2004       6.0.2900.2180       Not Signed          N/A                 
    imapi.exe                8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    ipconfig.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    ipsec6.exe               8/23/2001      5.1.2600.0          Not Signed          N/A                 
    ipv6.exe                 8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    ipxroute.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    irftp.exe                8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    java.exe                 6/3/2005       5.0.40.5            Not Signed          N/A                 
    javaw.exe                6/3/2005       5.0.40.5            Not Signed          N/A                 
    javaws.exe               6/3/2005       5.0.40.5            Not Signed          N/A                 
    keystone.exe             2/24/2005      6.14.10.10035       Not Signed          N/A                 
    krnl386.exe              8/4/2004       3.10.0.103          Not Signed          N/A                 
    label.exe                8/23/2001      5.1.2600.0          Not Signed          N/A                 
    lights.exe               8/23/2001      5.1.2600.0          Not Signed          N/A                 
    lnkstub.exe              8/23/2001      5.1.2600.0          Not Signed          N/A                 
    locator.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    lodctr.exe               8/23/2001      5.1.2600.0          Not Signed          N/A                 
    logagent.exe             8/4/2004       9.0.0.3250          Not Signed          N/A                 
    logman.exe               8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    logoff.exe               8/23/2001      5.1.2600.0          Not Signed          N/A                 
    logonui.exe              8/4/2004       6.0.2900.2180       Not Signed          N/A                 
    lpq.exe                  8/23/2001      5.1.2600.0          Not Signed          N/A                 
    lpr.exe                  8/23/2001      5.1.2600.0          Not Signed          N/A                 
    lsass.exe                8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    lxrsii1s.exe             5/19/2005      None                Not Signed          N/A                 
    lxrunplug.exe            7/15/2005      1.0.0.1             Not Signed          N/A                 
    magnify.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    makecab.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    mem.exe                  8/23/2001      None                Not Signed          N/A                 
    migpwd.exe               8/23/2001      5.1.2600.0          Not Signed          N/A                 
    mmc.exe                  8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    mnmsrvc.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    mobsync.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    mountvol.exe             8/23/2001      5.1.2600.0          Not Signed          N/A                 
    mplay32.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    mpnotify.exe             8/23/2001      5.1.2600.0          Not Signed          N/A                 
    mqbkup.exe               8/4/2004       5.1.0.1108          Not Signed          N/A                 
    mqsvc.exe                8/4/2004       5.1.0.1108          Not Signed          N/A                 
    mqtgsvc.exe              8/4/2004       5.1.0.1108          Not Signed          N/A                 
    mrinfo.exe               8/23/2001      5.1.2600.0          Not Signed          N/A                 
    mrt.exe                  9/28/2007      None                Signed              N/A                 Microsoft Corporation
    mscdexnt.exe             8/23/2001      None                Not Signed          N/A                 
    msdtc.exe                8/4/2004       2001.12.4414.258    Not Signed          N/A                 
    msg.exe                  8/23/2001      5.1.2600.0          Not Signed          N/A                 
    mshearts.exe             8/23/2001      5.1.2600.0          Not Signed          N/A                 
    mshta.exe                8/4/2004       6.0.2900.2180       Not Signed          N/A                 
    msiexec.exe              5/4/2005       3.1.4000.1823       Not Signed          N/A                 
    mspaint.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    msswchx.exe              8/23/2001      5.1.2600.0          Not Signed          N/A                 
    mstinit.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    mstsc.exe                8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    narrator.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    nbtstat.exe              8/23/2001      5.1.2600.0          Not Signed          N/A                 
    nddeapir.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    nerocheck.exe            7/9/2001       1.0.0.2             Not Signed          N/A                 
    net.exe                  8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    net1.exe                 8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    netdde.exe               8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    netsetup.exe             8/4/2004       6.0.2600.0          Not Signed          N/A                 
    netsh.exe                8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    netstat.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    nlsfunc.exe              8/23/2001      None                Not Signed          N/A                 
    notepad.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    nslookup.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    ntbackup.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    ntkrnlpa.exe             2/28/2007      2:5.1               Signed              KB931784.cat        Microsoft Windows Component Publisher
    ntoskrnl.exe             2/28/2007      2:5.1               Signed              KB931784.cat        Microsoft Windows Component Publisher
    ntsd.exe                 8/23/2001      5.1.2600.0          Not Signed          N/A                 
    ntvdm.exe                8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    nvappbar.exe             2/24/2005      6.14.10.10035       Not Signed          N/A                 
    nvcolor.exe              2/24/2005      6.14.10.7184        Not Signed          N/A                 
    nvdspsch.exe             2/24/2005      6.14.10.10035       Not Signed          N/A                 
    nvsvc32.exe              2/24/2005      6.14.10.7184        Not Signed          N/A                 
    nvuaudio.exe             6/3/2005       1.0.1.37            Not Signed          N/A                 
    nvudisp.exe              6/3/2005       1.0.1.37            Not Signed          N/A                 
    nvuide.exe               6/3/2005       1.0.1.37            Not Signed          N/A                 
    nvuninst.exe             6/3/2005       1.0.1.37            Not Signed          N/A                 
    nvunrm.exe               6/3/2005       1.0.1.37            Not Signed          N/A                 
    nvusmb.exe               5/13/2005      1.0.1.37            Not Signed          N/A                 
    nw16.exe                 8/23/2001      None                Not Signed          N/A                 
    nwiz.exe                 2/24/2005      6.14.10.10035       Not Signed          N/A                 
    nwscript.exe             8/23/2001      5.1.2600.0          Not Signed          N/A                 
    odbcad32.exe             8/4/2004       3.525.1117.0        Not Signed          N/A                 
    odbcconf.exe             8/4/2004       3.525.1117.0        Not Signed          N/A                 
    openfiles.exe            8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    osk.exe                  8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    osuninst.exe             8/23/2001      5.1.2600.0          Not Signed          N/A                 
    packager.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    pathping.exe             8/23/2001      5.1.2600.0          Not Signed          N/A                 
    pentnt.exe               8/23/2001      5.1.2600.0          Not Signed          N/A                 
    perfmon.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    ping.exe                 8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    ping6.exe                8/23/2001      5.1.2600.0          Not Signed          N/A                 
    powercfg.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    print.exe                8/23/2001      5.1.2600.0          Not Signed          N/A                 
    progman.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    proquota.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    proxycfg.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    qappsrv.exe              8/23/2001      5.1.2600.0          Not Signed          N/A                 
    qprocess.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    qwinsta.exe              8/23/2001      5.1.2600.0          Not Signed          N/A                 
    rasautou.exe             8/23/2001      5.1.2600.0          Not Signed          N/A                 
    rasdial.exe              8/23/2001      5.1.2600.0          Not Signed          N/A                 
    rasphone.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    rcimlby.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    rcp.exe                  8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    rdpclip.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    rdsaddin.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    rdshost.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    recover.exe              8/23/2001      5.1.2600.0          Not Signed          N/A                 
    redir.exe                8/4/2004       None                Not Signed          N/A                 
    reg.exe                  8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    regedt32.exe             8/23/2001      5.1.2600.0          Not Signed          N/A                 
    regini.exe               8/23/2001      5.1.2600.0          Not Signed          N/A                 
    regsvr32.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    regwiz.exe               8/23/2001      3.0.0.0             Not Signed          N/A                 
    relog.exe                8/23/2001      5.1.2600.0          Not Signed          N/A                 
    replace.exe              8/23/2001      5.1.2600.0          Not Signed          N/A                 
    reset.exe                8/23/2001      5.1.2600.0          Not Signed          N/A                 
    rexec.exe                8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    route.exe                8/23/2001      5.1.2600.0          Not Signed          N/A                 
    routemon.exe             8/23/2001      5.1.2600.0          Not Signed          N/A                 
    rsh.exe                  8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    rsm.exe                  8/23/2001      5.0.2074.0          Not Signed          N/A                 
    rsmsink.exe              8/23/2001      5.1.2400.1          Not Signed          N/A                 
    rsmui.exe                8/23/2001      5.1.2400.1          Not Signed          N/A                 
    rsnotify.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    rsopprov.exe             8/23/2001      5.1.2600.0          Not Signed          N/A                 
    rsvp.exe                 8/23/2001      5.1.2600.0          Not Signed          N/A                 
    rtcshare.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    runas.exe                8/23/2001      5.1.2600.0          Not Signed          N/A                 
    rundll32.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    runonce.exe              8/4/2004       6.0.2900.2180       Not Signed          N/A                 
    rwinsta.exe              8/23/2001      5.1.2600.0          Not Signed          N/A                 
    savedump.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    sc.exe                   8/23/2001      5.1.2600.0          Not Signed          N/A                 
    scardsvr.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    schtasks.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    sdbinst.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    secedit.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    services.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    sessmgr.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    sethc.exe                8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    setup.exe                8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    setver.exe               8/23/2001      None                Not Signed          N/A                 
    sfc.exe                  8/23/2001      5.1.2600.0          Not Signed          N/A                 
    shadow.exe               8/23/2001      5.1.2600.0          Not Signed          N/A                 
    share.exe                8/23/2001      None                Not Signed          N/A                 
    shmgrate.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    shrpubw.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    shutdown.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    sigverif.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    skeys.exe                8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    slrundll.exe             8/4/2004       3.80.1.0            Not Signed          N/A                 
    slserv.exe               8/4/2004       3.80.1.0            Not Signed          N/A                 
    smbinst.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    smlogsvc.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    smss.exe                 8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    sndrec32.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    sndvol32.exe             8/23/2001      5.1.2600.0          Not Signed          N/A                 
    sol.exe                  8/23/2001      5.1.2600.0          Not Signed          N/A                 
    sort.exe                 8/23/2001      5.1.2600.0          Not Signed          N/A                 
    spdwnwxp.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    spider.exe               8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    spiisupd.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    spnpinst.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    spoolsv.exe              6/10/2005      5.1.2600.2696       Not Signed          N/A                 
    sprestrt.exe             8/23/2001      5.1.2600.0          Not Signed          N/A                 
    spupdsvc.exe             6/28/2005      None                Signed              N/A                 Microsoft Corporation
    spupdwxp.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    stimon.exe               8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    subst.exe                8/23/2001      5.1.2600.0          Not Signed          N/A                 
    svchost.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    syncapp.exe              8/23/2001      5.1.2600.0          Not Signed          N/A                 
    sysedit.exe              8/23/2001      3.10.0.103          Not Signed          N/A                 
    syskey.exe               8/23/2001      5.1.2600.0          Not Signed          N/A                 
    sysocmgr.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    systeminfo.exe           8/23/2001      5.1.2600.0          Not Signed          N/A                 
    systray.exe              8/23/2001      5.1.2600.0          Not Signed          N/A                 
    taskkill.exe             8/23/2001      5.1.2600.0          Not Signed          N/A                 
    tasklist.exe             8/23/2001      5.1.2600.0          Not Signed          N/A                 
    taskman.exe              8/23/2001      5.1.2600.0          Not Signed          N/A                 
    taskmgr.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    tcmsetup.exe             8/23/2001      5.1.2600.0          Not Signed          N/A                 
    tcpsvcs.exe              8/23/2001      5.1.2600.0          Not Signed          N/A                 
    telnet.exe               5/10/2005      5.1.2600.2674       Not Signed          N/A                 
    tftp.exe                 8/23/2001      5.1.2600.0          Not Signed          N/A                 
    tlntadmn.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    tlntsess.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    tlntsvr.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    tourstart.exe            8/4/2004       6.0.2900.2180       Not Signed          N/A                 
    tracerpt.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    tracert.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    tracert6.exe             8/23/2001      5.1.2600.0          Not Signed          N/A                 
    tscon.exe                8/23/2001      5.1.2600.0          Not Signed          N/A                 
    tscupgrd.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    tsdiscon.exe             8/23/2001      5.1.2600.0          Not Signed          N/A                 
    tskill.exe               8/23/2001      5.1.2600.0          Not Signed          N/A                 
    tsshutdn.exe             8/23/2001      5.1.2600.0          Not Signed          N/A                 
    tweakui.exe              3/19/2002      2.0.0.0             Not Signed          N/A                 
    typeperf.exe             8/23/2001      5.1.2600.0          Not Signed          N/A                 
    tzchange.exe             7/18/2007      2:5.1               Signed              KB933360.cat        Microsoft Windows Component Publisher
    unlodctr.exe             8/23/2001      5.1.2600.0          Not Signed          N/A                 
    upnpcont.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    ups.exe                  8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    user.exe                 8/23/2001      3.10.0.103          Not Signed          N/A                 
    userinit.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    usrmlnka.exe             8/23/2001      4.11.21.0           Not Signed          N/A                 
    usrprbda.exe             8/23/2001      4.11.21.0           Not Signed          N/A                 
    usrshuta.exe             8/23/2001      4.11.21.0           Not Signed          N/A                 
    utilman.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    verclsid.exe             3/16/2006      5.1.2600.2869       Not Signed          N/A                 
    verifier.exe             8/23/2001      5.1.2600.0          Not Signed          N/A                 
    vssadmin.exe             8/23/2001      5.1.2600.0          Not Signed          N/A                 
    vssvc.exe                8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    vwipxspx.exe             8/23/2001      None                Not Signed          N/A                 
    w32tm.exe                8/23/2001      5.1.2600.0          Not Signed          N/A                 
    wextract.exe             8/4/2004       6.0.2900.2180       Not Signed          N/A                 
    wgatray.exe              6/19/2006      None                Signed              N/A                 Microsoft Corporation
    wiaacmgr.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    winchat.exe              8/23/2001      5.1.2600.0          Not Signed          N/A                 
    winhlp32.exe             8/23/2001      5.1.2600.0          Not Signed          N/A                 
    winlogon.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    winmine.exe              8/23/2001      5.1.2600.0          Not Signed          N/A                 
    winmsd.exe               8/23/2001      5.1.2600.0          Not Signed          N/A                 
    winspool.exe             8/23/2001      3.10.0.103          Not Signed          N/A                 
    winver.exe               8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    wisptis.exe              8/21/2002      1.0.2201.0          Not Signed          N/A                 
    wmpstub.exe              8/23/2001      8.0.0.4477          Not Signed          N/A                 
    wowdeb.exe               8/23/2001      3.10.0.103          Not Signed          N/A                 
    wowexec.exe              8/23/2001      3.10.0.103          Not Signed          N/A                 
    wpabaln.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    wpnpinst.exe             8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    write.exe                8/23/2001      5.1.2600.0          Not Signed          N/A                 
    wscntfy.exe              8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    wscript.exe              8/4/2004       5.6.0.8820          Not Signed          N/A                 
    wuauclt.exe              7/30/2007      2:5.0,2:5.1,2:5.2   Signed              oem17.CAT           Microsoft Windows Component Publisher
    wuauclt1.exe             5/26/2005      None                Signed              N/A                 Microsoft Windows XP Publisher
    wupdmgr.exe              8/23/2001      5.4.2600.0          Not Signed          N/A                 
    xcopy.exe                8/4/2004       5.1.2600.2180       Not Signed          N/A                 
    xpsp1hfm.exe             1/10/2004      5.4.1.0             Not Signed          N/A                 
    
     
  16. 2007/10/11
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I'm definitely going to have to do some research on this. If anything, those results should be just the opposite .......... 340 signed and 9 unsigned. :confused: :confused:

    As an example, here's mine.

    I can identify the 44 unsigned on mine as belonging to other applications rather than being system files.

    Would you run the same verifier setup on your other comp please, then let me know the results (the same as I posted from mine will suffice).
     
  17. 2007/10/11
    Flapdoodle

    Flapdoodle Inactive Thread Starter

    Joined:
    2007/10/09
    Messages:
    25
    Likes Received:
    0
    Yeah, I thought that seemed a little off. Other computer's results: 299 signed, 11 unsigned. svchost WAS signed on the other computer too. A little extra: I deleted the svchost from the flash drive I used, went to the other computer and copied it to there again. Verified the signature on that computer. Brought it over to this one and verified again, and it wasn't signed anymore.
     
  18. 2007/10/11
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I checked the copy you uploaded too, and it comes up as signed. So, something is causing improper signature verification. The only thing I've found so far suggests that you're running from the guest account, which we already know isn't the case else you wouldn't have gotten a successful Deckard's log. Again, it's going to take a bit of research. I'm off to work and will look into it more this evening.
     
  19. 2007/10/11
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    While I'm trying to find more info on sigverif failing, let's run one more scan to make sure there's nothing else hiding from us.

    Download GMER

    Unzip it to the desktop.

    Open the program and click on the Rootkit tab.
    Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'.
    Click on Scan.
    When the scan has completed, click Copy and paste the results (if any) into this topic.


    Have you noticed any other problems since disabling the usprserv service?
     
  20. 2007/10/12
    Flapdoodle

    Flapdoodle Inactive Thread Starter

    Joined:
    2007/10/09
    Messages:
    25
    Likes Received:
    0
    Haven't noticed any problems since disabling the thing.

    The GMER file is probably too large to allow me to post here again, which I'm going to assume is not ideal. It's small enough to e-mail, so I'll go ahead and do that.
     
  21. 2007/10/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I'll have a closer look at this later tonight.

    GMER 1.0.13.12551 - http://www.gmer.net
    Rootkit scan 2007-10-12 02:22:27
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.13 ----

    SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
    SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
    SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
    SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
    SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
    SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
    SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
    SSDT sptd.sys ZwEnumerateKey
    SSDT sptd.sys ZwEnumerateValueKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwLoadDriver
    SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwMapViewOfSection
    SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
    SSDT sptd.sys ZwOpenKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
    SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
    SSDT sptd.sys ZwQueryKey
    SSDT sptd.sys ZwQueryValueKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
    SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
    SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
    SSDT \SystemRoot\System32\vsdatant.sys ZwSetSystemInformation
    SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess
    SSDT \SystemRoot\System32\vsdatant.sys ZwUnloadDriver

    ---- Kernel code sections - GMER 1.0.13 ----

    ? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
    .text USBPORT.SYS!DllUnload B96D662C 5 Bytes JMP 8AC841C8
    ? System32\Drivers\a6w0kosu.SYS The system cannot find the file specified.

    ---- Kernel IAT/EAT - GMER 1.0.13 ----

    IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6C0AD4] sptd.sys
    IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6C0C1A] sptd.sys
    IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6C0B9C] sptd.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6C1748] sptd.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6C161E] sptd.sys
    IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6D5ACA] sptd.sys
    IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [AA2CE5D0] \SystemRoot\System32\vsdatant.sys
    IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [AA2CEB10] \SystemRoot\System32\vsdatant.sys
    IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [AA2CEC70] \SystemRoot\System32\vsdatant.sys
    IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [AA2CE740] \SystemRoot\System32\vsdatant.sys
    IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [AA2CE740] \SystemRoot\System32\vsdatant.sys
    IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [AA2CE5D0] \SystemRoot\System32\vsdatant.sys
    IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [AA2CEB10] \SystemRoot\System32\vsdatant.sys
    IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [AA2CEC70] \SystemRoot\System32\vsdatant.sys
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [AA2CE5D0] \SystemRoot\System32\vsdatant.sys
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [AA2CEC70] \SystemRoot\System32\vsdatant.sys
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [AA2CEB10] \SystemRoot\System32\vsdatant.sys
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [AA2CE740] \SystemRoot\System32\vsdatant.sys
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [AA2CEC70] \SystemRoot\System32\vsdatant.sys
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [AA2CEB10] \SystemRoot\System32\vsdatant.sys
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [AA2CE5D0] \SystemRoot\System32\vsdatant.sys
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [AA2CE740] \SystemRoot\System32\vsdatant.sys
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [AA2CE5D0] \SystemRoot\System32\vsdatant.sys
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [AA2CEB10] \SystemRoot\System32\vsdatant.sys
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [AA2CEC70] \SystemRoot\System32\vsdatant.sys
    IAT \SystemRoot\System32\DRIVERS\irda.sys[NDIS.SYS!NdisOpenAdapter] [AA2CEB10] \SystemRoot\System32\vsdatant.sys
    IAT \SystemRoot\System32\DRIVERS\irda.sys[NDIS.SYS!NdisRegisterProtocol] [AA2CE5D0] \SystemRoot\System32\vsdatant.sys
    IAT \SystemRoot\System32\DRIVERS\irda.sys[NDIS.SYS!NdisCloseAdapter] [AA2CEC70] \SystemRoot\System32\vsdatant.sys
    IAT \SystemRoot\System32\DRIVERS\irda.sys[NDIS.SYS!NdisDeregisterProtocol] [AA2CE740] \SystemRoot\System32\vsdatant.sys
    IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [AA2CE5D0] \SystemRoot\System32\vsdatant.sys
    IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [AA2CE740] \SystemRoot\System32\vsdatant.sys
    IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [AA2CEC70] \SystemRoot\System32\vsdatant.sys
    IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [AA2CEB10] \SystemRoot\System32\vsdatant.sys

    ---- User IAT/EAT - GMER 1.0.13 ----

    IAT C:\Program Files\Windows Media Player\wmplayer.exe[6596] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
    IAT C:\Program Files\Windows Media Player\wmplayer.exe[6596] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
    IAT C:\Program Files\Windows Media Player\wmplayer.exe[6596] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
    IAT C:\Program Files\Windows Media Player\wmplayer.exe[6596] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
    IAT C:\Program Files\Windows Media Player\wmplayer.exe[6596] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
    IAT C:\Program Files\Windows Media Player\wmplayer.exe[6596] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
    IAT C:\Program Files\Windows Media Player\wmplayer.exe[6596] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
    IAT C:\Program Files\Windows Media Player\wmplayer.exe[6596] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
    IAT C:\Program Files\Windows Media Player\wmplayer.exe[6596] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
    IAT C:\Program Files\Windows Media Player\wmplayer.exe[6596] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
    IAT C:\Program Files\Windows Media Player\wmplayer.exe[6596] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
    IAT C:\Program Files\Windows Media Player\wmplayer.exe[6596] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
    IAT C:\Program Files\Windows Media Player\wmplayer.exe[6596] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
    IAT C:\Program Files\Windows Media Player\wmplayer.exe[6596] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll

    ---- Devices - GMER 1.0.13 ----

    Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 8AE611E8
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 8AE611E8
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 8AE611E8
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 8AE611E8
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 8AE611E8
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 8AE611E8
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 8AE611E8
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 8AE611E8
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 8AE611E8
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 8AE611E8
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 8AE611E8
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 8AE611E8
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 8AE611E8
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 8AE611E8
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 8AE611E8
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 8AE611E8
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 8AE611E8
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 8AE611E8
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 8AE611E8
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 8AE611E8
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 8AE611E8
    Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 8AE611E8

    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [BAE6E404] avg7rsw.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [BAE6E404] avg7rsw.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [BAE6E404] avg7rsw.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [BAE6E404] avg7rsw.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [BAE6E404] avg7rsw.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [BAE6E404] avg7rsw.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [BAE6E404] avg7rsw.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [BAE6E404] avg7rsw.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [BAE6E404] avg7rsw.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [BAE6E404] avg7rsw.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [BAE6E404] avg7rsw.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [BAE6E404] avg7rsw.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [BAE6E404] avg7rsw.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [BAE6E404] avg7rsw.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [BAE6E404] avg7rsw.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [BAE6E404] avg7rsw.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [BAE6E404] avg7rsw.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [BAE6E404] avg7rsw.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [BAE6E404] avg7rsw.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [BAE6E404] avg7rsw.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [BAE6E404] avg7rsw.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [BAE6E404] avg7rsw.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [BAE6E404] avg7rsw.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [BAE6E404] avg7rsw.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [BAE6E404] avg7rsw.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [BAE6E404] avg7rsw.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [BAE6E404] avg7rsw.sys

    Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CREATE 89BF31E8
    Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CLOSE 89BF31E8
    Device \FileSystem\Fastfat \FatCdrom IRP_MJ_READ 89BF31E8
    Device \FileSystem\Fastfat \FatCdrom IRP_MJ_WRITE 89BF31E8
    Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_INFORMATION 89BF31E8
    Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_INFORMATION 89BF31E8
    Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_EA 89BF31E8
    Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_EA 89BF31E8
    Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FLUSH_BUFFERS 89BF31E8
    Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_VOLUME_INFORMATION 89BF31E8
    Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_VOLUME_INFORMATION 89BF31E8
    Device \FileSystem\Fastfat \FatCdrom IRP_MJ_DIRECTORY_CONTROL 89BF31E8
    Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FILE_SYSTEM_CONTROL 89BF31E8
    Device \FileSystem\Fastfat \FatCdrom IRP_MJ_DEVICE_CONTROL 89BF31E8
    Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SHUTDOWN 89BF31E8
    Device \FileSystem\Fastfat \FatCdrom IRP_MJ_LOCK_CONTROL 89BF31E8
    Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CLEANUP 89BF31E8
    Device \FileSystem\Fastfat \FatCdrom IRP_MJ_PNP 89BF31E8
    Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_CREATE 8ADD81E8
    Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_CLOSE 8ADD81E8
    Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_READ 8ADD81E8
    Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_WRITE 8ADD81E8
    Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_QUERY_INFORMATION 8ADD81E8
    Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_SET_INFORMATION 8ADD81E8
    Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_QUERY_VOLUME_INFORMATION 8ADD81E8
    Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_DIRECTORY_CONTROL 8ADD81E8
    Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_FILE_SYSTEM_CONTROL 8ADD81E8
    Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_DEVICE_CONTROL 8ADD81E8
    Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_LOCK_CONTROL 8ADD81E8
    Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_CLEANUP 8ADD81E8
    Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_PNP 8ADD81E8
    Device \FileSystem\Udfs \UdfsDisk IRP_MJ_CREATE 8ADD81E8
    Device \FileSystem\Udfs \UdfsDisk IRP_MJ_CLOSE 8ADD81E8
    Device \FileSystem\Udfs \UdfsDisk IRP_MJ_READ 8ADD81E8
    Device \FileSystem\Udfs \UdfsDisk IRP_MJ_WRITE 8ADD81E8
    Device \FileSystem\Udfs \UdfsDisk IRP_MJ_QUERY_INFORMATION 8ADD81E8
    Device \FileSystem\Udfs \UdfsDisk IRP_MJ_SET_INFORMATION 8ADD81E8
    Device \FileSystem\Udfs \UdfsDisk IRP_MJ_QUERY_VOLUME_INFORMATION 8ADD81E8
    Device \FileSystem\Udfs \UdfsDisk IRP_MJ_DIRECTORY_CONTROL 8ADD81E8
    Device \FileSystem\Udfs \UdfsDisk IRP_MJ_FILE_SYSTEM_CONTROL 8ADD81E8
    Device \FileSystem\Udfs \UdfsDisk IRP_MJ_DEVICE_CONTROL 8ADD81E8
    Device \FileSystem\Udfs \UdfsDisk IRP_MJ_LOCK_CONTROL 8ADD81E8
    Device \FileSystem\Udfs \UdfsDisk IRP_MJ_CLEANUP 8ADD81E8
    Device \FileSystem\Udfs \UdfsDisk IRP_MJ_PNP 8ADD81E8
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [AA2EBEA0] vsdatant.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [AA2EBEA0] vsdatant.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [AA2EBEA0] vsdatant.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [BAE4685A] avgtdi.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [AA2EBEA0] vsdatant.sys
    Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_CREATE 8ACB01E8
    Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_CLOSE 8ACB01E8
    Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_DEVICE_CONTROL 8ACB01E8
    Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 8ACB01E8
    Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_POWER 8ACB01E8
    Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_SYSTEM_CONTROL 8ACB01E8
    Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_PNP 8ACB01E8
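
As an added example (not code from the thread or from GMER), a small Python triage script for logs in the format above: it groups each hook by the module GMER attributes it to and pulls out the entries an analyst reads first. It assumes an analyst-maintained baseline of known hooking drivers (the product attributions in BASELINE_MODULES are general knowledge, not something this log proves) and runs on a constructed excerpt that includes one placeholder driver name.

```python
"""Triage helper for GMER logs like the one posted above (added example, not GMER code)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Analyst-supplied baseline of modules expected to hook on this host.  Product
# names are general knowledge about these drivers, not something the log proves.
BASELINE_MODULES: dict = {
    "vsdatant.sys": "ZoneAlarm (Check Point TrueVector) firewall driver",
    "sptd.sys": "SCSI pass-through driver from Daemon Tools / Alcohol",
    "avg7rsw.sys": "AVG resident shield filter",
}

# Constructed excerpt in GMER 1.0.13 format: lines modelled on the log above
# plus one placeholder driver name so the baseline check has something to flag.
SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.13 ----
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT sptd.sys ZwEnumerateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadDriver
SSDT \SystemRoot\System32\drivers\unknownhook_example.sys ZwOpenProcess
---- Kernel code sections - GMER 1.0.13 ----
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload B96D662C 5 Bytes JMP 8AC841C8
? System32\Drivers\a6w0kosu.SYS The system cannot find the file specified.
---- Kernel IAT/EAT - GMER 1.0.13 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6C0AD4] sptd.sys
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [AA2CEB10] \SystemRoot\System32\vsdatant.sys
---- Devices - GMER 1.0.13 ----
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 8AE611E8
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [BAE6E404] avg7rsw.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [AA2EBEA0] vsdatant.sys
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
SSDT_RE = re.compile(r"^SSDT (\S+) (\S+)$")
IAT_RE = re.compile(r"^IAT (.+\]) \[([0-9A-F]+)\] (.+)$")
DEVICE_RE = re.compile(r"^(Device|AttachedDevice) (\S+) (\S+) (IRP_MJ_\w+) "
                       r"(?:\[([0-9A-F]+)\] (.+)|([0-9A-F]+))$")
INLINE_RE = re.compile(r"^\.text (\S+) ([0-9A-F]+) (\d+) Bytes (.+)$")
FILE_ERR_RE = re.compile(r"^\? (\S+) (.+)$")

@dataclass
class Hook:
    section: str
    kind: str              # SSDT | IAT | Device | AttachedDevice | inline | file-error
    target: str            # hooked function, device + IRP, patched symbol, or file path
    owner: Optional[str]   # module GMER attributes the hook to; None for a bare address
    address: Optional[str] = None
    note: str = ""

def module_name(path: str) -> str:
    """Reduce '\\SystemRoot\\System32\\vsdatant.sys' to 'vsdatant.sys'."""
    return path.rsplit("\\", 1)[-1].lower()

def parse_gmer(text: str) -> list:
    """Convert GMER log text into Hook records, tracking the '----' section."""
    hooks = []
    section = ""
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif m := SSDT_RE.match(line):
            hooks.append(Hook(section, "SSDT", m.group(2), module_name(m.group(1))))
        elif m := IAT_RE.match(line):
            hooks.append(Hook(section, "IAT", m.group(1), module_name(m.group(3)), m.group(2)))
        elif m := DEVICE_RE.match(line):
            kind, _driver, device, irp, addr, mod, bare = m.groups()
            hooks.append(Hook(section, kind, f"{device} {irp}",
                              module_name(mod) if mod else None, addr or bare))
        elif m := INLINE_RE.match(line):
            hooks.append(Hook(section, "inline", m.group(1), None, m.group(2),
                              f"{m.group(3)} bytes patched: {m.group(4)}"))
        elif m := FILE_ERR_RE.match(line):
            hooks.append(Hook(section, "file-error", m.group(1), None, None, m.group(2)))
    return hooks

def triage(hooks: list, baseline: dict = BASELINE_MODULES) -> dict:
    """Split parsed hooks into the groups an analyst should look at first."""
    per_module = Counter(h.owner for h in hooks if h.owner)
    return {
        "per_module": dict(per_module),       # hook count per hooking module
        "unknown_modules": sorted(m for m in per_module if m not in baseline),
        "unattributed": [h for h in hooks     # bare addresses and inline patches
                         if h.owner is None and h.kind != "file-error"],
        "missing_files": [h for h in hooks    # registered but absent on disk
                          if h.kind == "file-error" and "cannot find" in h.note],
    }

if __name__ == "__main__":
    result = triage(parse_gmer(SAMPLE_GMER_LOG))
    for mod, n in sorted(result["per_module"].items(), key=lambda kv: -kv[1]):
        print(f"{mod:<26}{n:>3}  {BASELINE_MODULES.get(mod, '** not in baseline **')}")
    for h in result["unattributed"] + result["missing_files"]:
        print(f"review: {h.kind:<10} {h.target} {h.address or ''} {h.note}")
```

On the full log above, the same grouping shows almost every SSDT, IAT and TDI hook attributed to two modules, which is what an analyst compares against the software known to be installed before treating any hook as suspicious.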
     
