Windows TaskBar and start menu is gone! desktop icons unmovable [Hijack This log]

supacat · 2007/05/31

Please Help... Having the exact same problem. Here is my Hijack This log...

Logfile of HijackThis v1.99.1
Scan saved at 8:36:07 PM, on 5/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\TomTom HOME\TomTomHOME.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Symantec AntiVirus\vpc32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\me\Application Data\U3\000017E48A62BE9E\LaunchPad.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../verizon/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/verizon/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://verizon.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/verizon/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../verizon/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/verizon/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/verizon/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe "
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe "
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O4 - HKCU\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe "
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Application Management (AppMgmt) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Computer Browser (Browser) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cryptographic Services (CryptSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: DCOM Server Process Launcher (DcomLaunch) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DHCP Client (Dhcp) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Logical Disk Manager (dmserver) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Error Reporting Service (ERSvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: COM+ Event System (EventSystem) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Help and Support (helpsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: MS Internet Countermeasures Framework (ICF) - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Server (lanmanserver) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Workstation (lanmanworkstation) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: Network Connections (Netman) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Network Location Awareness (NLA) (Nla) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Removable Storage (NtmsSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Remote Access Connection Manager (RasMan) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Remote Registry (RemoteRegistry) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Secondary Logon (seclogon) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: System Event Notification (SENS) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Shell Hardware Detection (ShellHWDetection) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Restore Service (srservice) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: SSDP Discovery Service (SSDPSRV) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Windows Image Acquisition (WIA) (stisvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Telephony (TapiSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Terminal Services (TermService) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Themes - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Universal Plug and Play Device Host (upnphost) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: USB Data Adapter (Usbpda) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Messenger Sharing USN Journal Reader service (usnsvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Time (W32Time) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: WebClient - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Windows Management Instrumentation (winmgmt) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Windows Management Instrumentation Driver Extensions (Wmi) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Wireless Zero Configuration (WZCSVC) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Network Provisioning Service (xmlprov) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)

TeMerc · 2007/06/01

Hello and welcome to WindowsBBS Forums.

WOW!!!

I don't think I've ever seen so many bots on one machine, I'm amazed that it runs at all.

Be fore we proceed a bit of caution. These kinds of backdoors can leave an open port back to 'malware headquarters' as the case may be. Meaning that some of your personal information may have been collected. I strongly urge you to contact any companies which you perform financial transactions with on this computer to alert them of the possible breach to avoid any sort of identity theft.

While this back door should be easily cleaned, there is always a slight possibility we can miss something else. To be 100% sure the system is no longer compromised the best thing to do is to save all data which is important to you and wipe the hard drive, re-installing Windows.

While the chance of this happening is rather low, I want to be sure and alert you of the possibility.

Let me know what you want to do.

supacat · 2007/06/01

Thanks for the help... but please

right now i need to be get my data such as my yahoo logs and email.. and email settings...

Please help... i'll re image later.... also if you could recommend the proper security software that i should be using....

thanks

TeMerc · 2007/06/01

OK, if you insist. One thing tho, do not under any circumstances perform any sort of financial transaction on this machine and I would also alert any banks or credit card companies as to the likely compromise of this machine.

Lets run a bot tool and see how many it picks out. Sure to be some new ones here.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :

Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

Instead of Windows loading as normal, the Advanced Options Menu should appear;

Select the first option, to run Windows in Safe Mode, then press Enter.

Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.

Type Y to begin the cleanup process.

It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.

Press any Key and it will restart the PC.

When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.

Finally copy and paste the contents of the results file Report.txt back onto the forum after running the next tool.

Download combofix.exe

Double click combofix.exe & follow the prompts.

When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Then post the SDFix log, ComboFix log and a fresh HJT log as well please.

supacat · 2007/06/18

logs.. sorry for the delay

Here are the logs

Sdfix Log:

SDFix: Version 1.86

Run by me - Mon 06/04/2007 - 19:13:48.87

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\fix\sdfix\SDFix

Safe Mode:
Checking Services:

Name:
ICF
usbpda

ImagePath:
C:\WINDOWS\system32\svchost.exe:exe.exe
%SystemRoot%\System32\svchost.exe -k netsvcs

ICF - Deleted
usbpda - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing SharedAccess Service

Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\DOCUME~1\me\LOCALS~1\Temp\temp_218520218.bat - Deleted
C:\DOCUME~1\me\LOCALS~1\Temp\temp_218772921.bat - Deleted
C:\WINDOWS\system32\svcp.csv - Deleted
C:\WINDOWS\system32\winsub.xml - Deleted
C:\DOCUME~1\me\LOCALS~1\Temp\tmp*.tmp - Deleted

Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
:svchost.exe 19299
Total size: 19299 bytes.

system32: deleted 19299 bytes in 1 streams.

Checking for remaining Streams

C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Checking if ADS is attached to ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"c:\\bqtoxygh.exe "= "C:\\bqtoxygh.exe:*:Enabled:Server "
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe "= "C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0 "
"C:\\Program Files\\MSN Messenger\\msncall.exe "= "C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone) "
"%windir%\\system32\\sessmgr.exe "= "%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019 "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"c:\\bqtoxygh.exe "= "C:\\bqtoxygh.exe:*:Enabled:Server "
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe "= "C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0 "
"C:\\Program Files\\MSN Messenger\\msncall.exe "= "C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone) "
"%windir%\\system32\\sessmgr.exe "= "%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019 "

Remaining Files:
---------------

Backups Folder: - C:\fix\sdfix\SDFix\backups\backups.zip

Listing Files with Hidden Attributes:

C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll
C:\Documents and Settings\me\Application Data\U3\temp\Launchpad Removal.exe
C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe

Listing User Accounts:

User accounts for \\

Administrator ASPNET Guest
HelpAssistant me SUPPORT_388945a0
The command completed with one or more errors.

Finished

Combofix Log:

"me" - 2007-06-18 21:19:19 Service Pack 2 NTFS
ComboFix 07-06-3 - Running from: "C:\fix\ "

ADS removed - C:\WINDOWS\system32\svchost.exe: The system cannot find the file specified.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\me\APPLIC~1.\macromedia\Flash Player\#SharedObjects\536LTSDW\www.broadcaster.com
C:\DOCUME~1\me\APPLIC~1.\macromedia\Flash Player\#SharedObjects\536LTSDW\www.broadcaster.com\played_list.sol
C:\DOCUME~1\me\APPLIC~1.\macromedia\Flash Player\#SharedObjects\536LTSDW\www.broadcaster.com\video_queue.sol
C:\DOCUME~1\me\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\me\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol

((((((((((((((((((((((((( Files Created from 2007-05-19 to 2007-06-19 )))))))))))))))))))))))))))))))

2007-06-04 19:03 <DIR> d-------- C:\fix
2007-05-31 20:32 <DIR> d-------- C:\hjt
2007-05-31 19:34 <DIR> d-------- C:\DOCUME~1\me\APPLIC~1\Lavasoft

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-19 00:46:42 -------- d-----w C:\Program Files\Symantec AntiVirus
2007-06-01 00:32:49 -------- d-----w C:\DOCUME~1\me\APPLIC~1\U3
2007-05-30 06:11:13 179 ----a-w C:\handle.dat
2007-04-27 12:38:38 -------- d-----w C:\Program Files\FlashGet
2007-04-24 10:09:07 -------- d-----w C:\Program Files\TomTom HOME
2007-04-24 04:04:51 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-24 04:01:53 -------- d-----w C:\DOCUME~1\me\APPLIC~1\InstallShield
2007-04-20 04:55:53 3,072 ----a-w C:\WINDOWS\mozver.dat
2007-03-31 00:52:27 139,264 ----a-w C:\WINDOWS\system32\hpzjrd01.dll
2007-03-29 01:55:04 112,397 ----a-w C:\WINDOWS\hpoins07.dat

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2006-10-26 11:28]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 12:02]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}=C:\PROGRA~1\FlashGet\jccatch.dll [2006-05-16 16:19]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll [2006-10-31 16:33]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{F156768E-81EF-470C-9057-481BA8380DBA}=C:\PROGRA~1\FlashGet\getflash.dll [2006-07-07 17:30]
{F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D}=C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll [2005-02-03 18:07]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp "= "C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 08:57]
"DrvLsnr "= "C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 12:34]
"Zone Labs Client "= "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2005-11-15 00:51]
"ATICCC "= "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"Omnipage "= "C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 11:38]
"ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 13:42]
"QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" []
"iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"Motive SmartBridge "= "C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe" [2006-06-23 12:33]
"VerizonServicepoint.exe "= "C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe" [2006-02-01 19:33]
"YBrowser "= "C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 17:19]
"vptray "= "C:\PROGRA~1\SYMANT~1\\vptray.exe" [2005-11-15 14:28]
"HP Software Update "= "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12]
"LogitechCommunicationsManager "= "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 02:12]
"LogitechQuickCamRibbon "= "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 02:13]
"PWRISOVM.EXE "= "C:\Program Files\PowerISO\PWRISOVM.EXE" [2006-09-09 05:16]
"SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"TomTomHOME.exe "= "C:\Program Files\TomTom HOME\TomTomHOME.exe" [2007-01-29 12:07]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager "= "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-25 20:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize "=0 (0x0)
"NoMovingBands "=0 (0x0)
"NoCloseDragDropBands "=0 (0x0)
"NoSetTaskbar "=0 (0x0)
"NoToolbarsOnTaskbar "=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
AutoRun\command- H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3a0b27ad-b00b-11db-b38d-000bcd669c2c}]
AutoRun\command- I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e88d8813-e81f-11db-b3ab-000bcd669c2c}]
AutoRun\command- H:\InstallTomTomHOME.exe

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-18 21:22:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-18 21:22:44
C:\ComboFix-quarantined-files.txt ... 2007-06-18 21:22

--- E O F ---

HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 9:30:26 PM, on 6/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\TomTom HOME\TomTomHOME.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://verizon.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/verizon/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../verizon/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/verizon/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/verizon/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe "
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe "
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe "
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Application Management (AppMgmt) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Computer Browser (Browser) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cryptographic Services (CryptSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: DCOM Server Process Launcher (DcomLaunch) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DHCP Client (Dhcp) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Logical Disk Manager (dmserver) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Error Reporting Service (ERSvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: COM+ Event System (EventSystem) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Help and Support (helpsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Server (lanmanserver) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Workstation (lanmanworkstation) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: Network Connections (Netman) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Network Location Awareness (NLA) (Nla) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Removable Storage (NtmsSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Remote Access Connection Manager (RasMan) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Remote Registry (RemoteRegistry) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Secondary Logon (seclogon) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: System Event Notification (SENS) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Internet Connection Sharing (SharedAccess) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Shell Hardware Detection (ShellHWDetection) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Restore Service (srservice) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: SSDP Discovery Service (SSDPSRV) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Windows Image Acquisition (WIA) (stisvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Telephony (TapiSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Terminal Services (TermService) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Themes - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Universal Plug and Play Device Host (upnphost) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Messenger Sharing USN Journal Reader service (usnsvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Time (W32Time) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: WebClient - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Windows Management Instrumentation (winmgmt) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Windows Management Instrumentation Driver Extensions (Wmi) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Wireless Zero Configuration (WZCSVC) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Network Provisioning Service (xmlprov) - Unknown owner - C:\WINDOWS\System32\svchost.exe (file missing)

Thanks in advance for the help.

TeMerc · 2007/06/19

Download GMER from one of the following sites listed on this Google page.

Right Click the Zip file top open it and Select "Extract All "

Double-click gmer.exe to launch the program.

Click on the Rootkit Tab and on the right side, untick the Registry [] box, then click Scan.

Once the scan is done, hit the [copy] button, then open notepad and paste the results here for me to see.

supacat · 2007/06/20

gmer log part 1

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2007-06-20 03:43:26
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.12 ----

SSDT 82A745A8 ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT sptd.sys ZwOpenKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!_abnormal_termination + 24F 804E2F20 1 Byte [ 40 ]
.text ntoskrnl.exe!_abnormal_termination + 251 804E2F22 2 Bytes [ D5, B2 ]
.text USBPORT.SYS!DllUnload F72B862C 5 Bytes JMP 82FAD960

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 82F661D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 82F661D8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CREATE 8286C760
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CLOSE 8286C760
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_READ 8286C760
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_WRITE 8286C760
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_INFORMATION 8286C760
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_INFORMATION 8286C760
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_EA 8286C760
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_EA 8286C760
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FLUSH_BUFFERS 8286C760
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_VOLUME_INFORMATION 8286C760
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_VOLUME_INFORMATION 8286C760
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_DIRECTORY_CONTROL 8286C760
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FILE_SYSTEM_CONTROL 8286C760
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_DEVICE_CONTROL 8286C760
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SHUTDOWN 8286C760
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_LOCK_CONTROL 8286C760
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CLEANUP 8286C760
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_PNP 8286C760
Device \Driver\USBSTOR \Device\0000009b IRP_MJ_CREATE 8184F980
Device \Driver\USBSTOR \Device\0000009b IRP_MJ_CLOSE 8184F980
Device \Driver\USBSTOR \Device\0000009b IRP_MJ_READ 8184F980
Device \Driver\USBSTOR \Device\0000009b IRP_MJ_WRITE 8184F980
Device \Driver\USBSTOR \Device\0000009b IRP_MJ_DEVICE_CONTROL 8184F980
Device \Driver\USBSTOR \Device\0000009b IRP_MJ_INTERNAL_DEVICE_CONTROL 8184F980
Device \Driver\USBSTOR \Device\0000009b IRP_MJ_POWER 8184F980
Device \Driver\USBSTOR \Device\0000009b IRP_MJ_SYSTEM_CONTROL 8184F980
Device \Driver\USBSTOR \Device\0000009b IRP_MJ_PNP 8184F980
Device \Driver\USBSTOR \Device\0000009c IRP_MJ_CREATE

supacat · 2007/06/20

gmer log part 2

8184F980
Device \Driver\USBSTOR \Device\0000009c IRP_MJ_CLOSE 8184F980
Device \Driver\USBSTOR \Device\0000009c IRP_MJ_READ 8184F980
Device \Driver\USBSTOR \Device\0000009c IRP_MJ_WRITE 8184F980
Device \Driver\USBSTOR \Device\0000009c IRP_MJ_DEVICE_CONTROL 8184F980
Device \Driver\USBSTOR \Device\0000009c IRP_MJ_INTERNAL_DEVICE_CONTROL 8184F980
Device \Driver\USBSTOR \Device\0000009c IRP_MJ_POWER 8184F980
Device \Driver\USBSTOR \Device\0000009c IRP_MJ_SYSTEM_CONTROL 8184F980
Device \Driver\USBSTOR \Device\0000009c IRP_MJ_PNP 8184F980
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [B2D66230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [B2D66230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [B2D66230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [B2D66230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [B2D66230] vsdatant.sys
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_CREATE 82EA5548
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_CLOSE 82EA5548
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_DEVICE_CONTROL 82EA5548
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82EA5548
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_POWER 82EA5548
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_SYSTEM_CONTROL 82EA5548
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_PNP 82EA5548
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_CREATE 82EA5548
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_CLOSE 82EA5548
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_DEVICE_CONTROL 82EA5548
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82EA5548
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_POWER 82EA5548
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_SYSTEM_CONTROL 82EA5548
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_PNP 82EA5548
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CREATE 82FD41D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CLOSE 82FD41D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_READ 82FD41D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_WRITE 82FD41D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_FLUSH_BUFFERS 82FD41D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_DEVICE_CONTROL 82FD41D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_INTERNAL_DEVICE_CONTROL 82FD41D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SHUTDOWN 82FD41D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_POWER 82FD41D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SYSTEM_CONTROL 82FD41D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_PNP 82FD41D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CREATE 82FD41D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CLOSE 82FD41D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_READ 82FD41D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_WRITE 82FD41D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_FLUSH_BUFFERS 82FD41D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_DEVICE_CONTROL 82FD41D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_INTERNAL_DEVICE_CONTROL 82FD41D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SHUTDOWN 82FD41D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_POWER 82FD41D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SYSTEM_CONTROL 82FD41D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_PNP 82FD41D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CREATE 82FD41D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CLOSE 82FD41D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_READ 82FD41D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_WRITE 82FD41D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_FLUSH_BUFFERS 82FD41D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_DEVICE_CONTROL 82FD41D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_INTERNAL_DEVICE_CONTROL 82FD41D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SHUTDOWN 82FD41D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_POWER 82FD41D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SYSTEM_CONTROL 82FD41D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_PNP 82FD41D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CREATE 82FD41D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CLOSE 82FD41D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_READ 82FD41D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_WRITE 82FD41D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_FLUSH_BUFFERS 82FD41D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_DEVICE_CONTROL 82FD41D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_INTERNAL_DEVICE_CONTROL 82FD41D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SHUTDOWN 82FD41D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_POWER 82FD41D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SYSTEM_CONTROL 82FD41D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_PNP 82FD41D8
Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_CREATE 82FD1980
Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_CLOSE 82FD1980
Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_DEVICE_CONTROL 82FD1980
Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_INTERNAL_DEVICE_CONTROL 82FD1980
Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_POWER 82FD1980
Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_SYSTEM_CONTROL 82FD1980
Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_PNP 82FD1980
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [B2D66230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [B2D66230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [B2D66230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [B2D66230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [B2D66230] vsdatant.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_PNP 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_READ 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_WRITE 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_FLUSH_BUFFERS 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DEVICE_CONTROL 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_INTERNAL_DEVICE_CONTROL 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SHUTDOWN 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CLEANUP 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_POWER 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SYSTEM_CONTROL 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_PNP 82F681D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 82EDD1D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 82EDD1D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 82EDD1D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 82EDD1D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 82EDD1D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 82EDD1D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82EDD1D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 82EDD1D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 82EDD1D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 82EDD1D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP

supacat · 2007/06/20

gmer log part 3

82EDD1D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CREATE 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_READ 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_WRITE 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_FLUSH_BUFFERS 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_DEVICE_CONTROL 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_INTERNAL_DEVICE_CONTROL 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SHUTDOWN 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CLEANUP 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_POWER 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SYSTEM_CONTROL 82F681D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_PNP 82F681D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE 82F671D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLOSE 82F671D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CONTROL 82F671D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82F671D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_POWER 82F671D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SYSTEM_CONTROL 82F671D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_PNP 82F671D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE 82F671D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CLOSE 82F671D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DEVICE_CONTROL 82F671D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_INTERNAL_DEVICE_CONTROL 82F671D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_POWER 82F671D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SYSTEM_CONTROL 82F671D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_PNP 82F671D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE 82F671D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLOSE 82F671D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CONTROL 82F671D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82F671D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_POWER 82F671D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SYSTEM_CONTROL 82F671D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_PNP 82F671D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_CREATE 82F671D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_CLOSE 82F671D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_DEVICE_CONTROL 82F671D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_INTERNAL_DEVICE_CONTROL 82F671D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_POWER 82F671D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SYSTEM_CONTROL 82F671D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_PNP 82F671D8
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_CREATE 82EDD1D8
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_CLOSE 82EDD1D8
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_READ 82EDD1D8
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_WRITE 82EDD1D8
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_FLUSH_BUFFERS 82EDD1D8
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_DEVICE_CONTROL 82EDD1D8
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_INTERNAL_DEVICE_CONTROL 82EDD1D8
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_SHUTDOWN 82EDD1D8
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_POWER 82EDD1D8
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_SYSTEM_CONTROL 82EDD1D8
Device \Driver\Cdrom \Device\CdRom3 IRP_MJ_PNP 82EDD1D8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 82A1B980
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLOSE 82A1B980
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_DEVICE_CONTROL 82A1B980
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_INTERNAL_DEVICE_CONTROL 82A1B980
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLEANUP 82A1B980
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_PNP 82A1B980
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 82A1B980
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLOSE 82A1B980
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_DEVICE_CONTROL 82A1B980
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_INTERNAL_DEVICE_CONTROL 82A1B980
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLEANUP 82A1B980
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_PNP 82A1B980
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [B2D66230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [B2D66230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [B2D66230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [B2D66230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [B2D66230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [B2D66230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [B2D66230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [B2D66230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [B2D66230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [B2D66230] vsdatant.sys
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_CREATE 82EA5548
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_CLOSE 82EA5548
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_DEVICE_CONTROL 82EA5548
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82EA5548
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_POWER 82EA5548
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_SYSTEM_CONTROL 82EA5548
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_PNP 82EA5548
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_CREATE 82EA5548
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_CLOSE 82EA5548
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_DEVICE_CONTROL 82EA5548
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82EA5548
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_POWER 82EA5548
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_SYSTEM_CONTROL 82EA5548
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_PNP 82EA5548
Device \Driver\usbehci \Device\USBFDO-2 IRP_MJ_CREATE 82FD1980
Device \Driver\usbehci \Device\USBFDO-2 IRP_MJ_CLOSE 82FD1980
Device \Driver\usbehci \Device\USBFDO-2 IRP_MJ_DEVICE_CONTROL 82FD1980
Device \Driver\usbehci \Device\USBFDO-2 IRP_MJ_INTERNAL_DEVICE_CONTROL 82FD1980
Device \Driver\usbehci \Device\USBFDO-2 IRP_MJ_POWER 82FD1980
Device \Driver\usbehci \Device\USBFDO-2 IRP_MJ_SYSTEM_CONTROL 82FD1980
Device \Driver\usbehci \Device\USBFDO-2 IRP_MJ_PNP 82FD1980
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [B2D66230] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [B2D66230] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [B2D66230] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [B2D66230] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [B2D66230] vsdatant.sys
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSE 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE

supacat · 2007/06/20

gmer log part 4

828A31D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSE 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 828A31D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 828A31D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 82F681D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_READ 82F681D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_WRITE 82F681D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_FLUSH_BUFFERS 82F681D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_DEVICE_CONTROL 82F681D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_INTERNAL_DEVICE_CONTROL 82F681D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SHUTDOWN 82F681D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CLEANUP 82F681D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_POWER 82F681D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SYSTEM_CONTROL 82F681D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_PNP 82F681D8
Device \Driver\USBSTOR \Device\0000009a IRP_MJ_CREATE 8184F980
Device \Driver\USBSTOR \Device\0000009a IRP_MJ_CLOSE 8184F980
Device \Driver\USBSTOR \Device\0000009a IRP_MJ_READ 8184F980
Device \Driver\USBSTOR \Device\0000009a IRP_MJ_WRITE 8184F980
Device \Driver\USBSTOR \Device\0000009a IRP_MJ_DEVICE_CONTROL 8184F980
Device \Driver\USBSTOR \Device\0000009a IRP_MJ_INTERNAL_DEVICE_CONTROL 8184F980
Device \Driver\USBSTOR \Device\0000009a IRP_MJ_POWER 8184F980
Device \Driver\USBSTOR \Device\0000009a IRP_MJ_SYSTEM_CONTROL 8184F980
Device \Driver\USBSTOR \Device\0000009a IRP_MJ_PNP 8184F980
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE 8286C760
Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE 8286C760
Device \FileSystem\Fastfat \Fat IRP_MJ_READ 8286C760
Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE 8286C760
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION 8286C760
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION 8286C760
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA 8286C760
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA 8286C760
Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS 8286C760
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION 8286C760
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION 8286C760
Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL 8286C760
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL 8286C760
Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL 8286C760
Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN 8286C760
Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL 8286C760
Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP 8286C760
Device \FileSystem\Fastfat \Fat IRP_MJ_PNP 8286C760
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 82867778
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE 82867778
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 82867778
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION 82867778
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION 82867778
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION 82867778
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL 82867778
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL 82867778
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL 82867778
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN 82867778
Device \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL 82867778
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP 82867778
Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP 82867778

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\me\My Documents\My Pictures\temp 12 01 06\File00023.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS C:\Documents and Settings\me\My Documents\My Pictures\temp 12 01 06\File00023.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\me\My Documents\My Pictures\temp 12 01 06\File01388.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS C:\Documents and Settings\me\My Documents\My Pictures\temp 12 01 06\File01388.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\me\My Documents\My Pictures\temp 12 01 06\File01555.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS C:\Documents and Settings\me\My Documents\My Pictures\temp 12 01 06\File01555.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\me\My Documents\My Pictures\temp 12 01 06\File02656.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS C:\Documents and Settings\me\My Documents\My Pictures\temp 12 01 06\File02656.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\me\My Documents\My Pictures\temp 12 01 06\File03778.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS C:\Documents and Settings\me\My Documents\My Pictures\temp 12 01 06\File03778.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\me\My Documents\My Pictures\temp 12 01 06\MVC-005F.JPG:Q30lsldxJoudresxAaaqpcawXc
ADS ...
ADS E:\graphics torrents 122406 put to dvd\toshiba data eman\1111aaaaaa samples to ipod\David Base Image.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS E:\graphics torrents 122406 put to dvd\toshiba data eman\1111aaaaaa samples to ipod\David Base Image.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS F:\sort from drive 2 supa vid box\My Pictures\aaaaaaaaaaaaaa\File00003.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS F:\sort from drive 2 supa vid box\My Pictures\aaaaaaaaaaaaaa\File00003.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS F:\sort from drive 2 supa vid box\My Pictures\aaaaaaaaaaaaaa\File00006.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS F:\sort from drive 2 supa vid box\My Pictures\aaaaaaaaaaaaaa\File00006.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS F:\sort from drive 2 supa vid box\My Pictures\aaaaaaaaaaaaaa\File00009.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS F:\sort from drive 2 supa vid box\My Pictures\aaaaaaaaaaaaaa\File00009.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS F:\sort from drive 2 supa vid box\My Pictures\aaaaaaaaaaaaaa\File00011.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS F:\sort from drive 2 supa vid box\My Pictures\aaaaaaaaaaaaaa\File00011.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS F:\sort from drive 2 supa vid box\My Pictures\aaaaaaaaaaaaaa\File00015.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS F:\sort from drive 2 supa vid box\My Pictures\aaaaaaaaaaaaaa\File00015.jpg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS F:\sort from drive 2 supa vid box\My Pictures\aaaaaaaaaaaaaa\File00017.jpg:Q30lsldxJoudresxAaaqpcawXc
ADS ...

---- EOF - GMER 1.0.12 ----

TeMerc · 2007/06/21

I haven't forgotten about you supacat, just getting some clarification on things.

As badly infected as this machine is, I'm double checking pretty much everything.

supacat · 2007/06/21

Thanks

Thanks for taking the time... i really appreciate it.

TeMerc · 2007/06/22

Sorry for long delay, crazy week in the house for me.

We need you to look in one of the back up folders of one of the tools:
C:\fix\sdfix\SDFix<<<--in here

Look for svchost.exe and scan it here:
Jotti Online File Scanner

If it scans clean, then move the file to your system32 folder reboot and re-run HJT and post that log for me, thanks.

Blender · 2007/06/22

Just posting so I get notifications of replies. TeMerc asked me to look.
Interesting thread.

Supacat:

In that SDFix folder will be zip file called "backups.zip ". This is the backups SDFix created before deleting what it found bad.

Unzip that and possibly svchost.exe is in that folder.
Careful around the other files within that folder as they are baddies!

If when you copy svchost.exe to system32 (if its clean) and get a prompt to overwrite already existing file say NO till we figure out why we can't "see" svchost that may already be there.

Can you look also in your dllcache folder to see if svchost.exe exists there? If present... scan it please and post jotti results if infected?

DllCache folder is a hidden system folder.
Type C:\windows\system32\dllcache in the run box & hit OK to get there quick.

Thanks!

Log in or Sign up

Windows TaskBar and start menu is gone! desktop icons unmovable [Hijack This log]

supacat Inactive Thread Starter

TeMerc Inactive Alumni

supacat Inactive Thread Starter

TeMerc Inactive Alumni

supacat Inactive Thread Starter

TeMerc Inactive Alumni

supacat Inactive Thread Starter

supacat Inactive Thread Starter

supacat Inactive Thread Starter

supacat Inactive Thread Starter

TeMerc Inactive Alumni

supacat Inactive Thread Starter

TeMerc Inactive Alumni

Blender Inactive

Share This Page

Log in or Sign up

Windows TaskBar and start menu is gone! desktop icons unmovable [Hijack This log]

supacat Inactive Thread Starter

TeMerc Inactive Alumni

supacat Inactive Thread Starter

TeMerc Inactive Alumni

supacat Inactive Thread Starter

TeMerc Inactive Alumni

supacat Inactive Thread Starter

supacat Inactive Thread Starter

supacat Inactive Thread Starter

supacat Inactive Thread Starter

TeMerc Inactive Alumni

supacat Inactive Thread Starter

TeMerc Inactive Alumni

Blender Inactive

Share This Page

Useful Searches