help with trojan


This topic is locked

#1 Xiaoxiao (Member, 19 posts)
Hi,

Two days ago, a friend of mine's MSN account got hacked. I was sent a link in MSN, which was a link to a .exe file for me to download. After downloading it I opened it, and nothing really happened, so I deleted the file. Today when I opened my PC, I was flooded with messages from my antispyware program (which is Spy Sweeper, BTW) saying that MANY programs were trying to access the internet. After looking through them, I was sure that it was spyware. Also, after many programs asking to access the internet were denied (and I ticked the "block all" box), all the pop-ups were just a page saying things like "access denied" etc. The PC also froze after a while (around 1 min or so after I got into my XP account), so I hit Ctrl+Alt+Delete as fast as I could; there I immediately went to the 'Processes' tab and closed explorer. That helped to stop the freezing, which happened for about the first 6 restarts. Then I did a scan in normal mode. It picked up around 4 trojans and 6 or so spywares. After cleaning it all, I found that the problem wasn't fixed; however, the freezing stopped, which was to some extent a good thing.

I rebooted in safe mode and scanned my PC there about 5 times, each time finding less and less spyware and its traces. Until now, it always picks up a trojan; here's the description in the log:
"Trojan Horse found: Trojan-backdoor-Rustock"
I have tried to scan and delete this in safe mode multiple times. I have found some stuff in HijackThis and deleted it from there, which got rid of some other stuff before this. But I really don't know where to go from now.

PS: also a note, I have 2 protection thingies, one Spy Sweeper, which has the newest subscription updates etc., and also Norton Internet Security 2005. I'm aware that it's not good to have 2 or more antivirus etc. programs; however, I find that Norton doesn't adequately protect me from spyware, so I got Webroot Spy Sweeper.

Other than some initial problems, after setting the programs to accept each other, there have been no crashes between the two programs.

However, today, when the viruses acted up, Norton stopped working and said that there were some internal errors :whistling:. So I removed it, as it can no longer scan viruses or do any protection (it says that both the antivirus protection and the internet protection thingy were disabled). I don't know what's wrong; maybe someone hacked me and messed around with it? I can't find my install CD at the moment, so I don't have Norton installed at all right now. If there is anything I can do to remove this threat, it would be gladly appreciated.

My HijackThis log is just below:

Logfile of HijackThis v1.99.1
Scan saved at 8:19:49 PM, on 22/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\asuskbservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\CAP3RSK.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\HJT\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: YDragSearch - {62EED7C6-9F02-42f9-B634-98E2899E147B} - blank (file missing)
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: update wnwb - {ED8DFC5C-10EF-45AB-9DC2-0639AFF5A270} - C:\PROGRA~1\COMMON~1\Wnwb\wnwbio.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Quick Search (Yisou.com) - res://C:\WINDOWS\DOWNLO~1\CnsMinEx.dll/1003
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1141179784968
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ASUSKeyboardService - ASUSTeK COMPUTER INC. - C:\WINDOWS\asuskbservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: %NVSVC.name% (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe



Hope I can get help ASAP :D Thanks.

Edited by Xiaoxiao, 22 October 2006 - 04:23 AM.

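A first triage pass over a HijackThis log like the one above, as an added example (my own code, not a HijackThis or Geeks to Go tool). It keeps the O-lines, flags entries whose binary no longer exists ("(no file)" / "(file missing)"), which helpers routinely fix, and flags auto-starting binaries that live outside the Windows and Program Files directories. The sample is constructed: the lines follow the format of the log above, plus one hypothetical HKCU Run entry pointing into a Temp folder to exercise the path check.

```python
"""Triage pass over a HijackThis 1.99 log (added example; not a HijackThis or
Geeks to Go tool).  It keeps the O-lines, flags entries whose binary no longer
exists ("(no file)" / "(file missing)"), and flags auto-starting binaries that
live outside the Windows and Program Files directories."""
import re
from dataclasses import dataclass

# Constructed sample: lines in the format of the log above, plus one
# hypothetical HKCU Run entry in a Temp folder to exercise the path check.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: YDragSearch - {62EED7C6-9F02-42f9-B634-98E2899E147B} - blank (file missing)
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Dennis\Local Settings\Temp\svch0st.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
"""

MISSING_TAGS = ("(no file)", "(file missing)")
# First Windows path on the line that ends in a loadable-module extension.
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:exe|dll|ocx|sys|cpl))\b", re.IGNORECASE)
# Where legitimately installed startup binaries normally live on XP.
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
# Markers of user-writable locations that nothing should auto-start from.
SUSPECT_MARKERS = ("\\documents and settings\\", "\\temp\\", "\\local settings\\")


@dataclass
class Finding:
    section: str  # O2, O4, O18, ...
    reason: str
    line: str


def triage_hjt(log_text):
    """Return the log entries a helper would look at first, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        head = re.match(r"(O\d+) - ", line)
        if not head:
            continue  # process list, header lines, blanks
        section = head.group(1)
        if any(tag in line for tag in MISSING_TAGS):
            findings.append(Finding(section, "binary missing: dead entry, safe to fix", line))
            continue
        path_match = PATH_RE.search(line)
        if not path_match:
            continue
        path = path_match.group(1).lower()
        if any(marker in path for marker in SUSPECT_MARKERS):
            findings.append(Finding(section, "auto-start from user profile or Temp", line))
        elif not path.startswith(EXPECTED_ROOTS):
            findings.append(Finding(section, "binary outside Windows/Program Files", line))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason:42} {f.line}")
```

The path rules are heuristics, not verdicts: a signed vendor service under Program Files can still be hijacked, and an 8.3 path such as C:\PROGRA~1\COMMON~1\... is normal on XP, so the output is a reading order for the log, not a delete list.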



#2 Armodeluxe (Retired Staff, 2,744 posts)
Hi Xiaoxiao,

That Spy Sweeper detection is a very bad rootkit infection.

Problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

Please post the following log.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

#3 Xiaoxiao (Topic Starter, 19 posts)
Dennis - 06-10-26 20:02:53.75 Service Pack 1
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Dennis\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\paytime.exe
C:\Program Files\Common Files\{301E8AC9-09A2-3081-0715-04101804003d}
C:\Program Files\Common Files\{801E8AC9-09A2-3081-0715-04101804003d}


((((((((((((((((((((((((((((((( Files Created from 2006-09-26 to 2006-10-26 ))))))))))))))))))))))))))))))))))


2006-10-25 12:49 0 --a------ C:\wldkmd.exe
2006-10-25 12:49 0 --a------ C:\uprupo.exe
2006-10-25 12:49 0 --a------ C:\slmjkd.exe
2006-10-25 12:49 0 --a------ C:\qvfgx.exe
2006-10-25 12:49 0 --a------ C:\pglln.exe
2006-10-25 12:49 0 --a------ C:\opyvcu.exe
2006-10-25 12:49 0 --a------ C:\iritrwmg.exe
2006-10-25 12:49 0 --a------ C:\glnp.exe
2006-10-22 15:56 4,608 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2006-10-19 21:58 24,576 --a------ C:\WINDOWS\system32\STKIT432.DLL
2006-10-11 23:32 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2006-10-11 23:32 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2006-10-03 23:38 15,360 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2006-10-03 23:38 14,848 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2006-10-03 23:38 13,824 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2006-10-03 23:38 117,248 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2006-10-26 20:04 -------- d-------- C:\Program Files\Common Files
2006-10-26 16:28 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-10-23 21:36 -------- d-------- C:\Program Files\Warcraft III
2006-10-22 20:25 -------- d-------- C:\Program Files\HJT
2006-10-22 16:02 -------- d-------- C:\Program Files\Symantec
2006-10-22 16:02 -------- d-------- C:\Program Files\Norton Internet Security
2006-10-20 23:40 -------- d-------- C:\Documents and Settings\Dennis\Application Data\Symantec
2006-10-20 23:33 -------- d-------- C:\Program Files\MSN Messenger
2006-10-19 21:58 -------- d-------- C:\Program Files\Registry Mechanic
2006-10-15 11:34 -------- d-------- C:\Program Files\Google
2006-10-15 10:23 -------- d-------- C:\Program Files\Common Files\Skyscape
2006-10-14 18:53 724992 --a------ C:\WINDOWS\iun6002.exe
2006-10-05 12:57 1402 --a------ C:\Documents and Settings\Dennis\Application Data\Cosmos Prefs
2006-10-03 23:11 -------- d-------- C:\Program Files\Webroot
2006-10-03 23:11 -------- d-------- C:\Documents and Settings\Dennis\Application Data\Webroot(2)
2006-10-03 23:11 -------- d-------- C:\Documents and Settings\Dennis\Application Data\Webroot
2006-09-30 20:14 -------- d-------- C:\Program Files\Common Files\Blizzard Entertainment
2006-09-28 21:25 -------- d---s---- C:\Documents and Settings\Dennis\Application Data\Microsoft
2006-09-26 15:46 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-21 21:00 -------- d-------- C:\Program Files\Graphmatica
2006-09-21 16:07 -------- d-------- C:\Documents and Settings\Dennis\Application Data\Design Science
2006-09-21 16:06 -------- d-------- C:\Program Files\MathType
2006-09-14 21:32 -------- d-------- C:\Documents and Settings\Dennis\Application Data\Hamachi
2006-09-14 16:40 -------- d-------- C:\Program Files\Hamachi
2006-09-14 16:39 10578 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2006-09-12 18:10 -------- d-------- C:\Documents and Settings\Dennis\Application Data\IMVU
2006-09-12 18:02 -------- d-------- C:\Program Files\IMVU
2006-09-05 17:40 606848 --a------ C:\WINDOWS\flashax.exe
2006-09-05 17:40 12288 --a------ C:\WINDOWS\impborl.dll
2006-09-05 16:09 -------- d-------- C:\Program Files\DivX
2006-09-04 22:28 -------- d-------- C:\Program Files\Real
2006-09-04 17:08 -------- d-------- C:\Program Files\Merck
2006-09-03 12:14 -------- d-------- C:\Program Files\Common Files\Real
2006-09-03 12:14 -------- d-------- C:\Documents and Settings\Dennis\Application Data\Real
2006-09-03 11:56 -------- d-------- C:\Documents and Settings\Dennis\Application Data\Leadertech
2006-07-27 03:53 2681296 --a------ C:\WINDOWS\system32\ssartworkz_pc.dll
2006-07-27 03:53 104912 --a------ C:\WINDOWS\system32\sszlib_pc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="\"nwiz.exe\" /install"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SSC_UserPrompt"="\"C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe\""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000003

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{9EF34FF2-3396-4527-9D27-04C8C1C67806}"="Microsoft AntiSpyware Service Hook"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Dennis.job

Completion time: 06-10-26 20:05:25.53
C:\ComboFix.txt ... 06-10-26 20:05



Here it is.

Also, I wanted to ask: is there anything I can do in the meantime to slow down its destruction of my PC? I.e., don't use the internet often or something? Thanks.

Oh... another note. I have installed Norton Internet Security again; I found the CD under a whole stack of old stuff... Anyway, I installed it, but since I'm not subscribing anymore, it won't let me update, so even though I have the 2005 version, it's only patched up till December 2004... and after running a scan with Norton... it didn't even pick up anything...
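A triage pass over the "Files Created" and Find3M sections of a ComboFix log, as an added example (my own code, not ComboFix's). It parses the `date time size attrs path` lines, skips directory entries (dashes instead of a size), flags executables that are zero bytes or dropped in the drive root or directly in the Windows directory, groups executables by creation minute so a dropper writing eight payloads at 12:49 stands out, and pulls the driver name out of ComboFix's "Rootkit driver ... is present" notice. The sample is a subset copied from the log above; the thresholds are my own.

```python
"""Triage pass over ComboFix "Files Created" / Find3M lines (added example;
not ComboFix's code).  Each line is  date time size attrs path ; directories
carry dashes instead of a size and are skipped."""
import re
from collections import defaultdict

# Sample copied from the ComboFix log above (a subset), including the
# rootkit notice ComboFix prints between the sections.
SAMPLE_LOG = r"""
2006-10-25 12:49 0 --a------ C:\wldkmd.exe
2006-10-25 12:49 0 --a------ C:\uprupo.exe
2006-10-25 12:49 0 --a------ C:\slmjkd.exe
2006-10-25 12:49 0 --a------ C:\qvfgx.exe
2006-10-25 12:49 0 --a------ C:\pglln.exe
2006-10-25 12:49 0 --a------ C:\opyvcu.exe
2006-10-25 12:49 0 --a------ C:\iritrwmg.exe
2006-10-25 12:49 0 --a------ C:\glnp.exe
2006-10-22 15:56 4,608 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2006-10-19 21:58 24,576 --a------ C:\WINDOWS\system32\STKIT432.DLL
Rootkit driver pe386 is present. A rootkit scan is required
2006-10-26 20:04 -------- d-------- C:\Program Files\Common Files
2006-10-14 18:53 724992 --a------ C:\WINDOWS\iun6002.exe
2006-09-05 17:40 606848 --a------ C:\WINDOWS\flashax.exe
2006-09-05 17:40 12288 --a------ C:\WINDOWS\impborl.dll
"""

ENTRY_RE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>\d[\d,]*)\s+(?P<attrs>\S+)\s+(?P<path>[A-Za-z]:\\.*)$"
)
ROOTKIT_RE = re.compile(r"Rootkit driver (\S+) is present")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")


def parse_entries(text):
    """File entries only; directory lines have no numeric size and are dropped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"stamp": m["stamp"], "size": int(m["size"].replace(",", "")),
                            "attrs": m["attrs"], "path": m["path"]})
    return entries


def rootkit_notice(text):
    """Driver name from ComboFix's 'Rootkit driver X is present' line, or None."""
    m = ROOTKIT_RE.search(text)
    return m.group(1) if m else None


def flag_entries(entries):
    """Per-file reasons: zero-byte executables, executables dropped in the
    drive root or directly in the Windows directory (not a subdirectory)."""
    flagged = []
    for e in entries:
        low = e["path"].lower()
        if not low.endswith(EXEC_EXT):
            continue
        reasons = []
        if e["size"] == 0:
            reasons.append("zero-byte executable")
        if low.count("\\") == 1:
            reasons.append("executable in drive root")
        elif low.startswith("c:\\windows\\") and low.count("\\") == 2:
            reasons.append("executable directly in the Windows directory")
        if reasons:
            flagged.append((e["path"], reasons))
    return flagged


def drop_bursts(entries, min_files=3):
    """Executables created in the same minute: the signature of a dropper
    writing several payloads or decoys in one go."""
    by_minute = defaultdict(list)
    for e in entries:
        if e["path"].lower().endswith(EXEC_EXT):
            by_minute[e["stamp"]].append(e["path"])
    return {stamp: paths for stamp, paths in by_minute.items() if len(paths) >= min_files}


if __name__ == "__main__":
    found = parse_entries(SAMPLE_LOG)
    print("rootkit notice:", rootkit_notice(SAMPLE_LOG))
    for stamp, paths in drop_bursts(found).items():
        print(f"burst at {stamp}: {len(paths)} executables")
    for path, reasons in flag_entries(found):
        print(path, "->", "; ".join(reasons))
```

Zero-byte executables are worth noting even though they cannot run: they are what a cleaner that truncates rather than deletes leaves behind, or placeholders a dropper failed to fill, and either way they date the infection to the minute.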

#4 Armodeluxe (Retired Staff, 2,744 posts)
An antivirus with definitions a year old would not provide any serious protection. I will recommend a few free antivirus programs, you can choose one of them and uninstall Norton, but let's hold off on that until we clean this rootkit.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:

C:\wldkmd.exe
C:\uprupo.exe
C:\slmjkd.exe
C:\qvfgx.exe
C:\pglln.exe
C:\opyvcu.exe
C:\iritrwmg.exe
C:\glnp.exe
C:\WINDOWS\system32\ssartworkz_pc.dll
C:\WINDOWS\system32\sszlib_pc.dll

Drivers to unload:

pe386
msguard
lzx32

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

6. Please post the following log in a separate reply, to make sure the log doesn't get cut off, after performing the steps above.

Scan for Hidden Data Streams
  • Open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "Open ADS Spy.."
  • In ADS Spy, uncheck the following options:
    Quick Scan
    Ignore safe system info streams
  • Click on "Scan"
  • Click on "Save Log..."
  • Copy and paste the List from the notepad into your next post

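What to do with the ADS Spy report that step 6 produces, as an added example (my own code, not ADS Spy's or HijackThis's). ADS Spy prints one stream per line as `path : streamname (N bytes)`, the format visible later in this thread; on a home XP box nearly every line is Explorer's zero-byte Thumbs.db:encryptable marker, and the classifier below files those as noise so that a stream carrying an executable or driver image, or one hanging off a directory instead of a file, is what surfaces. That is the case an alternate-data-stream scan exists for in a rootkit clean-up: the Rustock family this thread deals with was known for keeping its kernel driver as a stream attached to the system32 directory. The sample is constructed: the first two lines follow the Thumbs.db entries posted below, while the Zone.Identifier line and the lzx32.sys line (stream name taken from the Avenger script above, size made up) are hypothetical and only exercise the checks.

```python
"""Classify an ADS Spy report (added example; not ADS Spy's or HijackThis's
code).  ADS Spy prints one stream per line as  path : streamname (N bytes).
Nearly every line on a home XP box is Explorer's zero-byte Thumbs.db:encryptable
marker; what a rootkit helper wants surfaced is a stream that carries an
executable or driver image, or that hangs off a directory instead of a file."""
import re
from pathlib import PureWindowsPath

# Constructed sample: the first two lines follow the Thumbs.db entries in the
# thread; the Zone.Identifier line and the lzx32.sys line (name from the Avenger
# script above, size made up) are hypothetical and only exercise the checks.
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\combofix.exe : Zone.Identifier (26 bytes)
C:\WINDOWS\system32 : lzx32.sys (51,200 bytes)
"""

STREAM_RE = re.compile(r"^(?P<name>.+?) \((?P<size>[\d,]+) bytes\)$")
EXEC_EXT = (".sys", ".exe", ".dll", ".com", ".scr")


def parse_ads_line(line):
    """Split 'path : stream (N bytes)' from the right so a path containing
    ' : ' would still parse."""
    parts = line.strip().rsplit(" : ", 1)
    if len(parts) != 2:
        return None
    m = STREAM_RE.match(parts[1])
    if not m:
        return None
    return {"path": parts[0], "stream": m["name"], "size": int(m["size"].replace(",", ""))}


def classify(entry):
    p = PureWindowsPath(entry["path"])
    stream = entry["stream"].lower()
    # Explorer's thumbnail-cache marker: always 0 bytes on Thumbs.db, noise.
    if stream == "encryptable" and p.name.lower() == "thumbs.db" and entry["size"] == 0:
        return "benign"
    # IE's "downloaded from the Internet" mark on a file; tiny by design.
    if stream == "zone.identifier" and entry["size"] < 1024:
        return "benign"
    if stream.endswith(EXEC_EXT):
        return "suspicious: executable or driver image stored as a stream"
    if not p.suffix:  # host has no extension: treat it as a directory stream
        return "suspicious: stream attached to a directory"
    return "review"


def triage_ads(report_text):
    """(path, stream, size, verdict) for every parseable line, in report order."""
    results = []
    for line in report_text.splitlines():
        entry = parse_ads_line(line)
        if entry:
            results.append((entry["path"], entry["stream"], entry["size"], classify(entry)))
    return results


if __name__ == "__main__":
    for path, stream, size, verdict in triage_ads(SAMPLE_REPORT):
        if verdict != "benign":
            print(f"{verdict}: {path}:{stream} ({size} bytes)")
```

One caveat a practitioner would add: ADS Spy runs in user mode on the live system, and a kernel rootkit that hooks file and stream enumeration can hide its own stream from it, so a clean report on a box that ComboFix has already flagged for pe386 is weaker evidence than a hit would be.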

#5 Xiaoxiao (Topic Starter, 19 posts)
Upon reboot, the thingy came up but didn't go away, so I was stuck with a PC with no way to do anything, as Explorer etc. had not loaded.

So I pressed Ctrl+Alt+Del, logged myself off again, re-logged in, and this thing came up:

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Error: could not create zip file.
Error code: 0

I'm gonna give this another go... not sure if I should... but gonna do it anyway... lol, hope this doesn't make things worse.

#6 Xiaoxiao (Topic Starter, 19 posts)
Erm... I just realised, before it restarted, Spy Sweeper came up and said something was altered in my startup list; I didn't allow it there... there were 2 things, so I'm doing it again, letting it through Spy Sweeper this time.

YAY, success. It worked this time.

The first time I logged in, it didn't do anything with the cmd thingy; the computer just sat there... after waiting around 10 mins I closed it, pressed Ctrl+Alt+Del and did "new task: explorer", and there wasn't a 2nd restart like you told me about... and the cmd prompt thing flashed up and closed itself, but it then said something about not being able to save avenger.txt... so what to do now?

Inside the two zips, there was not a single file...

I still have the two empty backup zips, and everything it said before.... Should I do a Spy Sweeper scan again? I think it removed those files you asked Avenger to delete for me before... (those files, the .exe ones, are clearly visible in the C drive.... quite obvious that they are suss...) but I'm not going to do anything else now... 'cause you're the boss :blink:.

Here is another HJT log though:

Logfile of HijackThis v1.99.1
Scan saved at 10:57:51 PM, on 26/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CAP3RSK.EXE
C:\WINDOWS\asuskbservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: YDragSearch - {62EED7C6-9F02-42f9-B634-98E2899E147B} - blank (file missing)
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: update wnwb - {ED8DFC5C-10EF-45AB-9DC2-0639AFF5A270} - C:\PROGRA~1\COMMON~1\Wnwb\wnwbio.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Canon LASER SHOT LBP-1120 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Quick Search (Yisou.com) - res://C:\WINDOWS\DOWNLO~1\CnsMinEx.dll/1003
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1141179784968
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ASUSKeyboardService - ASUSTeK COMPUTER INC. - C:\WINDOWS\asuskbservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: %NVSVC.name% (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


And here is that extra thingy you asked of me:

C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Anemations\Movies\Teachers Pet\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Anemations\MPEGS\Behind Closed Doors\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Anemations\MPEGS\Doctor\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Anemations\MPEGS\Immoral Sisters\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Anemations\MPEGS\Immorality\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Anemations\MPEGS\J\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Anemations\MPEGS\Link\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Anemations\MPEGS\Mezzo Forte\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Anemations\MPEGS\mov sl\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Anemations\MPEGS\Mum\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Anemations\MPEGS\Night Shift Nurses\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Anemations\MPEGS\Nsn\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Anemations\MPEGS\op1 Charm\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Anemations\MPEGS\op1 mid\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Anemations\MPEGS\op1 shell\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Anemations\MPEGS\op1 shell2\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Anemations\MPEGS\op2 shell\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Anemations\MPEGS\op2 shell2\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Anemations\MPEGS\op3 mid\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Anemations\MPEGS\op3 shell\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Anemations\MPEGS\op3 shell2\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Anemations\MPEGS\op4 shell\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Anemations\MPEGS\op4 shell2\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Anemations\MPEGS\Private Sessions\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Anemations\MPEGS\Red Head\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Anemations\MPEGS\Resurection\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Anemations\MPEGS\Slave Nurses\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Anemations\MPEGS\Thief Caught\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Anemations\MPEGS\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Anemations\Real\1\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Anemations\Real\Mike In Brazil\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Anemations\Real\Unseen\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Anemations\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\A\A One\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\A\A Three\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\A\A Two\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\A Justice\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\ADC\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Anegai\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Aneto\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Angel Pain\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Beri Beri\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Blue Eyes\1\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Bondage Faries\Bondage Faries 1\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Bondage Faries\Bondage Faries 2\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Bondage Faries\Bondage Faries 5\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Boy Soprano\1\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Boy Soprano\2\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Boy Soprano\3\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Boy Soprano\4\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Boy Soprano\5\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Boy Soprano\6\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Boy Soprano\7\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Boy Soprano\8\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Boy Soprano\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Chobits Chiibits 2\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Co-Ed\Co Ed 4\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Co-Ed\Co Ed 5\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Co-Ed\Co Ed 7\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Co-Ed\Co Ed 8\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Co-Ed\Co-Ed 10\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Co-Ed\Co-Ed 2\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Co-Ed\Co-Ed 3\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Co-Ed\Co-Ed 6\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Co-Ed\Co_Ed 1\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Crazy Cover Club\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Dangerous Neigbors\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Dark Althena\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Detective in Danger\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\dot hack nightmare\hack 2\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Dynasty Warriors In Sangoku Musou - Rikuson Gaiden\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Dynasty Warriors In Sangoku Musou 2\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Evangelion forces\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Examination\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Exibition\3\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Exibition\4\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Exibition\5\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Exibition\6\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Exibition\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Extra\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\FJIII Factory\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Gachinko\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\GOS\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Happy Smile\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Hermet\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Hot Tails\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Imouto\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Kienokoru\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\King of Fighters The Yuri & Friends Mai Special\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Last Children\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Left Eye\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Mother\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Mujin 2000\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Naruto Sakura Lock On!\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Naruto Sakuraan\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Neon Genesis Evangelion Ayanami Student Compilation\1\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Neon Genesis Evangelion Ayanami Student Compilation\2\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Neon Genesis Evangelion Ayanami Student Compilation\3\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Neon Genesis Evangelion Ayanami Student Compilation\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Noir\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Non - English\Aerial\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Non - English\Angel Crown\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Non - English\Dojin 1\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Non - English\Dojin 2\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Non - English\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Office Lady Special\2\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Office Lady Special\3\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Office Lady Special\4\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Office Lady Special\5\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Office Lady Special\6\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Office Lady Special\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Onna Nokodoushi Gaichachasuru\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Overflow\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Perscription\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Reiko\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Right Here\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Sakaki Manga Daioh\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Sakurasaku Heisei Juu Nananen\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Secret Plot\Secret Plot 1\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Secret Plot\Secret Plot 2\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Secret Plot\Secret Plot 3\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Secret Plot\Secret Plot 4\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Secret Plot\Secret Plot 5\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Secret Plot\Secret Plot 6\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Secret Plot\Secret Plot 8\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Secret Plot Deep\5\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Secret Plot Deep\6\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Shinwasu No Okina\1\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Shinwasu No Okina\2\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Shinwasu No Okina\3\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Shinwasu No Okina\4\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Shinwasu No Okina\5\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Shinwasu No Okina\6\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Soyo Soyo\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\SP4\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Stul Girl\1\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Stul Girl\2\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Stul Girl\3\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Stul Girl\4\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Stul Girl\5\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Stul Girl\6\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Super Taboo\Super Taboo\1\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Super Taboo\Super Taboo\2\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Super Taboo\Super Taboo\3\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Super Taboo\Super Taboo\4\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Super Taboo\Super Taboo\5\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Super Taboo\Super Taboo\6\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Super Taboo\Super Taboo\7\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Super Taboo\Super Taboo\8\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Super Taboo\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Survivor\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Take On Me\1\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Techno Pans\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\The Worst Mistake\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Vandread\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Voice Of Submission\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Comics\Yuri And Friends 3\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Picutres\Angels\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Picutres\Animations\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Picutres\Anime Chicks\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Picutres\Bish J\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Picutres\Kazaa\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Picutres\Nudes\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\Desktop\Anime\Picutres\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\My Music\Anime\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\My Pictures\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\My Pictures\Wallpapers\Kakashi\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\My Pictures\Wallpapers\Screensavers\Anime Girls\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\My Pictures\Wallpapers\Screensavers\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\My Pictures\Wallpapers\Temari\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\My Pictures\Wallpapers\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\My Received Files\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\My Unused Files\My Report\Report.zip : SummaryInformation (88 bytes)
C:\Documents and Settings\Dennis\My Documents\My Unused Files\My Report\Report.zip : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes)
C:\Documents and Settings\Dennis\My Documents\My Unused Files\My Report\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\My Unused Files\New Folder\Green Green Game Gallery\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\My Unused Files\New Folder\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\My Unused Files\Picture\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Wei-Jing\New Folder\130305\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Wei-Jing\New Folder\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Wei-Jing\New Folder\đ-˘ż+-+¦+đ\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Wei-Jing\New Folder\đ-˘ż+-+¦+đ (2)\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Wei-Jing\Pictures\Anime Girls\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Wei-Jing\Pictures\Battle Angels\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Wei-Jing\Pictures\DNA2\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Wei-Jing\Pictures\dot hack the legend of the twilight bracelet\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Wei-Jing\Pictures\Evangelion\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Wei-Jing\Pictures\FAVS\A One\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Wei-Jing\Pictures\FAVS\A Three\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Wei-Jing\Pictures\FAVS\A Two\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Wei-Jing\Pictures\FAVS\ADC\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Wei-Jing\Pictures\FAVS\anemations\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Wei-Jing\Pictures\FAVS\Angel Pain\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Wei-Jing\Pictures\FAVS\Crazy Cover Club\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Wei-Jing\Pictures\FAVS\Dark Althena\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Wei-Jing\Pictures\FAVS\Extra\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Wei-Jing\Pictures\FAVS\Happy Smile\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Wei-Jing\Pictures\FAVS\Hermet\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Wei-Jing\Pictures\FAVS\Kienokoru\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Wei-Jing\Pictures\FAVS\Survivor\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Wei-Jing\Pictures\FAVS\Techno Pans\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Wei-Jing\Pictures\FAVS\Yuri And Friends 3\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Wei-Jing\Pictures\Get Backers\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Wei-Jing\Pictures\Hikaru No Go\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Wei-Jing\Pictures\Hunter X Hunter\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Wei-Jing\Pictures\inuyasha\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Wei-Jing\Pictures\Nadesico\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Wei-Jing\Pictures\Naruto\Misc\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Wei-Jing\Pictures\Naruto\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Wei-Jing\Pictures\Naruto\Wall Papers\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Wei-Jing\Pictures\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Wei-Jing\Pictures\wallpapers\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Wei-Jing\Scores From Anime\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\Wei-Jing\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Lynn\My Documents\My Pictures\Thumbs.db : encryptable (0 bytes)
C:\Program Files\Warcraft III\Maps\Campaigns\Thumbs.db : encryptable (0 bytes)
C:\WINDOWS\system32 : lzx32.sys (69500 bytes)
C:\WINDOWS\system32 : lzx32.sys (69500 bytes)
D:\CloneDVDTemp\Thumbs.db : encryptable (0 bytes)


Also, I probably won't be able to do much tomorrow since I work late Friday evenings. Hopefully I might get time to do something though.

Err... I found a thing in the HJT folder called Killbox or something... I tried to use that thingy to get rid of the files; there's the log file:

C:\glnp.exe
File Was Deleted
C:\iritrwmg.exe
File Was Deleted
C:\opyvcu.exe
File Was Deleted
C:\pglln.exe
File Was Deleted
C:\qvfgx.exe
File Was Deleted
C:\slmjkd.exe
File Was Deleted
C:\uprupo.exe
File Was Deleted
C:\wldkmd.exe
File Was Deleted
C:\uniq
File Was Deleted
Don't know if it was really taken care of or not though... might have made more trouble for you. Sorry! But as they say, curiosity kills the cat... (damn, I've got terrible spelling)

Edited by Xiaoxiao, 26 October 2006 - 07:12 AM.

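The listing in the post above has one entry per alternate data stream, in the form `<host path> : <stream name> (<N> bytes)`. Almost all of it is the zero-byte `encryptable` stream Windows attaches to every Thumbs.db, which is why the 69500-byte `lzx32.sys` stream hanging off the `C:\WINDOWS\system32` directory stands out. The triage script below is an added example, not part of the thread or of any tool used in it: it parses lines in that format and flags streams named like executables, streams attached to a directory rather than a file, and unknown non-empty streams. The sample listing reuses a few lines from the post plus one constructed `Zone.Identifier` line for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One listing line: "<host path> : <stream name> (<N> bytes)"
LINE_RE = re.compile(r"^(?P<host>.+?) : (?P<stream>.+?) \((?P<size>\d+) bytes\)\s*$")

# Stream names Windows itself creates; these are noise in an ADS listing.
BENIGN_STREAMS = {
    "encryptable",                 # 0-byte stream on every Thumbs.db
    "SummaryInformation",          # file Summary-tab properties
    "DocumentSummaryInformation",
    "Zone.Identifier",             # download-origin marker
    "{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}",  # property-set stream, seen beside SummaryInformation
}
# A stream named like a driver or program is a classic place to park hidden code.
EXECUTABLE_EXT = (".sys", ".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs")


@dataclass
class AdsEntry:
    host: str
    stream: str
    size: int

    def host_looks_like_directory(self) -> bool:
        # Offline heuristic: the last path component carries no extension.
        last = self.host.rstrip("\\").rsplit("\\", 1)[-1]
        return "." not in last


def parse_ads_listing(text: str) -> List[AdsEntry]:
    """Parse every well-formed line; anything else (blank lines, chatter) is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(AdsEntry(m["host"], m["stream"], int(m["size"])))
    return entries


def triage(entry: AdsEntry) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a stream worth a look, or None if it is noise."""
    if entry.stream.lower().endswith(EXECUTABLE_EXT):
        where = "a directory" if entry.host_looks_like_directory() else "a file"
        return "HIGH", f"executable-named stream ({entry.size} bytes) attached to {where}"
    if entry.stream in BENIGN_STREAMS:
        return None
    if entry.host_looks_like_directory():
        return "MEDIUM", "unknown stream attached to a directory"
    if entry.size > 0:
        return "MEDIUM", f"unknown stream name with {entry.size} bytes of data"
    return None  # unknown but empty: nothing can be hiding in it


def suspicious_streams(text: str) -> List[Tuple[str, str, str, str]]:
    """Flagged (severity, host, stream, reason) tuples, de-duplicated, HIGH first."""
    found, seen = [], set()
    for e in parse_ads_listing(text):
        if (e.host, e.stream) in seen:
            continue  # the listing above reports the same stream twice
        seen.add((e.host, e.stream))
        verdict = triage(e)
        if verdict:
            found.append((verdict[0], e.host, e.stream, verdict[1]))
    found.sort(key=lambda f: 0 if f[0] == "HIGH" else 1)
    return found


# Constructed sample: a few lines copied from the listing above, plus one invented
# Zone.Identifier line (a benign download marker) to show it is not flagged.
SAMPLE_LISTING = r"""
C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Thumbs.db : encryptable (0 bytes)
C:\Documents and Settings\Dennis\My Documents\My Unused Files\My Report\Report.zip : SummaryInformation (88 bytes)
C:\Documents and Settings\Dennis\My Documents\My Unused Files\My Report\Report.zip : {4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (0 bytes)
C:\Documents and Settings\Dennis\My Documents\My Received Files\setup.exe : Zone.Identifier (26 bytes)
C:\WINDOWS\system32 : lzx32.sys (69500 bytes)
C:\WINDOWS\system32 : lzx32.sys (69500 bytes)
D:\CloneDVDTemp\Thumbs.db : encryptable (0 bytes)
"""

if __name__ == "__main__":
    for sev, host, stream, why in suspicious_streams(SAMPLE_LISTING):
        print(f"[{sev}] {host} : {stream}  <- {why}")
```

Run against the full listing, the script reduces a few hundred Thumbs.db lines to the single system32 entry, which is the one a responder would ask about next.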

#7
Armodeluxe

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Let's try another tool.

Please run a GMER Rootkit scan:

Download GMER from here:
http://www.gmer.net/gmer.zip

Unzip it to the desktop and start GMER.exe
Click the Rootkit tab and click the Scan button.

Warning! Please do not select the "Show all" checkbox during the scan.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results here in your next reply.

If you're having problems running GMER.exe, try unchecking "Devices" from the list on the right when you get to the Rootkit tab. Also you can try it in safe mode. This tool works in safe mode; most other rootkit revealers don't.

#8
Xiaoxiao

Xiaoxiao

    Member

  • Topic Starter
  • Member
  • 19 posts
Yay... work ended early today.

OK, I've done what you asked.

Erm, just another report: my Norton once again has its antivirus option disabled, and I'm unable to turn it back on; it says an internal error... Same thing happened last time when the virus infected my computer.

GMER 1.0.11.11390 - http://www.gmer.net
Rootkit 2006-10-27 23:27:44
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.11 ----

SSDT 82F3A220 ZwAllocateVirtualMemory
SSDT a347bus.sys ZwClose
SSDT 82D9B270 ZwConnectPort
SSDT 82FB2380 ZwCreateKey
SSDT a347bus.sys ZwCreatePagingFile
SSDT 82F6DE78 ZwCreateProcess
SSDT 82FD31E8 ZwCreateProcessEx
SSDT 82FB1400 ZwCreateThread
SSDT 82FCF6C0 ZwDeleteKey
SSDT 82FE80D8 ZwDeleteValueKey
SSDT a347bus.sys ZwEnumerateKey
SSDT a347bus.sys ZwEnumerateValueKey
SSDT a347bus.sys ZwOpenFile
SSDT a347bus.sys ZwOpenKey
SSDT 82C62200 ZwOpenProcess
SSDT 82A692B0 ZwOpenThread
SSDT a347bus.sys ZwQueryKey
SSDT a347bus.sys ZwQueryValueKey
SSDT 82F3A298 ZwQueueApcThread
SSDT 82F3A130 ZwReadVirtualMemory
SSDT 82FB20F8 ZwRenameKey
SSDT 82F3A388 ZwSetContextThread
SSDT 82FA6238 ZwSetInformationKey
SSDT 82F941F0 ZwSetInformationProcess
SSDT 82F3A400 ZwSetInformationThread
SSDT a347bus.sys ZwSetSystemPowerState
SSDT 82F90118 ZwSetValueKey
SSDT 82FB1478 ZwSuspendProcess
SSDT 82F3A310 ZwSuspendThread
SSDT 82FD0020 ZwTerminateProcess
SSDT 82F3A478 ZwTerminateThread
SSDT 82F3A1A8 ZwWriteVirtualMemory

---- Devices - GMER 1.0.11 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 82F87B88
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_READ 825C15D0
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE 82C8AA80
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE 82C8AA08
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE 82C8A990
Device \Driver\Tcpip \Device\Ip IRP_MJ_READ 82C8A918
Device \Driver\Tcpip \Device\Ip IRP_MJ_WRITE 82C8A8A0
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION 82C8A828
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION 82C8A7B0
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA 82C8A738
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA 82C8A6C0
Device \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS 82C8A648
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION 82C8A5D0
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION 82C8A558
Device \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL 82C8A4E0
Device \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL 82C8A468
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL 82C8A3F0
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL 82C8A378
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN 82C8A300
Device \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL 82C8A288
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP 82C8A210
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT 82C89020
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY 82C89FA8
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY 82C89F30
Device \Driver\Tcpip \Device\Ip IRP_MJ_POWER 82C89EB8
Device \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL 82C89E40
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE 82C89DC8
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA 82C89D50
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA 82C89CD8
Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP 82C89C60
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE 82C8AA80
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE 82C8AA08
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE 82C8A990
Device \Driver\Tcpip \Device\Tcp IRP_MJ_READ 82C8A918
Device \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE 82C8A8A0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION 82C8A828
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION 82C8A7B0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA 82C8A738
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA 82C8A6C0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS 82C8A648
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION 82C8A5D0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION 82C8A558
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL 82C8A4E0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL 82C8A468
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL 82C8A3F0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL 82C8A378
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN 82C8A300
Device \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL 82C8A288
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP 82C8A210
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT 82C89020
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY 82C89FA8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY 82C89F30
Device \Driver\Tcpip \Device\Tcp IRP_MJ_POWER 82C89EB8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL 82C89E40
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE 82C89DC8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA 82C89D50
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA 82C89CD8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP 82C89C60
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 82F84580

---- Modules - GMER 1.0.11 ----

Module _________ F7415000


It kinda froze at this point...

Well, not froze, but it just stopped showing more stuff in the log for like a whole 10 mins or so... it was still checking and stuff 'cause the thingy at the bottom was flashing with file addresses, but it didn't go down anymore... I gotta go today... I'm going to try again tomorrow, maybe.
  • 0

#9
Armodeluxe
    Member 2k
  • Retired Staff
  • 2,744 posts
Yes, give it one more try, and when you do, uncheck Devices from the list on the right; I've seen that section already.
  • 0

#10
Armodeluxe
    Member 2k
  • Retired Staff
  • 2,744 posts
Xiaoxiao,

Hold back on the GMER for now. There is a brand new removal tool made for this infection, let's try that out.

But first please disable Spysweeper temporarily, I don't want it to interfere with the fix.

To disable SpySweeper Shields
  • Open SpySweeper.
  • Click > Options over to the left then > click the Program tab > Uncheck "Start Spy Sweeper at Windows startup".
  • Click Shield Settings on the right
    (or Shields on the left, depending what screen you're on).
  • Click Internet Explorer and uncheck all items.
  • Click Windows System and uncheck all items.
  • Click Hosts File and uncheck all items.
  • Click Startup Programs and uncheck all items.
  • Close SpySweeper.

Then,

Download
http://www.uploads.e...et/rustbfix.exe
...and save it to your desktop.

Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles along with a new HijackThis log.
  • 0


#11
Xiaoxiao
    Member
  • Topic Starter
  • Member
  • 19 posts
Once again the modules bit didn't load properly; this is what it got to before it stopped.

GMER 1.0.11.11390 - http://www.gmer.net
Rootkit 2006-10-28 23:33:58
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.11 ----

SSDT 82F8FE40 ZwAllocateVirtualMemory
SSDT a347bus.sys ZwClose
SSDT 82D75F80 ZwConnectPort
SSDT 82FE9380 ZwCreateKey
SSDT a347bus.sys ZwCreatePagingFile
SSDT 82F75FA8 ZwCreateProcess
SSDT 82FAFD50 ZwCreateProcessEx
SSDT 82F92308 ZwCreateThread
SSDT 82F90350 ZwDeleteKey
SSDT 82FE71B8 ZwDeleteValueKey
SSDT a347bus.sys ZwEnumerateKey
SSDT a347bus.sys ZwEnumerateValueKey
SSDT a347bus.sys ZwOpenFile
SSDT a347bus.sys ZwOpenKey
SSDT 82C63490 ZwOpenProcess
SSDT 82C831F0 ZwOpenThread
SSDT a347bus.sys ZwQueryKey
SSDT a347bus.sys ZwQueryValueKey
SSDT 82F8FEB8 ZwQueueApcThread
SSDT 82F8FD50 ZwReadVirtualMemory
SSDT 82F757D0 ZwRenameKey
SSDT 82F8FFA8 ZwSetContextThread
SSDT 82F75460 ZwSetInformationKey
SSDT 82FD2238 ZwSetInformationProcess
SSDT 82F8F020 ZwSetInformationThread
SSDT a347bus.sys ZwSetSystemPowerState
SSDT 82F75C18 ZwSetValueKey
SSDT 82F92380 ZwSuspendProcess
SSDT 82F8FF30 ZwSuspendThread
SSDT 82F91328 ZwTerminateProcess
SSDT 82F92290 ZwTerminateThread
SSDT 82F8FDC8 ZwWriteVirtualMemory

---- Modules - GMER 1.0.11 ----

Module _________ F7415000


Erm, this might be because I haven't restarted my comp after I disabled Spysweeper... I'll try that tomorrow (so sorry, but Fridays and Saturdays are very busy days for me; the rest of the week I'll have plenty more time).

Anyway, I disabled Spysweeper's IE options, but I can't find the Windows options, so I just disabled the whole thing. (BTW, does it matter if I use Mozilla or not? Hope it doesn't matter much.)

I am doing the rust thingy now... hopefully it's going to be fine :whistling:
  • 0

#12
Xiaoxiao
    Member
  • Topic Starter
  • Member
  • 19 posts
Once again the modules bit didn't load properly; this is what it got to before it stopped.

GMER 1.0.11.11390 - http://www.gmer.net
Rootkit 2006-10-28 23:33:58
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.11 ----

SSDT 82F8FE40 ZwAllocateVirtualMemory
SSDT a347bus.sys ZwClose
SSDT 82D75F80 ZwConnectPort
SSDT 82FE9380 ZwCreateKey
SSDT a347bus.sys ZwCreatePagingFile
SSDT 82F75FA8 ZwCreateProcess
SSDT 82FAFD50 ZwCreateProcessEx
SSDT 82F92308 ZwCreateThread
SSDT 82F90350 ZwDeleteKey
SSDT 82FE71B8 ZwDeleteValueKey
SSDT a347bus.sys ZwEnumerateKey
SSDT a347bus.sys ZwEnumerateValueKey
SSDT a347bus.sys ZwOpenFile
SSDT a347bus.sys ZwOpenKey
SSDT 82C63490 ZwOpenProcess
SSDT 82C831F0 ZwOpenThread
SSDT a347bus.sys ZwQueryKey
SSDT a347bus.sys ZwQueryValueKey
SSDT 82F8FEB8 ZwQueueApcThread
SSDT 82F8FD50 ZwReadVirtualMemory
SSDT 82F757D0 ZwRenameKey
SSDT 82F8FFA8 ZwSetContextThread
SSDT 82F75460 ZwSetInformationKey
SSDT 82FD2238 ZwSetInformationProcess
SSDT 82F8F020 ZwSetInformationThread
SSDT a347bus.sys ZwSetSystemPowerState
SSDT 82F75C18 ZwSetValueKey
SSDT 82F92380 ZwSuspendProcess
SSDT 82F8FF30 ZwSuspendThread
SSDT 82F91328 ZwTerminateProcess
SSDT 82F92290 ZwTerminateThread
SSDT 82F8FDC8 ZwWriteVirtualMemory

---- Modules - GMER 1.0.11 ----

Module _________ F7415000


Erm, this might be because I haven't restarted my comp after I disabled Spysweeper... I'll try that tomorrow (so sorry, but Fridays and Saturdays are very busy days for me; the rest of the week I'll have plenty more time).

Anyway, I disabled Spysweeper's IE options, but I can't find the Windows options, so I just disabled the whole thing. (BTW, does it matter if I use Mozilla or not? Hope it doesn't matter much.)

And as for the rust.exe... it says this:

************************* Rustock.b-fix -- By ejvindh *************************
Sat 28/10/2006 23:37:49.90


No Rustock.b-rootkits found


******************************* End of Logfile ********************************


Tomorrow I'll scan my comp with Spysweeper in safe mode again, and run rust.exe in safe mode as well... but I'm pretty sure my PC is still acting funny :whistling:
  • 0

#13
Xiaoxiao
    Member
  • Topic Starter
  • Member
  • 19 posts
Here is another try at the thingy...

GMER 1.0.11.11390 - http://www.gmer.net
Rootkit 2006-10-29 13:56:07
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.11 ----

SSDT 82F8FE40 ZwAllocateVirtualMemory
SSDT a347bus.sys ZwClose
SSDT 82C8ACF0 ZwConnectPort
SSDT 82FE9380 ZwCreateKey
SSDT a347bus.sys ZwCreatePagingFile
SSDT 82F75FA8 ZwCreateProcess
SSDT 82FAFD50 ZwCreateProcessEx
SSDT 82F92308 ZwCreateThread
SSDT 82F90350 ZwDeleteKey
SSDT 82FE71B8 ZwDeleteValueKey
SSDT a347bus.sys ZwEnumerateKey
SSDT a347bus.sys ZwEnumerateValueKey
SSDT a347bus.sys ZwOpenFile
SSDT a347bus.sys ZwOpenKey
SSDT 82C39200 ZwOpenProcess
SSDT 82C5EB08 ZwOpenThread
SSDT a347bus.sys ZwQueryKey
SSDT a347bus.sys ZwQueryValueKey
SSDT 82F8FEB8 ZwQueueApcThread
SSDT 82F8FD50 ZwReadVirtualMemory
SSDT 82F757D0 ZwRenameKey
SSDT 82F8FFA8 ZwSetContextThread
SSDT 82F75460 ZwSetInformationKey
SSDT 82FD2238 ZwSetInformationProcess
SSDT 82F8F020 ZwSetInformationThread
SSDT a347bus.sys ZwSetSystemPowerState
SSDT 82F75C18 ZwSetValueKey
SSDT 82F92380 ZwSuspendProcess
SSDT 82F8FF30 ZwSuspendThread
SSDT 82F91328 ZwTerminateProcess
SSDT 82F92290 ZwTerminateThread
SSDT 82F8FDC8 ZwWriteVirtualMemory

---- Modules - GMER 1.0.11 ----

Module _________ F7415000

---- Processes - GMER 1.0.11 ----

Library C:\Program (*** hidden *** ) @ C:\WINDOWS\explorer.exe [344] 0x6AF30000

---- Files - GMER 1.0.11 ----

ADS ...

---- EOF - GMER 1.0.11 ----


At the end of the thing it said something about a rootkit or something... the entire scan took over 2 hours o.O
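As an added example (not code from the post, from GMER, or from the forum's helpers), here is a small Python triage script for the GMER log format shown above. It separates SSDT hooks that GMER attributed to a named driver file (a347bus.sys in this log, which at least points at a file on disk that can be checked) from hooks that point at a bare kernel address with no loaded driver claiming them, lists module entries GMER could not name (printed as underscores), and pulls out the objects GMER marked as hidden, such as the library it reported inside explorer.exe. The excerpt it parses is a constructed subset of the log in the post; the grouping of Zw* services into process/thread/memory/registry categories is my own rough classification, not GMER's.

```python
"""Triage a GMER 1.0.11 text log: which SSDT entries are hooked, by what, and what
GMER flagged as hidden.  Added example; not part of the forum thread or of GMER."""
import re
from collections import defaultdict

# Constructed excerpt in the layout GMER 1.0.11 prints (subset of the log in the post).
SAMPLE_GMER_LOG = r"""
GMER 1.0.11.11390 - http://www.gmer.net
Rootkit 2006-10-29 13:56:07
Windows 5.1.2600 Service Pack 1

---- System - GMER 1.0.11 ----

SSDT 82F8FE40 ZwAllocateVirtualMemory
SSDT a347bus.sys ZwClose
SSDT 82F75FA8 ZwCreateProcess
SSDT a347bus.sys ZwOpenFile
SSDT 82C39200 ZwOpenProcess
SSDT 82F75C18 ZwSetValueKey
SSDT 82F91328 ZwTerminateProcess
SSDT 82F8FDC8 ZwWriteVirtualMemory

---- Modules - GMER 1.0.11 ----

Module _________ F7415000

---- Processes - GMER 1.0.11 ----

Library C:\Program (*** hidden *** ) @ C:\WINDOWS\explorer.exe [344] 0x6AF30000

---- Files - GMER 1.0.11 ----

ADS ...

---- EOF - GMER 1.0.11 ----
"""

SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)$")
MODULE_RE = re.compile(r"^Module\s+(\S+)\s+([0-9A-Fa-f]{8})$")
HIDDEN_RE = re.compile(
    r"^(Library|Process)\s+(.+?)\s*\(\*\*\* hidden \*\*\* \)\s*@\s*(.+?)\s*\[(\d+)\]")
KERNEL_ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# My own rough grouping of the hooked services, to show what a hook set controls.
SERVICE_GROUPS = {
    "process": ("ZwOpenProcess", "ZwCreateProcess", "ZwCreateProcessEx",
                "ZwTerminateProcess", "ZwSuspendProcess", "ZwSetInformationProcess"),
    "thread": ("ZwOpenThread", "ZwCreateThread", "ZwTerminateThread", "ZwSuspendThread",
               "ZwSetContextThread", "ZwQueueApcThread", "ZwSetInformationThread"),
    "memory": ("ZwAllocateVirtualMemory", "ZwReadVirtualMemory", "ZwWriteVirtualMemory"),
    "registry": ("ZwCreateKey", "ZwDeleteKey", "ZwDeleteValueKey", "ZwSetValueKey",
                 "ZwRenameKey", "ZwSetInformationKey", "ZwOpenKey", "ZwQueryKey",
                 "ZwQueryValueKey", "ZwEnumerateKey", "ZwEnumerateValueKey"),
}


def parse_gmer(text):
    """Return SSDT hooks, nameless kernel modules and hidden objects from a GMER log."""
    result = {"ssdt": [], "nameless_modules": [], "hidden": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            result["ssdt"].append((m.group(1), m.group(2)))  # (owner, hooked service)
            continue
        m = MODULE_RE.match(line)
        if m and set(m.group(1)) == {"_"}:  # GMER prints underscores for an unreadable name
            result["nameless_modules"].append(m.group(2))
            continue
        m = HIDDEN_RE.match(line)
        if m:
            result["hidden"].append({"kind": m.group(1), "path": m.group(2),
                                     "host": m.group(3), "pid": int(m.group(4))})
    return result


def triage(parsed):
    """Split hooks into ones GMER attributed to a driver file and ones that point at a
    bare kernel address that no loaded driver claims, then summarise the oddities."""
    named, unattributed = defaultdict(list), []
    for owner, service in parsed["ssdt"]:
        (unattributed if KERNEL_ADDR_RE.match(owner) else named[owner]).append(service)
    groups = {g: sorted(s for s in unattributed if s in svcs)
              for g, svcs in SERVICE_GROUPS.items()}
    return {
        "named_hookers": dict(named),
        "unattributed_hooks": sorted(unattributed),
        "unattributed_by_group": {g: s for g, s in groups.items() if s},
        "nameless_modules": parsed["nameless_modules"],
        "hidden": parsed["hidden"],
        "suspicious": bool(unattributed or parsed["hidden"] or parsed["nameless_modules"]),
    }


if __name__ == "__main__":
    for key, value in triage(parse_gmer(SAMPLE_GMER_LOG)).items():
        print(f"{key}: {value}")
```

On a real log the hooks owned by a bare address are the ones to chase: a legitimate driver that hooks the SSDT is at least attributable to a file on disk whose publisher and signature can be checked, whereas hooking code that no module claims, combined with a hidden library inside explorer.exe, is the pattern a user-mode-hiding rootkit leaves. The script only flags; it does not decide what is malicious.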

#14 Armodeluxe (Retired Staff, Member 2k, 2,744 posts)
Are you still getting detection from Spysweeper?

#15 Xiaoxiao (Topic Starter, Member, 19 posts)

Hi.

I have noticed that the virus/malware is triggered by MSN: whenever I open MSN and log into my account, I get lots and lots of popups. After that, even when I restart my PC, it's still the same, so I need to go into safe mode to maintain some control. Here's the log I got:

Spy Sweeper will provide you with detailed information about the operations being performed in this area.
Program Version 5.0.7.1608 Using Spyware Definitions 783

To ensure proper removal of spyware, adware and other unwanted items, be sure to close any programs that are open.
Your Sweep Options indicate the following will be swept:
Drives: A: C: D: E: F: G:
Also sweeping: Memory, Cookies, Registry, All Folders
Adware found: zquest
Spy Cookie found: searchingbooth cookie
Spy Cookie found: exitexchange cookie
Spy Cookie found: top-banners cookie
Spy Cookie found: revenue.net cookie
Adware found: look2me
Adware found: dollarrevenue
Trojan Horse found: trojan-dh
Adware found: deskwizz
Adware found: command
Trojan Horse found: trojan-backdoor-rustock
Adware found: deluxecommunications
Trojan Horse found: trojan-downloader-ac2
Full Sweep has completed. Elapsed time 00:26:03
Traces Found: 29

After this, I rebooted and rescanned, and it picked up nothing at all. However, after opening MSN and logging in, the same thing occurred, so I went back to safe mode and did another scan, and the same thing happened as above: the same adware and trojans again. So I have now uninstalled MSN from the Add/Remove Programs section. I've tried using the rustbfix.exe thingy again, with the same result as last time (though I regret not running it during the times that I actually opened MSN, when my computer was actually playing up). Please help!

I have also run a registry cleaner called "Registry Mechanic", which picked up nothing major. Spy Sweeper is still disabled as you asked; however, in Windows Task Manager, under Processes, there is still a process named spysweeper.exe, which is under the SYSTEM user. It's using 00 CPU and 6292K of memory... I don't know how to get rid of that, as when I try to end the process it says "Operation cannot be completed. Access is denied", and I'm doing this from an admin account already. So I don't know why.

I have just uninstalled more components of MSN and then downloaded the newest version; it's now running quite well.

However, I think the malware might still be in my PC, and also whenever I boot up my PC and log in, it says:

(in the title bar of the box) RUNDLL
(actual message):
Error loading woo4463d.dll

The specified module could not be found.

I don't know what this means, but I'm sure it's not normal (it's doing this every single time).

Edited by Xiaoxiao, 29 October 2006 - 07:35 AM.

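The RUNDLL box described above ("Error loading woo4463d.dll" / "The specified module could not be found") is rundll32.exe reporting that a startup entry still launches it against a DLL that is no longer on disk, which is the usual leftover when a scanner deletes a malicious DLL but not the autorun value that loaded it. As an added example (not from the post or from the forum's helpers), the Python script below reads a .reg export of the Run keys, picks out the values that launch rundll32, resolves the DLL it names (an absolute path as given; a bare name in a caller-supplied list of directories, System32 and Windows here, as a cut-down approximation of the LoadLibrary search order), and reports the entries whose DLL is missing. The export text is constructed for the example: the DLL name is the one from the error message, but the key, value names, export names and the other entries are assumed, not taken from the machine in the thread.

```python
"""Locate autorun values that launch rundll32 against a DLL that no longer exists.
Added example for the thread; the input is assumed to be a .reg export in the
Registry Editor 5.00 text layout that `reg export` produces."""
import ntpath
import os
import re

# Constructed export: the DLL name is the one from the RUNDLL error in the post; the
# key, value names, export names and the other entries are made up for the example.
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Program Files\\Example\\updater.exe\" /tray"
"Helper"="rundll32.exe \"C:\\WINDOWS\\system32\\helper.dll\",DllStart"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"woo4463d"="rundll32 woo4463d.dll,Start"
"""

# Directories a bare DLL name is looked up in (assumed, cut-down LoadLibrary order).
DEFAULT_SEARCH_DIRS = (r"C:\WINDOWS\system32", r"C:\WINDOWS")

REG_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
RUNDLL_RE = re.compile(
    r'^"?(?:[^"\s]*[\\/])?rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^,\s]+))', re.IGNORECASE)


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return (key, value_name, string_data) for every REG_SZ value in the export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = REG_VALUE_RE.match(line)
        if key and m:
            entries.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def rundll_target(command):
    """Return the module a rundll32 command line loads, or None if it is not rundll32."""
    m = RUNDLL_RE.match(command.strip())
    return (m.group(1) or m.group(2)) if m else None


def find_orphaned_rundll_entries(entries, exists=os.path.exists,
                                 search_dirs=DEFAULT_SEARCH_DIRS):
    """Report rundll32 autoruns whose DLL is missing.  `exists` is injectable so the
    check can run against a recorded file list instead of the live disk."""
    orphans = []
    for key, name, command in entries:
        dll = rundll_target(command)
        if dll is None:
            continue
        candidates = [dll] if ntpath.isabs(dll) else [ntpath.join(d, dll) for d in search_dirs]
        if not any(exists(p) for p in candidates):
            orphans.append({"key": key, "value": name, "dll": dll, "tried": candidates})
    return orphans


if __name__ == "__main__":
    for o in find_orphaned_rundll_entries(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{o['key']}\\{o['value']} -> {o['dll']} (not found; tried {o['tried']})")
```

Run on a real export (`reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`, and the same for HKLM), each reported value is a candidate for deletion; the Run keys are only the most common home for such an entry, so if nothing turns up there, the same check applies to the other autostart locations a tool like Sysinternals Autoruns lists. Removing the orphaned value stops the error box; it does not by itself say whether the DLL's payload has been fully cleaned.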
