My computer is running slow


  • This topic is locked
25 replies to this topic

#16 silver

    Malware Expert Emeritus

  • Authentic Member
  • 2,994 posts

Posted 15 March 2007 - 10:57 PM

Hello baby_gurlyuk,

I'm sorry you are having difficulty; these last few things are very important so we can be happy that you're clean. If any steps don't work again, please tell me what's happened and I'll try my best to help you through it.

First, delete the fix.bat on your desktop and try this modified version, I think it will work better:

Go to Start > Run and type Notepad
Copy/paste the following quote box into a new notepad (not wordpad) document. Before starting select Format from the top menu and make sure Word Wrap is NOT checked.

@echo off
rem Remove the leftover files in C:\Junk without prompting for each one
del /q c:\Junk
rem Clear the read-only, system and hidden attributes so the file can be deleted
attrib -r -s -h C:\windows\ss3unstl.exe
del C:\windows\ss3unstl.exe
rem Back up the key to C:\registrybackup2.reg before removing the entry
reg export "HKEY_CURRENT_USER\CLSID" C:\registrybackup2.reg
reg delete "HKEY_CURRENT_USER\CLSID\{35F59C80-C1F2-4EEA-9981-686C7D5A9277}" /f
echo All done!
pause

Go to the File menu at the top of Notepad and choose Save As
Save it to your Desktop as "fix.bat" (you MUST include the quotes)

Locate fix.bat on your Desktop and double-click it. A black box should appear and say "All done!" and ask for you to press a key - press a key and the black box will close. If this doesn't occur then please let me know.

Instead of Blacklight, try Rootkit Revealer:
Download Rootkit Revealer from here:
http://download.sysi...kitRevealer.zip
  • Unzip it to your desktop.
  • Open the rootkitrevealer folder and double-click rootkitrevealer.exe
  • OK the EULAs and click the Scan button (bottom right)
  • It may take a while to scan - please don't use your computer while it's running, otherwise we get a lot of false positives in the log
  • When it's done, go up to File > Save. Choose to save it to your desktop as rootkitrevealer.txt
  • Please post the contents of rootkitrevealer.txt in your next response
Next please scan with AVG Antispyware:
Download the installer from this page:
http://www.ewido.net/en/download/
  • Save the installer to desktop
  • Double click the installer, select your language, and then select OK
  • Click NEXT -> Do or don't read the "User License Agreement" -> Select I Agree -> NEXT -> INSTALL
  • AVG will now install and afterwards click FINISH
  • Click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes the status bar at the bottom will display "Update successful"
  • Close AVG Anti-Spyware 7.5. Do not run a scan yet.
Reboot your computer into Safe Mode
To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads.
Select Safe Mode at the top, on the screen that appears.
Sign in with your normal user account

Once in safe mode:
  • Run AVG Anti-Spyware 7.5 and click on the Scanner tab at the top
  • Click the Settings tab and then change the recommended action to Quarantine and ensure that Automatically generate report after every scan is selected and Un-check Only if Threats are found
  • Click back to the Scan tab and then click on Complete System Scan.
  • This scan can take quite a while to run, so be prepared.
  • AVG Anti-Spyware 7.5 will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action.
  • Click the Apply all actions button. AVG Anti-Spyware 7.5 will display All actions have been applied on the right hand side.
  • Click on Save Report, then Save Report As. This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Once complete, please reboot your computer normally and post the Rootkit Revealer log, the AVG log along with another HijackThis log and tell me if everything went OK with the notepad job.
ASAP & UNITE Member


#17 baby_gurlyuk

    New Member

  • Authentic Member
  • 12 posts

Posted 17 March 2007 - 12:19 PM

Hi Silver,

Everything seemed to go to plan this time!! Hoping that is a good thing! When I did the "fix.bat" on Notepad, it worked the way that you said it should! Thanks! Here are the latest items:

Logfile of HijackThis v1.99.1
Scan saved at 2:08:20 PM, on 3/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Chelsea\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - AppInit_DLLs: interceptor.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe



---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:01:34 PM 3/17/2007

+ Scan result:



C:\System Volume Information\_restore{B9776B22-0B08-4CAD-800C-B246686E8DDF}\RP799\A0059810.exe -> Adware.Spysheriff : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B9776B22-0B08-4CAD-800C-B246686E8DDF}\RP793\A0059495.exe -> Adware.SystemDoctor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B9776B22-0B08-4CAD-800C-B246686E8DDF}\RP793\A0059482.sys -> Adware.WinAntiVirus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B9776B22-0B08-4CAD-800C-B246686E8DDF}\RP793\A0059483.dll -> Adware.WinAntiVirus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B9776B22-0B08-4CAD-800C-B246686E8DDF}\RP793\A0059485.ini -> Adware.WinAntiVirus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B9776B22-0B08-4CAD-800C-B246686E8DDF}\RP793\A0059497.exe -> Adware.WinAntiVirus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B9776B22-0B08-4CAD-800C-B246686E8DDF}\RP793\A0059500.sys -> Adware.WinAntiVirus : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B9776B22-0B08-4CAD-800C-B246686E8DDF}\RP799\A0059809.exe -> Dialer.GBDialer.i : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B9776B22-0B08-4CAD-800C-B246686E8DDF}\RP798\A0059716.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B9776B22-0B08-4CAD-800C-B246686E8DDF}\RP822\A0065213.EXE -> Not-A-Virus.Monitor.Win32.PCDetective.b : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B9776B22-0B08-4CAD-800C-B246686E8DDF}\RP871\A0081349.dll -> Not-A-Virus.Monitor.Win32.SpyAgent.60006 : Cleaned with backup (quarantined).


::Report end



HKU\S-1-5-21-1343024091-2000478354-839522115-1004\Software\Adobe\MediaBrowser\MRU\illustrator\ApplicationPath 1/1/2007 7:52 PM 91 bytes Data mismatch between Windows API and raw hive data.
HKLM\SECURITY\Policy\Secrets\SAC* 1/1/2005 8:51 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 1/1/2005 8:51 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Symantec\ErrLog\{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}e8b35886.zip 1/11/2007 4:01 PM 15 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Symantec\ErrLog\{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}5854325a.zip 1/11/2007 4:01 PM 15 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 12/24/2006 1:17 PM 0 bytes Access is denied.
C:\Documents and Settings\All Users\Application Data\sacache 11/21/2006 5:49 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\sacache\1 11/21/2006 5:49 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\sacache\2 11/21/2006 5:49 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\sacache\3 11/21/2006 5:49 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\sacache\4 11/21/2006 5:49 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\sacache\5 11/21/2006 5:49 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\sacache\6 11/21/2006 5:49 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\sacache\7 11/21/2006 5:49 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\sacache\8 11/21/2006 5:49 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\sacache\EI 11/21/2006 5:49 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\sacache\EO 11/21/2006 5:49 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\HiddenFiles.txt 3/15/2007 12:06 PM 1.00 KB Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\QuarantinedExecutables.txt 3/15/2007 12:06 PM 89 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\QuarantinedLibraries.txt 3/15/2007 12:06 PM 187 bytes Hidden from Windows API.
C:\Program Files\Codec Pack - All In 1\irunin.lng 1/1/2005 9:27 AM 15.56 KB Hidden from Windows API.
C:\WINDOWS\system32\ciaResSvr20.dll 12/14/2003 4:47 PM 676.00 KB Hidden from Windows API.
C:\WINDOWS\system32\ciaXPRegSvr20.dll 12/12/2003 5:41 PM 52.00 KB Hidden from Windows API.
C:\WINDOWS\system32\FileOps.exe 8/16/2004 8:40 PM 16.00 KB Hidden from Windows API.
C:\WINDOWS\system32\VchReg.dll 5/24/2005 12:43 PM 428.00 KB Hidden from Windows API.
C:\WINDOWS\system32\ZoneLabs\lib\zpy.zip.dll 6/18/2006 5:55 PM 1.30 MB Hidden from Windows API.
C:\WINDOWS\system\SysSpyRemover.dll 9/23/2005 5:53 PM 18 bytes Hidden from Windows API.
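
A first-pass triage of a RootkitRevealer log like the one above, as an added example that is not part of the thread or of the tool's own output: it parses each discrepancy line, sorts entries by discrepancy type, and ranks hidden files under the Windows directory above entries explained by the security software the HijackThis log shows installed. The expected-location allowlist and the three priority levels are assumptions an analyst would adjust per machine.

```python
"""Triage a RootkitRevealer discrepancy log.

One discrepancy per line: <path> <m/d/yyyy> <h:mm AM|PM> <size> <description>.
Paths can contain spaces, so parsing anchors on the timestamp.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2} [AP]M) "
    r"(?P<size>[\d.]+ (?:bytes|KB|MB|GB)) "
    r"(?P<desc>.+)$"
)

# Locations where a hidden or inaccessible entry is explained by software the
# HijackThis log shows installed (SpyCatcher's protected files) or by Windows
# itself (LSA secrets).  Assumption for this example: an analyst builds this
# list per machine; it is not a published allowlist.
EXPECTED_PREFIXES = (
    r"C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher",
    r"HKLM\SECURITY\Policy\Secrets",
)
# Hidden files here are the ones a rootkit would most plausibly cloak.
SYSTEM_PREFIXES = (r"C:\WINDOWS\system32", r"C:\WINDOWS\system")
PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def _starts_with_any(path, prefixes):
    p = path.lower()
    return any(p.startswith(prefix.lower()) for prefix in prefixes)


def classify(desc):
    """Map RootkitRevealer's description text to a discrepancy type."""
    d = desc.lower()
    if "hidden from windows api" in d:
        return "hidden"
    if "data mismatch" in d:
        return "data_mismatch"
    if "embedded nulls" in d:
        return "embedded_nulls"
    if "access is denied" in d:
        return "access_denied"
    return "other"


def parse_line(line):
    """Return a dict for one discrepancy line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["type"] = classify(entry["desc"])
    return entry


def priority(entry):
    """Rank an entry for analyst attention."""
    if _starts_with_any(entry["path"], EXPECTED_PREFIXES):
        return "low"
    if entry["type"] == "hidden":
        # Visible on the raw disk but not through the Windows API: a rootkit
        # signature unless a known product owns it; worst inside the Windows dir.
        return "high" if _starts_with_any(entry["path"], SYSTEM_PREFIXES) else "medium"
    if entry["type"] in ("embedded_nulls", "access_denied"):
        # Null-embedded key names and self-protecting keys both need an owner
        # identified before they can be dismissed.
        return "medium"
    # Data mismatches are usually a value rewritten during the scan; confirm
    # with a second scan before acting on them.
    return "low"


def triage(text):
    """Parse a whole log and return its entries sorted by priority."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    for e in entries:
        e["priority"] = priority(e)
    return sorted(entries, key=lambda e: (PRIORITY_ORDER[e["priority"]], e["path"]))


def summarize(entries):
    """Count entries per priority level."""
    return Counter(e["priority"] for e in entries)


# Constructed sample: a subset of the lines from the log posted above.
SAMPLE_LOG = r"""
HKU\S-1-5-21-1343024091-2000478354-839522115-1004\Software\Adobe\MediaBrowser\MRU\illustrator\ApplicationPath 1/1/2007 7:52 PM 91 bytes Data mismatch between Windows API and raw hive data.
HKLM\SECURITY\Policy\Secrets\SAC* 1/1/2005 8:51 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 12/24/2006 1:17 PM 0 bytes Access is denied.
C:\Documents and Settings\All Users\Application Data\sacache 11/21/2006 5:49 AM 0 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\HiddenFiles.txt 3/15/2007 12:06 PM 1.00 KB Hidden from Windows API.
C:\WINDOWS\system32\FileOps.exe 8/16/2004 8:40 PM 16.00 KB Hidden from Windows API.
C:\WINDOWS\system32\ZoneLabs\lib\zpy.zip.dll 6/18/2006 5:55 PM 1.30 MB Hidden from Windows API.
C:\WINDOWS\system\SysSpyRemover.dll 9/23/2005 5:53 PM 18 bytes Hidden from Windows API.
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e['priority']:6} {e['type']:14} {e['path']}")
    print(dict(summarize(triage(SAMPLE_LOG))))
```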

#18 silver

    Malware Expert Emeritus

  • Authentic Member
  • 2,994 posts

Posted 18 March 2007 - 12:27 AM

Hi baby_gurlyuk,

I'm glad to hear everything has worked; however, the bad news is that we have turned up some hidden bad stuff to get rid of :(.

Download Gmer to your Desktop from here:
http://www.gmer.net/gmer.zip
  • Unzip the program onto your Desktop
  • Disconnect from internet and close all running programs and save any work you have open
  • Double click gmer.exe, let the gmer.sys driver load if asked
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan, say OK
  • If there is no warning, check that the Rootkit tab is selected and click the Scan button - don't change any settings before you do so
  • Once the scan is complete, click the Copy button
  • Open Notepad and hit Ctrl+v to paste the log and then save the log to your desktop
When complete, post the GMER log along with another HijackThis log.
ASAP & UNITE Member

#19 baby_gurlyuk

    New Member

  • Authentic Member
  • 12 posts

Posted 20 March 2007 - 07:25 AM

Hi Silver,

Thanks again for your help. I have WinRAR to unzip the file; however, when I try to use it, this is what comes up:

WinRAR archiver has encountered a problem and needs to close. We are sorry for the inconvenience. If you were in the middle of something, the information you were working on might be lost. Please tell Microsoft about this problem. We have created an error report that you can send to us. We will treat this report as confidential and anonymous. To see what data this error report contains, click here.

Then when I click on it, it says:

This error report includes: information regarding the condition of WinRAR archiver when the problem occurred; the operating system version and computer hardware in use; your Digital Product ID, which could be used to identify your license; and the Internet Protocol (IP) address of your computer. We do not intentionally collect your files, name, address, email address or any other form of personally identifiable information. However, the error report could contain customer-specific information such as data from open files. While this information could potentially be used to determine your identity, if present, it will not be used. The data that we collect will only be used to fix the problem. If more information is available, we will tell you when you report the problem. This error report will be sent using a secure connection to a database with limited access and will not be used for marketing purposes. To view technical information about the error report, click here. To see our data collection policy on the web, click here.

Then when I click on technical information about the error report, it says that this file will be included in the error report: C:\Docume~1\Chelsea\LOCALS~1\Temp\107f_appcompat.txt

Then I uninstalled WinRAR and re-installed it, and I still have the same problem. Many thanks.

#20 silver

    Malware Expert Emeritus

  • Authentic Member
  • 2,994 posts

Posted 20 March 2007 - 05:56 PM

Hi baby_gurlyuk,

OK please open this link in your browser:
http://www.mytempdir.com/1262765
From this page you should be able to download gmer.exe
Download it to your desktop. This copy has already been extracted, so double-click it to start the program and follow the above instructions.
ASAP & UNITE Member

#21 baby_gurlyuk

    New Member

  • Authentic Member
  • 12 posts

Posted 21 March 2007 - 11:24 AM

Hi Silver,

Here are the latest logs. I hope they are getting better?! Many thanks.


GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-03-21 11:23:00
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwCreateFile
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwCreateKey
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwCreateSymbolicLinkObject
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwCreateThread
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwFsControlFile
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwOpenFile
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwOpenKey
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwOpenSection
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwProtectVirtualMemory
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwReadVirtualMemory
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwRequestWaitReplyPort
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwSetContextThread
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwSetValueKey
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwSuspendProcess
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwSuspendThread
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwTerminateThread
SSDT \??\C:\WINDOWS\system32\drivers\procguard.sys ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!_abnormal_termination + 19C 804E27F8 1 Byte [ DA ]
.text ntoskrnl.exe!_abnormal_termination + 19E 804E27FA 2 Bytes [ 87, F8 ]
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F77BF62C 5 Bytes JMP 8208C730
? C:\WINDOWS\system32\drivers\procguard.sys Access is denied.

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\SpyCatcher 2006\Protector.exe[1048] USER32.dll!SetScrollInfo 77D49056 7 Bytes JMP 01CFD5F7 C:\Program Files\SpyCatcher 2006\skin.dll
.text C:\Program Files\SpyCatcher 2006\Protector.exe[1048] USER32.dll!GetScrollInfo 77D517F8 7 Bytes JMP 01CFD57F C:\Program Files\SpyCatcher 2006\skin.dll
.text C:\Program Files\SpyCatcher 2006\Protector.exe[1048] USER32.dll!ShowScrollBar 77D5F2CA 5 Bytes JMP 01CFD67B C:\Program Files\SpyCatcher 2006\skin.dll
.text C:\Program Files\SpyCatcher 2006\Protector.exe[1048] USER32.dll!GetScrollPos 77D5F6DC 5 Bytes JMP 01CFD5A7 C:\Program Files\SpyCatcher 2006\skin.dll
.text C:\Program Files\SpyCatcher 2006\Protector.exe[1048] USER32.dll!SetScrollPos 77D5F728 5 Bytes JMP 01CFD622 C:\Program Files\SpyCatcher 2006\skin.dll
.text C:\Program Files\SpyCatcher 2006\Protector.exe[1048] USER32.dll!GetScrollRange 77D5F75F 5 Bytes JMP 01CFD5CC C:\Program Files\SpyCatcher 2006\skin.dll
.text C:\Program Files\SpyCatcher 2006\Protector.exe[1048] USER32.dll!SetScrollRange 77D5F973 5 Bytes JMP 01CFD64D C:\Program Files\SpyCatcher 2006\skin.dll
.text C:\Program Files\SpyCatcher 2006\Protector.exe[1048] USER32.dll!EnableScrollBar 77D97BC5 7 Bytes JMP 01CFD557 C:\Program Files\SpyCatcher 2006\skin.dll

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 823D61D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 823D61D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 823D61D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 823D61D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 823D61D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 823D61D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 823D61D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 823D61D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 823D61D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 823D61D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 823D61D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 823D61D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 823D61D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 823D61D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 823D61D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 823D61D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 823D61D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 823D61D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 823D61D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 823D61D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 823D61D8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 823D61D8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CREATE 81F86980
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CLOSE 81F86980
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_READ 81F86980
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_WRITE 81F86980
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_INFORMATION 81F86980
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_INFORMATION 81F86980
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_EA 81F86980
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_EA 81F86980
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FLUSH_BUFFERS 81F86980
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_VOLUME_INFORMATION 81F86980
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_VOLUME_INFORMATION 81F86980
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_DIRECTORY_CONTROL 81F86980
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FILE_SYSTEM_CONTROL 81F86980
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_DEVICE_CONTROL 81F86980
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SHUTDOWN 81F86980
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_LOCK_CONTROL 81F86980
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CLEANUP 81F86980
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_PNP 81F86980
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_CREATE 821371D8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_CLOSE 821371D8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_DEVICE_CONTROL 821371D8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 821371D8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_POWER 821371D8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_SYSTEM_CONTROL 821371D8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_PNP 821371D8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_CREATE 821371D8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_CLOSE 821371D8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_DEVICE_CONTROL 821371D8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL 821371D8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_POWER 821371D8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_SYSTEM_CONTROL 821371D8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_PNP 821371D8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_CREATE 821371D8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_CLOSE 821371D8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_DEVICE_CONTROL 821371D8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_INTERNAL_DEVICE_CONTROL 821371D8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_POWER 821371D8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_SYSTEM_CONTROL 821371D8
Device \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_PNP 821371D8
Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_CREATE 821371D8
Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_CLOSE 821371D8
Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_DEVICE_CONTROL 821371D8
Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_INTERNAL_DEVICE_CONTROL 821371D8
Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_POWER 821371D8
Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_SYSTEM_CONTROL 821371D8
Device \Driver\usbuhci \Device\USBPDO-3 IRP_MJ_PNP 821371D8
Device \Driver\pctfw1 \Device\PcaTcpFilter IRP_MJ_INTERNAL_DEVICE_CONTROL [EFF0485A] avgtdi.sys
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_CREATE 821201D8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_CLOSE 821201D8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_DEVICE_CONTROL 821201D8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_INTERNAL_DEVICE_CONTROL 821201D8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_POWER 821201D8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_SYSTEM_CONTROL 821201D8
Device \Driver\usbehci \Device\USBPDO-4 IRP_MJ_PNP 821201D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{8414F830-9540-4EB7-8748-D4C4B171D9CB} IRP_MJ_CREATE 81F4B3C0
Device \Driver\NetBT \Device\NetBT_Tcpip_{8414F830-9540-4EB7-8748-D4C4B171D9CB} IRP_MJ_CLOSE 81F4B3C0
Device \Driver\NetBT \Device\NetBT_Tcpip_{8414F830-9540-4EB7-8748-D4C4B171D9CB} IRP_MJ_DEVICE_CONTROL 81F4B3C0
Device \Driver\NetBT \Device\NetBT_Tcpip_{8414F830-9540-4EB7-8748-D4C4B171D9CB} IRP_MJ_INTERNAL_DEVICE_CONTROL 81F4B3C0
Device \Driver\NetBT \Device\NetBT_Tcpip_{8414F830-9540-4EB7-8748-D4C4B171D9CB} IRP_MJ_CLEANUP 81F4B3C0
Device \Driver\NetBT \Device\NetBT_Tcpip_{8414F830-9540-4EB7-8748-D4C4B171D9CB} IRP_MJ_PNP 81F4B3C0
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 823D81D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 823D81D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE 823D81D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS 823D81D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL 823D81D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL 823D81D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN 823D81D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP 823D81D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER 823D81D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL 823D81D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_PNP 823D81D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 8208D1D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 8208D1D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 8208D1D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 8208D1D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 8208D1D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 8208D1D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 8208D1D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 8208D1D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 8208D1D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 8208D1D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 8208D1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE 8236A1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CLOSE 8236A1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DEVICE_CONTROL 8236A1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_INTERNAL_DEVICE_CONTROL 8236A1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_POWER 8236A1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SYSTEM_CONTROL 8236A1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_PNP 8236A1D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE 8236A1D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLOSE 8236A1D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CONTROL 8236A1D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL 8236A1D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_POWER 8236A1D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SYSTEM_CONTROL 8236A1D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_PNP 8236A1D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE 8236A1D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLOSE 8236A1D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CONTROL 8236A1D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL 8236A1D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_POWER 8236A1D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SYSTEM_CONTROL 8236A1D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_PNP 8236A1D8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 81F4B3C0
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLOSE 81F4B3C0
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_DEVICE_CONTROL 81F4B3C0
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_INTERNAL_DEVICE_CONTROL 81F4B3C0
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLEANUP 81F4B3C0
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_PNP 81F4B3C0
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 81F4B3C0
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLOSE 81F4B3C0
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_DEVICE_CONTROL 81F4B3C0
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_INTERNAL_DEVICE_CONTROL 81F4B3C0
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLEANUP 81F4B3C0
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_PNP 81F4B3C0
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_CREATE 821371D8
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_CLOSE 821371D8
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_DEVICE_CONTROL 821371D8
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 821371D8
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_POWER 821371D8
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_SYSTEM_CONTROL 821371D8
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_PNP 821371D8
Device \Driver\pctfw1 \Device\PCTFW1 IRP_MJ_INTERNAL_DEVICE_CONTROL [EFF0485A] avgtdi.sys
Device \Driver\pctfw1 \Device\PcaRawIpFilter IRP_MJ_INTERNAL_DEVICE_CONTROL [EFF0485A] avgtdi.sys
Device \Driver\pctfw1 \Device\PcaUdpFilter IRP_MJ_INTERNAL_DEVICE_CONTROL [EFF0485A] avgtdi.sys
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_CREATE 821371D8
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_CLOSE 821371D8
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_DEVICE_CONTROL 821371D8
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL 821371D8
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_POWER 821371D8
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_SYSTEM_CONTROL 821371D8
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_PNP 821371D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 81D09980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 81D09980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSE 81D09980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 81D09980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 81D09980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 81D09980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 81D09980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 81D09980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 81D09980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 81D09980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 81D09980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 81D09980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 81D09980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 81D09980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 81D09980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 81D09980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 81D09980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 81D09980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 81D09980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 81D09980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 81D09980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 81D09980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 81D09980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 81D09980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 81D09980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 81D09980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 81D09980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 81D09980
Device \Driver\usbuhci \Device\USBFDO-2 IRP_MJ_CREATE 821371D8
Device \Driver\usbuhci \Device\USBFDO-2 IRP_MJ_CLOSE 821371D8
Device \Driver\usbuhci \Device\USBFDO-2 IRP_MJ_DEVICE_CONTROL 821371D8
Device \Driver\usbuhci \Device\USBFDO-2 IRP_MJ_INTERNAL_DEVICE_CONTROL 821371D8
Device \Driver\usbuhci \Device\USBFDO-2 IRP_MJ_POWER 821371D8
Device \Driver\usbuhci \Device\USBFDO-2 IRP_MJ_SYSTEM_CONTROL 821371D8
Device \Driver\usbuhci \Device\USBFDO-2 IRP_MJ_PNP 821371D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 81D09980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 81D09980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSE 81D09980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 81D09980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 81D09980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 81D09980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 81D09980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 81D09980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 81D09980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 81D09980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 81D09980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 81D09980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 81D09980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 81D09980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 81D09980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 81D09980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 81D09980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 81D09980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 81D09980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 81D09980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 81D09980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 81D09980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 81D09980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 81D09980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 81D09980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 81D09980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 81D09980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 81D09980
Device \Driver\usbuhci \Device\USBFDO-3 IRP_MJ_CREATE 821371D8
Device \Driver\usbuhci \Device\USBFDO-3 IRP_MJ_CLOSE 821371D8
Device \Driver\usbuhci \Device\USBFDO-3 IRP_MJ_DEVICE_CONTROL 821371D8
Device \Driver\usbuhci \Device\USBFDO-3 IRP_MJ_INTERNAL_DEVICE_CONTROL 821371D8
Device \Driver\usbuhci \Device\USBFDO-3 IRP_MJ_POWER 821371D8
Device \Driver\usbuhci \Device\USBFDO-3 IRP_MJ_SYSTEM_CONTROL 821371D8
Device \Driver\usbuhci \Device\USBFDO-3 IRP_MJ_PNP 821371D8
Device \Driver\usbehci \Device\USBFDO-4 IRP_MJ_CREATE 821201D8
Device \Driver\usbehci \Device\USBFDO-4 IRP_MJ_CLOSE 821201D8
Device \Driver\usbehci \Device\USBFDO-4 IRP_MJ_DEVICE_CONTROL 821201D8
Device \Driver\usbehci \Device\USBFDO-4 IRP_MJ_INTERNAL_DEVICE_CONTROL 821201D8
Device \Driver\usbehci \Device\USBFDO-4 IRP_MJ_POWER 821201D8
Device \Driver\usbehci \Device\USBFDO-4 IRP_MJ_SYSTEM_CONTROL 821201D8
Device \Driver\usbehci \Device\USBFDO-4 IRP_MJ_PNP 821201D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 823D81D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_READ 823D81D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_WRITE 823D81D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_FLUSH_BUFFERS 823D81D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_DEVICE_CONTROL 823D81D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_INTERNAL_DEVICE_CONTROL 823D81D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SHUTDOWN 823D81D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CLEANUP 823D81D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_POWER 823D81D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SYSTEM_CONTROL 823D81D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_PNP 823D81D8
Device \Driver\viasraid \Device\Scsi\viasraid1 IRP_MJ_CREATE 823D71D8
Device \Driver\viasraid \Device\Scsi\viasraid1 IRP_MJ_CLOSE 823D71D8
Device \Driver\viasraid \Device\Scsi\viasraid1 IRP_MJ_DEVICE_CONTROL 823D71D8
Device \Driver\viasraid \Device\Scsi\viasraid1 IRP_MJ_INTERNAL_DEVICE_CONTROL 823D71D8
Device \Driver\viasraid \Device\Scsi\viasraid1 IRP_MJ_POWER 823D71D8
Device \Driver\viasraid \Device\Scsi\viasraid1 IRP_MJ_SYSTEM_CONTROL 823D71D8
Device \Driver\viasraid \Device\Scsi\viasraid1 IRP_MJ_PNP 823D71D8
Device \Driver\viasraid \Device\Scsi\viasraid1Port2Path0Target0Lun0 IRP_MJ_CREATE 823D71D8
Device \Driver\viasraid \Device\Scsi\viasraid1Port2Path0Target0Lun0 IRP_MJ_CLOSE 823D71D8
Device \Driver\viasraid \Device\Scsi\viasraid1Port2Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 823D71D8
Device \Driver\viasraid \Device\Scsi\viasraid1Port2Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 823D71D8
Device \Driver\viasraid \Device\Scsi\viasraid1Port2Path0Target0Lun0 IRP_MJ_POWER 823D71D8
Device \Driver\viasraid \Device\Scsi\viasraid1Port2Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL 823D71D8
Device \Driver\viasraid \Device\Scsi\viasraid1Port2Path0Target0Lun0 IRP_MJ_PNP 823D71D8
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE 81F86980
Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE 81F86980
Device \FileSystem\Fastfat \Fat IRP_MJ_READ 81F86980
Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE 81F86980
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION 81F86980
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION 81F86980
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA 81F86980
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA 81F86980
Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS 81F86980
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION 81F86980
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION 81F86980
Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL 81F86980
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL 81F86980
Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL 81F86980
Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN 81F86980
Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL 81F86980
Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP 81F86980
Device \FileSystem\Fastfat \Fat IRP_MJ_PNP 81F86980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 81C31408
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE 81C31408
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 81C31408
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION 81C31408
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION 81C31408
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION 81C31408
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL 81C31408
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL 81C31408
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL 81C31408
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN 81C31408
Device \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL 81C31408
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP 81C31408
Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP 81C31408

---- Processes - GMER 1.0.12 ----

Process C:\Program Files\SpyCatcher 2006\Protector.exe (*** hidden *** ) 1048
Process C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe (*** hidden *** ) 1660

---- Files - GMER 1.0.12 ----

File C:\Documents and Settings\All Users\Application Data\sacache
File C:\Documents and Settings\All Users\Application Data\sacache\1
File C:\Documents and Settings\All Users\Application Data\sacache\2
File C:\Documents and Settings\All Users\Application Data\sacache\3
File C:\Documents and Settings\All Users\Application Data\sacache\4
File C:\Documents and Settings\All Users\Application Data\sacache\5
File C:\Documents and Settings\All Users\Application Data\sacache\6
File C:\Documents and Settings\All Users\Application Data\sacache\7
File C:\Documents and Settings\All Users\Application Data\sacache\8
File C:\Documents and Settings\All Users\Application Data\sacache\EI
File C:\Documents and Settings\All Users\Application Data\sacache\EO
File C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\HiddenFiles.txt
File C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\QuarantinedExecutables.txt
File C:\Documents and Settings\All Users\Application Data\Tenebril\SpyCatcher\QuarantinedLibraries.txt
File C:\Program Files\Codec Pack - All In 1\irunin.lng
File C:\WINDOWS\system\SysSpyRemover.dll
File C:\WINDOWS\system32\ciaResSvr20.dll
File C:\WINDOWS\system32\ciaXPRegSvr20.dll
File C:\WINDOWS\system32\FileOps.exe
File C:\WINDOWS\system32\VchReg.dll

---- EOF - GMER 1.0.12 ----


Logfile of HijackThis v1.99.1
Scan saved at 1:20:59 PM, on 3/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Chelsea\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - AppInit_DLLs: interceptor.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#22 silver

Posted 22 March 2007 - 01:30 AM

Hi baby_gurlyuk, I'm showing your logs to some high-powered experts and I'll be back with a response as quickly as possible.
ASAP & UNITE Member

#23 silver

Posted 23 March 2007 - 08:45 PM

Hi baby_gurlyuk,

You have a program called Codec Pack - All In 1 6.0.2.2 installed on your computer. Can you tell me if you knowingly installed this? If you did install it, do you know if it actually helps you play audio/video on your computer?

OK, next please run another GMER scan and remove some bad stuff:
  • Disconnect from the internet, close all running programs and save any work you have open
  • Double click gmer.exe, let the gmer.sys driver load if asked
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan, say OK
  • If there is no warning, check that the Rootkit tab is selected and click the Scan button - don't change any settings before you do so
  • Once the scan is complete, look down the list for the following entries:
File C:\Documents and Settings\All Users\Application Data\sacache
File C:\Documents and Settings\All Users\Application Data\sacache\1
File C:\Documents and Settings\All Users\Application Data\sacache\2
File C:\Documents and Settings\All Users\Application Data\sacache\3
File C:\Documents and Settings\All Users\Application Data\sacache\4
File C:\Documents and Settings\All Users\Application Data\sacache\5
File C:\Documents and Settings\All Users\Application Data\sacache\6
File C:\Documents and Settings\All Users\Application Data\sacache\7
File C:\Documents and Settings\All Users\Application Data\sacache\8
File C:\Documents and Settings\All Users\Application Data\sacache\EI
File C:\Documents and Settings\All Users\Application Data\sacache\EO
  • For each of these entries, please right-click it and choose Delete file
  • Once all have been deleted, then run a new scan.
  • Once the scan is complete, click the Copy button
  • Open Notepad and hit Ctrl+v to paste the log and then save the log to your desktop
Once complete, please post the latest GMER log and a new HijackThis log, and let me know about the codec pack.
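As an added check that is not part of silver's instructions: a small Python script that reads the Processes and Files sections of a GMER log and compares the first scan with the rescan, reporting which of the listed sacache entries are still present. The sample logs inside it are constructed from the entries quoted above, and the function names are my own.

```python
import re
from typing import Dict, List, Set

# GMER section headers look like "---- Files - GMER 1.0.12 ----".
SECTION_RE = re.compile(r"^---- (?P<name>[A-Za-z ]+?) - GMER [\d.]+ ----$")
SACACHE = r"C:\Documents and Settings\All Users\Application Data\sacache"

# Constructed sample logs, trimmed to the sections this check reads; the
# paths are the ones quoted in the thread.
BEFORE_LOG = "\n".join(
    ["---- Processes - GMER 1.0.12 ----", "",
     r"Process C:\Program Files\SpyCatcher 2006\Protector.exe (*** hidden *** ) 1048",
     r"Process C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe (*** hidden *** ) 1660",
     "", "---- Files - GMER 1.0.12 ----", "", "File " + SACACHE]
    + [f"File {SACACHE}\\{n}" for n in list("12345678") + ["EI", "EO"]]
    + ["", "---- EOF - GMER 1.0.12 ----"])
# Constructed rescan: the deletes worked except for one entry that survived.
AFTER_LOG = "\n".join(
    ["---- Files - GMER 1.0.12 ----", "", f"File {SACACHE}\\EI",
     "", "---- EOF - GMER 1.0.12 ----"])

def parse_gmer_sections(text: str) -> Dict[str, List[str]]:
    """Split a GMER log into {section name: [entry lines]}, dropping blanks."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def hidden_processes(sections: Dict[str, List[str]]) -> List[str]:
    """Image paths GMER tagged '*** hidden ***'. Treat as a lead, not a verdict:
    some security products hide their own processes as self-protection."""
    return [l.split(" (*** hidden")[0][len("Process "):]
            for l in sections.get("Processes", []) if "*** hidden ***" in l]

def flagged_files(sections: Dict[str, List[str]]) -> Set[str]:
    """Paths listed in the Files section."""
    return {l[len("File "):] for l in sections.get("Files", []) if l.startswith("File ")}

def cleanup_report(before: str, after: str, targets: Set[str]) -> Dict[str, Set[str]]:
    """Which targeted paths vanished between the two scans, and which remain."""
    was = flagged_files(parse_gmer_sections(before))
    still = flagged_files(parse_gmer_sections(after))
    return {"removed": {t for t in targets if t in was and t not in still},
            "remaining": {t for t in targets if t in still}}

# The entries silver asked to have deleted: everything under sacache in the first log.
SACACHE_TARGETS = flagged_files(parse_gmer_sections(BEFORE_LOG))
```

Anything left in "remaining" after the rescan is what to report back rather than assuming the delete worked.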

#24 baby_gurlyuk

    New Member

  • Authentic Member
  • 12 posts

Posted 29 March 2007 - 12:13 PM

Hi Silver, Sorry to have taken so long to reply, but I got a bit paranoid and had my relative in Kingston-upon-Hull help me re-format the computer. I should have thought of him to begin with, but I wasn't thinking. Thank you for all of your help! Kind regards.

#25 silver

Posted 29 March 2007 - 07:04 PM

Hi,

I don't think that's paranoid; you had a very nasty infection and your machine was compromised. I would have done the same in your shoes.

I hope everything is working better now. Please read this article; it has some excellent information which will help prevent this happening again:

http://forum.malware...pic.php?p=33687

Best of luck!

#26 LDTate

    Forum God

  • Root Admin
  • 57,173 posts

Posted 30 March 2007 - 05:48 AM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days


Proud graduate of TC/WTT Classroom
