Rogue Traffic

Steviebone

By Steviebone,
in Malware Removal

 Share Followers 0

Recommended Posts

Steviebone

Steviebone

Posted
Posted

Below is a hijack this log... the computer in question has been scanned by SpyBOT S&D, Spy Sweeper, Avast Pro (boot time) and NOD32. Whenever the computer starts up, even before log in syslog shows continuous various outbound traffic to rogue destination ip adresses. The traffic is continuous and eats up anywhere from 4 to 85% of the CPU power according to task manager. The only thing showing consumption in task manager however is System Idle Process. At semi periodic intervals I get errors in services.exe result code 0 and a forced NT Authority Shutdown/Reboot.

As there are over 70 programs installed on this workstation I would prefer NOT to have to rebuild from scratch. BTW, Acronis has been used to regulalry back up the OS daily but whatever it is is now embedded in all 7 OS backups.

Here is the log:

Logfile of HijackThis v1.99.1

Scan saved at 2:02:22 AM, on 5/20/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\XP\System32\smss.exe

C:\XP\system32\winlogon.exe

C:\XP\system32\services.exe

C:\XP\system32\lsass.exe

C:\XP\system32\svchost.exe

C:\XP\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\XP\system32\spoolsv.exe

C:\Program Files\Acronis\BackupServer\backupserver.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Eset\nod32krn.exe

C:\XP\system32\nvsvc32.exe

C:\XP\System32\svchost.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\XP\Explorer.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\Program Files\Eset\nod32kui.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\PTSync\PTSync.exe

C:\Program Files\Acronis\TrueImageEnterpriseServer\TRUEIM~3.EXE

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\Program Files\Acronis\TrueImageEnterpriseServer\TIMOUN~1.EXE

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Program Files\Webroot\Spy Sweeper\SSU.EXE

C:\XP\system32\NOTEPAD.EXE

C:\XP\system32\NOTEPAD.EXE

C:\XP\system32\vsjitdebugger.exe

C:\XP\system32\vsjitdebugger.exe

C:\XP\system32\taskmgr.exe

C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.americansingles.com/

F2 - REG:system.ini: Shell=C:\XP\Explorer.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Acrobat7\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Acrobat7\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Cooxie - {DC99E960-6594-45e3-9D5D-141D825B8096} - C:\Program Files\Cooxie Toolbar\PrvcBand.dll

O4 - HKLM\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray

O4 - HKLM\..\RunOnce: [speedStartup] "C:\Program Files\Speed Startup\speedstartup.exe" runonce

O4 - HKCU\..\Run: [speedStartup] "C:\Program Files\Speed Startup\speedstartup.exe" bootup

O8 - Extra context menu item: Add to &Teleport - D:\TeleportUltra\teleport.htm

O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MsOffice\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://D:\OmniPage15\PDFConverter3\IEShellExt.dll /100

O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll

O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll

O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MsOffice\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1145986548799

O17 - HKLM\System\CCS\Services\Tcpip\..\{90F742E6-14BD-42BD-B353-7487933899E6}: NameServer = 66.254.6.2,66.254.1.2

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O20 - Winlogon Notify: WgaLogon - C:\XP\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: WRNotifier - C:\XP\SYSTEM32\WRLogonNTF.dll

O23 - Service: Acronis Remote Agent (AcronisAgent) - Acronis - C:\Program Files\Common Files\Acronis\Agent\agent.exe

O23 - Service: Acronis Backup Server Service (AcronisBackupServerService) - Acronis - C:\Program Files\Acronis\BackupServer\backupserver.exe

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: Arcana Notification Agent (adnotify) - Unknown owner - C:\Program Files\Arcana Development\Notification Agent\ADNotify.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Arcana Scheduler - Arcana Development - C:\Program Files\Arcana Development\Arcana Scheduler\adscheduler.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Acronis Group Server (GroupServer) - Acronis - C:\Program Files\Acronis\GroupServer\GroupServer.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\XP\system32\drivers\KodakCCS.exe

O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe

O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\XP\system32\nvsvc32.exe

O23 - Service: O&O Defrag - O&O Software GmbH - C:\XP\system32\oodag.exe

O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - C:\Program Files\Zenturi\ProgramChecker\sassvc.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Link to post
Share on other sites
Steviebone

Steviebone

Posted
  • Author
Posted

Here is an updated log after running spydetector:

C:\XP\System32\smss.exe

C:\XP\system32\winlogon.exe

C:\XP\system32\services.exe

C:\XP\system32\lsass.exe

C:\XP\system32\svchost.exe

C:\XP\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\XP\system32\spoolsv.exe

C:\Program Files\Acronis\BackupServer\backupserver.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Eset\nod32krn.exe

C:\XP\system32\nvsvc32.exe

C:\Program Files\SpywareDetector\SDService.exe

C:\XP\System32\svchost.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\XP\Explorer.EXE

C:\Program Files\SpywareDetector\SDSystemTray.exe

C:\Program Files\Eset\nod32kui.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\PTSync\PTSync.exe

C:\Program Files\Acronis\TrueImageEnterpriseServer\TRUEIM~3.EXE

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\Program Files\Acronis\TrueImageEnterpriseServer\TIMOUN~1.EXE

C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\XP\system32\taskmgr.exe

C:\Program Files\Webroot\Spy Sweeper\SSU.EXE

C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.americansingles.com/

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Acrobat7\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Acrobat7\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Cooxie - {DC99E960-6594-45e3-9D5D-141D825B8096} - C:\Program Files\Cooxie Toolbar\PrvcBand.dll

O4 - HKLM\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray

O4 - HKLM\..\Run: [sDAutoLiveupdate] "C:\Program Files\SpywareDetector\LiveUpdateSD.exe" -AUTO

O4 - HKLM\..\Run: [systemTraySD] "C:\Program Files\SpywareDetector\SDSystemTray.exe" -AUTO

O4 - HKLM\..\RunOnce: [speedStartup] "C:\Program Files\Speed Startup\speedstartup.exe" runonce

O4 - HKCU\..\Run: [speedStartup] "C:\Program Files\Speed Startup\speedstartup.exe" bootup

O8 - Extra context menu item: Add to &Teleport - D:\TeleportUltra\teleport.htm

O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MsOffice\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://D:\OmniPage15\PDFConverter3\IEShellExt.dll /100

O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll

O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll

O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MsOffice\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1145986548799

O17 - HKLM\System\CCS\Services\Tcpip\..\{90F742E6-14BD-42BD-B353-7487933899E6}: NameServer = 66.254.6.2,66.254.1.2

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll

O20 - Winlogon Notify: WgaLogon - C:\XP\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: WRNotifier - C:\XP\SYSTEM32\WRLogonNTF.dll

O23 - Service: Acronis Remote Agent (AcronisAgent) - Acronis - C:\Program Files\Common Files\Acronis\Agent\agent.exe

O23 - Service: Acronis Backup Server Service (AcronisBackupServerService) - Acronis - C:\Program Files\Acronis\BackupServer\backupserver.exe

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: Arcana Notification Agent (adnotify) - Unknown owner - C:\Program Files\Arcana Development\Notification Agent\ADNotify.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Arcana Scheduler - Arcana Development - C:\Program Files\Arcana Development\Arcana Scheduler\adscheduler.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Acronis Group Server (GroupServer) - Acronis - C:\Program Files\Acronis\GroupServer\GroupServer.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\XP\system32\drivers\KodakCCS.exe

O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe

O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\XP\system32\nvsvc32.exe

O23 - Service: O&O Defrag - O&O Software GmbH - C:\XP\system32\oodag.exe

O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - C:\Program Files\Zenturi\ProgramChecker\sassvc.exe

O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Note: although the rogue traffic on syslog has ceased for the moment, there were still out bounds detected during bootup going to unknown domains and task manager still shows continuous memory and resource useage with spikes to 100%.

Link to post
Share on other sites
jwbirdsong

jwbirdsong

Posted
Posted (edited)

Let's look a little deeper

Download Combofix to your desktop.

Doubleclick combofix.exe

Follow the prompts.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

Post this log in your next reply

Edited by jwbirdsong
Link to post
Share on other sites
Steviebone

Steviebone

Posted
  • Author
Posted

ok, combo found a rootkit as I half expected... below is the log after 3 reboots...

unfortunately, on every reboot I have an MSI for Visual Foxpro trying to run now... I assume this may be the originally infected file trying to reload... on each reboot, before anything else (even speed startup) starts running, I get repeated message dialogs saying Windows Installer is preparing install for VFP9. I keep hitting cancel as quickly as possible but the window pops right back up... takes about 8 or 10 cancels to make it stay away... I fear this program will not give up perhaps until it has reinfected the machine... task manager is still going nuts showing constant activity 2-22% with never a pause... syslog is not showing any outbound traffic however so we're probably headed in the right direction....

I'm going to run combofix a second time and see if the installer has indeed reinfected the machine...

"Staypuffer" - 2007-05-20 10:29:12 Service Pack 2

ComboFix 07-05.20.9.V - Running from: "J:\Spywaredetector\"

Rootkit driver pe386 is present. ... attempting disinfection

pe386 ...... driver unloaded successfully.

ADS removed - system32: deleted 79094 bytes in 1 streams.

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\STAYPU~1\Desktop.\internet explorer.lnk

C:\Program Files\install.log

((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-20 ))))))))))))))))))))))))))))))))))

2007-05-20 06:42 2,922 --a------ C:\XP\system32\IE_Backup.reg

2007-05-20 06:42 2,846,854 --a------ C:\XP\system32\Windows_Backup.reg

2007-05-20 06:42 2,588 --a------ C:\XP\system32\startupBackup.reg

2007-05-20 02:27 123 --a------ C:\XP\system\SysSD.dll

2007-05-20 02:26 63,192 --a------ C:\XP\system32\CloseAll.exe

2007-05-20 02:26 270,336 --a------ C:\XP\system32\CheckDll.dll

2007-05-20 02:26 1,019,904 --a------ C:\XP\system32\VchReg.dll

2007-05-20 02:25 <DIR> d-------- C:\Program Files\SpywareDetector

2007-05-19 18:15 22,080 --a------ C:\XP\system32\drivers\sshrmd.sys

2007-05-19 18:15 21,056 --a------ C:\XP\system32\drivers\sskbfd.sys

2007-05-19 18:15 20,544 --a------ C:\XP\system32\drivers\SSFS0509.sys

2007-05-19 18:15 144,960 --a------ C:\XP\system32\drivers\ssidrv.sys

2007-05-19 18:15 <DIR> d-------- C:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\Webroot

2007-05-19 18:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.XP\APPLIC~1\Webroot

2007-05-19 18:08 164 --a------ C:\install.dat

2007-05-19 18:08 <DIR> d-------- C:\DOCUME~1\STAYPU~1\APPLIC~1\Webroot

2007-05-18 11:43 <DIR> d--h----- C:\XP\system32\GroupPolicy

2007-05-17 22:04 <DIR> d-------- C:\DOCUME~1\STAYPU~1\APPLIC~1\Texture Maker

2007-05-17 22:03 <DIR> d-------- C:\Program Files\Texture Maker

2007-05-17 17:39 <DIR> d-------- C:\DOCUME~1\STAYPU~1\APPLIC~1\Google

2007-05-15 13:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.XP\APPLIC~1\Spybot - Search & Destroy

2007-05-08 01:29 <DIR> d-------- C:\Program Files\Network Chemistry

2007-05-08 01:17 <DIR> d-------- C:\Program Files\WinPcap

2007-05-08 01:17 <DIR> d-------- C:\Program Files\Nmap

2007-04-26 18:37 298,496 --a------ C:\XP\uninst.exe

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-17 22:39:02 -------- d-----w C:\Program Files\Google

2007-05-16 04:57:49 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\WeatherBug

2007-05-15 21:02:01 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\dvdcss

2007-05-15 18:38:06 -------- d-----w C:\Program Files\MySpace

2007-05-07 17:28:32 -------- d-----w C:\Program Files\EPSON Print CD

2007-05-07 13:39:36 298,104 ----a-w C:\XP\system32\imon.dll

2007-05-07 13:39:34 512,096 ----a-w C:\XP\system32\drivers\amon.sys

2007-05-07 13:39:33 15,424 ----a-w C:\XP\system32\drivers\nod32drv.sys

2007-05-03 05:49:55 -------- d-----w C:\Program Files\LeapFTP

2007-04-30 15:46:10 745,600 ----a-w C:\XP\system32\aswBoot.exe

2007-04-30 15:41:55 85,952 ----a-w C:\XP\system32\drivers\aswmon.sys

2007-04-30 15:41:42 94,552 ----a-w C:\XP\system32\drivers\aswmon2.sys

2007-04-30 15:39:41 23,416 ----a-w C:\XP\system32\drivers\aswRdr.sys

2007-04-30 15:38:51 43,176 ----a-w C:\XP\system32\drivers\aswTdi.sys

2007-04-30 15:37:23 26,888 ----a-w C:\XP\system32\drivers\aavmker4.sys

2007-04-30 15:35:28 95,872 ----a-w C:\XP\system32\AVASTSS.scr

2007-04-30 08:55:32 -------- d-----w C:\Program Files\ViceVersa Pro 2

2007-04-26 23:09:43 -------- d-----w C:\Program Files\IsoBuster

2007-04-25 08:04:12 88,952 ----a-w C:\XP\system32\packet.dll

2007-04-25 08:04:12 68,480 ----a-w C:\XP\system32\wanpacket.dll

2007-04-25 08:04:12 42,000 ----a-w C:\XP\system32\drivers\npf.sys

2007-04-25 08:04:12 240,496 ----a-w C:\XP\system32\wpcap.dll

2007-04-21 03:30:35 -------- d-----w C:\Program Files\Speed Startup

2007-04-20 03:28:54 1,040,384 ----a-w C:\XP\system32\libeay32.dll

2007-04-20 03:27:57 196,608 ----a-w C:\XP\system32\ssleay32.dll

2007-04-16 06:45:33 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\MySpace

2007-04-09 04:37:55 -------- d-----w C:\Program Files\SlySoft

2007-04-09 03:42:45 29,392 ----a-w C:\XP\system32\drivers\secdrv.sys

2007-04-08 22:59:29 -------- d-----w C:\Program Files\PowerISO

2007-04-06 21:14:04 542 ----a-w C:\hrlist.scr

2007-04-06 20:32:08 371 ----a-w C:\getbilldirs.scr

2007-04-06 20:31:54 371 ----a-w C:\gethbdirs.scr

2007-04-06 20:28:28 139 ----a-w C:\tryftp.scr

2007-04-06 05:46:37 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\Zeon

2007-04-06 05:02:00 -------- d-----w C:\Program Files\G-Lock Software

2007-04-05 15:31:07 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\G-Lock Software

2007-04-04 10:33:04 -------- d-----w C:\Program Files\Yahoo!

2007-03-18 17:28:30 5,885 ----a-w C:\XP\mozver.dat

2007-03-17 13:43:01 292,864 ----a-w C:\XP\system32\winsrv.dll

2007-03-15 19:35:33 -------- d-----w C:\Program Files\Tracker

2007-03-15 10:52:51 -------- d-----w C:\Program Files\Registry Watch

2007-03-15 10:14:59 720,896 ----a-w C:\XP\iun6002ev.exe

2007-03-15 04:18:10 -------- d-----w C:\Program Files\Salive

2007-03-15 04:17:28 -------- d--h--r C:\DOCUME~1\STAYPU~1\APPLIC~1\yahoo!

2007-03-08 15:36:28 577,536 ----a-w C:\XP\system32\user32.dll

2007-03-08 15:36:28 40,960 ----a-w C:\XP\system32\mf3216.dll

2007-03-08 15:36:28 281,600 ----a-w C:\XP\system32\gdi32.dll

2007-03-08 13:47:48 1,843,584 ----a-w C:\XP\system32\win32k.sys

2007-03-08 04:59:59 -------- d-----w C:\Program Files\DirPrn

2007-03-07 09:16:28 -------- d-----w C:\Program Files\'Net Monitor

2007-03-07 09:13:15 -------- d-----w C:\Program Files\PTZone

2007-03-07 09:10:26 -------- d-----w C:\Program Files\WinWatch

2007-03-07 09:10:21 249,856 ------w C:\XP\Setup1.exe

2007-03-07 09:10:09 -------- d-----w C:\Program Files\LanMon

2007-03-07 09:09:11 73,216 ------w C:\XP\ST6UNST.EXE

2007-02-28 08:59:01 26,000 ----a-w C:\XP\system32\E3TL.DLL

2007-02-05 20:17:02 185,344 ----a-w C:\XP\system32\upnphost.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2004-05-12 01:03]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [2006-11-09 16:21]

{AE7CD045-E861-484f-8273-0445EE161910}=D:\Acrobat7\Acrobat\AcroIEFavClient.dll [2005-09-24 00:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpeedStartup"="C:\Program Files\Speed Startup\speedstartup.exe" [2006-12-14 17:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]

"SpeedStartup"=C:\Program Files\Speed Startup\speedstartup.exe runonce

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="D:\Internet\eudora\EuShlExt.dll" [2005-11-14 16:15]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]

C:\Program Files\SpywareDetector\SDNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

Contents of the 'Scheduled Tasks' folder

2007-05-20 06:01:04 C:\XP\tasks\_viceversapr2_task_Ascend.job

2007-05-20 11:19:10 C:\XP\tasks\_viceversapr2_task_Bashful2Booby.job

2007-05-20 11:30:08 C:\XP\tasks\_viceversapr2_task_batch.job

2007-05-20 18:01:35 C:\XP\tasks\_viceversapr2_task_Bills.job

2007-03-26 09:40:18 C:\XP\tasks\_viceversapr2_task_documents_and_settings.job

2007-05-20 11:20:37 C:\XP\tasks\_viceversapr2_task_Eudora.job

2007-05-20 18:01:25 C:\XP\tasks\_viceversapr2_task_hits prg to Tweetie D.job

2007-05-20 06:20:36 C:\XP\tasks\_viceversapr2_task_HITSSOURCES.job

2007-05-20 14:00:31 C:\XP\tasks\_viceversapr2_task_HITSVEN.job

2007-05-20 13:18:16 C:\XP\tasks\_viceversapr2_task_Idisk.job

2007-05-20 13:00:22 C:\XP\tasks\_viceversapr2_task_Links.job

2007-03-26 09:33:37 C:\XP\tasks\_viceversapr2_task_madden.job

2007-05-20 08:50:46 C:\XP\tasks\_viceversapr2_task_newag.job

2007-05-20 10:32:16 C:\XP\tasks\_viceversapr2_task_OHITS.job

2007-05-20 11:34:08 C:\XP\tasks\_viceversapr2_task_personal.job

2007-05-20 14:00:39 C:\XP\tasks\_viceversapr2_task_ServersAlive.job

2007-05-20 11:45:13 C:\XP\tasks\_viceversapr2_task_Steviebone.job

2007-03-26 11:38:02 C:\XP\tasks\_viceversapr2_task_Torrents.job

2007-05-20 18:45:01 C:\XP\tasks\_viceversapr2_task_txdot.job

2007-05-20 11:20:07 C:\XP\tasks\_viceversapr2_task_visaversaprofiles.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-05-20 13:54:48

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

********************************************************************

Completion time: 2007-05-20 14:04:04 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-05-20 14:04

--- E O F ---

Link to post
Share on other sites
Steviebone

Steviebone

Posted
  • Author
Posted

ok, still got a rootkit and the windows installer is still persisting... how can I stop this from running, where in the registry would this be found and how do I stop it from repeatedlt reopening?

"Staypuffer" - 2007-05-20 14:18:51 Service Pack 2

ComboFix 07-05.20.9.V - Running from: "J:\Spywaredetector\"

Rootkit driver lzx32 is present. A rootkit scan is required

((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-20 ))))))))))))))))))))))))))))))))))

2007-05-20 14:04 49,152 --a------ C:\XP\nircmd.exe

2007-05-20 06:42 2,922 --a------ C:\XP\system32\IE_Backup.reg

2007-05-20 06:42 2,846,854 --a------ C:\XP\system32\Windows_Backup.reg

2007-05-20 06:42 2,588 --a------ C:\XP\system32\startupBackup.reg

2007-05-20 02:27 123 --a------ C:\XP\system\SysSD.dll

2007-05-20 02:26 63,192 --a------ C:\XP\system32\CloseAll.exe

2007-05-20 02:26 270,336 --a------ C:\XP\system32\CheckDll.dll

2007-05-20 02:26 1,019,904 --a------ C:\XP\system32\VchReg.dll

2007-05-20 02:25 <DIR> d-------- C:\Program Files\SpywareDetector

2007-05-19 18:15 22,080 --a------ C:\XP\system32\drivers\sshrmd.sys

2007-05-19 18:15 21,056 --a------ C:\XP\system32\drivers\sskbfd.sys

2007-05-19 18:15 20,544 --a------ C:\XP\system32\drivers\SSFS0509.sys

2007-05-19 18:15 144,960 --a------ C:\XP\system32\drivers\ssidrv.sys

2007-05-19 18:15 <DIR> d-------- C:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\Webroot

2007-05-19 18:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.XP\APPLIC~1\Webroot

2007-05-19 18:08 164 --a------ C:\install.dat

2007-05-19 18:08 <DIR> d-------- C:\DOCUME~1\STAYPU~1\APPLIC~1\Webroot

2007-05-18 11:43 <DIR> d--h----- C:\XP\system32\GroupPolicy

2007-05-17 22:04 <DIR> d-------- C:\DOCUME~1\STAYPU~1\APPLIC~1\Texture Maker

2007-05-17 22:03 <DIR> d-------- C:\Program Files\Texture Maker

2007-05-17 17:39 <DIR> d-------- C:\DOCUME~1\STAYPU~1\APPLIC~1\Google

2007-05-15 13:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.XP\APPLIC~1\Spybot - Search & Destroy

2007-05-08 01:29 <DIR> d-------- C:\Program Files\Network Chemistry

2007-05-08 01:17 <DIR> d-------- C:\Program Files\WinPcap

2007-05-08 01:17 <DIR> d-------- C:\Program Files\Nmap

2007-04-26 18:37 298,496 --a------ C:\XP\uninst.exe

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-17 22:39:02 -------- d-----w C:\Program Files\Google

2007-05-16 04:57:49 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\WeatherBug

2007-05-15 21:02:01 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\dvdcss

2007-05-15 18:38:06 -------- d-----w C:\Program Files\MySpace

2007-05-07 17:28:32 -------- d-----w C:\Program Files\EPSON Print CD

2007-05-07 13:39:36 298,104 ----a-w C:\XP\system32\imon.dll

2007-05-07 13:39:34 512,096 ----a-w C:\XP\system32\drivers\amon.sys

2007-05-07 13:39:33 15,424 ----a-w C:\XP\system32\drivers\nod32drv.sys

2007-05-03 05:49:55 -------- d-----w C:\Program Files\LeapFTP

2007-04-30 15:46:10 745,600 ----a-w C:\XP\system32\aswBoot.exe

2007-04-30 15:41:55 85,952 ----a-w C:\XP\system32\drivers\aswmon.sys

2007-04-30 15:41:42 94,552 ----a-w C:\XP\system32\drivers\aswmon2.sys

2007-04-30 15:39:41 23,416 ----a-w C:\XP\system32\drivers\aswRdr.sys

2007-04-30 15:38:51 43,176 ----a-w C:\XP\system32\drivers\aswTdi.sys

2007-04-30 15:37:23 26,888 ----a-w C:\XP\system32\drivers\aavmker4.sys

2007-04-30 15:35:28 95,872 ----a-w C:\XP\system32\AVASTSS.scr

2007-04-30 08:55:32 -------- d-----w C:\Program Files\ViceVersa Pro 2

2007-04-26 23:09:43 -------- d-----w C:\Program Files\IsoBuster

2007-04-25 08:04:12 88,952 ----a-w C:\XP\system32\packet.dll

2007-04-25 08:04:12 68,480 ----a-w C:\XP\system32\wanpacket.dll

2007-04-25 08:04:12 42,000 ----a-w C:\XP\system32\drivers\npf.sys

2007-04-25 08:04:12 240,496 ----a-w C:\XP\system32\wpcap.dll

2007-04-21 03:30:35 -------- d-----w C:\Program Files\Speed Startup

2007-04-20 03:28:54 1,040,384 ----a-w C:\XP\system32\libeay32.dll

2007-04-20 03:27:57 196,608 ----a-w C:\XP\system32\ssleay32.dll

2007-04-16 06:45:33 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\MySpace

2007-04-09 04:37:55 -------- d-----w C:\Program Files\SlySoft

2007-04-09 03:42:45 29,392 ----a-w C:\XP\system32\drivers\secdrv.sys

2007-04-08 22:59:29 -------- d-----w C:\Program Files\PowerISO

2007-04-06 21:14:04 542 ----a-w C:\hrlist.scr

2007-04-06 20:32:08 371 ----a-w C:\getbilldirs.scr

2007-04-06 20:31:54 371 ----a-w C:\gethbdirs.scr

2007-04-06 20:28:28 139 ----a-w C:\tryftp.scr

2007-04-06 05:46:37 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\Zeon

2007-04-06 05:02:00 -------- d-----w C:\Program Files\G-Lock Software

2007-04-05 15:31:07 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\G-Lock Software

2007-04-04 10:33:04 -------- d-----w C:\Program Files\Yahoo!

2007-03-18 17:28:30 5,885 ----a-w C:\XP\mozver.dat

2007-03-17 13:43:01 292,864 ----a-w C:\XP\system32\winsrv.dll

2007-03-15 19:35:33 -------- d-----w C:\Program Files\Tracker

2007-03-15 10:52:51 -------- d-----w C:\Program Files\Registry Watch

2007-03-15 10:14:59 720,896 ----a-w C:\XP\iun6002ev.exe

2007-03-15 04:18:10 -------- d-----w C:\Program Files\Salive

2007-03-15 04:17:28 -------- d--h--r C:\DOCUME~1\STAYPU~1\APPLIC~1\yahoo!

2007-03-08 15:36:28 577,536 ----a-w C:\XP\system32\user32.dll

2007-03-08 15:36:28 40,960 ----a-w C:\XP\system32\mf3216.dll

2007-03-08 15:36:28 281,600 ----a-w C:\XP\system32\gdi32.dll

2007-03-08 13:47:48 1,843,584 ----a-w C:\XP\system32\win32k.sys

2007-03-08 04:59:59 -------- d-----w C:\Program Files\DirPrn

2007-03-07 09:16:28 -------- d-----w C:\Program Files\'Net Monitor

2007-03-07 09:13:15 -------- d-----w C:\Program Files\PTZone

2007-03-07 09:10:26 -------- d-----w C:\Program Files\WinWatch

2007-03-07 09:10:21 249,856 ------w C:\XP\Setup1.exe

2007-03-07 09:10:09 -------- d-----w C:\Program Files\LanMon

2007-03-07 09:09:11 73,216 ------w C:\XP\ST6UNST.EXE

2007-02-28 08:59:01 26,000 ----a-w C:\XP\system32\E3TL.DLL

2007-02-05 20:17:02 185,344 ----a-w C:\XP\system32\upnphost.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2004-05-12 01:03]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [2006-11-09 16:21]

{AE7CD045-E861-484f-8273-0445EE161910}=D:\Acrobat7\Acrobat\AcroIEFavClient.dll [2005-09-24 00:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpeedStartup"="C:\Program Files\Speed Startup\speedstartup.exe" [2006-12-14 17:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]

"SpeedStartup"=C:\Program Files\Speed Startup\speedstartup.exe runonce

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="D:\Internet\eudora\EuShlExt.dll" [2005-11-14 16:15]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]

C:\Program Files\SpywareDetector\SDNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

Contents of the 'Scheduled Tasks' folder

2007-05-20 06:01:04 C:\XP\tasks\_viceversapr2_task_Ascend.job

2007-05-20 11:19:10 C:\XP\tasks\_viceversapr2_task_Bashful2Booby.job

2007-05-20 11:30:08 C:\XP\tasks\_viceversapr2_task_batch.job

2007-05-20 19:30:03 C:\XP\tasks\_viceversapr2_task_Bills.job

2007-03-26 09:40:18 C:\XP\tasks\_viceversapr2_task_documents_and_settings.job

2007-05-20 11:20:37 C:\XP\tasks\_viceversapr2_task_Eudora.job

2007-05-20 19:00:31 C:\XP\tasks\_viceversapr2_task_hits prg to Tweetie D.job

2007-05-20 06:20:36 C:\XP\tasks\_viceversapr2_task_HITSSOURCES.job

2007-05-20 14:00:31 C:\XP\tasks\_viceversapr2_task_HITSVEN.job

2007-05-20 13:18:16 C:\XP\tasks\_viceversapr2_task_Idisk.job

2007-05-20 13:00:22 C:\XP\tasks\_viceversapr2_task_Links.job

2007-03-26 09:33:37 C:\XP\tasks\_viceversapr2_task_madden.job

2007-05-20 08:50:46 C:\XP\tasks\_viceversapr2_task_newag.job

2007-05-20 10:32:16 C:\XP\tasks\_viceversapr2_task_OHITS.job

2007-05-20 11:34:08 C:\XP\tasks\_viceversapr2_task_personal.job

2007-05-20 14:00:39 C:\XP\tasks\_viceversapr2_task_ServersAlive.job

2007-05-20 11:45:13 C:\XP\tasks\_viceversapr2_task_Steviebone.job

2007-03-26 11:38:02 C:\XP\tasks\_viceversapr2_task_Torrents.job

2007-05-20 18:45:01 C:\XP\tasks\_viceversapr2_task_txdot.job

2007-05-20 11:20:07 C:\XP\tasks\_viceversapr2_task_visaversaprofiles.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-05-20 14:31:41

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

********************************************************************

Completion time: 2007-05-20 14:38:44 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-05-20 14:38

C:\ComboFix2.txt ... 2007-05-20 14:04

--- E O F ---

Link to post
Share on other sites
Steviebone

Steviebone

Posted
  • Author
Posted

ran rustockbfix exe then got this:

Rustock.b-ADS attached to the System32-folder:

Attempting to remove ADS...

Looking for Rustock.b-files in the System32-folder:

ECHO is off.

******************* Post-run Status of system *******************

Rustock.b-driver on the system:

YOU NEED TO CONSULT MORE ADVANCED TOOLS!!

The Gmer-rootkitscanner may be a good place to start.

Gmer rootkit-scanner may be found here: http://www.gmer.net

Rustock.b-ADS attached to the System32-folder:

ECHO is off.

You should either run the tool again or consult more advanced tools

The Gmer-rootkitscanner may be a good place to start.

Gmer rootkit-scanner may be found here: http://www.gmer.net

Looking for Rustock.b-files in the System32-folder:

ECHO is off.

You should either run the tool again or consult more advanced tools

Swandog46's Avenger or Gmer's-rootkitscanner may be a good place to start.

Swandog46's Avenger may be found here: http://swandog46.geekstogo.com/avengernotes.htm

Gmer rootkit-scanner may be found here: http://www.gmer.net

******************************* End of Logfile ********************************

Link to post
Share on other sites
Steviebone

Steviebone

Posted
  • Author
Posted

so I ran gmer... I have no idea what to do with this information:

GMER 1.0.12.12244 - http://www.gmer.net

Rootkit scan 2007-05-20 17:02:03

Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.12 ----

SSDT 82F60CD8 ZwAllocateVirtualMemory

SSDT a347bus.sys ZwClose

SSDT 82FAE198 ZwCreateKey

SSDT a347bus.sys ZwCreatePagingFile

SSDT 82FE4880 ZwCreateProcess

SSDT 82F7AB70 ZwCreateProcessEx

SSDT 82F60FA8 ZwCreateThread

SSDT 82FAD338 ZwDeleteKey

SSDT 82FED248 ZwDeleteValueKey

SSDT a347bus.sys ZwEnumerateKey

SSDT a347bus.sys ZwEnumerateValueKey

SSDT a347bus.sys ZwOpenFile

SSDT a347bus.sys ZwOpenKey

SSDT a347bus.sys ZwQueryKey

SSDT a347bus.sys ZwQueryValueKey

SSDT 82F60D50 ZwQueueApcThread

SSDT 82F60BE8 ZwReadVirtualMemory

SSDT 82FCBB38 ZwRenameKey

SSDT 82F60E40 ZwSetContextThread

SSDT 82FE75C0 ZwSetInformationKey

SSDT 82F77210 ZwSetInformationProcess

SSDT 82F60EB8 ZwSetInformationThread

SSDT a347bus.sys ZwSetSystemPowerState

SSDT 82FAD680 ZwSetValueKey

SSDT 82F77198 ZwSuspendProcess

SSDT 82F60DC8 ZwSuspendThread

SSDT 82F77288 ZwTerminateProcess

SSDT 82F60F30 ZwTerminateThread

SSDT 82F60C60 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.12 ----

? C:\XP\System32\DRIVERS\update.sys

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1044] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ AB, FA, C3, 83 ]

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 82F992B0

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE 829A6550

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE 829A33D8

Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE 829A5B88

Device \Driver\Tcpip \Device\Ip IRP_MJ_READ 829A5A60

Device \Driver\Tcpip \Device\Ip IRP_MJ_WRITE 829A5938

Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION 829A5810

Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION 829A56E8

Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA 829A4C60

Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA 829A4B38

Device \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS 829A4A10

Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION 829A48E8

Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION 829A3E58

Device \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL 82983D90

Device \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL 82983C68

Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL 82983B40

Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL 829D2DA0

Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN 829D2C88

Device \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL 829D2B60

Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP 829D2A38

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT 829D2910

Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY 829D27E8

Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY 829D26C0

Device \Driver\Tcpip \Device\Ip IRP_MJ_POWER 829D2598

Device \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL 829D2470

Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE 829D2348

Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA 829D2220

Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA 829D1FA8

Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP 829D1E90

Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE 829A6550

Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE 829A33D8

Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE 829A5B88

Device \Driver\Tcpip \Device\Tcp IRP_MJ_READ 829A5A60

Device \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE 829A5938

Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION 829A5810

Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION 829A56E8

Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA 829A4C60

Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA 829A4B38

Device \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS 829A4A10

Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION 829A48E8

Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION 829A3E58

Device \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL 82983D90

Device \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL 82983C68

Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL 82983B40

Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL 829D2DA0

Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN 829D2C88

Device \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL 829D2B60

Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP 829D2A38

Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT 829D2910

Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY 829D27E8

Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY 829D26C0

Device \Driver\Tcpip \Device\Tcp IRP_MJ_POWER 829D2598

Device \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL 829D2470

Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE 829D2348

Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA 829D2220

Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA 829D1FA8

Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP 829D1E90

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 82DBD540

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_NAMED_PIPE 82DBD540

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 82DBD540

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 82DBD540

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 82DBD540

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_INFORMATION 82DBD540

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_INFORMATION 82DBD540

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_EA 82DBD540

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_EA 82DBD540

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 82DBD540

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_VOLUME_INFORMATION 82DBD540

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_VOLUME_INFORMATION 82DBD540

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DIRECTORY_CONTROL 82DBD540

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FILE_SYSTEM_CONTROL 82DBD540

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 82DBD540

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82DBD540

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 82DBD540

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_LOCK_CONTROL 82DBD540

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLEANUP 82DBD540

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_MAILSLOT 82DBD540

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_SECURITY 82DBD540

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_SECURITY 82DBD540

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 82DBD540

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 82DBD540

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CHANGE 82DBD540

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_QUOTA 82DBD540

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_QUOTA 82DBD540

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 82DBD540

Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 8245BFB0

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 82DBD540

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_NAMED_PIPE 82DBD540

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 82DBD540

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 82DBD540

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 82DBD540

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_INFORMATION 82DBD540

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_INFORMATION 82DBD540

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_EA 82DBD540

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_EA 82DBD540

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 82DBD540

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_VOLUME_INFORMATION 82DBD540

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_VOLUME_INFORMATION 82DBD540

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DIRECTORY_CONTROL 82DBD540

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FILE_SYSTEM_CONTROL 82DBD540

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 82DBD540

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82DBD540

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 82DBD540

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_LOCK_CONTROL 82DBD540

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLEANUP 82DBD540

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_MAILSLOT 82DBD540

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_SECURITY 82DBD540

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_SECURITY 82DBD540

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 82DBD540

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 82DBD540

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CHANGE 82DBD540

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_QUOTA 82DBD540

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_QUOTA 82DBD540

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 82DBD540

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_NAMED_PIPE 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLOSE 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_READ 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_WRITE 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_INFORMATION 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_INFORMATION 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_EA 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_EA 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FLUSH_BUFFERS 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_VOLUME_INFORMATION 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_VOLUME_INFORMATION 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DIRECTORY_CONTROL 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FILE_SYSTEM_CONTROL 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CONTROL 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SHUTDOWN 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_LOCK_CONTROL 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLEANUP 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_MAILSLOT 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_SECURITY 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_SECURITY 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_POWER 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SYSTEM_CONTROL 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CHANGE 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_QUOTA 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_QUOTA 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_PNP 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CREATE 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CREATE_NAMED_PIPE 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CLOSE 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_READ 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_WRITE 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_INFORMATION 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_INFORMATION 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_EA 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_EA 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_FLUSH_BUFFERS 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_VOLUME_INFORMATION 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_VOLUME_INFORMATION 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_DIRECTORY_CONTROL 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_FILE_SYSTEM_CONTROL 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_DEVICE_CONTROL 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_INTERNAL_DEVICE_CONTROL 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SHUTDOWN 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_LOCK_CONTROL 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CLEANUP 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_CREATE_MAILSLOT 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_SECURITY 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_SECURITY 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_POWER 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SYSTEM_CONTROL 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_DEVICE_CHANGE 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_QUERY_QUOTA 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_SET_QUOTA 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 IRP_MJ_PNP 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_NAMED_PIPE 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLOSE 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_READ 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_WRITE 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_INFORMATION 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_INFORMATION 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_EA 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_EA 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FLUSH_BUFFERS 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_VOLUME_INFORMATION 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_VOLUME_INFORMATION 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DIRECTORY_CONTROL 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FILE_SYSTEM_CONTROL 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CONTROL 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SHUTDOWN 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_LOCK_CONTROL 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLEANUP 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_MAILSLOT 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_SECURITY 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_SECURITY 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_POWER 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SYSTEM_CONTROL 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CHANGE 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_QUOTA 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_QUOTA 82DB42E0

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_PNP 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CREATE 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CREATE_NAMED_PIPE 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CLOSE 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_READ 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_WRITE 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_INFORMATION 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_INFORMATION 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_EA 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_EA 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_FLUSH_BUFFERS 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_VOLUME_INFORMATION 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_VOLUME_INFORMATION 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_DIRECTORY_CONTROL 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_FILE_SYSTEM_CONTROL 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_DEVICE_CONTROL 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_INTERNAL_DEVICE_CONTROL 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SHUTDOWN 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_LOCK_CONTROL 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CLEANUP 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_CREATE_MAILSLOT 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_SECURITY 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_SECURITY 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_POWER 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SYSTEM_CONTROL 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_DEVICE_CHANGE 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_QUERY_QUOTA 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_SET_QUOTA 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c IRP_MJ_PNP 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_CREATE 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_CREATE_NAMED_PIPE 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_CLOSE 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_READ 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_WRITE 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_QUERY_INFORMATION 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_SET_INFORMATION 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_QUERY_EA 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_SET_EA 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_FLUSH_BUFFERS 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_QUERY_VOLUME_INFORMATION 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_SET_VOLUME_INFORMATION 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_DIRECTORY_CONTROL 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_FILE_SYSTEM_CONTROL 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_DEVICE_CONTROL 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_INTERNAL_DEVICE_CONTROL 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_SHUTDOWN 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_LOCK_CONTROL 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_CLEANUP 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_CREATE_MAILSLOT 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_QUERY_SECURITY 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_SET_SECURITY 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_POWER 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_SYSTEM_CONTROL 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_DEVICE_CHANGE 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_QUERY_QUOTA 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_SET_QUOTA 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 IRP_MJ_PNP 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_CREATE 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_CREATE_NAMED_PIPE 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_CLOSE 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_READ 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_WRITE 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_QUERY_INFORMATION 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_SET_INFORMATION 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_QUERY_EA 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_SET_EA 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_FLUSH_BUFFERS 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_QUERY_VOLUME_INFORMATION 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_SET_VOLUME_INFORMATION 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_DIRECTORY_CONTROL 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_FILE_SYSTEM_CONTROL 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_DEVICE_CONTROL 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_INTERNAL_DEVICE_CONTROL 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_SHUTDOWN 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_LOCK_CONTROL 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_CLEANUP 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_CREATE_MAILSLOT 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_QUERY_SECURITY 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_SET_SECURITY 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_POWER 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_SYSTEM_CONTROL 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_DEVICE_CHANGE 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_QUERY_QUOTA 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_SET_QUOTA 82DB42E0

Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 IRP_MJ_PNP 82DB42E0

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE 82DBD540

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE_NAMED_PIPE 82DBD540

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLOSE 82DBD540

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_READ 82DBD540

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_WRITE 82DBD540

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_INFORMATION 82DBD540

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_INFORMATION 82DBD540

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_EA 82DBD540

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_EA 82DBD540

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FLUSH_BUFFERS 82DBD540

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_VOLUME_INFORMATION 82DBD540

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_VOLUME_INFORMATION 82DBD540

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DIRECTORY_CONTROL 82DBD540

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FILE_SYSTEM_CONTROL 82DBD540

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CONTROL 82DBD540

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_INTERNAL_DEVICE_CONTROL 82DBD540

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SHUTDOWN 82DBD540

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_LOCK_CONTROL 82DBD540

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLEANUP 82DBD540

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE_MAILSLOT 82DBD540

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_SECURITY 82DBD540

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_SECURITY 82DBD540

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_POWER 82DBD540

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SYSTEM_CONTROL 82DBD540

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CHANGE 82DBD540

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_QUERY_QUOTA 82DBD540

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SET_QUOTA 82DBD540

Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_PNP 82DBD540

Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_READ 82016E98

Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE 829A6550

Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE 829A33D8

Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE 829A5B88

Device \Driver\Tcpip \Device\Udp IRP_MJ_READ 829A5A60

Device \Driver\Tcpip \Device\Udp IRP_MJ_WRITE 829A5938

Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION 829A5810

Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION 829A56E8

Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA 829A4C60

Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA 829A4B38

Device \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS 829A4A10

Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION 829A48E8

Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION 829A3E58

Device \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL 82983D90

Device \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL 82983C68

Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL 82983B40

Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL 829D2DA0

Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN 829D2C88

Device \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL 829D2B60

Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP 829D2A38

Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT 829D2910

Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY 829D27E8

Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY 829D26C0

Device \Driver\Tcpip \Device\Udp IRP_MJ_POWER 829D2598

Device \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL 829D2470

Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE 829D2348

Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA 829D2220

Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA 829D1FA8

Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP 829D1E90

Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE 829A6550

Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE 829A33D8

Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE 829A5B88

Device \Driver\Tcpip \Device\RawIp IRP_MJ_READ 829A5A60

Device \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE 829A5938

Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION 829A5810

Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION 829A56E8

Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA 829A4C60

Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA 829A4B38

Device \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS 829A4A10

Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION 829A48E8

Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION 829A3E58

Device \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL 82983D90

Device \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL 82983C68

Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL 82983B40

Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL 829D2DA0

Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN 829D2C88

Device \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL 829D2B60

Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP 829D2A38

Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT 829D2910

Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY 829D27E8

Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY 829D26C0

Device \Driver\Tcpip \Device\RawIp IRP_MJ_POWER 829D2598

Device \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL 829D2470

Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE 829D2348

Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA 829D2220

Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA 829D1FA8

Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP 829D1E90

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 824B8708

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE 829A6550

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_NAMED_PIPE 829A33D8

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE 829A5B88

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_READ 829A5A60

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_WRITE 829A5938

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_INFORMATION 829A5810

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_INFORMATION 829A56E8

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_EA 829A4C60

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_EA 829A4B38

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FLUSH_BUFFERS 829A4A10

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_VOLUME_INFORMATION 829A48E8

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_VOLUME_INFORMATION 829A3E58

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DIRECTORY_CONTROL 82983D90

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FILE_SYSTEM_CONTROL 82983C68

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL 82983B40

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL 829D2DA0

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN 829D2C88

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_LOCK_CONTROL 829D2B60

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP 829D2A38

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT 829D2910

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_SECURITY 829D27E8

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_SECURITY 829D26C0

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_POWER 829D2598

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SYSTEM_CONTROL 829D2470

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CHANGE 829D2348

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_QUOTA 829D2220

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_QUOTA 829D1FA8

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP 829D1E90

Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 824B8708

Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_READ 8294FE70

Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_READ 829DB400

Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CREATE 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CREATE_NAMED_PIPE 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CLOSE 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_READ 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_WRITE 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_INFORMATION 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_INFORMATION 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_EA 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_EA 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_FLUSH_BUFFERS 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_VOLUME_INFORMATION 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_VOLUME_INFORMATION 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_DIRECTORY_CONTROL 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_FILE_SYSTEM_CONTROL 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_DEVICE_CONTROL 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SHUTDOWN 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_LOCK_CONTROL 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CLEANUP 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_CREATE_MAILSLOT 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_SECURITY 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_SECURITY 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_POWER 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SYSTEM_CONTROL 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_DEVICE_CHANGE 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_QUERY_QUOTA 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_SET_QUOTA 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1 IRP_MJ_PNP 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_CREATE 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_CREATE_NAMED_PIPE 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_CLOSE 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_READ 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_WRITE 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_QUERY_INFORMATION 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_SET_INFORMATION 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_QUERY_EA 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_SET_EA 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_FLUSH_BUFFERS 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_QUERY_VOLUME_INFORMATION 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_SET_VOLUME_INFORMATION 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_DIRECTORY_CONTROL 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_FILE_SYSTEM_CONTROL 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_SHUTDOWN 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_LOCK_CONTROL 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_CLEANUP 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_CREATE_MAILSLOT 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_QUERY_SECURITY 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_SET_SECURITY 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_POWER 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_DEVICE_CHANGE 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_QUERY_QUOTA 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_SET_QUOTA 82D47008

Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 IRP_MJ_PNP 82D47008

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_READ 8294DFB0

Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_READ 8294DFB0

Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_READ 8294DFB0

Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_READ 8294DFB0

Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_READ 8294DFB0

Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 824A9458

---- Modules - GMER 1.0.12 ----

Module _________ F853D000-F8555000 (98304 bytes)

---- Registry - GMER 1.0.12 ----

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\XP\system32\OLE32.DLL

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\XP\system32\OLE32.DLL

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x46 0x47 0x15 0xB0 ...

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\XP\system32\OLE32.DLL

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\XP\system32\OLE32.DLL

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ...

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\XP\system32\OLE32.DLL

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\XP\system32\OLE32.DLL

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\XP\system32\OLE32.DLL

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ...

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\XP\system32\OLE32.DLL

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\XP\system32\OLE32.DLL

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\XP\system32\OLE32.DLL

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\XP\system32\OLE32.DLL

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\XP\system32\OLE32.DLL

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...

Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\[email protected] 277C3E89C499B260DD37410948245D4EF0F20E10950C565FF78C1B98AB8108FD49B9A5D4B4BC8A91

1C20E908F74267BDB63C6AB7C7F066FC361E452196606E00606F1C0E8C9AEFE583CB87EBB390683DE

869A138AE71EAD95A91193F0A4DC2FCB36A5A29117C23C3040D44D3BBEC60EE3F716FFEA3A443F604

22034E972F67716D4A1F0DAEC324C47089CED3F2CC122AD61F92ED23339508B961731AF4857F0F9A0

6AA94F1E139B5013BD974633704792F91CFD8CFDA49F1E4B0DFE57B6476B8AFE3440E0F5F6D99D06F

1DB038CA829B2DBA6F0AEB6C8953D1C9FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CF

EBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C8EDD5E5BE2F6E667C038D530D6EB3452C0

38D530D6EB3452A6171C11EC38DE3D8F36E2B830ED536A1FE23375D0DC89E38A98A9CE7ED5A4E9AA7

5EBD488D5586AA24CCE959D5C24FC6114136BD03AD5DF429EB19F3FBE9CB8A72832553B26ABB53937

96540ADF6D7028C3D90EB6A3442605B37308E8545D4327AC7684DC3695BBA32BBE875A726A2FD1F22

2A6C5ECF8E8E347C2A74066169E8B7C6AF4D4726F14334F6D59B3BC3BF8C216AC91089C7D2AF23B9C

325078D9343A86DE4FCBFCF32DBFBFEF84839EE5616218DFC1C8EF40C3CB651C6B62459D3F9D2F4B4

D32ABC149248D365AF629D1CB9B55443A18D392DF0A0F05AD0BB

Reg \Registry\USER\S-1-5-21-527237240-854245398-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0AF7744A-9721-FDD5-BA18-A9578358D751}@hadnkljcbmkdoggg 0x67 0x61 0x6B 0x6C ...

Reg \Registry\USER\S-1-5-21-527237240-854245398-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0AF7744A-9721-FDD5-BA18-A9578358D751}@iaponpeaajedpgikna 0x63 0x61 0x68 0x6B ...

Reg \Registry\USER\S-1-5-21-527237240-854245398-1343024091-1003\Software\Zepter Software\RegLib

Reg \Registry\USER\S-1-5-21-527237240-854245398-1343024091-1003\Software\Zepter Software\RegLib

---- EOF - GMER 1.0.12 ----

Link to post
Share on other sites
Steviebone

Steviebone

Posted
  • Author
Posted

I ran avg in safe mode, reran combofix, and for a brief period it looked as tho this might have done it... but alas... the windows installer for vfp9 persisted popping up continuously on every reboot until I let it run... here is the avg and another current hijack log:

Logfile of HijackThis v1.99.1

Scan saved at 1:24:51 AM, on 5/21/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\XP\System32\smss.exe

C:\XP\system32\winlogon.exe

C:\XP\system32\services.exe

C:\XP\system32\lsass.exe

C:\XP\system32\svchost.exe

C:\XP\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\XP\system32\spoolsv.exe

C:\Program Files\Acronis\BackupServer\backupserver.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Eset\nod32krn.exe

C:\XP\system32\nvsvc32.exe

C:\Program Files\SpywareDetector\SDService.exe

C:\XP\System32\svchost.exe

C:\XP\Explorer.EXE

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\XP\system32\wuauclt.exe

C:\Program Files\Eset\nod32kui.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\Program Files\SpywareDetector\SDSystemTray.exe

C:\Program Files\PTSync\PTSync.exe

C:\Program Files\Acronis\TrueImageEnterpriseServer\TRUEIM~3.EXE

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\Program Files\Acronis\TrueImageEnterpriseServer\TIMOUN~1.EXE

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Webroot\Spy Sweeper\SSU.EXE

C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.americansingles.com/

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Acrobat7\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Acrobat7\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Cooxie - {DC99E960-6594-45e3-9D5D-141D825B8096} - C:\Program Files\Cooxie Toolbar\PrvcBand.dll

O4 - HKLM\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\RunOnce: [speedStartup] "C:\Program Files\Speed Startup\speedstartup.exe" runonce

O4 - HKCU\..\Run: [speedStartup] "C:\Program Files\Speed Startup\speedstartup.exe" bootup

O8 - Extra context menu item: Add to &Teleport - D:\TeleportUltra\teleport.htm

O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://D:\Acrobat7\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MsOffice\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://D:\OmniPage15\PDFConverter3\IEShellExt.dll /100

O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll

O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll

O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MsOffice\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1145986548799

O17 - HKLM\System\CCS\Services\Tcpip\..\{90F742E6-14BD-42BD-B353-7487933899E6}: NameServer = 66.254.6.2,66.254.1.2

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll

O20 - Winlogon Notify: WgaLogon - C:\XP\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: WRNotifier - C:\XP\SYSTEM32\WRLogonNTF.dll

O23 - Service: Acronis Remote Agent (AcronisAgent) - Acronis - C:\Program Files\Common Files\Acronis\Agent\agent.exe

O23 - Service: Acronis Backup Server Service (AcronisBackupServerService) - Acronis - C:\Program Files\Acronis\BackupServer\backupserver.exe

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: Arcana Notification Agent (adnotify) - Unknown owner - C:\Program Files\Arcana Development\Notification Agent\ADNotify.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Arcana Scheduler - Arcana Development - C:\Program Files\Arcana Development\Arcana Scheduler\adscheduler.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Acronis Group Server (GroupServer) - Acronis - C:\Program Files\Acronis\GroupServer\GroupServer.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\XP\system32\drivers\KodakCCS.exe

O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe

O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\XP\system32\nvsvc32.exe

O23 - Service: O&O Defrag - O&O Software GmbH - C:\XP\system32\oodag.exe

O23 - Service: ProgramCheckerPro (sassvc) - Unknown owner - C:\Program Files\Zenturi\ProgramChecker\sassvc.exe

O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

avg:

---------------------------------------------------------

AVG Anti-Spyware - Scan Report

---------------------------------------------------------

+ Created at: 11:32:38 PM 5/20/2007

+ Scan result:

F:\Audio Programs and Plugins\Holding\CyberlinkPower2go\CyberLink.Power2Go.Deluxe.v5.50.2614.Multilingual.Incl.Keymaker\keygen.exe -> Logger.Banker : Cleaned.

F:\Audio Programs and Plugins\Holding\XPGenuine\Make Windows XP Genuine\3) Genuine.rar/Port_RockXP_v4.exe/RockXP4.exe -> Not-A-Virus.PSWTool.Win32.RAS.a : Cleaned.

:mozilla.355:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.356:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.357:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.358:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.359:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.360:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.361:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.362:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.363:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.364:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.365:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.366:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.367:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.368:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.369:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.370:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.371:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.372:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.373:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.374:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.375:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.376:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.377:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.378:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.379:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.380:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.381:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.382:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.383:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.384:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.385:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.386:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.387:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.388:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.389:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.390:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.391:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.392:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.393:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.394:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.395:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.396:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.397:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.398:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.399:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.400:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.401:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.402:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.403:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.404:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.405:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.510:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.559:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.676:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.695:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.730:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.761:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.820:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.839:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.450:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.

:mozilla.451:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.

:mozilla.452:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.

:mozilla.453:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.

:mozilla.241:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.

:mozilla.242:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.

:mozilla.243:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.

:mozilla.245:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.

:mozilla.250:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.

:mozilla.251:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.

:mozilla.252:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.

:mozilla.253:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.

:mozilla.254:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.

:mozilla.179:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.

:mozilla.180:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.

:mozilla.182:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.

:mozilla.183:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.

:mozilla.184:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.

:mozilla.186:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.

:mozilla.87:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.

:mozilla.420:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.

:mozilla.892:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned.

:mozilla.416:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.

:mozilla.417:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.

:mozilla.418:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.

:mozilla.419:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.

:mozilla.192:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.

:mozilla.193:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.

:mozilla.194:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.

:mozilla.195:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.

:mozilla.196:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.

:mozilla.197:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.

:mozilla.198:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.

:mozilla.200:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.

:mozilla.201:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.

:mozilla.694:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Cnn : Cleaned.

:mozilla.869:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Com : Cleaned.

:mozilla.870:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Com : Cleaned.

:mozilla.871:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Com : Cleaned.

:mozilla.872:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Com : Cleaned.

:mozilla.503:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.

:mozilla.504:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.

:mozilla.505:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.

:mozilla.506:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.

:mozilla.142:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.

:mozilla.143:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.

:mozilla.261:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.

:mozilla.262:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.

:mozilla.263:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.

:mozilla.264:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.

:mozilla.265:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.

:mozilla.244:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.

:mozilla.246:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.

:mozilla.247:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.

:mozilla.248:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.

:mozilla.249:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.

:mozilla.110:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.

:mozilla.447:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.

:mozilla.464:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.

:mozilla.556:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.

:mozilla.574:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.

:mozilla.585:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.

:mozilla.650:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.

:mozilla.655:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.

:mozilla.660:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.

:mozilla.224:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.

:mozilla.225:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.

:mozilla.227:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.

:mozilla.228:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.

:mozilla.231:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.

:mozilla.232:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.

:mozilla.704:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.

:mozilla.705:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.

:mozilla.706:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.

:mozilla.707:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.

:mozilla.708:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.

:mozilla.709:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.

:mozilla.896:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.

:mozilla.115:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned.

:mozilla.927:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned.

:mozilla.786:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.

:mozilla.787:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.

:mozilla.539:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.

:mozilla.540:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.

:mozilla.541:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.

:mozilla.283:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.

:mozilla.284:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.

:mozilla.331:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Msn : Cleaned.

:mozilla.332:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Msn : Cleaned.

:mozilla.335:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Msn : Cleaned.

:mozilla.7:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.

:mozilla.8:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.

:mozilla.9:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.

:mozilla.931:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.

:mozilla.932:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.

:mozilla.727:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Overture : Cleaned.

:mozilla.728:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Overture : Cleaned.

:mozilla.729:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Overture : Cleaned.

:mozilla.428:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.

:mozilla.255:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.

:mozilla.256:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.

:mozilla.257:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.

:mozilla.258:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.

:mozilla.259:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.

:mozilla.260:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.

:mozilla.285:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.

:mozilla.286:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.

:mozilla.287:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.

:mozilla.288:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.

:mozilla.289:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.

:mozilla.290:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.

:mozilla.291:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.

:mozilla.602:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.

:mozilla.603:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.

:mozilla.604:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.

:mozilla.605:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.

:mozilla.606:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.

:mozilla.607:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.

:mozilla.608:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.

:mozilla.609:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.

:mozilla.610:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.

:mozilla.629:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.

:mozilla.205:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.

:mozilla.206:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.

:mozilla.207:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.

:mozilla.208:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.

:mozilla.209:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.

:mozilla.210:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.

:mozilla.211:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.

:mozilla.212:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.

:mozilla.213:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.

:mozilla.214:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.

:mozilla.215:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.

:mozilla.216:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.

:mozilla.217:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.

:mozilla.218:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.

:mozilla.219:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.

:mozilla.220:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.

:mozilla.221:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.

:mozilla.222:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.

:mozilla.223:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.

:mozilla.149:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.

:mozilla.150:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.

:mozilla.151:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.

:mozilla.152:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.

:mozilla.153:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.

:mozilla.154:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.

:mozilla.731:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.

:mozilla.732:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.

:mozilla.733:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.

:mozilla.734:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.

:mozilla.735:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.

:mozilla.736:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.

:mozilla.737:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.

:mozilla.738:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.

:mozilla.21:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.22:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.23:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.24:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.25:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.26:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.27:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.28:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.29:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.30:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.31:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.32:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.33:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.34:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.35:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.36:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.37:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.38:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.39:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.40:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.41:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.46:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.47:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.48:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.49:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.50:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.51:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.52:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.53:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.54:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.55:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.56:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.57:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.58:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.59:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.60:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.61:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.62:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.63:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.64:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.65:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.66:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.67:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.68:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.69:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.

:mozilla.421:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.

:mozilla.422:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.

:mozilla.423:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.

:mozilla.424:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.

:mozilla.920:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Toplist : Cleaned.

:mozilla.899:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.

:mozilla.266:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.

:mozilla.267:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.

:mozilla.268:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.

:mozilla.269:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.

:mozilla.270:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.

:mozilla.271:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.

:mozilla.272:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.

:mozilla.273:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.

:mozilla.274:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.

:mozilla.444:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Trafic : Cleaned.

:mozilla.148:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.

:mozilla.89:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.

:mozilla.128:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.

:mozilla.79:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.

:mozilla.944:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.

:mozilla.135:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.

:mozilla.136:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.

:mozilla.137:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.

:mozilla.138:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.

:mozilla.139:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.

:mozilla.140:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.

:mozilla.141:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.

:mozilla.485:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.

:mozilla.486:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.

:mozilla.487:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.

:mozilla.488:C:\Documents and Settings\Staypuffer\Application Data\Mozilla\Firefox\Profiles\c1capmv4.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.

C:\Program Files\Teleport Ultra\scheduler.exe -> Trojan.Agent.iu : Cleaned.

D:\TeleportUltra\scheduler.exe -> Trojan.Agent.iu : Cleaned.

F:\Audio Programs and Plugins\Audio Programs\Vegas\SONY.Vegas.6.0c.FULL.Include.Keymaker-PDX.zip/KEYGEN/SONYkeygen.exe -> Trojan.Pakes.edg : Cleaned.

F:\Audio Programs and Plugins\Audio Programs\Vegas\install\KEYGEN\SONYkeygen.exe -> Trojan.Pakes.edg : Cleaned.

D:\Acronis Complete Suite\Acronis Complete\WinRAR.v3.51.WinALL.Cracked-CORE\cr-wr351.zip/crack.exe -> Trojan.Small : Cleaned.

F:\Audio Programs and Plugins\Holding\SpiderWriter\Spider_Writer_v5-20-00610\Spider_Writer_v5[1].20.0610Patch.zip/crack.exe -> Trojan.Small : Cleaned.

::Report end

Link to post
Share on other sites
jwbirdsong

jwbirdsong

Posted
Posted (edited)

Sorry for the delay, lots going on. As you can well imaging log are our one line into your computer so the more info I have the better armed I'll be... You said you ran the Rustock.b-fix.. Was it the -- By ejvindh?? Could you post that log also please.

Download and Save Blacklight Beta (graphical user interface version) to your desktop.

Double-click fsbl.exe then accept the agreement.

click > scan then > next,

You'll see a list of all items found.

Don't choose for rename yet! I want to see the log first, because legit items can also be present there... like "wbemtest.exe" :!:

There will be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)

1.) Download and install Rootkit Unhooker.

2.) Disconnect from the internet and close all active protection programs especially HIPs programs like Prevx1 which will interfere. Leave your firewall on.

3.) Next, it is very important for you to Temporarily Disable Active Protection for any security programs you have enabled such as Prevx while we complete the fixes. You may keep firewall enabled.

Click Start --> All Programs --> Rootkit Unhooker to run the program.

  • Click Hidden Process Detector - then click File --> Quick Report and save the information on that page.
  • Click Hidden Drivers Detector- then click File --> Quick Report and save the information on that page.
  • Click Code Hooks Detector- then click File --> Quick Report and save the information on that page.
  • Click Hidden Files Detector - then click Scan Do not touch your computer during the scan.
  • At the end of the Hidden File scan, save the report and then post all four labelled reports back here.Plus the other logs asked for above.

I realise that is a lot of logs to post..take as many post as you need OR if you use the ADDREPLY option (Not quick reply) there should be an attach file option, you can just attach file if you prefer.

PS ADDED You may get an error about missing Windows DLL when running one of the 4 scans from Unhooker it's normal and shouldn't effect the other scans...

Edited by jwbirdsong
ADDED PS
Link to post
Share on other sites
Steviebone

Steviebone

Posted
  • Author
Posted

below is the log u asked for:

Rustock.b-ADS attached to the System32-folder:

Attempting to remove ADS...

Looking for Rustock.b-files in the System32-folder:

ECHO is off.

******************* Post-run Status of system *******************

Rustock.b-driver on the system:

YOU NEED TO CONSULT MORE ADVANCED TOOLS!!

The Gmer-rootkitscanner may be a good place to start.

Gmer rootkit-scanner may be found here: http://www.gmer.net

Rustock.b-ADS attached to the System32-folder:

ECHO is off.

You should either run the tool again or consult more advanced tools

The Gmer-rootkitscanner may be a good place to start.

Gmer rootkit-scanner may be found here: http://www.gmer.net

Looking for Rustock.b-files in the System32-folder:

ECHO is off.

You should either run the tool again or consult more advanced tools

Swandog46's Avenger or Gmer's-rootkitscanner may be a good place to start.

Swandog46's Avenger may be found here: http://swandog46.geekstogo.com/avengernotes.htm

Gmer rootkit-scanner may be found here: http://www.gmer.net

----------------

I then ran gmer, the log is in an above post... I had no idea what to do with the information it presented.

No matter what I did, whenever I rebooted, early in the log on process I got a Windows installer trying to re-install vIsual Foxpro 9, a program which was already on my computer and running fine. No matter how many times I clicked cancel, the installer would close and immediately reopen itself. I would have to click cancel at least 12-15 times (the installer would close and then restart each time) to make the window go away for good. I fear this may have been the vehicle used to infect the machine. I could find no registry entries anywhere that where telling it to run on startup. I have several starup monitors and none of them showed an entry for it either... very suspiscious IMO. I finally got tired of hovering over the mouse all the way thru each 5 minute boot and let it do its thing to see what would happen. I said it was preparing to instal VFP9, would gather a bunch of data and then finally close without ever installing anything near as I could tell.

Subsequent scans did not turn up any rootkit, however, spydetector said that rustock backdoor had been successfully removed whenever I tried to run the rust checker. So I am now assuming from reading your post that I need to close all protection programs but my firewall while performing these checks.. this may invalidate much of previous information as I have avast pro, nod32, spybot S&D, spysweeper, spydetector and now avg all loaded on the system now. So before running combofix, etc, I should have all other protection programs disabled?

Running the rust checker now just returns an error after reboot saying it can't find files.

I DID run the avgantirootkit in depth scan last night and it found no rootkits. However, several of the protection programs were also running at the time...

current status: tho I can see no outbound in the syslogs, task manager shows continuous memory useage and constant cpu useage from 2 up to 86% even tho no applications are open. Average is probably about 12%. However, on all my other computer systems when nothing is running tactual useage hovers near zero with NO spikes. Over night, my available memory has been reduced to almost zero as well. CLosing all the protection programs only freed a small portion oif the memory and had no effect on the task manager reported cpu activity. ALl of it always gets lumped under system idle even tho the computer doesnt seem to be doing anything.

I noticed there didnt seem to be anyway to unload the nod32krn from task manager, it and its memory allocation seemed to hang around no matter how I closed the app. Sam thing with Spy Sweeper... even tho it has been unloaded using its own menu the app remains in the task manager list sucking up resources even tho it is not doing anything. BTW, Spy Sweper seems to be a huge resource hog. With all of its protections enabled CPU is at near 100% all the time even with no other applications open.

Maybe Im obsessing too much over the CPU activity, but having anything spiking resources when u are running some applications, especially those with real time graphics (like games for example) are adverserly noticeably affected.

(sigh)... I will now try your latest suggestion and then post the results in a while.

Thanks for your help, I really appreciate it.

Link to post
Share on other sites
jwbirdsong

jwbirdsong

Posted
Posted

Kind of in reverse order.

whats an HIP program

Host Intrusion Prevention like System Safety Monitor or Kaspersky's Proactive Defense Module

using the one found here: http://www.antirootkit.com/software/RootKit-Unhooker.htm

hope this is the same

Yep..one note on the 'usage speech' I inluded...each time you save one of the results you need to change name else it will overwrite previous result--it does NOT append.

I see in my previous reply some how my link for Blacklite didn't get included.

http://www.f-secure.com/exclude/blacklight/index.shtml

Then follow instruction in last post. Just make sure to get the GRAPHIC and not the commandline version.

It's QUITE possible that your high CPU usage is NOW due to the fact that you have both Nod and Avast on the machine...The WILL battle for control of the system and eat up resouorces.

Let's see the Unhooker logs and Blacklight log....I think we may now just be chasing your rogue startup installer.

Link to post
Share on other sites
Steviebone

Steviebone

Posted
  • Author
Posted

ok thanks for all ur help..

a couple of notes, I finally let the installer go... whatever it did it did and has not come back the last few reboots

the rootkit program runs the hidden file scan but crashes near the end every time... Ive checked the disk for errors but nada... at the point only one file is listed in the window... to the best of my knowledege no log is ever written for that function, the other three logs are copied below..

As for resource useage, in safe mode of course the task manager looks right. I disabled ALL of the programs however for these tests, following the instructions in the page you referenced AND going to startup controller and disabling all of them... I then checked on reboot and none of the programs had loaded. Even still, with NONE of those programs loaded the activity remains... including constant memory allocation changes... again task manager only indicates system idle at 98-99% even though no applications are opne there doesnt appear to be anything else running.

I will download backlight next and post the results.

Here are the other logs:

RkUnhooker report generator v0.6

==============================================

Rootkit Unhooker kernel version: 3.31.150.420

==============================================

Windows Major Version: 5

Windows Minor Version: 1

Windows Build Number: 2600

==============================================

Process: System

Process Id: 4

EPROCESS Address: 0x82FCA490

Process: C:\XP\system32\nvsvc32.exe

Process Id: 288

EPROCESS Address: 0x82487890

Process: C:\XP\system32\smss.exe

Process Id: 532

EPROCESS Address: 0x82494020

Process: C:\XP\system32\csrss.exe

Process Id: 648

EPROCESS Address: 0x8217A360

Process: C:\XP\system32\winlogon.exe

Process Id: 676

EPROCESS Address: 0x822EEBC8

Process: C:\XP\system32\services.exe

Process Id: 720

EPROCESS Address: 0x8213CC88

Process: C:\Program Files\Acronis\TrueImageEnterpriseServer\TRUEIM~3.EXE

Process Id: 724

EPROCESS Address: 0x81E6ADA0

Process: C:\XP\system32\lsass.exe

Process Id: 732

EPROCESS Address: 0x82169A18

Process: C:\XP\system32\svchost.exe

Process Id: 884

EPROCESS Address: 0x82113460

Process: C:\XP\system32\svchost.exe

Process Id: 972

EPROCESS Address: 0x820E1020

Process: C:\XP\system32\svchost.exe

Process Id: 1028

EPROCESS Address: 0x820CE300

Process: C:\Program Files\SpywareDetector\SDService.exe

Process Id: 1076

EPROCESS Address: 0x824D5AC8

Process: C:\XP\system32\svchost.exe

Process Id: 1088

EPROCESS Address: 0x820DBB50

Process: C:\XP\system32\svchost.exe

Process Id: 1132

EPROCESS Address: 0x82492980

Process: C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

Process Id: 1148

EPROCESS Address: 0x820DC8E0

Process: C:\Program Files\Alwil Software\Avast4\ashServ.exe

Process Id: 1204

EPROCESS Address: 0x820CB8E0

Process: C:\XP\system32\spoolsv.exe

Process Id: 1408

EPROCESS Address: 0x82054B30

Process: C:\Program Files\Common Files\Acronis\Agent\agent.exe

Process Id: 1524

EPROCESS Address: 0x8202BDA0

Process: C:\Program Files\Acronis\BackupServer\backupserver.exe

Process Id: 1540

EPROCESS Address: 0x82017DA0

Process: C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

Process Id: 1572

EPROCESS Address: 0x82060350

Process: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

Process Id: 1608

EPROCESS Address: 0x8208C020

Process: C:\Program Files\PTSync\PTSync.exe

Process Id: 1616

EPROCESS Address: 0x81EAB020

Process: C:\XP\system32\svchost.exe

Process Id: 1620

EPROCESS Address: 0x8204CDA0

Process: C:\Program Files\Acronis\GroupServer\GroupServer.exe

Process Id: 1704

EPROCESS Address: 0x81FEE5B0

Process: C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

Process Id: 1780

EPROCESS Address: 0x81F9DDA0

Process: C:\XP\system32\wdfmgr.exe

Process Id: 1996

EPROCESS Address: 0x81FE6890

Process: C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Process Id: 2120

EPROCESS Address: 0x821B0890

Process: C:\XP\system32\taskmgr.exe

Process Id: 2412

EPROCESS Address: 0xFE03F608

Process: C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

Process Id: 2436

EPROCESS Address: 0x8214C930

Process: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

Process Id: 2468

EPROCESS Address: 0x82E68020

Process: C:\Program Files\Acronis\TrueImageEnterpriseServer\TIMOUN~1.EXE

Process Id: 2484

EPROCESS Address: 0xFDA9B890

Process: C:\XP\system32\alg.exe

Process Id: 2712

EPROCESS Address: 0x81EC7890

Process: C:\XP\system32\wuauclt.exe

Process Id: 2888

EPROCESS Address: 0x82E54020

Process: C:\RkUnhooker\oAi7c8OoI7xio.exe

Process Id: 3028

EPROCESS Address: 0xFCFC95B0

Process: C:\XP\explorer.exe

Process Id: 3852

EPROCESS Address: 0x81E27DA0

---------------------

RkUnhooker report generator v0.6

==============================================

Rootkit Unhooker kernel version: 3.31.150.420

==============================================

Windows Major Version: 5

Windows Minor Version: 1

Windows Build Number: 2600

==============================================

Driver:

Address: 0xF853D000

Size: 98304 bytes

Driver: ?_unknown_code_page_?

Address: 0x82F6F278

Size: 3464 bytes

Driver: ?_unknown_code_page_?

Address: 0x82DC1B78

Size: 1160 bytes

Driver: ?_unknown_code_page_?

Address: 0x82D49008

Size: 4088 bytes

Driver: ?_unknown_code_page_?

Address: 0x82E775C8

Size: 2616 bytes

Driver: ?_unknown_code_page_?

Address: 0x82985D68

Size: 664 bytes

Driver: ?_unknown_code_page_?

Address: 0x82985C40

Size: 960 bytes

Driver: ?_unknown_code_page_?

Address: 0x82985B18

Size: 1256 bytes

Driver: ?_unknown_code_page_?

Address: 0x82C387B0

Size: 2128 bytes

Driver: ?_unknown_code_page_?

Address: 0x82C38688

Size: 2424 bytes

Driver: ?_unknown_code_page_?

Address: 0x82C38560

Size: 2720 bytes

Driver: ?_unknown_code_page_?

Address: 0x82C38438

Size: 3016 bytes

Driver: ?_unknown_code_page_?

Address: 0x82C38310

Size: 3312 bytes

Driver: ?_unknown_code_page_?

Address: 0x82C381E8

Size: 3608 bytes

Driver: ?_unknown_code_page_?

Address: 0x82C379A0

Size: 1632 bytes

Driver: ?_unknown_code_page_?

Address: 0x82C37888

Size: 1912 bytes

Driver: ?_unknown_code_page_?

Address: 0x82C37760

Size: 2208 bytes

Driver: ?_unknown_code_page_?

Address: 0x82C37638

Size: 2504 bytes

Driver: ?_unknown_code_page_?

Address: 0x82C37510

Size: 2800 bytes

Driver: ?_unknown_code_page_?

Address: 0x82C373E8

Size: 3096 bytes

Driver: ?_unknown_code_page_?

Address: 0x82C372C0

Size: 3392 bytes

Driver: ?_unknown_code_page_?

Address: 0x829AC810

Size: 2032 bytes

Driver: ?_unknown_code_page_?

Address: 0x829AC6E8

Size: 2328 bytes

Driver: ?_unknown_code_page_?

Address: 0x829AC5C0

Size: 2624 bytes

Driver: ?_unknown_code_page_?

Address: 0x829AC498

Size: 2920 bytes

Driver: ?_unknown_code_page_?

Address: 0x829AC370

Size: 3216 bytes

Driver: ?_unknown_code_page_?

Address: 0x829AC248

Size: 3512 bytes

Driver: ?_unknown_code_page_?

Address: 0x829ABDA0

Size: 608 bytes

Driver: ?_unknown_code_page_?

Address: 0x82AE81A0

Size: 3680 bytes

Driver: ?_unknown_code_page_?

Address: 0x824D0820

Size: 2016 bytes

Driver: ?_unknown_code_page_?

Address: 0x824F52E8

Size: 3352 bytes

Driver: ?_unknown_code_page_?

Address: 0x82B9EFA8

Size: 88 bytes

Driver: ?_unknown_code_page_?

Address: 0x82B9EF30

Size: 208 bytes

Driver: ?_unknown_code_page_?

Address: 0x8245C750

Size: 2224 bytes

Driver: ?_unknown_code_page_?

Address: 0x820AEBD0

Size: 1072 bytes

Driver: ?_unknown_code_page_?

Address: 0x824D4370

Size: 3216 bytes

Driver: ?_unknown_code_page_?

Address: 0x829929E8

Size: 1560 bytes

Driver: ?_unknown_code_page_?

Address: 0x82DB3430

Size: 3024 bytes

Driver: ?_unknown_code_page_?

Address: 0x82AF17E0

Size: 2080 bytes

Driver: ?_unknown_code_page_?

Address: 0x8245E1A0

Size: 3680 bytes

Driver: a347bus.sys

Address: 0xF862D000

Size: 163840 bytes

Driver: a347scsi.sys

Address: 0xF8B80000

Size: 8192 bytes

Driver: C:\XP\System32\Drivers\Aavmker4.SYS

Address: 0xF8A76000

Size: 20480 bytes

Driver: ACPI.sys

Address: 0xF85FF000

Size: 188416 bytes

Driver: ACPI_HAL

Address: 0x806EC000

Size: 81280 bytes

Driver: C:\XP\system32\drivers\aec.sys

Address: 0xB92B8000

Size: 143360 bytes

Driver: C:\XP\system32\drivers\Afc.sys

Address: 0xF8A5E000

Size: 32768 bytes

Driver: C:\XP\System32\drivers\afd.sys

Address: 0xF67B8000

Size: 139264 bytes

Driver: C:\XP\System32\DRIVERS\amdk7.sys

Address: 0xF8726000

Size: 40960 bytes

Driver: C:\XP\system32\drivers\amon.sys

Address: 0xB9892000

Size: 503808 bytes

Driver: C:\XP\System32\Drivers\AnyDVD.sys

Address: 0xF8786000

Size: 36864 bytes

Driver: C:\XP\System32\Drivers\Asapi.SYS

Address: 0xF8936000

Size: 32768 bytes

Driver: C:\XP\System32\drivers\aspi32.sys

Address: 0xF669E000

Size: 20480 bytes

Driver: C:\XP\System32\Drivers\aswMon2.SYS

Address: 0xB9B92000

Size: 90112 bytes

Driver: C:\XP\System32\Drivers\aswRdr.SYS

Address: 0xB9564000

Size: 16384 bytes

Driver: C:\XP\System32\Drivers\aswTdi.SYS

Address: 0xF8886000

Size: 36864 bytes

Driver: C:\XP\System32\DRIVERS\audstub.sys

Address: 0xF8CBB000

Size: 4096 bytes

Driver: C:\XP\System32\DRIVERS\AvgArCln.sys

Address: 0xF8D0F000

Size: 4096 bytes

Driver: avgarkt.sys

Address: 0xF8B7A000

Size: 8192 bytes

Driver: C:\XP\System32\DRIVERS\AvgAsCln.sys

Address: 0xF8D19000

Size: 4096 bytes

Driver: C:\XP\System32\Drivers\Beep.SYS

Address: 0xF8B9C000

Size: 8192 bytes

Driver: C:\XP\system32\BOOTVID.dll

Address: 0xF8A86000

Size: 12288 bytes

Driver: C:\XP\System32\Drivers\Cdfs.SYS

Address: 0xF7BC8000

Size: 65536 bytes

Driver: C:\XP\System32\DRIVERS\cdrom.sys

Address: 0xF8796000

Size: 53248 bytes

Driver: C:\XP\System32\DRIVERS\CLASSPNP.SYS

Address: 0xF86E6000

Size: 53248 bytes

Driver: C:\XP\system32\drivers\cmaudio.sys

Address: 0xF7F05000

Size: 380928 bytes

Driver: C:\XP\system32\DRIVERS\ctoss2k.sys

Address: 0xF7D17000

Size: 196608 bytes

Driver: C:\XP\system32\DRIVERS\ctsfm2k.sys

Address: 0xF7C2D000

Size: 155648 bytes

Driver: C:\XP\system32\DRIVERS\DcCam.sys

Address: 0xF8846000

Size: 36864 bytes

Driver: C:\XP\system32\drivers\dcfs2k.sys

Address: 0xF6168000

Size: 40960 bytes

Driver: disk.sys

Address: 0xF86D6000

Size: 36864 bytes

Driver: C:\XP\System32\drivers\dmboot.sys

Address: 0xF7C53000

Size: 802816 bytes

Driver: dmio.sys

Address: 0xF8555000

Size: 155648 bytes

Driver: dmload.sys

Address: 0xF8B7E000

Size: 8192 bytes

Driver: C:\XP\system32\drivers\DMusic.sys

Address: 0xB9648000

Size: 53248 bytes

Driver: C:\XP\system32\drivers\drmk.sys

Address: 0xF8736000

Size: 61440 bytes

Driver: C:\XP\system32\drivers\drmkaud.sys

Address: 0xF8D88000

Size: 4096 bytes

Driver: C:\XP\System32\Drivers\dump_atapi.sys

Address: 0xF60C8000

Size: 98304 bytes

Driver: C:\XP\System32\Drivers\dump_WMILIB.SYS

Address: 0xF8BC4000

Size: 8192 bytes

Driver: C:\XP\System32\drivers\Dxapi.sys

Address: 0xF66F2000

Size: 12288 bytes

Driver: C:\XP\System32\drivers\dxg.sys

Address: 0xBF000000

Size: 73728 bytes

Driver: C:\XP\System32\drivers\dxgthk.sys

Address: 0xF8CD1000

Size: 4096 bytes

Driver: C:\XP\System32\DRIVERS\el90xbc5.sys

Address: 0xF7C1C000

Size: 69632 bytes

Driver: C:\XP\System32\Drivers\ElbyCDFL.sys

Address: 0xF8A56000

Size: 28672 bytes

Driver: C:\XP\System32\Drivers\ElbyCDIO.sys

Address: 0xF8BC2000

Size: 8192 bytes

Driver: C:\XP\System32\Drivers\ElbyDelay.sys

Address: 0xF8B84000

Size: 8192 bytes

Driver: C:\XP\system32\DRIVERS\EXPORTIT.SYS

Address: 0xF6976000

Size: 155648 bytes

Driver: C:\XP\System32\DRIVERS\fdc.sys

Address: 0xF8A36000

Size: 28672 bytes

Driver: C:\XP\System32\Drivers\Fips.SYS

Address: 0xF88C6000

Size: 36864 bytes

Driver: C:\XP\System32\DRIVERS\flpydisk.sys

Address: 0xF89A6000

Size: 20480 bytes

Driver: fltmgr.sys

Address: 0xF8505000

Size: 131072 bytes

Driver: C:\XP\System32\Drivers\Fs_Rec.SYS

Address: 0xF8B96000

Size: 8192 bytes

Driver: ftdisk.sys

Address: 0xF857B000

Size: 126976 bytes

Driver: C:\XP\system32\DRIVERS\gameenum.sys

Address: 0xF8365000

Size: 12288 bytes

Driver: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys

Address: 0xF8D80000

Size: 4096 bytes

Driver: C:\XP\system32\hal.dll

Address: 0x806EC000

Size: 81280 bytes

Driver: C:\XP\System32\Drivers\HIDCLASS.SYS

Address: 0xF8866000

Size: 36864 bytes

Driver: C:\XP\system32\DRIVERS\HIDPARSE.SYS

Address: 0xF89DE000

Size: 28672 bytes

Driver: hpt3xx.sys

Address: 0xF86C6000

Size: 45056 bytes

Driver: C:\XP\System32\Drivers\HTTP.sys

Address: 0xB9014000

Size: 266240 bytes

Driver: C:\XP\System32\DRIVERS\i8042prt.sys

Address: 0xF8756000

Size: 53248 bytes

Driver: C:\XP\system32\DRIVERS\imapi.sys

Address: 0xF8776000

Size: 45056 bytes

Driver: C:\XP\System32\DRIVERS\ipnat.sys

Address: 0xF6802000

Size: 135168 bytes

Driver: C:\XP\System32\DRIVERS\ipsec.sys

Address: 0xF687B000

Size: 77824 bytes

Driver: isapnp.sys

Address: 0xF8676000

Size: 36864 bytes

Driver: C:\XP\system32\drivers\iviaspi.sys

Address: 0xF8A6E000

Size: 24576 bytes

Driver: C:\XP\System32\DRIVERS\kbdclass.sys

Address: 0xF8A4E000

Size: 24576 bytes

Driver: C:\XP\system32\KDCOM.DLL

Address: 0xF8B76000

Size: 8192 bytes

Driver: C:\XP\system32\drivers\kmixer.sys

Address: 0xB928D000

Size: 176128 bytes

Driver: C:\XP\system32\drivers\ks.sys

Address: 0xF7EBE000

Size: 143360 bytes

Driver: KSecDD.sys

Address: 0xF84DC000

Size: 94208 bytes

Driver: C:\XP\system32\DRIVERS\L8042Kbd.sys

Address: 0xF8345000

Size: 12288 bytes

Driver: C:\XP\system32\DRIVERS\LHidKE.Sys

Address: 0xF89AE000

Size: 24576 bytes

Driver: C:\XP\System32\Drivers\LHidUsbK.Sys

Address: 0xF8856000

Size: 36864 bytes

Driver: C:\XP\system32\DRIVERS\LMouKE.Sys

Address: 0xF7BD8000

Size: 65536 bytes

Driver: C:\XP\system32\DRIVERS\lv302af.sys

Address: 0xF8BB0000

Size: 8192 bytes

Driver: C:\XP\system32\DRIVERS\LV302AV.SYS

Address: 0xF63C3000

Size: 913408 bytes

Driver: C:\XP\system32\DRIVERS\lvsvf2.sys

Address: 0xF61A8000

Size: 2207744 bytes

Driver: C:\XP\System32\Drivers\mnmdd.SYS

Address: 0xF8BA0000

Size: 8192 bytes

Driver: C:\XP\System32\DRIVERS\mouclass.sys

Address: 0xF8986000

Size: 24576 bytes

Driver: C:\XP\System32\DRIVERS\mouhid.sys

Address: 0xF696A000

Size: 12288 bytes

Driver: MountMgr.sys

Address: 0xF86A6000

Size: 45056 bytes

Driver: C:\XP\System32\DRIVERS\mrxdav.sys

Address: 0xB99FD000

Size: 184320 bytes

Driver: C:\XP\System32\DRIVERS\mrxsmb.sys

Address: 0xF66F6000

Size: 454656 bytes

Driver: C:\XP\System32\Drivers\Msfs.SYS

Address: 0xF89F6000

Size: 20480 bytes

Driver: C:\XP\System32\DRIVERS\msgpc.sys

Address: 0xF8876000

Size: 36864 bytes

Driver: C:\XP\System32\DRIVERS\mssmbios.sys

Address: 0xF8309000

Size: 16384 bytes

Driver: Mup.sys

Address: 0xF83BD000

Size: 110592 bytes

Driver: C:\XP\SYSTEM32\Drivers\NDIS.SYS

Address: 0xF859A000

Size: 184320 bytes

Driver: C:\XP\System32\DRIVERS\ndistapi.sys

Address: 0xF8325000

Size: 12288 bytes

Driver: C:\XP\System32\DRIVERS\ndiswan.sys

Address: 0xF7B51000

Size: 94208 bytes

Driver: C:\XP\System32\Drivers\NDProxy.SYS

Address: 0xF8826000

Size: 40960 bytes

Driver: C:\XP\System32\DRIVERS\netbios.sys

Address: 0xF88A6000

Size: 36864 bytes

Driver: C:\XP\System32\DRIVERS\netbt.sys

Address: 0xF67DA000

Size: 163840 bytes

Driver: C:\XP\system32\drivers\nod32drv.sys

Address: 0xF8BAA000

Size: 8192 bytes

Driver: C:\XP\system32\drivers\npf.sys

Address: 0xB97B8000

Size: 36864 bytes

Driver: C:\XP\System32\Drivers\Npfs.SYS

Address: 0xF8A06000

Size: 32768 bytes

Driver: Ntfs.sys

Address: 0xF844F000

Size: 577536 bytes

Driver: C:\XP\system32\ntoskrnl.exe

Address: 0x804D7000

Size: 2180352 bytes

Driver: C:\XP\System32\Drivers\Null.SYS

Address: 0xF8D0B000

Size: 4096 bytes

Driver: C:\XP\System32\nv4_disp.dll

Address: 0xBF012000

Size: 3928064 bytes

Driver: C:\XP\System32\DRIVERS\nv4_mini.sys

Address: 0xF7F9E000

Size: 3534848 bytes

Driver: C:\XP\system32\DRIVERS\nvcap.sys

Address: 0xF6022000

Size: 110592 bytes

Driver: C:\XP\system32\DRIVERS\nvtunep.sys

Address: 0xF66DA000

Size: 16384 bytes

Driver: C:\XP\system32\DRIVERS\nvtvsnd.sys

Address: 0xF7B78000

Size: 45056 bytes

Driver: C:\XP\system32\DRIVERS\NVxbar.sys

Address: 0xF66E2000

Size: 12288 bytes

Driver: C:\XP\system32\drivers\P17.sys

Address: 0xF7D47000

Size: 1392640 bytes

Driver: C:\XP\System32\DRIVERS\parport.sys

Address: 0xF7C08000

Size: 81920 bytes

Driver: PartMgr.sys

Address: 0xF8906000

Size: 20480 bytes

Driver: C:\XP\System32\Drivers\ParVdm.SYS

Address: 0xF8BA6000

Size: 8192 bytes

Driver: pci.sys

Address: 0xF85EE000

Size: 69632 bytes

Driver: C:\XP\System32\DRIVERS\PCIIDEX.SYS

Address: 0xF88FE000

Size: 28672 bytes

Driver: C:\XP\System32\Drivers\Pcouffin.sys

Address: 0xF87E6000

Size: 40960 bytes

Driver: C:\XP\system32\drivers\pfc.sys

Address: 0xF8335000

Size: 12288 bytes

Driver: PnpManager

Address: 0x804D7000

Size: 2180352 bytes

Driver: C:\XP\system32\drivers\portcls.sys

Address: 0xF7EE1000

Size: 147456 bytes

Driver: C:\XP\System32\DRIVERS\ptilink.sys

Address: 0xF896E000

Size: 20480 bytes

Driver: PxHelp20.sys

Address: 0xF890E000

Size: 20480 bytes

Driver: C:\XP\System32\DRIVERS\rasacd.sys

Address: 0xF8329000

Size: 12288 bytes

Driver: C:\XP\System32\DRIVERS\rasl2tp.sys

Address: 0xF87B6000

Size: 53248 bytes

Driver: C:\XP\System32\DRIVERS\raspppoe.sys

Address: 0xF87C6000

Size: 45056 bytes

Driver: C:\XP\System32\DRIVERS\raspptp.sys

Address: 0xF87D6000

Size: 49152 bytes

Driver: C:\XP\System32\DRIVERS\raspti.sys

Address: 0xF897E000

Size: 20480 bytes

Driver: RAW

Address: 0x804D7000

Size: 2180352 bytes

Driver: C:\XP\System32\DRIVERS\rdbss.sys

Address: 0xF678D000

Size: 176128 bytes

Driver: C:\XP\System32\DRIVERS\RDPCDD.sys

Address: 0xF8BA4000

Size: 8192 bytes

Driver: C:\XP\System32\DRIVERS\rdpdr.sys

Address: 0xF7AF8000

Size: 200704 bytes

Driver: C:\XP\System32\DRIVERS\redbook.sys

Address: 0xF87A6000

Size: 61440 bytes

Driver: C:\XP\System32\Drivers\rkhdrv31.SYS

Address: 0xF8976000

Size: 20480 bytes

Driver: C:\XP\System32\Drivers\SCDEmu.SYS

Address: 0xF8A3E000

Size: 32768 bytes

Driver: C:\XP\system32\DRIVERS\SCSIPORT.SYS

Address: 0xF8525000

Size: 98304 bytes

Driver: C:\XP\System32\DRIVERS\secdrv.sys

Address: 0xF8956000

Size: 28672 bytes

Driver: C:\XP\System32\DRIVERS\serenum.sys

Address: 0xF834D000

Size: 16384 bytes

Driver: C:\XP\System32\DRIVERS\serial.sys

Address: 0xF8746000

Size: 65536 bytes

Driver: snapman.sys

Address: 0xF83D8000

Size: 102400 bytes

Driver: C:\XP\system32\drivers\splitter.sys

Address: 0xF8BF4000

Size: 8192 bytes

Driver: sr.sys

Address: 0xF84F3000

Size: 73728 bytes

Driver: C:\XP\System32\DRIVERS\srv.sys

Address: 0xB97F0000

Size: 335872 bytes

Driver: SSFS0509.SYS

Address: 0xF8696000

Size: 36864 bytes

Driver: SSHRMD.SYS

Address: 0xF8686000

Size: 36864 bytes

Driver: SSIDRV.SYS

Address: 0xF85C7000

Size: 159744 bytes

Driver: C:\XP\System32\Drivers\sskbfd.sys

Address: 0xF8766000

Size: 49152 bytes

Driver: C:\XP\system32\DRIVERS\STREAM.SYS

Address: 0xF88E6000

Size: 49152 bytes

Driver: C:\XP\System32\DRIVERS\swenum.sys

Address: 0xF8B8C000

Size: 8192 bytes

Driver: C:\XP\system32\drivers\swmidi.sys

Address: 0xB9AE2000

Size: 57344 bytes

Driver: C:\XP\system32\drivers\sysaudio.sys

Address: 0xB9368000

Size: 61440 bytes

Driver: C:\XP\System32\DRIVERS\tcpip.sys

Address: 0xF6823000

Size: 360448 bytes

Driver: C:\XP\SYSTEM32\Drivers\TDI.SYS

Address: 0xF88F6000

Size: 20480 bytes

Driver: C:\XP\System32\DRIVERS\termdd.sys

Address: 0xF87F6000

Size: 40960 bytes

Driver: C:\XP\system32\DRIVERS\tifsfilt.sys

Address: 0xF899E000

Size: 32768 bytes

Driver: timntr.sys

Address: 0xF83F1000

Size: 385024 bytes

Driver: C:\XP\System32\DRIVERS\update.sys

Address: 0xF7AC4000

Size: 212992 bytes

Driver: C:\XP\system32\drivers\usbaudio.sys

Address: 0xF7BE8000

Size: 61440 bytes

Driver: C:\XP\System32\DRIVERS\usbccgp.sys

Address: 0xF89CE000

Size: 32768 bytes

Driver: C:\XP\System32\DRIVERS\USBD.SYS

Address: 0xF8B90000

Size: 8192 bytes

Driver: C:\XP\system32\DRIVERS\usbehci.sys

Address: 0xF8966000

Size: 28672 bytes

Driver: C:\XP\System32\DRIVERS\usbhub.sys

Address: 0xF8816000

Size: 61440 bytes

Driver: C:\XP\System32\DRIVERS\usbohci.sys

Address: 0xF895E000

Size: 20480 bytes

Driver: C:\XP\System32\DRIVERS\USBPORT.SYS

Address: 0xF7E9B000

Size: 143360 bytes

Driver: C:\XP\System32\DRIVERS\usbprint.sys

Address: 0xF8946000

Size: 28672 bytes

Driver: C:\XP\system32\DRIVERS\USBSTOR.SYS

Address: 0xF8A26000

Size: 28672 bytes

Driver: C:\XP\System32\DRIVERS\usbuhci.sys

Address: 0xF893E000

Size: 20480 bytes

Driver: D:\Virtual CD\VCdRom.sys

Address: 0xF7B31000

Size: 12288 bytes

Driver: C:\XP\System32\drivers\vga.sys

Address: 0xF89E6000

Size: 24576 bytes

Driver: viaagp.sys

Address: 0xF86F6000

Size: 45056 bytes

Driver: viaide.sys

Address: 0xF8B7C000

Size: 8192 bytes

Driver: C:\XP\System32\DRIVERS\VIDEOPRT.SYS

Address: 0xF7F8A000

Size: 81920 bytes

Driver: VolSnap.sys

Address: 0xF86B6000

Size: 53248 bytes

Driver: C:\XP\System32\DRIVERS\wanarp.sys

Address: 0xF8896000

Size: 36864 bytes

Driver: C:\XP\System32\watchdog.sys

Address: 0xF89D6000

Size: 20480 bytes

Driver: C:\XP\system32\drivers\wdmaud.sys

Address: 0xB92DB000

Size: 86016 bytes

Driver: Win32k

Address: 0xBF800000

Size: 1847296 bytes

Driver: C:\XP\System32\win32k.sys

Address: 0xBF800000

Size: 1847296 bytes

Driver: C:\XP\system32\drivers\WmBEnum.sys

Address: 0xF8301000

Size: 12288 bytes

Driver: C:\XP\System32\DRIVERS\WMILIB.SYS

Address: 0xF8B78000

Size: 8192 bytes

Driver: WMIxWDM

Address: 0x804D7000

Size: 2180352 bytes

Driver: C:\XP\system32\drivers\WmXlCore.sys

Address: 0xF8806000

Size: 45056 bytes

Driver: C:\XP\System32\drivers\ws2ifsl.sys

Address: 0xF7B3D000

Size: 12288 bytes

----

RkUnhooker report generator v0.6

==============================================

Rootkit Unhooker kernel version: 3.31.150.420

==============================================

Windows Major Version: 5

Windows Minor Version: 1

Windows Build Number: 2600

==============================================

[2120]SpySweeper.exe-->kernel32.dll-->CreateThread, Type: Inline - PushRet at address 0x7C810651 hook handler located in [unknown_code_page]

ntoskrnl.exe+0x0000B9A8, Type: Inline - RelativeCall at address 0x804E29A8 hook handler located in [unknown_code_page]

tcpip.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification at address 0xF6861F60 hook handler located in [unknown_code_page]

wanarp.sys-->ndis.sys-->NdisDeregisterProtocol, Type: IAT modification at address 0xF889BB1C hook handler located in [unknown_code_page]

wanarp.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification at address 0xF889BB28 hook handler located in [unknown_code_page]

As always, thanks a million for your assistance!

Link to post
Share on other sites
Steviebone

Steviebone

Posted
  • Author
Posted (edited)

Backlight didn't find anything.

BTW, I have 8 other machines in here including some servers. Even with apps running on them most of them idle at 0-2% only spiking when an app does something (such as a web hit). Even then the spike is small and non-repetitive.

The activity here is repetitive and continuous... I'm pretty sure there's still a rogue process running somewhere....

Edited by Steviebone
Link to post
Share on other sites
Steviebone

Steviebone

Posted
  • Author
Posted (edited)

ok I think I fugured it out... I downloaded a program called process explorer which is more detailed than task manager (of course everything Windows has built in sucks compared to third party alternatives!). This program broke the activity down much better. The spikes were coming from hardware interrupts. Hardware interrupts? Yep. It was all the USB drives. I disconnected the USB drives and wahla... the interrupt load went down as did the overall activity which now hovers between 0-4%... acceptable if not perfect.

I'm hoping the system is now clean. Let me know if you see anything else in the logs that appears suspicous... I never liked USB drives anyway... :blink:

I suppose there's still the small possibility that the rogue program resided on one of the drives and was running from there which was causing the interrupts.... :wacko:

Edited by Steviebone
Link to post
Share on other sites
jwbirdsong

jwbirdsong

Posted
Posted

You been (at least) a half a step ahead of me the whole way....Process Explorer (the one from SysInternals ??) was my next recommendation to you.

All of your scan look good w/ possibly one exception. I'd like you to upload one file or me to look at please.

Please go here to upload a suspicious file for analysis.

  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse for this filename: C:\XP\system32\DRIVERS\EXPORTIT.SYS
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File

The ONLY other references I find to it are a Kodak file and it's allways in a Kodak sub folder..Just like to look at it and make sure.

Jst keep an eye on your resources (Doesn't really seem I need to tell YOU that tho ;) )

If you would give one final (?) Combofix log and let me have a look at that file hopefully we can put an end to this..

Sorry I wasn't timely enough to be of more assistance to you in this..but it seems you REALLY had it pretty well handled all along.

Link to post
Share on other sites
Steviebone

Steviebone

Posted
  • Author
Posted (edited)

file uploaded... will post combofix log shortly...

sysinternals yes... great replacement for task manager... still wondering why the USB interuupts were triggering with no disk access but then I think USB drives are polled... one reason why they stink...

btw, u been plenty of help, thanks

You been (at least) a half a step ahead of me the whole way....Process Explorer (the one from SysInternals ??) was my next recommendation to you.

All of your scan look good w/ possibly one exception. I'd like you to upload one file or me to look at please.

Please go here to upload a suspicious file for analysis.

  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse for this filename: C:\XP\system32\DRIVERS\EXPORTIT.SYS
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File

The ONLY other references I find to it are a Kodak file and it's allways in a Kodak sub folder..Just like to look at it and make sure.

Jst keep an eye on your resources (Doesn't really seem I need to tell YOU that tho ;) )

If you would give one final (?) Combofix log and let me have a look at that file hopefully we can put an end to this..

Sorry I wasn't timely enough to be of more assistance to you in this..but it seems you REALLY had it pretty well handled all along.

Edited by Steviebone
Link to post
Share on other sites
Steviebone

Steviebone

Posted
  • Author
Posted

well chit...

I ran combofix, but I forgot to turn off all my protective programs first. Immediately upon execution spydetector popped up window that said "Rustock.b successfully removed". Then towards the end of the scan another popup saying Trojan.Agent removed. Then combo said disinfecting and rebooting. After reboot, the following log was generated:

"Staypuffer" - 2007-05-22 9:18:29 Service Pack 2

ComboFix 07-05.20.9.V - Running from: "J:\Spywaredetector\"

Rootkit driver lzx32 is present. A rootkit scan is required

((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-22 ))))))))))))))))))))))))))))))))))

2007-05-21 23:15 <DIR> d-------- C:\ProcessExplorer

2007-05-21 09:17 5,632 --a------ C:\XP\system32\71430B71.exe

2007-05-21 08:57 <DIR> d-------- C:\RkUnhooker

2007-05-21 01:33 3,968 --a------ C:\XP\system32\drivers\AvgArCln.sys

2007-05-21 01:20 <DIR> d-------- C:\avenger

2007-05-21 00:59 16 --a------ C:\chdir.bat

2007-05-20 17:30 <DIR> d-------- C:\DOCUME~1\NETWOR~1.NTA\APPLIC~1\Webroot

2007-05-20 17:18 3,968 --a------ C:\XP\system32\drivers\AvgAsCln.sys

2007-05-20 14:53 60,416 --a------ C:\XP\system32\drivers\k^nymapg.sys

2007-05-20 14:53 1,075 --a------ C:\xqsjepbn.bat

2007-05-20 14:04 49,152 --a------ C:\XP\nircmd.exe

2007-05-20 06:42 2,922 --a------ C:\XP\system32\IE_Backup.reg

2007-05-20 06:42 2,846,854 --a------ C:\XP\system32\Windows_Backup.reg

2007-05-20 06:42 2,588 --a------ C:\XP\system32\startupBackup.reg

2007-05-20 02:27 123 --a------ C:\XP\system\SysSD.dll

2007-05-20 02:26 63,192 --a------ C:\XP\system32\CloseAll.exe

2007-05-20 02:26 270,336 --a------ C:\XP\system32\CheckDll.dll

2007-05-20 02:26 1,019,904 --a------ C:\XP\system32\VchReg.dll

2007-05-20 02:25 <DIR> d-------- C:\Program Files\SpywareDetector

2007-05-19 18:15 22,080 --a------ C:\XP\system32\drivers\sshrmd.sys

2007-05-19 18:15 21,056 --a------ C:\XP\system32\drivers\sskbfd.sys

2007-05-19 18:15 20,544 --a------ C:\XP\system32\drivers\SSFS0509.sys

2007-05-19 18:15 144,960 --a------ C:\XP\system32\drivers\ssidrv.sys

2007-05-19 18:15 <DIR> d-------- C:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\Webroot

2007-05-19 18:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.XP\APPLIC~1\Webroot

2007-05-19 18:08 164 --a------ C:\install.dat

2007-05-19 18:08 <DIR> d-------- C:\DOCUME~1\STAYPU~1\APPLIC~1\Webroot

2007-05-18 11:43 <DIR> d--h----- C:\XP\system32\GroupPolicy

2007-05-17 22:04 <DIR> d-------- C:\DOCUME~1\STAYPU~1\APPLIC~1\Texture Maker

2007-05-17 22:03 <DIR> d-------- C:\Program Files\Texture Maker

2007-05-17 17:39 <DIR> d-------- C:\DOCUME~1\STAYPU~1\APPLIC~1\Google

2007-05-15 13:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.XP\APPLIC~1\Spybot - Search & Destroy

2007-05-08 01:29 <DIR> d-------- C:\Program Files\Network Chemistry

2007-05-08 01:17 <DIR> d-------- C:\Program Files\WinPcap

2007-05-08 01:17 <DIR> d-------- C:\Program Files\Nmap

2007-04-26 18:37 298,496 --a------ C:\XP\uninst.exe

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-22 14:08:10 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\dvdcss

2007-05-21 05:50:19 -------- d-----w C:\Program Files\Common Files\Merge Modules

2007-05-17 22:39:02 -------- d-----w C:\Program Files\Google

2007-05-16 04:57:49 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\WeatherBug

2007-05-15 18:38:06 -------- d-----w C:\Program Files\MySpace

2007-05-07 17:28:32 -------- d-----w C:\Program Files\EPSON Print CD

2007-05-07 13:39:36 298,104 ----a-w C:\XP\system32\imon.dll

2007-05-07 13:39:34 512,096 ----a-w C:\XP\system32\drivers\amon.sys

2007-05-07 13:39:33 15,424 ----a-w C:\XP\system32\drivers\nod32drv.sys

2007-05-03 05:49:55 -------- d-----w C:\Program Files\LeapFTP

2007-04-30 15:46:10 745,600 ----a-w C:\XP\system32\aswBoot.exe

2007-04-30 15:41:55 85,952 ----a-w C:\XP\system32\drivers\aswmon.sys

2007-04-30 15:41:42 94,552 ----a-w C:\XP\system32\drivers\aswmon2.sys

2007-04-30 15:39:41 23,416 ----a-w C:\XP\system32\drivers\aswRdr.sys

2007-04-30 15:38:51 43,176 ----a-w C:\XP\system32\drivers\aswTdi.sys

2007-04-30 15:37:23 26,888 ----a-w C:\XP\system32\drivers\aavmker4.sys

2007-04-30 15:35:28 95,872 ----a-w C:\XP\system32\AVASTSS.scr

2007-04-30 08:55:32 -------- d-----w C:\Program Files\ViceVersa Pro 2

2007-04-26 23:09:43 -------- d-----w C:\Program Files\IsoBuster

2007-04-25 08:04:12 88,952 ----a-w C:\XP\system32\packet.dll

2007-04-25 08:04:12 68,480 ----a-w C:\XP\system32\wanpacket.dll

2007-04-25 08:04:12 42,000 ----a-w C:\XP\system32\drivers\npf.sys

2007-04-25 08:04:12 240,496 ----a-w C:\XP\system32\wpcap.dll

2007-04-21 03:30:35 -------- d-----w C:\Program Files\Speed Startup

2007-04-20 03:28:54 1,040,384 ----a-w C:\XP\system32\libeay32.dll

2007-04-20 03:27:57 196,608 ----a-w C:\XP\system32\ssleay32.dll

2007-04-16 06:45:33 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\MySpace

2007-04-09 04:37:55 -------- d-----w C:\Program Files\SlySoft

2007-04-09 03:42:45 29,392 ----a-w C:\XP\system32\drivers\secdrv.sys

2007-04-08 22:59:29 -------- d-----w C:\Program Files\PowerISO

2007-04-06 21:14:04 542 ----a-w C:\hrlist.scr

2007-04-06 20:32:08 371 ----a-w C:\getbilldirs.scr

2007-04-06 20:31:54 371 ----a-w C:\gethbdirs.scr

2007-04-06 20:28:28 139 ----a-w C:\tryftp.scr

2007-04-06 05:46:37 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\Zeon

2007-04-06 05:02:00 -------- d-----w C:\Program Files\G-Lock Software

2007-04-05 15:31:07 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\G-Lock Software

2007-04-04 10:33:04 -------- d-----w C:\Program Files\Yahoo!

2007-03-18 17:28:30 5,885 ----a-w C:\XP\mozver.dat

2007-03-17 13:43:01 292,864 ----a-w C:\XP\system32\winsrv.dll

2007-03-15 19:35:33 -------- d-----w C:\Program Files\Tracker

2007-03-15 10:52:51 -------- d-----w C:\Program Files\Registry Watch

2007-03-15 10:14:59 720,896 ----a-w C:\XP\iun6002ev.exe

2007-03-15 04:18:10 -------- d-----w C:\Program Files\Salive

2007-03-15 04:17:28 -------- d--h--r C:\DOCUME~1\STAYPU~1\APPLIC~1\yahoo!

2007-03-08 15:36:28 577,536 ----a-w C:\XP\system32\user32.dll

2007-03-08 15:36:28 40,960 ----a-w C:\XP\system32\mf3216.dll

2007-03-08 15:36:28 281,600 ----a-w C:\XP\system32\gdi32.dll

2007-03-08 13:47:48 1,843,584 ----a-w C:\XP\system32\win32k.sys

2007-03-08 04:59:59 -------- d-----w C:\Program Files\DirPrn

2007-03-07 09:16:28 -------- d-----w C:\Program Files\'Net Monitor

2007-03-07 09:13:15 -------- d-----w C:\Program Files\PTZone

2007-03-07 09:10:26 -------- d-----w C:\Program Files\WinWatch

2007-03-07 09:10:21 249,856 ------w C:\XP\Setup1.exe

2007-03-07 09:10:09 -------- d-----w C:\Program Files\LanMon

2007-03-07 09:09:11 73,216 ------w C:\XP\ST6UNST.EXE

2007-02-28 08:59:01 26,000 ----a-w C:\XP\system32\E3TL.DLL

2007-02-05 20:17:02 185,344 ----a-w C:\XP\system32\upnphost.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [2006-11-09 16:21]

{AE7CD045-E861-484f-8273-0445EE161910}=D:\Acrobat7\Acrobat\AcroIEFavClient.dll [2005-09-24 00:41]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="C:\XP\system32\NvCpl.dll" [2005-10-28 16:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpeedStartup"="C:\Program Files\Speed Startup\speedstartup.exe" [2006-12-14 17:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]

"SpeedStartup"=C:\Program Files\Speed Startup\speedstartup.exe runonce

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="D:\Internet\eudora\EuShlExt.dll" [2005-11-14 16:15]

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 09:13]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]

C:\Program Files\SpywareDetector\SDNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Y]

AutoRun\command- Y:\vfpstart.exe IE5="vfpstart.hta" IELess="vfpstart.htm"

Contents of the 'Scheduled Tasks' folder

2007-05-22 12:48:24 C:\XP\tasks\New Task 2.job

2007-05-22 10:54:10 C:\XP\tasks\New Task.job

2007-05-22 10:50:00 C:\XP\tasks\_viceversapr2_task_Bashful2Booby.job

2007-05-22 11:30:00 C:\XP\tasks\_viceversapr2_task_batch.job

2007-05-22 13:30:00 C:\XP\tasks\_viceversapr2_task_Bills.job

2007-03-26 09:40:18 C:\XP\tasks\_viceversapr2_task_documents_and_settings.job

2007-05-22 11:10:00 C:\XP\tasks\_viceversapr2_task_Eudora.job

2007-05-22 14:00:00 C:\XP\tasks\_viceversapr2_task_hits prg to Tweetie D.job

2007-05-22 06:00:00 C:\XP\tasks\_viceversapr2_task_HITSSOURCES.job

2007-05-22 14:00:00 C:\XP\tasks\_viceversapr2_task_HITSVEN.job

2007-05-22 13:15:00 C:\XP\tasks\_viceversapr2_task_Idisk.job

2007-05-22 13:00:00 C:\XP\tasks\_viceversapr2_task_Links.job

2007-03-26 09:33:37 C:\XP\tasks\_viceversapr2_task_madden.job

2007-05-22 09:59:49 C:\XP\tasks\_viceversapr2_task_newag.job

2007-05-22 10:30:00 C:\XP\tasks\_viceversapr2_task_OHITS.job

2007-05-22 11:34:00 C:\XP\tasks\_viceversapr2_task_personal.job

2007-05-22 14:00:00 C:\XP\tasks\_viceversapr2_task_ServersAlive.job

2007-05-22 12:00:53 C:\XP\tasks\_viceversapr2_task_Steviebone.job

2007-03-26 11:38:02 C:\XP\tasks\_viceversapr2_task_Torrents.job

2007-05-22 14:15:00 C:\XP\tasks\_viceversapr2_task_txdot.job

2007-05-22 11:20:00 C:\XP\tasks\_viceversapr2_task_visaversaprofiles.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-05-22 09:31:21

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

********************************************************************

Completion time: 2007-05-22 9:39:30 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-05-22 09:39

C:\ComboFix2.txt ... 2007-05-20 14:38

C:\ComboFix3.txt ... 2007-05-20 14:04

--- E O F ---

here is the quarantine log:

2006-04-26 00:31	  775	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\STAYPU~1\Desktop\Internet Explorer.lnk.vir
2006-05-05 03:30	  300	--a------	C:\Qoobox\Quarantine\C\Program Files\INSTALL.LOG.vir
2007-05-20 10:22	  77725	--a------	C:\Qoobox\Quarantine\catchme2007-05-20_135445.26.zip
2007-05-22 09:27	  500	--a------	C:\Qoobox\Quarantine\catchme.log


Folder PATH listing for volume PrimaryC
Volume serial number is 747C-9F49
C:\QOOBOX
\---Quarantine
	|   catchme.log
	|   catchme2007-05-20_135445.26.zip
	|   
	+---C
	|   +---DOCUME~1
	|   |   \---STAYPU~1
	|   |	   \---Desktop
	|   |			   Internet Explorer.lnk.vir
	|   |			   
	|   \---Program Files
	|		   INSTALL.LOG.vir
	|		   
	\---Registry_backups

I'm guessing I need to run another scan with the HIPS off?

Link to post
Share on other sites
jwbirdsong

jwbirdsong

Posted
Posted

K Copy the following to a new notepad file and save to your desktop as "fix.reg". Make sure to INCLUDE the quotes as you are naming the file in Notepad.

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Y]

If done correctly it will have an icon like reg.jpg.

Now right click fix.reg and choose Merge it should ask for confirmation then give a sucess msg.

You MUST be connected to the internet for the next part

1. Download - rustbfix.exe from HERE ...and save it to your desktop.

2. Double click on rustbfix.exe to run the tool.

1. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically.

2. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). If needed (still infected), post the content of these logfiles along with a new Combofix log....

I'll look into the taskscheduler issue.

PS that file you uploaded was fine..as I figured..ust double checking.

Link to post
Share on other sites
Steviebone

Steviebone

Posted
  • Author
Posted

ok, second combofix scan with all protective programs off did better (see below). Perhaps the combo was picking up on something in spydetector?

Anyway it found no lzx32 this time... curious....

As for the task manager thingy: 0x80090016: Keysey does not exist. I have googled the hell out of that one and tried every fix I could find including deletion of the RSA files, etc. There are no registry entries that MS talks about. I did find a few people complaining about this problem after applying updates.

"Staypuffer" - 2007-05-22 9:58:48 Service Pack 2

ComboFix 07-05.20.9.V - Running from: "J:\Spywaredetector\"

((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-22 ))))))))))))))))))))))))))))))))))

2007-05-21 23:15 <DIR> d-------- C:\ProcessExplorer

2007-05-21 09:17 5,632 --a------ C:\XP\system32\71430B71.exe

2007-05-21 08:57 <DIR> d-------- C:\RkUnhooker

2007-05-21 01:33 3,968 --a------ C:\XP\system32\drivers\AvgArCln.sys

2007-05-21 01:20 <DIR> d-------- C:\avenger

2007-05-21 00:59 16 --a------ C:\chdir.bat

2007-05-20 17:30 <DIR> d-------- C:\DOCUME~1\NETWOR~1.NTA\APPLIC~1\Webroot

2007-05-20 17:18 3,968 --a------ C:\XP\system32\drivers\AvgAsCln.sys

2007-05-20 14:53 60,416 --a------ C:\XP\system32\drivers\k^nymapg.sys

2007-05-20 14:53 1,075 --a------ C:\xqsjepbn.bat

2007-05-20 14:04 49,152 --a------ C:\XP\nircmd.exe

2007-05-20 06:42 2,922 --a------ C:\XP\system32\IE_Backup.reg

2007-05-20 06:42 2,846,854 --a------ C:\XP\system32\Windows_Backup.reg

2007-05-20 06:42 2,588 --a------ C:\XP\system32\startupBackup.reg

2007-05-20 02:27 123 --a------ C:\XP\system\SysSD.dll

2007-05-20 02:26 63,192 --a------ C:\XP\system32\CloseAll.exe

2007-05-20 02:26 270,336 --a------ C:\XP\system32\CheckDll.dll

2007-05-20 02:26 1,019,904 --a------ C:\XP\system32\VchReg.dll

2007-05-20 02:25 <DIR> d-------- C:\Program Files\SpywareDetector

2007-05-19 18:15 22,080 --a------ C:\XP\system32\drivers\sshrmd.sys

2007-05-19 18:15 21,056 --a------ C:\XP\system32\drivers\sskbfd.sys

2007-05-19 18:15 20,544 --a------ C:\XP\system32\drivers\SSFS0509.sys

2007-05-19 18:15 144,960 --a------ C:\XP\system32\drivers\ssidrv.sys

2007-05-19 18:15 <DIR> d-------- C:\DOCUME~1\LOCALS~1.NTA\APPLIC~1\Webroot

2007-05-19 18:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.XP\APPLIC~1\Webroot

2007-05-19 18:08 164 --a------ C:\install.dat

2007-05-19 18:08 <DIR> d-------- C:\DOCUME~1\STAYPU~1\APPLIC~1\Webroot

2007-05-18 11:43 <DIR> d--h----- C:\XP\system32\GroupPolicy

2007-05-17 22:04 <DIR> d-------- C:\DOCUME~1\STAYPU~1\APPLIC~1\Texture Maker

2007-05-17 22:03 <DIR> d-------- C:\Program Files\Texture Maker

2007-05-17 17:39 <DIR> d-------- C:\DOCUME~1\STAYPU~1\APPLIC~1\Google

2007-05-15 13:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.XP\APPLIC~1\Spybot - Search & Destroy

2007-05-08 01:29 <DIR> d-------- C:\Program Files\Network Chemistry

2007-05-08 01:17 <DIR> d-------- C:\Program Files\WinPcap

2007-05-08 01:17 <DIR> d-------- C:\Program Files\Nmap

2007-04-26 18:37 298,496 --a------ C:\XP\uninst.exe

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-22 14:08:10 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\dvdcss

2007-05-21 05:50:19 -------- d-----w C:\Program Files\Common Files\Merge Modules

2007-05-17 22:39:02 -------- d-----w C:\Program Files\Google

2007-05-16 04:57:49 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\WeatherBug

2007-05-15 18:38:06 -------- d-----w C:\Program Files\MySpace

2007-05-07 17:28:32 -------- d-----w C:\Program Files\EPSON Print CD

2007-05-07 13:39:36 298,104 ----a-w C:\XP\system32\imon.dll

2007-05-07 13:39:34 512,096 ----a-w C:\XP\system32\drivers\amon.sys

2007-05-07 13:39:33 15,424 ----a-w C:\XP\system32\drivers\nod32drv.sys

2007-05-03 05:49:55 -------- d-----w C:\Program Files\LeapFTP

2007-04-30 15:46:10 745,600 ----a-w C:\XP\system32\aswBoot.exe

2007-04-30 15:41:55 85,952 ----a-w C:\XP\system32\drivers\aswmon.sys

2007-04-30 15:41:42 94,552 ----a-w C:\XP\system32\drivers\aswmon2.sys

2007-04-30 15:39:41 23,416 ----a-w C:\XP\system32\drivers\aswRdr.sys

2007-04-30 15:38:51 43,176 ----a-w C:\XP\system32\drivers\aswTdi.sys

2007-04-30 15:37:23 26,888 ----a-w C:\XP\system32\drivers\aavmker4.sys

2007-04-30 15:35:28 95,872 ----a-w C:\XP\system32\AVASTSS.scr

2007-04-30 08:55:32 -------- d-----w C:\Program Files\ViceVersa Pro 2

2007-04-26 23:09:43 -------- d-----w C:\Program Files\IsoBuster

2007-04-25 08:04:12 88,952 ----a-w C:\XP\system32\packet.dll

2007-04-25 08:04:12 68,480 ----a-w C:\XP\system32\wanpacket.dll

2007-04-25 08:04:12 42,000 ----a-w C:\XP\system32\drivers\npf.sys

2007-04-25 08:04:12 240,496 ----a-w C:\XP\system32\wpcap.dll

2007-04-21 03:30:35 -------- d-----w C:\Program Files\Speed Startup

2007-04-20 03:28:54 1,040,384 ----a-w C:\XP\system32\libeay32.dll

2007-04-20 03:27:57 196,608 ----a-w C:\XP\system32\ssleay32.dll

2007-04-16 06:45:33 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\MySpace

2007-04-09 04:37:55 -------- d-----w C:\Program Files\SlySoft

2007-04-09 03:42:45 29,392 ----a-w C:\XP\system32\drivers\secdrv.sys

2007-04-08 22:59:29 -------- d-----w C:\Program Files\PowerISO

2007-04-06 21:14:04 542 ----a-w C:\hrlist.scr

2007-04-06 20:32:08 371 ----a-w C:\getbilldirs.scr

2007-04-06 20:31:54 371 ----a-w C:\gethbdirs.scr

2007-04-06 20:28:28 139 ----a-w C:\tryftp.scr

2007-04-06 05:46:37 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\Zeon

2007-04-06 05:02:00 -------- d-----w C:\Program Files\G-Lock Software

2007-04-05 15:31:07 -------- d-----w C:\DOCUME~1\STAYPU~1\APPLIC~1\G-Lock Software

2007-04-04 10:33:04 -------- d-----w C:\Program Files\Yahoo!

2007-03-18 17:28:30 5,885 ----a-w C:\XP\mozver.dat

2007-03-17 13:43:01 292,864 ----a-w C:\XP\system32\winsrv.dll

2007-03-15 19:35:33 -------- d-----w C:\Program Files\Tracker

2007-03-15 10:52:51 -------- d-----w C:\Program Files\Registry Watch

2007-03-15 10:14:59 720,896 ----a-w C:\XP\iun6002ev.exe

2007-03-15 04:18:10 -------- d-----w C:\Program Files\Salive

2007-03-15 04:17:28 -------- d--h--r C:\DOCUME~1\STAYPU~1\APPLIC~1\yahoo!

2007-03-08 15:36:28 577,536 ----a-w C:\XP\system32\user32.dll

2007-03-08 15:36:28 40,960 ----a-w C:\XP\system32\mf3216.dll

2007-03-08 15:36:28 281,600 ----a-w C:\XP\system32\gdi32.dll

2007-03-08 13:47:48 1,843,584 ----a-w C:\XP\system32\win32k.sys

2007-03-08 04:59:59 -------- d-----w C:\Program Files\DirPrn

2007-03-07 09:16:28 -------- d-----w C:\Program Files\'Net Monitor

2007-03-07 09:13:15 -------- d-----w C:\Program Files\PTZone

2007-03-07 09:10:26 -------- d-----w C:\Program Files\WinWatch

2007-03-07 09:10:21 249,856 ------w C:\XP\Setup1.exe

2007-03-07 09:10:09 -------- d-----w C:\Program Files\LanMon

2007-03-07 09:09:11 73,216 ------w C:\XP\ST6UNST.EXE

2007-02-28 08:59:01 26,000 ----a-w C:\XP\system32\E3TL.DLL

2007-02-05 20:17:02 185,344 ----a-w C:\XP\system32\upnphost.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [2006-11-09 16:21]

{AE7CD045-E861-484f-8273-0445EE161910}=D:\Acrobat7\Acrobat\AcroIEFavClient.dll [2005-09-24 00:41]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="C:\XP\system32\NvCpl.dll" [2005-10-28 16:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpeedStartup"="C:\Program Files\Speed Startup\speedstartup.exe" [2006-12-14 17:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]

"SpeedStartup"=C:\Program Files\Speed Startup\speedstartup.exe runonce

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="D:\Internet\eudora\EuShlExt.dll" [2005-11-14 16:15]

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 09:13]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]

C:\Program Files\SpywareDetector\SDNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Y]

AutoRun\command- Y:\vfpstart.exe IE5="vfpstart.hta" IELess="vfpstart.htm"

Contents of the 'Scheduled Tasks' folder

2007-05-22 12:48:24 C:\XP\tasks\New Task 2.job

2007-05-22 10:54:10 C:\XP\tasks\New Task.job

2007-05-22 10:50:00 C:\XP\tasks\_viceversapr2_task_Bashful2Booby.job

2007-05-22 11:30:00 C:\XP\tasks\_viceversapr2_task_batch.job

2007-05-22 15:00:00 C:\XP\tasks\_viceversapr2_task_Bills.job

2007-03-26 09:40:18 C:\XP\tasks\_viceversapr2_task_documents_and_settings.job

2007-05-22 11:10:00 C:\XP\tasks\_viceversapr2_task_Eudora.job

2007-05-22 15:00:00 C:\XP\tasks\_viceversapr2_task_hits prg to Tweetie D.job

2007-05-22 06:00:00 C:\XP\tasks\_viceversapr2_task_HITSSOURCES.job

2007-05-22 14:00:00 C:\XP\tasks\_viceversapr2_task_HITSVEN.job

2007-05-22 13:15:00 C:\XP\tasks\_viceversapr2_task_Idisk.job

2007-05-22 13:00:00 C:\XP\tasks\_viceversapr2_task_Links.job

2007-03-26 09:33:37 C:\XP\tasks\_viceversapr2_task_madden.job

2007-05-22 09:59:49 C:\XP\tasks\_viceversapr2_task_newag.job

2007-05-22 10:30:00 C:\XP\tasks\_viceversapr2_task_OHITS.job

2007-05-22 11:34:00 C:\XP\tasks\_viceversapr2_task_personal.job

2007-05-22 14:00:00 C:\XP\tasks\_viceversapr2_task_ServersAlive.job

2007-05-22 12:00:53 C:\XP\tasks\_viceversapr2_task_Steviebone.job

2007-03-26 11:38:02 C:\XP\tasks\_viceversapr2_task_Torrents.job

2007-05-22 14:15:00 C:\XP\tasks\_viceversapr2_task_txdot.job

2007-05-22 11:20:00 C:\XP\tasks\_viceversapr2_task_visaversaprofiles.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-05-22 10:06:49

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

********************************************************************

Completion time: 2007-05-22 10:08:30

C:\ComboFix-quarantined-files.txt ... 2007-05-22 10:08

C:\ComboFix2.txt ... 2007-05-22 09:39

C:\ComboFix3.txt ... 2007-05-20 14:38

--- E O F ---

2006-04-26 00:31	  775	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\STAYPU~1\Desktop\Internet Explorer.lnk.vir
2006-05-05 03:30	  300	--a------	C:\Qoobox\Quarantine\C\Program Files\INSTALL.LOG.vir
2007-05-20 10:22	  77725	--a------	C:\Qoobox\Quarantine\catchme2007-05-20_135445.26.zip
2007-05-22 09:27	  500	--a------	C:\Qoobox\Quarantine\catchme.log


Folder PATH listing for volume PrimaryC
Volume serial number is 747C-9F49
C:\QOOBOX
\---Quarantine
	|   catchme.log
	|   catchme2007-05-20_135445.26.zip
	|   
	+---C
	|   +---DOCUME~1
	|   |   \---STAYPU~1
	|   |	   \---Desktop
	|   |			   Internet Explorer.lnk.vir
	|   |			   
	|   \---Program Files
	|		   INSTALL.LOG.vir
	|		   
	\---Registry_backups

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
 Share
Followers 0
Go to topic listing