Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

I had lots of spyware and am not convinced it's all gone

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Unread postby Susan528 » January 23rd, 2007, 9:16 am

http://ebookswriter-pro.visual-vision.q ... eport.html
I believe that the file is okay also and that it is a false positive.
C:\vv\cdroms\iper3pro\eng\client\f\zipdll.dll

The other entries appear to be the Guardian monitor to me.
http://www.symantec.com/smb/security_re ... 99&tabid=2
Go ahead and view the removal instructions. I am wondering if you just have the remnants of the Guardian monitor left. Can you find any GDMgr.exe; GDAdmin.exe; gsp.dll?

So far all I have is a hijackthis log, ComboFix log, AVG anti-spyware and CounterSpy log to look at.

STEP 1.
======
GMER
Please create a new subfolder in the Program Files folder called GMER. If you have an older version of GMER installed, you must delete it.
  • Download GMER and extract it to the C:\program files\GMER folder.
  • Please rename the GMER file
    Note: You can rename gmer.exe to anything you like as long as you keep the .exe ending.
    Run the Gmer.exe renamed program by double-clicking the executable file (gmer.exe) in Windows Explorer.
    You may be prompted to scan immediately if GMER detects rootkit activity.
    • If you are prompted to scan your system click "yes" to begin the scan.
    • If you are not prompted, Click the "Rootkit" tab, then click "Scan".
DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !

At the end of the scan, click "Copy" to copy the scan results to the clipboard. Then paste the results in a notepad file and also paste them back in your next reply.

Please post (reply) with the results from the GMER scan, and a fresh hijackthis log.

STARTDRECK

Download StartDreck

Unzip to its own folder and start the program:
Press 'Config'
Press 'Unmark All'

Check the following boxes only:
Registry -> Run Keys
System/drivers> Running processes
Press 'Ok'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

STEP 2.
======
Uninstall Manager

Let's see if we can find out what it got installed with.
  • Open HijackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Uninstall Manager"
  • Click on the button "Save list"
  • Copy and past the List from notepad into your post


======
Please show all files for your system.
You will need to reverse this process when all steps are done.


C:\DOCUME~1\ALLUSE~1\Application Data\íÇŽ>ã3113>.sys
C:\DOCUME~1\ALLUSE~1\Application Data\13.sys
mscmx1032.DLL



Submit File to Jotti
Please click on Jotti
Use the "Browse" button and locate the following file on your computer:
C:\DOCUME~1\ALLUSE~1\Application Data\íÇŽ>ã3113>.sys
Click the "Submit" button.
Please copy and post (reply) with the results

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html

Please also check the properties of those files (right-click and select properties from the popupmenu). Look if you can find some company information, etc.

Please repeat Jotti for these:
C:\DOCUME~1\ALLUSE~1\Application Data\13.sys
mscmx1032.DLL
<=search for it to find location



Post (reply) with the log from GMER and the StartDreck, the uninstall list from hijackthis, the results from Jotti here in this thread.
User avatar
Susan528
MRU Master
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA
Advertisement
Register to Remove

Unread postby person » January 25th, 2007, 5:07 am

Just an update before I post the logs. Further scans with revealed new malware or false positives.
A scan with AVG Anti-Spyware found:

C:\System Volume

Information\_restore{72AD7F61-95D8-4117-B56E-B057E25780D3}\RP334\A01288

93.dll -> Adware.WinAD : Cleaned with backup (quarantined).
C:\System Volume

Information\_restore{72AD7F61-95D8-4117-B56E-B057E25780D3}\RP334\A01288

94.exe -> Adware.WinAD : Cleaned with backup (quarantined).
C:\System Volume

Information\_restore{72AD7F61-95D8-4117-B56E-B057E25780D3}\RP334\A01289

31.exe -> Adware.WinAD : Cleaned with backup (quarantined).
They say quarantined but I deleted them with the program. I assume they

were just stuff I'd gotten rid of that of and was backed up by system

restore.

A CounterSpy found this:

AdStatus Adware (General)
Status: Deleted
Infected files detected
C:\Program Files\AdStatus Service\AdStatServ.exe

Infected folders detected
c:\program files\adstatus service

WindUpdates Browser Plug-in
Status: Quarantined
Infected files detected
c:\windows\system32\ide21201.vxd

It also showed up the Guardian Monitor files again even though I

quarantined them before so this time I deleted them and the quarantined

ones.


Trend Micro Anti-Spyware found:

C:\Program Files\AdStatus Service\AdStatServ.exe
c:\program files\adstatus service



I realise what program I installed that gave me AdStatus, it was a

freeware program and it's since been uninstalled.
User avatar
person
Regular Member
 
Posts: 21
Joined: January 1st, 2007, 2:06 pm

Unread postby person » January 25th, 2007, 5:15 am

I scanned those files you mentioned with http://www.virustotal.com/xhtml/index_en.html and no viruses were found, couldn't much information about them in their properties or on the internet.

Gmer log:

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2007-01-25 17:55:04
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwMapViewOfSection
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT sptd.sys ZwOpenKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetSystemInformation
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ 60, 8C, EF, B6, E0, EE, EF, ... ]
.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ 60, 8C, EF, B6, E0, EE, EF, ... ]

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 81B950E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 81B950E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 81B950E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 81B950E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 81B950E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 81B950E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 81B950E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 81B950E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 81B950E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 81B950E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 81B950E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 81B950E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 81B950E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 81B950E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 81B950E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 81B950E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 81B950E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 81B950E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 81B950E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 81B950E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 81B950E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 81B950E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CREATE 818520E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CLOSE 818520E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_READ 818520E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_WRITE 818520E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_INFORMATION 818520E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_INFORMATION 818520E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_EA 818520E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_EA 818520E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FLUSH_BUFFERS 818520E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_VOLUME_INFORMATION 818520E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_VOLUME_INFORMATION 818520E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_DIRECTORY_CONTROL 818520E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FILE_SYSTEM_CONTROL 818520E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_DEVICE_CONTROL 818520E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SHUTDOWN 818520E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_LOCK_CONTROL 818520E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CLEANUP 818520E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_PNP 818520E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{2A2AD24C-77A5-4F1B-A5CC-D9982F5F5460} IRP_MJ_CREATE 8157ACA8
Device \Driver\NetBT \Device\NetBT_Tcpip_{2A2AD24C-77A5-4F1B-A5CC-D9982F5F5460} IRP_MJ_CLOSE 8157ACA8
Device \Driver\NetBT \Device\NetBT_Tcpip_{2A2AD24C-77A5-4F1B-A5CC-D9982F5F5460} IRP_MJ_DEVICE_CONTROL 8157ACA8
Device \Driver\NetBT \Device\NetBT_Tcpip_{2A2AD24C-77A5-4F1B-A5CC-D9982F5F5460} IRP_MJ_INTERNAL_DEVICE_CONTROL 8157ACA8
Device \Driver\NetBT \Device\NetBT_Tcpip_{2A2AD24C-77A5-4F1B-A5CC-D9982F5F5460} IRP_MJ_CLEANUP 8157ACA8
Device \Driver\NetBT \Device\NetBT_Tcpip_{2A2AD24C-77A5-4F1B-A5CC-D9982F5F5460} IRP_MJ_PNP 8157ACA8
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [B6F0A2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [B6F0A2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [B6F0A2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [B6F0A2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [B6F0A2A0] vsdatant.sys
Device \Driver\00000048 \Device\00000046 IRP_MJ_POWER [F994DEA8] sptd.sys
Device \Driver\00000048 \Device\00000046 IRP_MJ_SYSTEM_CONTROL [F9961A70] sptd.sys
Device \Driver\00000048 \Device\00000046 IRP_MJ_PNP [F995A728] sptd.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [B6F0A2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [B6F0A2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [B6F0A2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [B6F0A2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [B6F0A2A0] vsdatant.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 81BDF878
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 81BDF878
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE 81BDF878
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS 81BDF878
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL 81BDF878
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL 81BDF878
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN 81BDF878
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP 81BDF878
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER 81BDF878
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL 81BDF878
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_PNP 81BDF878
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 819504D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 819504D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 819504D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 819504D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 819504D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 819504D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 819504D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 819504D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 819504D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 819504D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 819504D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE 81BDF878
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_READ 81BDF878
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_WRITE 81BDF878
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_FLUSH_BUFFERS 81BDF878
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DEVICE_CONTROL 81BDF878
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_INTERNAL_DEVICE_CONTROL 81BDF878
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SHUTDOWN 81BDF878
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CLEANUP 81BDF878
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_POWER 81BDF878
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SYSTEM_CONTROL 81BDF878
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_PNP 81BDF878
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE 81424EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_NAMED_PIPE 81424EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLOSE 81424EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 81424EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_WRITE 81424EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_INFORMATION 81424EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_INFORMATION 81424EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_EA 81424EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_EA 81424EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FLUSH_BUFFERS 81424EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_VOLUME_INFORMATION 81424EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_VOLUME_INFORMATION 81424EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DIRECTORY_CONTROL 81424EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FILE_SYSTEM_CONTROL 81424EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CONTROL 81424EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_INTERNAL_DEVICE_CONTROL 81424EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SHUTDOWN 81424EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_LOCK_CONTROL 81424EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLEANUP 81424EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_MAILSLOT 81424EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_SECURITY 81424EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_SECURITY 81424EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_POWER 81424EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SYSTEM_CONTROL 81424EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CHANGE 81424EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_QUOTA 81424EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_QUOTA 81424EB0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 819504D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 819504D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 819504D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 819504D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 819504D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 819504D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 819504D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 819504D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 819504D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 819504D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 819504D8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE 819504D8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLOSE 819504D8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_READ 819504D8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_WRITE 819504D8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FLUSH_BUFFERS 819504D8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CONTROL 819504D8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_INTERNAL_DEVICE_CONTROL 819504D8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SHUTDOWN 819504D8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_POWER 819504D8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SYSTEM_CONTROL 819504D8
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_PNP 819504D8
Device \Driver\usbstor \Device\00000069 IRP_MJ_CREATE 8167F0E8
Device \Driver\usbstor \Device\00000069 IRP_MJ_CLOSE 8167F0E8
Device \Driver\usbstor \Device\00000069 IRP_MJ_READ 8167F0E8
Device \Driver\usbstor \Device\00000069 IRP_MJ_WRITE 8167F0E8
Device \Driver\usbstor \Device\00000069 IRP_MJ_DEVICE_CONTROL 8167F0E8
Device \Driver\usbstor \Device\00000069 IRP_MJ_INTERNAL_DEVICE_CONTROL 8167F0E8
Device \Driver\usbstor \Device\00000069 IRP_MJ_POWER 8167F0E8
Device \Driver\usbstor \Device\00000069 IRP_MJ_SYSTEM_CONTROL 8167F0E8
Device \Driver\usbstor \Device\00000069 IRP_MJ_PNP 8167F0E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 8157ACA8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLOSE 8157ACA8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_DEVICE_CONTROL 8157ACA8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_INTERNAL_DEVICE_CONTROL 8157ACA8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLEANUP 8157ACA8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_PNP 8157ACA8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 8157ACA8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLOSE 8157ACA8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_DEVICE_CONTROL 8157ACA8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_INTERNAL_DEVICE_CONTROL 8157ACA8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLEANUP 8157ACA8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_PNP 8157ACA8
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [B6F0A2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [B6F0A2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [B6F0A2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [B6F0A2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [B6F0A2A0] vsdatant.sys
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CREATE 81BDF308
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CLOSE 81BDF308
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_READ 81BDF308
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_WRITE 81BDF308
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_FLUSH_BUFFERS 81BDF308
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_DEVICE_CONTROL 81BDF308
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_INTERNAL_DEVICE_CONTROL 81BDF308
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_SHUTDOWN 81BDF308
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_POWER 81BDF308
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_SYSTEM_CONTROL 81BDF308
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_PNP 81BDF308
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [B6F0A2A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [B6F0A2A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [B6F0A2A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [B6F0A2A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [B6F0A2A0] vsdatant.sys
Device \Driver\Disk \Device\Harddisk1\DR2 IRP_MJ_CREATE 81BDF308
Device \Driver\Disk \Device\Harddisk1\DR2 IRP_MJ_CLOSE 81BDF308
Device \Driver\Disk \Device\Harddisk1\DR2 IRP_MJ_READ 81BDF308
Device \Driver\Disk \Device\Harddisk1\DR2 IRP_MJ_WRITE 81BDF308
Device \Driver\Disk \Device\Harddisk1\DR2 IRP_MJ_FLUSH_BUFFERS 81BDF308
Device \Driver\Disk \Device\Harddisk1\DR2 IRP_MJ_DEVICE_CONTROL 81BDF308
Device \Driver\Disk \Device\Harddisk1\DR2 IRP_MJ_INTERNAL_DEVICE_CONTROL 81BDF308
Device \Driver\Disk \Device\Harddisk1\DR2 IRP_MJ_SHUTDOWN 81BDF308
Device \Driver\Disk \Device\Harddisk1\DR2 IRP_MJ_POWER 81BDF308
Device \Driver\Disk \Device\Harddisk1\DR2 IRP_MJ_SYSTEM_CONTROL 81BDF308
Device \Driver\Disk \Device\Harddisk1\DR2 IRP_MJ_PNP 81BDF308
Device \Driver\usbstor \Device\0000006b IRP_MJ_CREATE 8167F0E8
Device \Driver\usbstor \Device\0000006b IRP_MJ_CLOSE 8167F0E8
Device \Driver\usbstor \Device\0000006b IRP_MJ_READ 8167F0E8
Device \Driver\usbstor \Device\0000006b IRP_MJ_WRITE 8167F0E8
Device \Driver\usbstor \Device\0000006b IRP_MJ_DEVICE_CONTROL 8167F0E8
Device \Driver\usbstor \Device\0000006b IRP_MJ_INTERNAL_DEVICE_CONTROL 8167F0E8
Device \Driver\usbstor \Device\0000006b IRP_MJ_POWER 8167F0E8
Device \Driver\usbstor \Device\0000006b IRP_MJ_SYSTEM_CONTROL 8167F0E8
Device \Driver\usbstor \Device\0000006b IRP_MJ_PNP 8167F0E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSE 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 81411EB0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [B6F0A2A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [B6F0A2A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [B6F0A2A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [B6F0A2A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [B6F0A2A0] vsdatant.sys
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSE 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 81411EB0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 81411EB0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE 81897B40
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE_NAMED_PIPE 81897B40
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CLOSE 81897B40
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_READ 81897B40
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_WRITE 81897B40
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_INFORMATION 81897B40
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_SET_INFORMATION 81897B40
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_FLUSH_BUFFERS 81897B40
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_VOLUME_INFORMATION 81897B40
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_DIRECTORY_CONTROL 81897B40
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_FILE_SYSTEM_CONTROL 81897B40
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CLEANUP 81897B40
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_SECURITY 81897B40
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_SET_SECURITY 81897B40
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 81BDF878
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_READ 81BDF878
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_WRITE 81BDF878
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_FLUSH_BUFFERS 81BDF878
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_DEVICE_CONTROL 81BDF878
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_INTERNAL_DEVICE_CONTROL 81BDF878
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SHUTDOWN 81BDF878
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CLEANUP 81BDF878
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_POWER 81BDF878
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SYSTEM_CONTROL 81BDF878
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_PNP 81BDF878
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CREATE 81586200
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CLOSE 81586200
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_READ 81586200
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_WRITE 81586200
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_QUERY_INFORMATION 81586200
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_SET_INFORMATION 81586200
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_QUERY_VOLUME_INFORMATION 81586200
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_DIRECTORY_CONTROL 81586200
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_FILE_SYSTEM_CONTROL 81586200
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CLEANUP 81586200
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CREATE_MAILSLOT 81586200
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_QUERY_SECURITY 81586200
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_SET_SECURITY 81586200
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 IRP_MJ_CREATE 81982A60
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 IRP_MJ_CLOSE 81982A60
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 IRP_MJ_DEVICE_CONTROL 81982A60
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 IRP_MJ_INTERNAL_DEVICE_CONTROL 81982A60
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 IRP_MJ_POWER 81982A60
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 IRP_MJ_SYSTEM_CONTROL 81982A60
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 IRP_MJ_PNP 81982A60
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port2Path0Target0Lun0 IRP_MJ_CREATE 81982A60
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port2Path0Target0Lun0 IRP_MJ_CLOSE 81982A60
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port2Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 81982A60
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port2Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 81982A60
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port2Path0Target0Lun0 IRP_MJ_POWER 81982A60
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port2Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL 81982A60
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1Port2Path0Target0Lun0 IRP_MJ_PNP 81982A60
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE 818520E8
Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE 818520E8
Device \FileSystem\Fastfat \Fat IRP_MJ_READ 818520E8
Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE 818520E8
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION 818520E8
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION 818520E8
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA 818520E8
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA 818520E8
Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS 818520E8
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION 818520E8
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION 818520E8
Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL 818520E8
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL 818520E8
Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL 818520E8
Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN 818520E8
Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL 818520E8
Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP 818520E8
Device \FileSystem\Fastfat \Fat IRP_MJ_PNP 818520E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 8187C0E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE 8187C0E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 8187C0E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION 8187C0E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION 8187C0E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION 8187C0E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL 8187C0E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL 8187C0E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL 8187C0E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN 8187C0E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL 8187C0E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP 8187C0E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP 8187C0E8

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\All Users\Application Data\TEMP:C4252FE0
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DA868A70
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
ADS C:\Documents and Settings\Katrina\Favorites\Panda ActiveScan :favicon

---- EOF - GMER 1.0.12 ----

That one was done without all files shown my system like you were talking about but I assume that's only relevant to find those other files.

StartDreck log:

StartDreck (build 2.1.7 public stable) - 2007-01-25 @ 18:10:21 (GMT +11:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 2)
Internet Explorer: 7.0.5730.11
Logged in as Katrina at SPUNKETTE

»Registry
»Run Keys
»Current User
»Run
*ctfmon.exe=C:\WINDOWS\system32\ctfmon.exe
»RunOnce
»Default User
»Run
*CTFMON.EXE=C:\WINDOWS\System32\CTFMON.EXE
»RunOnce
*SSS7="C:\Program Files\Steganos Security Suite 7\SSS7.exe" -firstboot
»Local Machine
»Run
*vptray=C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
*Zone Labs Client="C:\Program Files\ZoneAlarm\zlclient.exe"
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+596=\SystemRoot\System32\smss.exe
+664=\??\C:\WINDOWS\system32\csrss.exe
+688=\??\C:\WINDOWS\system32\winlogon.exe
+736=C:\WINDOWS\system32\services.exe
+748=C:\WINDOWS\system32\lsass.exe
+900=C:\WINDOWS\system32\svchost.exe
+976=C:\WINDOWS\system32\svchost.exe
+1072=C:\Program Files\Windows Defender\MsMpEng.exe
+1112=C:\WINDOWS\System32\svchost.exe
+1164=C:\WINDOWS\System32\svchost.exe
+1364=C:\WINDOWS\System32\svchost.exe
+1504=C:\WINDOWS\system32\spoolsv.exe
+1792=C:\WINDOWS\Explorer.EXE
+1992=C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
+204=C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
+272=C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
+280=C:\Program Files\ZoneAlarm\zlclient.exe
+348=C:\Program Files\SpywareGuard\sgmain.exe
+1036=C:\Program Files\SpywareGuard\sgbhp.exe
+1608=C:\WINDOWS\system32\ZoneLabs\vsmon.exe
+1740=C:\WINDOWS\System32\alg.exe
+2192=C:\WINDOWS\system32\wuauclt.exe
+3112=C:\Program Files\PeerGuardian2\pg2.exe
+3300=C:\WINDOWS\system32\ctfmon.exe
+3512=C:\WINDOWS\system32\notepad.exe
+2764=C:\WINDOWS\System32\svchost.exe
+2760=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
+872=C:\Program Files\Virtual Villagers\VirtualVillagers.exe
+660=C:\Program Files\Virtual Villagers\VirtualVillagers.RWG
+3576=C:\Program Files\Virtual Villagers\ReflexiveArcade\RAW_003.wdt
+4092=C:\StartDeck\StartDreck.exe
»Application specific

HijackThis Uninstall:

3ivx D4 4.5.1 (remove only)
4Diskclean Gold
ActorStudio
Ad-Aware SE Professional
Add/Remove 4Good
Add/Remove Plus! 2003
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.8
Advanced System Optimizer (Shareware Release)
Advanced WindowsCare 2.30 Personal
Astral Tournament 1.7
Autoplay Repair 1.0.2
AVG Anti-Spyware 7.5
Beat The Broker
Book Writer
Car Thief 5.1 Demo
Car Thief 6 Demo
CCleaner (remove only)
CounterSpy
Crooked Money 1 Demo
Currency Converter 1.0
DemocracyDemo
D-Fend v2
DOSBox Frontend
DriveImage XML
DVD Identifier
DVD Shrink 3.2
Easy Ebook Creator ©
Easy Uninstaller
eBook Compiler Demo
Ebook Creator 2.0
eBookGuard V3.1
Enable S3 for USB Device
Finders Keepers
FireTune
Flash Designer 4
Genie Backup Manager V4.0
GoldWave v5.18
GTK+ 2.6.8-1 runtime environment
Guns Girls Lawyers Dollars
HijackThis 1.99.1
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB928388)
Hotfix for Windows XP (KB929120)
ICQ 5.1
Idea Tracker
Interstellar Law
IObit SmartDefrag Beta 2.01
J2SE Runtime Environment 5.0 Update 9
JD Secure 3.1
Just Banners
Karen's Computer Profiler
Karen's Cookie Viewer
Karen's Hasher
Karen's Registry Ripper
Karen's Version Browser
KC Softwares VideoInspector
KoolMoves Lite 4.3.6
LinkLaunch
LiveUpdate 1.7 (Symantec Corporation)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Script Debugger
Microsoft User-Mode Driver Framework Feature Pack 1.0
MiniMinder 7.26
Movie Outline 2.0
Mozilla Firefox (2.0.0.1)
MSXML 4.0 SP2 (KB927978)
Mystery Case Files Huntsville
Name Maker LE 4.0
NameSpire v1.2
NATATA eBook Compiler Free 2.1
Nero 7 Ultra Edition
Newspaper Manager II
NoteStudio 2.0.9
Nvu 1.0
PageFour 1.50
Panda ActiveScan
Paparazzi Free Trial
PC Inspector File Recovery
PeerGuardian 2.0
Personal Knowbase 3.0.4
PracticalScriptwriter
QuadQuest II - SHAREWARE
Quiz-Tac-Toe v1.2
Registry Mechanic 4.0
Rhymesaurus
RoughDraft 2.11
Search and Replace 98
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
simGangster
single-step
Snooker&Pool 1.0
SoftCAT
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
SpywareGuard v2.2
Steganos Security Suite 7.1.6
Stellar Phoenix Deleted File Recovery 1.0
Store Manager
SunRav BookOffice
Symantec AntiVirus Client
The Apprentice Free Trial
The GIMP 2.2.10
TheSage
Trend Micro Anti-Spyware
TrojanHunter 4.6
UltimateDefrag
Unistall eBook Blaster
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Useful File Utilities (remove only)
VIA Audio Driver Setup Program
VIA Rhine-Family Fast-Ethernet Adapter
VideoLAN VLC media player 0.8.5
Virtual Villagers
Westward Free Trial
Winamp (remove only)
Windows Defender
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
WinZip
Xara Webstyle 3.0
XviD MPEG-4 Video Codec
XXXTYCOON
yWriter2
ZoneAlarm Pro

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:41:09 PM, on 25/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [sunasDtServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2247132000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file:///E:/SuperCD/IntraLaunch.CAB
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: x-mem3 - {4F6D06DD-44AB-4F89-BF13-9027B505B15A} - C:\Program Files\Common Files\eztools\eztoolslib2.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
User avatar
person
Regular Member
 
Posts: 21
Joined: January 1st, 2007, 2:06 pm

Unread postby Susan528 » January 25th, 2007, 3:32 pm

The infected _restore files were restore points. You get rid of those by clearing your restore points which we give instructions at the end of a log.

It looks like you figured out the problems with the freeware program. Many freeware programs are like that--loaded with adware or malware.

About the Guardian problem, are you the only one who uses the computer?

I would like to see a complete anti-virus scan.

STEP 1.
======
MWAV Scan
Please download MWAV to a convenient location.
This scan only produces a report, it doesn't clean your system. I will analyze the report and recommend a course of action depending on the results.
This scan might take around 3+ hours to finish when set to scan everything.

Double-click on mwav.exe.
Put a check next to the below items before scanning:
  • Memory
  • Startup Folders
  • Drive - All Local Drives
  • Folder - then click "browse" to change the directory to C: (default is C:\Windows)
  • Registry
  • System Folders
  • Services
  • Include Sub-Directory
  • Scan All Files

Please make sure ALL of these are checked, then press the Scan button- I would Scan and not Scan and Clean. This typically will take hours to complete.

**NOTE*** Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

On the bottom portion of the window, you will see the lower panel where MWav is listing "infected items", please highlight everything in that lower panel and copy them by holding CTRL + C then paste it here. The whole log will be extremely BIG so there is no way to post the log. I just need the infected items list.
User avatar
Susan528
MRU Master
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Unread postby person » January 25th, 2007, 11:07 pm

I will post that log later but I did another scan with CounterSpy and it found those Guardian Monitor files again. It seems to be replicating itself whenever the computer is restarted. Is there anyway to stop them doing this or doing you seriously think I should just restore an image of the hard drive? Since I don't seem to have any of the main files for the program on my computer is it still operational or are they just left overs? This would be a big factor in my decision to restore an image or not because this spyware is my main concern at the moment.
User avatar
person
Regular Member
 
Posts: 21
Joined: January 1st, 2007, 2:06 pm

Unread postby person » January 25th, 2007, 11:08 pm

I will post that log later but I did another scan with CounterSpy and it found those Guardian Monitor files again. It seems to be replicating itself whenever the computer is restarted. Is there anyway to stop them doing this or doing you seriously think I should just restore an image of the hard drive? Since I don't seem to have any of the main files for the program on my computer is it still operational or are they just left overs? This would be a big factor in my decision to restore an image or not because this spyware is my main concern at the moment.
User avatar
person
Regular Member
 
Posts: 21
Joined: January 1st, 2007, 2:06 pm

Unread postby person » January 27th, 2007, 6:19 am

I had a look at the log and it showed a bit more information on the infections so I've copied those bits here.

Sat Jan 27 07:47:43 2007 => Offending Key found: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\media-motor.net !!!
Sat Jan 27 07:47:43 2007 => Object "medload Adware" found in File System! Action Taken: No Action Taken.

Sat Jan 27 07:47:51 2007 => Offending file found: C:\Documents and Settings\Katrina\My Documents\kmart_files\button_small.gif
Sat Jan 27 07:47:51 2007 => System found infected with ezula toptext Spyware/Adware (button_small.gif)! Action taken: No Action Taken.

Sat Jan 27 07:47:58 2007 => Offending file found: C:\WINDOWS\unvise32.exe
Sat Jan 27 07:47:58 2007 => System found infected with spylax Trojan (C:\WINDOWS\unvise32.exe)! Action taken: No Action Taken.

Also I forgot to mentioned the scan I did with CounterSpy yesterday also revealed something new.

Artic
Type: RAT
Author: Aristides
Files:
c:\windows\rundll16.exe
User avatar
person
Regular Member
 
Posts: 21
Joined: January 1st, 2007, 2:06 pm

Unread postby Susan528 » January 29th, 2007, 8:46 am

I'm a bit confused why all of a sudden you seemed to have stopped helping me with my problem http://www.malwareremoval.com/forum/viewtopic.php?t=17381
Is it because you've been too busy or have you just given up on it? I'm not having a go at you, I'm wondering whether you're going to continue working on it or not, that's all.


Maybe it is because I never have a complete log from a scan posted. I do not think I am receiving full cooperation.
User avatar
Susan528
MRU Master
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Unread postby Susan528 » January 29th, 2007, 1:33 pm

I asked you if you were the sole user of the computer. You did not respond.

I played with keyloggers and some cases I would find that the installer application was hidden. If you did delete files with hijackthis, etc. and the keylogger was broken, all the person would have to do was install it again, enter the password and there would be the logs again.

Also I like to see statistics from logs--like for CounterSpy. When person posts complete logs I see statistics.

Scan History Details
Start Date: 1/15/2007 3:34:49 PM
End Date: 1/15/2007 3:34:51 PM
Total Time: 2 Sec
Detected security risks


======
Please show all files for your system.
You will need to reverse this process when all steps are done.


Delete this file:
C:\Documents and Settings\Katrina\My Documents\kmart_files\button_small.gif<=file
C:\WINDOWS\unvise32.exe<=file

Submit File to Jotti
Please click on Jotti
Use the "Browse" button and locate the following file on your computer:
c:\windows\rundll16.exe
Click the "Submit" button.
Please copy and post (reply) with the results

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html

Please also check the properties of those files (right-click and select properties from the popupmenu). Look if you can find some company information, etc.
User avatar
Susan528
MRU Master
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Unread postby person » January 29th, 2007, 6:21 pm

I deleted those 2 files but before I did I checked their properties and unvise32.exe and it's company is Mindvision Software but as far I know they don't make software that contains malware. The other one was properly a false positive because it was just a picture I downloaded as part of a webpage from a Kmart website.

I couldn't find rundll16.exe anywhere on my system anymore.

So about the Guardian Monitor situation, how do I stop it from replicating those files if I can?
User avatar
person
Regular Member
 
Posts: 21
Joined: January 1st, 2007, 2:06 pm

Unread postby Susan528 » January 31st, 2007, 9:14 am

I do not have any logs now showing the Guardian entries. I do not have any logs showing the rundll16.exe. Did it get deleted somehow since you cannot find it? In fact I have had a shortage of logs.

doing you seriously think I should just restore an image of the hard drive?

Why don't you just restore your image!
User avatar
Susan528
MRU Master
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Unread postby person » February 1st, 2007, 3:15 am

Here is the latest scan results of CounterSpy, as far as I know the full log and I have no idea what the second result is all about, it just comes up as a 0 as to what it's supposed to be but I've had that file for ages and I don't think it's malware. It appears Guardian Monitor is no longer on my computer. I decided since CounterSpy didn't seem to be getting rid of it I'd search for all the entries of it it found and delete them myself. Not all displayed I could find but I deleted the ones I could and now it seems to have gone.

Spyware Scan Details
Start Date: 31/01/2007 11:02:48 PM
End Date: 1/02/2007 12:10:43 AM
Total Time: 1 hrs 7 mins 55 secs

Detected spyware

Actmon PC & Internet Monitoring Commercial Key Logger more information...
Status: Ignored
Severe spyware - Severe threats typically are remotely exploitable vulnerabilities, which can lead to system compromise. Successful exploitation does not normally require any interaction and exploits are in the wild. There exists a high possibility of potential system damage or security flaw. Attacker has complete control over your computer or install new software on your machine.

Infected files detected
c:\vv\cdroms\iper3pro\eng\client\f\zipdll.dll


more information...
Status: Ignored
High spyware - High risk threats typically are remotely exploitable vulnerabilities, which can lead to system compromise. Successful exploitation does not normally require any interaction. May open up communication ports, use polymorphic tactics, stealth installations, and/or anti-spy counter measures. May us a security flaw in the operating system to gain access to your computer.

Infected files detected
c:\documents and settings\katrina\my documents\stories\fantasy tales\logs\wordcount.txt


Detected Spyware Cookies
No spyware cookies were found during this scan.

Logfile of HijackThis v1.99.1
Scan saved at 5:41:46 PM, on 1/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [sunasDtServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RestoreDesktop] C:\Program Files\Restore Desktop\RestoreDesktop.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: MiniMinder.lnk = C:\Program Files\MiniMind\MiniMind.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2247132000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file:///E:/SuperCD/IntraLaunch.CAB
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: x-mem3 - {4F6D06DD-44AB-4F89-BF13-9027B505B15A} - C:\Program Files\Common Files\eztools\eztoolslib2.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

The reason I could no longer find rundll16.exe was because I'd quarantined it and so I just decided to delete it altogether.

The main problem left now is 2 things. Firstly my msconfig seems corrupted somehow. When I look at the Non Microsoft services only a few programs are shown and many aren't being displayed. Secondly my computer seems to freeze a lot and I've done a defrag a little while ago so I can't work out why.
User avatar
person
Regular Member
 
Posts: 21
Joined: January 1st, 2007, 2:06 pm

Unread postby Susan528 » February 1st, 2007, 11:38 am

start > Run > copy and paste in:
sfc /scannow
Click 'OK'
You will need your XP/2000/ME disk. If you don't have it and instead only have a recovery CD, there is a work around. View the following link for a tutorial:

http://www.updatexp.com/scannow-sfc.html

sfc - system file checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.

If you want to see what was replaced, right click My Computer > manage, expand event viewer > system.
User avatar
Susan528
MRU Master
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Unread postby NonSuch » February 13th, 2007, 4:14 am

This topic is now closed due to inactivity. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27304
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: random/random and 66 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware