
No Taskbar/desktop Pctools.dll, Other Stuff, Rootkit?

32 replies to this topic

#1 garcia1000


Posted 27 October 2007 - 07:47 AM

Hi, please help me! I have run through the topic and ran all the virus/spyware/scanners, and everything. I cannot delete pctools.dll even when running in safe mode.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:47 PM, on 10/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\ec9b1.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Brian Desktop\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kzdh.com/?g
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll (file missing)
O2 - BHO: Invoke Class - {42A3A616-FF3C-4713-A5C2-4F1B566CEF51} - C:\WINDOWS\system32\aec1.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Asus Probe\AsusProb.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Policies\Explorer\Run: [quo] rundll32 "C:\WINDOWS\Downlo~1\quo.dll",Run
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://bba.bloomberg.net/Citrix/ICAWEB/en/ica32/wficat.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: IPSEC Client (BRGNS) - Unknown owner - C:\WINDOWS\SYSTEM32\RUNDLL2KXP.EXE (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
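As an added illustration (not code from this thread, from HijackThis, or from ComboFix), the following Python script parses log lines in the HijackThis v2.0.2 shape shown above and marks the entries a helper would look at first. The flagging rules are the editor's own heuristics, chosen to match what was later removed in this thread (a load point whose file is missing, a service with no vendor string, an autorun under Policies\Explorer\Run, rundll32 loading a DLL from outside System32, a browser start page not on a trusted list); they are not HijackThis's own analysis, and the sample lines are constructed from the log above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a few lines in the shape of the HijackThis v2.0.2 log
# posted above (values copied from that log). Header lines are ignored.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kzdh.com/?g
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll (file missing)
O2 - BHO: Invoke Class - {42A3A616-FF3C-4713-A5C2-4F1B566CEF51} - C:\WINDOWS\system32\aec1.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Policies\Explorer\Run: [quo] rundll32 "C:\WINDOWS\Downlo~1\quo.dll",Run
O23 - Service: IPSEC Client (BRGNS) - Unknown owner - C:\WINDOWS\SYSTEM32\RUNDLL2KXP.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Every HijackThis entry starts with a section code (R0, O2, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<detail>.+)$")
# rundll32 followed by the DLL it loads, quoted or not, up to the ",Export" part.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)', re.IGNORECASE)
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


@dataclass
class Entry:
    section: str
    detail: str
    reasons: list = field(default_factory=list)


def parse_hjt(text: str) -> list:
    """Split a HijackThis log into (section code, detail) entries; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("detail")))
    return entries


def triage(entry: Entry, trusted_hosts=frozenset()) -> Entry:
    """Attach review reasons to one entry (editor's heuristics, not HijackThis's own).

    These rules catch the kinds of entries removed in this thread, but they miss a
    BHO such as 'Invoke Class' that has a plausible System32 path and no dangling
    reference; that one still needs a manual GUID and file lookup.
    """
    d = entry.detail
    if "(file missing)" in d:
        entry.reasons.append("load point refers to a file that no longer exists")
    if entry.section == "O23" and "Unknown owner" in d:
        entry.reasons.append("service has no vendor string")
    if entry.section == "O4" and "\\Policies\\Explorer\\Run" in d:
        entry.reasons.append("autorun under Policies\\Explorer\\Run, a key normal installers do not use")
    m = RUNDLL_RE.search(d)
    if m:
        directory = m.group(1).lower().rsplit("\\", 1)[0]
        if not directory.endswith("\\system32"):
            entry.reasons.append("rundll32 loads a DLL from outside System32: " + m.group(1))
    if entry.section in ("R0", "R1"):
        u = URL_RE.search(d)
        if u and u.group(1).lower() not in trusted_hosts:
            entry.reasons.append("browser start/search page points at " + u.group(1))
    return entry


def flagged_entries(text: str, trusted_hosts=frozenset()) -> list:
    """Parse a log and return only the entries that picked up at least one reason."""
    return [e for e in (triage(e, trusted_hosts) for e in parse_hjt(text)) if e.reasons]


if __name__ == "__main__":
    for e in flagged_entries(SAMPLE_LOG):
        print(e.section, "-", e.detail)
        for r in e.reasons:
            print("    *", r)
```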



#2 jedi


Posted 04 November 2007 - 05:22 AM

Hi,

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (this is in case we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
Next:

1. Download this file -
ComboFix
2. Double click ComboFix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall


jedi

#3 garcia1000


Posted 04 November 2007 - 07:45 PM

Hi jedi,

Thank you very much for taking the time to help me, I really appreciate it!

Here are the things I have done -

DrWeb - I downloaded it, rebooted in safe mode, and ran the express and custom scans. I forgot to save the log the first time, but I ran it again and saved the log the second time, which I have pasted below. The first scan found a lot of files (~70-80) and I remember that most of them were to do with Chinese adware programs and some trojans and backdoors.

I am very sorry for not having saved the original log, it slipped my mind.

Log:
A0005801.exe;C:\System Volume Information\_restore{7D35014A-C947-4A65-BBEF-48C646AB2FF3}\RP16;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0005802.exe;C:\System Volume Information\_restore{7D35014A-C947-4A65-BBEF-48C646AB2FF3}\RP16;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0005803.exe;C:\System Volume Information\_restore{7D35014A-C947-4A65-BBEF-48C646AB2FF3}\RP16;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0005804.exe;C:\System Volume Information\_restore{7D35014A-C947-4A65-BBEF-48C646AB2FF3}\RP16;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0005805.exe;C:\System Volume Information\_restore{7D35014A-C947-4A65-BBEF-48C646AB2FF3}\RP16;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0005806.exe;C:\System Volume Information\_restore{7D35014A-C947-4A65-BBEF-48C646AB2FF3}\RP16;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0005807.dll;C:\System Volume Information\_restore{7D35014A-C947-4A65-BBEF-48C646AB2FF3}\RP16;Adware.Sogou;Incurable.Moved.;
A0005808.dll;C:\System Volume Information\_restore{7D35014A-C947-4A65-BBEF-48C646AB2FF3}\RP16;Adware.Sogou.origin;Incurable.Moved.;
A0005809.dll;C:\System Volume Information\_restore{7D35014A-C947-4A65-BBEF-48C646AB2FF3}\RP16;Probably DLOADER.Trojan;Incurable.Moved.;

---

ComboFix - I ran ComboFix in safe mode. It gave the following log:

ComboFix 07-11-04.5 - Brian Desktop 2007-11-05 8:25:19.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.685 [GMT 8:00]
Running from: C:\Documents and Settings\Brian Desktop\Desktop\ComboFix(2).exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\microsoft\pctools
C:\Documents and Settings\All Users\Application Data.\microsoft\pctools\pctools.dll
C:\Documents and Settings\All Users\Application Data.\t
C:\Documents and Settings\All Users\Application Data.\t\a2001.dat
C:\Documents and Settings\All Users\Application Data.\t\b2001.dat
C:\Documents and Settings\All Users\Application Data.\t\k2001.dat
C:\Documents and Settings\All Users\Application Data.\t\p2001.dat
C:\Documents and Settings\All Users\Application Data.\t\r2001.dat
C:\Documents and Settings\All Users\Application Data\microsoft\pctools\pctools.dll
C:\Documents and Settings\Brian Desktop\Favorites\7BFA~1.URL
C:\WINDOWS\system32\cnprov.dat
C:\WINDOWS\system32\drivers\acpidisk.sys
C:\WINDOWS\system32\drivers\mxdispdr.sys
C:\WINDOWS\system32\mprmsgse.axz
C:\WINDOWS\system32\mscpx32r.det
C:\WINDOWS\system32\score.txt
C:\WINDOWS\TEMP.\~my1.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_ACPIDISK
-------\LEGACY_BRGNS
-------\LEGACY_CNPROV
-------\LEGACY_MS_2FAX
-------\LEGACY_MXDISPDR
-------\acpidisk
-------\BRGNS
-------\mxdispdr


((((((((((((((((((((((((( Files Created from 2007-10-05 to 2007-11-05 )))))))))))))))))))))))))))))))
.

2007-11-05 08:24 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-04 21:42 <DIR> d-------- C:\Documents and Settings\Brian Desktop\DoctorWeb
2007-10-27 20:09 7,882,784 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-27 20:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-10-27 20:02 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-10-27 19:18 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-10-27 18:52 8,453,632 --a------ C:\shell32.dll
2007-10-27 18:52 984,576 --a------ C:\kernel32.dll
2007-10-27 18:52 577,536 --a------ C:\user32.dll
2007-10-27 18:40 <DIR> d-------- C:\Documents and Settings\Administrator.BRIANDESKTOP\Application Data\UnH Solutions
2007-10-27 14:29 <DIR> d-------- C:\Program Files\EasyCleaner
2007-10-27 14:20 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2007-10-27 14:14 744,853 --a------ C:\Documents and Settings\Brian Desktop\PAVARK.exe
2007-10-27 14:13 <DIR> d-------- C:\Documents and Settings\Brian Desktop\Pavark
2007-10-27 14:02 <DIR> d-------- C:\Program Files\CCleaner
2007-10-27 13:48 <DIR> d-------- C:\Program Files\RegCleaner
2007-10-27 13:32 <DIR> d-------- C:\Documents and Settings\Brian Desktop\Application Data\Uniblue
2007-10-27 01:11 94,480 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-27 01:09 <DIR> d-------- C:\Documents and Settings\Brian Desktop\Application Data\HouseCall 6.6
2007-10-26 01:07 <DIR> d-------- C:\Documents and Settings\Brian Desktop\.housecall6.6
2007-10-26 00:54 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-26 00:14 <DIR> d-------- C:\WINDOWS\pss
2007-10-26 00:12 <DIR> d-------- C:\Documents and Settings\Brian Desktop\rkrev
2007-10-25 23:49 <DIR> d-------- C:\Program Files\ACW
2007-10-25 23:43 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2007-10-16 03:06 <DIR> d-------- C:\Documents and Settings\Brian Desktop\Application Data\UFOAI
2007-10-13 15:51 266,240 -ra------ C:\WINDOWS\system32\hppasc01.dll
2007-10-13 15:41 53,602 --a------ C:\WINDOWS\hppins02.dat
2007-10-13 15:41 2,009 --------- C:\WINDOWS\hppmdl02.dat
2007-10-06 15:20 172,416 -----c--- C:\WINDOWS\system32\dllcache\kmixer.sys
2007-10-06 15:20 82,944 -----c--- C:\WINDOWS\system32\dllcache\wdmaud.sys
2007-10-06 15:20 6,400 -----c--- C:\WINDOWS\system32\dllcache\splitter.sys
2007-10-06 15:17 <DIR> d-------- C:\WUTemp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-04 16:50 94,496 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-04 14:10 --------- d-----w C:\Program Files\Browser Sentinel 2
2007-11-02 02:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-10-27 11:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-27 11:56 --------- d-----w C:\Documents and Settings\Brian Desktop\Application Data\My Games
2007-10-27 06:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-27 03:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-25 11:45 --------- d-----w C:\Documents and Settings\Brian Desktop\Application Data\AVG7
2007-10-20 20:10 --------- d-----w C:\Program Files\Wesnoth
2007-10-15 18:14 --------- d-----w C:\Program Files\Java
2007-10-13 07:55 --------- d-----w C:\Program Files\HP
2007-10-11 16:14 --------- d-----w C:\Program Files\MSN Messenger
2007-10-07 06:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2007-10-06 06:41 --------- d-----w C:\Program Files\ISOpen
2007-10-02 11:42 --------- d-----w C:\Documents and Settings\Brian Desktop\Application Data\Logitech
2007-10-02 11:41 --------- d-----w C:\Program Files\Common Files\LogiShared
2007-10-02 11:40 --------- d-----w C:\Program Files\Common Files\Logitech
2007-10-02 11:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2007-10-02 11:39 --------- d-----w C:\Program Files\Logitech
2007-10-02 11:39 --------- d-----w C:\Documents and Settings\Brian Desktop\Application Data\InstallShield
2007-10-02 11:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2007-09-20 11:49 --------- d-----w C:\Documents and Settings\Brian Desktop\Application Data\UnH Solutions
2007-09-15 02:14 20,541 ----a-w C:\WINDOWS\system32\detoured.dll
2007-09-15 02:14 --------- d-----w C:\Program Files\Windows Live
2007-09-06 08:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-09-06 08:14 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2006-02-20 20:58 456 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ToolBoxFX"="C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2005-11-21 15:55]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 18:20 C:\WINDOWS\SOUNDMAN.EXE]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\qttask.exe" [2006-10-25 18:58]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 09:07]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 09:07]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-11-11 13:47]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" [2004-12-06 12:06]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-11 13:47]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 09:07]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 C:\WINDOWS\KHALMNPR.Exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 09:07]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-27 11:59]
"ASUS Probe"="C:\Program Files\ASUS\Asus Probe\AsusProb.exe" [2002-12-06 16:07]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"n4xruq5v"=%systemroot%\system32\Rundll32.exe %systemroot%\system32\n4xruq5v.dll,DllUnregisterServer

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-10-02 19:40:13]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"=0 (0x0)
"NoMovingBands"=0 (0x0)
"NoCloseDragDropBands"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
CoolWare

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-05 08:28:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-05 8:28:38 - machine was rebooted
.
--- E O F ---


HijackThis - Here is the new Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:44:33 AM, on 11/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Brian Desktop\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kzdh.com/?g
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Asus Probe\AsusProb.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://bba.bloomberg.net/Citrix/ICAWEB/en/ica32/wficat.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 5468 bytes

#4 jedi


Posted 05 November 2007 - 01:56 PM

Hi again,

Please navigate (using Internet Explorer, other browsers won't work) to the following site: http://support.f-secure.com/enu/home/ols.shtml

Scroll to the bottom of the page, and click Start Scan.

When prompted, choose to install the software. After the software has installed, click Accept. Click Custom Scan and check the option for Scan inside archives, then click Start. The necessary databases will then be downloaded, and the scan will then start automatically.

Please be patient as this scan will take a while to complete. If any infections are found then once the scan has finished, the "cleaning" screen will be displayed.

Choose Automatic cleaning (recommended). After cleaning has finished, the Finish screen will be displayed.

Choose Show Report. In order to post the report, press CTRL+A on your keyboard to highlight all the text.

Then copy and paste that information into this thread.

jedi

#5 garcia1000


Posted 05 November 2007 - 07:34 PM

Thanks very much jedi.

I can't run internet explorer at the moment because I can't access my taskbar or desktop. I am currently running programs by using Ctrl-Alt-Del and then File -> Run.

Running iexplore.exe doesn't do anything. When I try browsing to a .htm file, right-clicking it and selecting Open With -> Internet Explorer, it gives me the error message "Windows cannot find '[path and filename]'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search."

I am using firefox at the moment. What should I do?

#6 jedi


Posted 06 November 2007 - 11:59 AM

Hi,

Open notepad and copy/paste the text in the quotebox below into it (do not include the word ‘Quote’)

File::
C:\WINDOWS\system32\n4xruq5v.dll
C:\WINDOWS\system32\hppasc01.dll
C:\WINDOWS\hppins02.dat
C:\WINDOWS\hppmdl02.dat
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"n4xruq5v"=-


Save this as CFScript

[image: CFScript being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

jedi

#7 garcia1000


Posted 06 November 2007 - 07:49 PM

Thanks!
I ran Combofix in safe mode again using CFScript.

Here's the Combofix Log:


ComboFix 07-11-04.5 - Brian Desktop 2007-11-07 8:33:21.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.822 [GMT 8:00]
Running from: C:\Documents and Settings\Brian Desktop\Desktop\ComboFix(2).exe
Command switches used :: C:\Documents and Settings\Brian Desktop\Desktop\CFscript.txt
.

((((((((((((((((((((((((( Files Created from 2007-10-07 to 2007-11-07 )))))))))))))))))))))))))))))))
.

2007-11-05 08:24 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-04 21:42 <DIR> d-------- C:\Documents and Settings\Brian Desktop\DoctorWeb
2007-10-27 20:09 8,009,760 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-27 20:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-10-27 20:02 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-10-27 19:18 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-10-27 18:52 8,453,632 --a------ C:\shell32.dll
2007-10-27 18:52 984,576 --a------ C:\kernel32.dll
2007-10-27 18:52 577,536 --a------ C:\user32.dll
2007-10-27 18:40 <DIR> d-------- C:\Documents and Settings\Administrator.BRIANDESKTOP\Application Data\UnH Solutions
2007-10-27 14:29 <DIR> d-------- C:\Program Files\EasyCleaner
2007-10-27 14:20 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2007-10-27 14:14 744,853 --a------ C:\Documents and Settings\Brian Desktop\PAVARK.exe
2007-10-27 14:13 <DIR> d-------- C:\Documents and Settings\Brian Desktop\Pavark
2007-10-27 14:02 <DIR> d-------- C:\Program Files\CCleaner
2007-10-27 13:48 <DIR> d-------- C:\Program Files\RegCleaner
2007-10-27 13:32 <DIR> d-------- C:\Documents and Settings\Brian Desktop\Application Data\Uniblue
2007-10-27 01:11 94,480 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-27 01:09 <DIR> d-------- C:\Documents and Settings\Brian Desktop\Application Data\HouseCall 6.6
2007-10-26 01:07 <DIR> d-------- C:\Documents and Settings\Brian Desktop\.housecall6.6
2007-10-26 00:54 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-26 00:14 <DIR> d-------- C:\WINDOWS\pss
2007-10-26 00:12 <DIR> d-------- C:\Documents and Settings\Brian Desktop\rkrev
2007-10-25 23:49 <DIR> d-------- C:\Program Files\ACW
2007-10-25 23:43 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2007-10-16 03:06 <DIR> d-------- C:\Documents and Settings\Brian Desktop\Application Data\UFOAI
2007-10-13 15:51 266,240 -ra------ C:\WINDOWS\system32\hppasc01.dll
2007-10-13 15:41 53,602 --a------ C:\WINDOWS\hppins02.dat
2007-10-13 15:41 2,009 --------- C:\WINDOWS\hppmdl02.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-07 00:31 95,984 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-04 14:10 --------- d-----w C:\Program Files\Browser Sentinel 2
2007-11-02 02:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-10-27 11:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-27 11:56 --------- d-----w C:\Documents and Settings\Brian Desktop\Application Data\My Games
2007-10-27 06:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-27 03:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-25 11:45 --------- d-----w C:\Documents and Settings\Brian Desktop\Application Data\AVG7
2007-10-20 20:10 --------- d-----w C:\Program Files\Wesnoth
2007-10-15 18:14 --------- d-----w C:\Program Files\Java
2007-10-13 07:55 --------- d-----w C:\Program Files\HP
2007-10-11 16:14 --------- d-----w C:\Program Files\MSN Messenger
2007-10-07 06:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2007-10-06 06:41 --------- d-----w C:\Program Files\ISOpen
2007-10-02 11:42 --------- d-----w C:\Documents and Settings\Brian Desktop\Application Data\Logitech
2007-10-02 11:41 --------- d-----w C:\Program Files\Common Files\LogiShared
2007-10-02 11:40 --------- d-----w C:\Program Files\Common Files\Logitech
2007-10-02 11:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2007-10-02 11:39 --------- d-----w C:\Program Files\Logitech
2007-10-02 11:39 --------- d-----w C:\Documents and Settings\Brian Desktop\Application Data\InstallShield
2007-10-02 11:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2007-09-20 11:49 --------- d-----w C:\Documents and Settings\Brian Desktop\Application Data\UnH Solutions
2007-09-15 02:14 20,541 ----a-w C:\WINDOWS\system32\detoured.dll
2007-09-15 02:14 --------- d-----w C:\Program Files\Windows Live
2007-09-06 08:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-09-06 08:14 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2006-02-20 20:58 456 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ToolBoxFX"="C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2005-11-21 15:55]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 18:20 C:\WINDOWS\SOUNDMAN.EXE]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\qttask.exe" [2006-10-25 18:58]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 09:07]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 09:07]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-11-11 13:47]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" [2004-12-06 12:06]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-11 13:47]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 09:07]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 C:\WINDOWS\KHALMNPR.Exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 09:07]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-27 11:59]
"ASUS Probe"="C:\Program Files\ASUS\Asus Probe\AsusProb.exe" [2002-12-06 16:07]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-10-02 19:40:13]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"=0 (0x0)
"NoMovingBands"=0 (0x0)
"NoCloseDragDropBands"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""


R0 sd64zfa;sd64zf;C:\WINDOWS\system32\DRIVERS\sd64zfa.sys
S2 96nrjcozb;96nrjcozb;\??\C:\WINDOWS\system32\drivers\96nrjcozb.sys
S2 CoolWare;CoolWare;C:\WINDOWS\System32\svchost.exe -k netsvcs
S2 qdqm;Std qdqm Service;C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\ivie\vivr.dll,Service -s
S2 rw201;rw201;\??\C:\WINDOWS\system32\drivers\rw201.sys
S3 ASNDIS5;ASNDIS5 Protocol Driver;\??\C:\WINDOWS\system32\ASNDIS5.SYS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
CoolWare

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-07 08:34:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-07 8:35:17
.
--- E O F ---




Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:20 AM, on 11/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Brian Desktop\Desktop\HiJackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kzdh.com/?g
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Asus Probe\AsusProb.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://bba.bloomberg.net/Citrix/ICAWEB/en/ica32/wficat.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 5501 bytes




At the moment, the taskbar and desktop icons still do not appear. Also, on startup, I still get two messages about 'cannot find /ivie/vivr.dll' and something about nx4ruq5v cannot be found.

Thanks for your help so far

#8 jedi

jedi

  • Members
  • 274 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:02:22 PM

Posted 07 November 2007 - 03:34 PM

Hi,

Please run this in normal mode, rather than safe mode:

Open Notepad and copy/paste the text in the quote box below into it (do not include the word ‘Quote’).

Driver::
C:\WINDOWS\system32\DRIVERS\sd64zfa.sys
C:\WINDOWS\system32\drivers\96nrjcozb.sys
C:\WINDOWS\system32\drivers\rw201.sys


Save this as CFScript

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Also:

Download getservices from http://www.bleepingcomputer.com/files/spyw...getservices.zip

To use this script, extract the zip file to your C: drive. Once it is extracted you will find a directory on your C: drive called getservice. Inside the C:\getservice directory will be a file called getservice.bat . Simply double-click on the getservice.bat file and when it is completed a notepad will open with a lot of information. Copy and paste the information from the notepad and post it here as your reply.

jedi
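Jedi's CFScript above names the three drivers with random-looking names from the ComboFix service entries. As an added example for this thread (not ComboFix's code and not the helper's method), here is a Python triage script that parses those R0/R2/S2/S3 lines and ranks the entries a helper would examine first; the sample input is the service lines from the log posted above plus one constructed benign control line, and the rules are heuristics that point a human at a file, not a verdict.

```python
"""Heuristic triage of the R0/R2/S2/S3 service lines in a ComboFix
'Reg Loading Points' section.

Added example for this thread; not ComboFix's code and not the helper's
method.  The rules rank entries for a human to inspect, nothing more.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Service lines copied from the ComboFix log posted in this thread.  The last
# line is a constructed benign control, built from the AppMgmt entry in the
# getservice output (svchost-hosted, descriptive display name).
SAMPLE_LINES = [
    r"R0 sd64zfa;sd64zf;C:\WINDOWS\system32\DRIVERS\sd64zfa.sys",
    r"S2 96nrjcozb;96nrjcozb;\??\C:\WINDOWS\system32\drivers\96nrjcozb.sys",
    r"S2 CoolWare;CoolWare;C:\WINDOWS\System32\svchost.exe -k netsvcs",
    r"S2 qdqm;Std qdqm Service;C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\ivie\vivr.dll,Service -s",
    r"S2 rw201;rw201;\??\C:\WINDOWS\system32\drivers\rw201.sys",
    r"S3 ASNDIS5;ASNDIS5 Protocol Driver;\??\C:\WINDOWS\system32\ASNDIS5.SYS",
    r"S3 AppMgmt;Application Management;C:\WINDOWS\system32\svchost.exe -k netsvcs",
]

# ComboFix line layout: <R|S><start> <service name>;<display name>;<image path>
# R/S = running/stopped; the digit is the registry Start value
# (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled).
LINE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.+)$")
# First file name with a PE-style extension in the image path = host binary.
HOST_RE = re.compile(r"([^\\/]+\.(?:exe|sys|dll))", re.IGNORECASE)


@dataclass
class ServiceEntry:
    running: bool
    start_type: int
    name: str
    display_name: str
    image_path: str
    reasons: List[str] = field(default_factory=list)


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Split one ComboFix service line into its fields; None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    state, start, name, display, path = m.groups()
    return ServiceEntry(state == "R", int(start), name, display, path)


def looks_random(name: str) -> bool:
    """All-lowercase alphanumeric name that mixes in digits or has no vowel.

    Matches the sd64zfa / 96nrjcozb / rw201 / qdqm pattern in the log and
    leaves CamelCase or upper-case vendor names (CoolWare, ASNDIS5) to the
    other rules.  Heuristic only: wuauserv passes, but a lowercase name that
    carries a version number would be a false positive.
    """
    if not name.isalnum() or name != name.lower():
        return False
    has_digit = any(c.isdigit() for c in name)
    has_vowel = any(c in "aeiouy" for c in name)
    return has_digit or not has_vowel


def host_binary(image_path: str) -> str:
    """Lower-cased file name of the binary that the image path launches."""
    m = HOST_RE.search(image_path)
    return m.group(1).lower() if m else ""


def triage(entry: ServiceEntry) -> List[str]:
    """Return the reasons an entry deserves a closer look (empty if none)."""
    reasons = []
    host = host_binary(entry.image_path)
    if looks_random(entry.name):
        reasons.append("random-looking service name")
    if host == "rundll32.exe":
        # A service whose 'binary' is rundll32 plus a DLL outside system32 is
        # unusual; the vivr.dll path here also matches the 'cannot find
        # /ivie/vivr.dll' startup error the poster reports.
        parts = entry.image_path.split(" ", 2)
        dll = parts[1] if len(parts) > 1 else "?"
        reasons.append("service implemented as rundll32 loading " + dll)
    if host == "svchost.exe" and entry.display_name.lower() == entry.name.lower():
        # Stock svchost group members carry descriptive display names; one that
        # repeats its own short name (CoolWare;CoolWare) and is also listed
        # under Svchost\NetSvcs, as in the log, is worth checking.
        reasons.append("svchost-hosted service without a descriptive display name")
    return reasons


def triage_log(lines) -> Dict[str, List[str]]:
    """Map service name -> reasons, for every line that triggered a rule."""
    flagged = {}
    for line in lines:
        entry = parse_service_line(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            flagged[entry.name] = reasons
    return flagged


if __name__ == "__main__":
    for name, why in triage_log(SAMPLE_LINES).items():
        print(f"{name:12s} {'; '.join(why)}")
```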

#9 garcia1000

garcia1000
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:02:22 PM

Posted 07 November 2007 - 07:46 PM

Thanks jedi,

I ran Combofix in normal mode. Here's the log:

ComboFix 07-11-04.5 - Brian Desktop 2007-11-08 8:37:44.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.491 [GMT 8:00]
Running from: C:\Documents and Settings\Brian Desktop\Desktop\ComboFix(2).exe
Command switches used :: C:\Documents and Settings\Brian Desktop\Desktop\cfscript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
.

2007-11-05 08:24 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-04 21:42 <DIR> d-------- C:\Documents and Settings\Brian Desktop\DoctorWeb
2007-10-27 20:09 11,728,928 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-27 20:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-10-27 20:02 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-10-27 19:18 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-10-27 18:52 8,453,632 --a------ C:\shell32.dll
2007-10-27 18:52 984,576 --a------ C:\kernel32.dll
2007-10-27 18:52 577,536 --a------ C:\user32.dll
2007-10-27 18:40 <DIR> d-------- C:\Documents and Settings\Administrator.BRIANDESKTOP\Application Data\UnH Solutions
2007-10-27 14:29 <DIR> d-------- C:\Program Files\EasyCleaner
2007-10-27 14:20 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2007-10-27 14:14 744,853 --a------ C:\Documents and Settings\Brian Desktop\PAVARK.exe
2007-10-27 14:13 <DIR> d-------- C:\Documents and Settings\Brian Desktop\Pavark
2007-10-27 14:02 <DIR> d-------- C:\Program Files\CCleaner
2007-10-27 13:48 <DIR> d-------- C:\Program Files\RegCleaner
2007-10-27 13:32 <DIR> d-------- C:\Documents and Settings\Brian Desktop\Application Data\Uniblue
2007-10-27 01:11 94,480 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-27 01:09 <DIR> d-------- C:\Documents and Settings\Brian Desktop\Application Data\HouseCall 6.6
2007-10-26 01:07 <DIR> d-------- C:\Documents and Settings\Brian Desktop\.housecall6.6
2007-10-26 00:54 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-26 00:14 <DIR> d-------- C:\WINDOWS\pss
2007-10-26 00:12 <DIR> d-------- C:\Documents and Settings\Brian Desktop\rkrev
2007-10-25 23:49 <DIR> d-------- C:\Program Files\ACW
2007-10-25 23:43 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2007-10-16 03:06 <DIR> d-------- C:\Documents and Settings\Brian Desktop\Application Data\UFOAI
2007-10-13 15:51 266,240 -ra------ C:\WINDOWS\system32\hppasc01.dll
2007-10-13 15:41 53,602 --a------ C:\WINDOWS\hppins02.dat
2007-10-13 15:41 2,009 --------- C:\WINDOWS\hppmdl02.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-07 02:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-11-07 00:31 95,984 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-04 14:10 --------- d-----w C:\Program Files\Browser Sentinel 2
2007-10-27 11:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-27 11:56 --------- d-----w C:\Documents and Settings\Brian Desktop\Application Data\My Games
2007-10-27 06:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-27 03:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-25 11:45 --------- d-----w C:\Documents and Settings\Brian Desktop\Application Data\AVG7
2007-10-20 20:10 --------- d-----w C:\Program Files\Wesnoth
2007-10-15 18:14 --------- d-----w C:\Program Files\Java
2007-10-13 07:55 --------- d-----w C:\Program Files\HP
2007-10-11 16:14 --------- d-----w C:\Program Files\MSN Messenger
2007-10-07 06:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2007-10-06 06:41 --------- d-----w C:\Program Files\ISOpen
2007-10-02 11:42 --------- d-----w C:\Documents and Settings\Brian Desktop\Application Data\Logitech
2007-10-02 11:41 --------- d-----w C:\Program Files\Common Files\LogiShared
2007-10-02 11:40 --------- d-----w C:\Program Files\Common Files\Logitech
2007-10-02 11:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2007-10-02 11:39 --------- d-----w C:\Program Files\Logitech
2007-10-02 11:39 --------- d-----w C:\Documents and Settings\Brian Desktop\Application Data\InstallShield
2007-10-02 11:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2007-09-20 11:49 --------- d-----w C:\Documents and Settings\Brian Desktop\Application Data\UnH Solutions
2007-09-15 02:14 20,541 ----a-w C:\WINDOWS\system32\detoured.dll
2007-09-15 02:14 --------- d-----w C:\Program Files\Windows Live
2007-09-06 08:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-09-06 08:14 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2006-02-20 20:58 456 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ToolBoxFX"="C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2005-11-21 15:55]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 18:20 C:\WINDOWS\SOUNDMAN.EXE]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\qttask.exe" [2006-10-25 18:58]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 09:07]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 09:07]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-11-11 13:47]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" [2004-12-06 12:06]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-11 13:47]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 09:07]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 C:\WINDOWS\KHALMNPR.Exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 09:07]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-27 11:59]
"ASUS Probe"="C:\Program Files\ASUS\Asus Probe\AsusProb.exe" [2002-12-06 16:07]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-10-02 19:40:13]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"=0 (0x0)
"NoMovingBands"=0 (0x0)
"NoCloseDragDropBands"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""


R0 sd64zfa;sd64zf;C:\WINDOWS\system32\DRIVERS\sd64zfa.sys
R2 rw201;rw201;\??\C:\WINDOWS\system32\drivers\rw201.sys
S2 96nrjcozb;96nrjcozb;\??\C:\WINDOWS\system32\drivers\96nrjcozb.sys
S2 CoolWare;CoolWare;C:\WINDOWS\System32\svchost.exe -k netsvcs
S2 qdqm;Std qdqm Service;C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\ivie\vivr.dll,Service -s
S3 ASNDIS5;ASNDIS5 Protocol Driver;\??\C:\WINDOWS\system32\ASNDIS5.SYS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
CoolWare

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-08 08:39:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-08 8:40:31
C:\ComboFix2.txt ... 2007-11-07 08:35
C:\combofixlog1.txt ... 2007-11-07 08:39
.
--- E O F ---



Here is the getservice log:


PsService v1.1 - local and remote services viewer/controller
Copyright © 2001-2003 Mark Russinovich
Sysinternals - www.sysinternals.com

SERVICE_NAME: Alerter
Notifies selected users and computers of administrative alerts. If the service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Alerter
DEPENDENCIES : LanmanWorkstation
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: ALG
Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Windows Firewall.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\alg.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Application Layer Gateway Service
DEPENDENCIES :
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: AppMgmt
Provides software installation services such as Assign, Publish, and Remove.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Application Management
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: aspnet_state
Provides support for out-of-process session states for ASP.NET. If this service is stopped, out-of-process requests will not be processed. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ASP.NET State Service
DEPENDENCIES :
SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: AudioSrv
Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : AudioGroup
TAG : 0
DISPLAY_NAME : Windows Audio
DEPENDENCIES : PlugPlay
: RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: AVG Anti-Spyware Guard
(null)
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : AVG Anti-Spyware Guard
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Avg7Alrt
(null)
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : AVG7 Alert Manager Server
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Avg7UpdSvc
(null)
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : AVG7 Update Service
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: BITS
Transfers data between clients and servers in the background. If BITS is disabled, features such as Windows Update will not work correctly.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Background Intelligent Transfer Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 0 seconds
FAILURE_ACTIONS : Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds

SERVICE_NAME: Browser
Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Computer Browser
DEPENDENCIES : LanmanWorkstation
: LanmanServer
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: CCALib8
(null)
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Canon\CAL\CALMAIN.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Canon Camera Access Library 8
DEPENDENCIES : stisvc
: SSDPSRV
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: cisvc
Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\cisvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Indexing Service
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ClipSrv
Enables ClipBook Viewer to store information and share it with remote computers. If the service is stopped, ClipBook Viewer will not be able to share information with remote computers. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\clipsrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ClipBook
DEPENDENCIES : NetDDE
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: clr_optimization_v2.0.50727_32
Microsoft .NET Framework NGEN
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : .NET Runtime Optimization Service v2.0.50727_X86
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 60000 seconds
: Restart DELAY: 960000 seconds
: Restart DELAY: 15360000 seconds
: None DELAY: 0 seconds

SERVICE_NAME: COMSysApp
Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : COM+ System Application
DEPENDENCIES : rpcss
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 30 seconds
FAILURE_ACTIONS : Restart DELAY: 1000 seconds
: Restart DELAY: 5000 seconds
: None DELAY: 1000 seconds

SERVICE_NAME: CoolWare
(null)
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : CoolWare
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: CryptSvc
Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Cryptographic Services
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: DcomLaunch
Provides launch functionality for DCOM services.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost -k DcomLaunch
LOAD_ORDER_GROUP : Event Log
TAG : 0
DISPLAY_NAME : DCOM Server Process Launcher
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 0 seconds
FAILURE_ACTIONS : Reboot DELAY: 60000 seconds

SERVICE_NAME: Dhcp
Manages network configuration by registering and updating IP addresses and DNS names.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DHCP Client
DEPENDENCIES : Tcpip
: Afd
: NetBT
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: dmadmin
Configures hard disk drives and volumes. The service only runs for configuration processes and then stops.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\dmadmin.exe /com
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Logical Disk Manager Administrative Service
DEPENDENCIES : RpcSs
: PlugPlay
: DmServer
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: dmserver
Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Logical Disk Manager
DEPENDENCIES : RpcSs
: PlugPlay
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Dnscache
Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k NetworkService
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DNS Client
DEPENDENCIES : Tcpip
SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: ERSvc
Allows error reporting for services and applictions running in non-standard environments.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Error Reporting Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Eventlog
Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe
LOAD_ORDER_GROUP : Event log
TAG : 0
DISPLAY_NAME : Event Log
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: EventSystem
Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : Network
TAG : 0
DISPLAY_NAME : COM+ Event System
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: FastUserSwitchingCompatibility
Provides management for applications that require assistance in a multiple user environment.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Fast User Switching Compatibility
DEPENDENCIES : TermService
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: helpsvc
Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Help and Support
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 100 seconds
: Restart DELAY: 100 seconds
: None DELAY: 100 seconds

SERVICE_NAME: HidServ
Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Human Interface Device Access
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: HTTPFilter
This service implements the secure hypertext transfer protocol (HTTPS) for the HTTP service, using the Secure Socket Layer (SSL). If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k HTTPFilter
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : HTTP SSL
DEPENDENCIES : HTTP
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ImapiService
Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). If this service is stopped, this computer will be unable to record CDs. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\imapi.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : IMAPI CD-Burning COM Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: iPod Service
iPod hardware management services
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\iPod\bin\iPodService.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : iPod Service
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanserver
Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Server
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanworkstation
Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : NetworkProvider
TAG : 0
DISPLAY_NAME : Workstation
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: LmHosts
Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : TCP/IP NetBIOS Helper
DEPENDENCIES : NetBT
: Afd
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: Messenger
Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Messenger
DEPENDENCIES : LanmanWorkstation
: NetBIOS
: PlugPlay
: RpcSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: mnmsrvc
Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet. If this service is stopped, remote desktop sharing will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\mnmsrvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NetMeeting Remote Desktop Sharing
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: MSDTC
Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\msdtc.exe
LOAD_ORDER_GROUP : MS Transactions
TAG : 1
DISPLAY_NAME : Distributed Transaction Coordinator
DEPENDENCIES : RPCSS
: SamSS
SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: MSIServer
Adds, modifies, and removes applications provided as a Windows Installer (*.msi) package. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\msiexec.exe /V
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Installer
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetDDE
Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. If this service is stopped, DDE transport and security will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\netdde.exe
LOAD_ORDER_GROUP : NetDDEGroup
TAG : 0
DISPLAY_NAME : Network DDE
DEPENDENCIES : NetDDEDSDM
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetDDEdsdm
Manages Dynamic Data Exchange (DDE) network shares. If this service is stopped, DDE network shares will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\netdde.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network DDE DSDM
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Netlogon
Supports pass-through authentication of account logon events for computers in a domain.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
LOAD_ORDER_GROUP : RemoteValidation
TAG : 0
DISPLAY_NAME : Net Logon
DEPENDENCIES : LanmanWorkstation
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Netman
Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network Connections
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Nla
Collects and stores network configuration and location information, and notifies applications when this information changes.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network Location Awareness (NLA)
DEPENDENCIES : Tcpip
: Afd
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NtLmSsp
Provides security to remote procedure call (RPC) programs that use transports other than named pipes.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NT LM Security Support Provider
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NtmsSvc
(null)
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Removable Storage
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NVSvc
Provides system and desktop level support to the NVIDIA display driver
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\nvsvc32.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NVIDIA Display Driver Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ose
Saves installation files used for updates and repairs and is required for the downloading of Setup updates and Watson error reports.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Office Source Engine
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PlugPlay
Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe
LOAD_ORDER_GROUP : PlugPlay
TAG : 0
DISPLAY_NAME : Plug and Play
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Pml Driver HPZ12
(null)
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\HPZipm12.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Pml Driver HPZ12
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PolicyAgent
Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : IPSEC Services
DEPENDENCIES : RPCSS
: Tcpip
: IPSec
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ProtectedStorage
Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Protected Storage
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: qdqm
(null)
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\ivie\vivr.dll,Service -s
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Std qdqm Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RasAuto
Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Access Auto Connection Manager
DEPENDENCIES : RasMan
: Tapisrv
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RasMan
Creates a network connection.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Access Connection Manager
DEPENDENCIES : Tapisrv
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RDSessMgr
Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be unavailable. Before stopping this service, see the Dependencies tab of the Properties dialog box.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\sessmgr.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Desktop Help Session Manager
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RemoteAccess
Offers routing services to businesses in local area and wide area network environments.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Routing and Remote Access
DEPENDENCIES : RpcSS
: +NetBIOSGroup
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RemoteRegistry
Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Registry
DEPENDENCIES : RPCSS
SERVICE_START_NAME: NT AUTHORITY\LocalService
FAIL_RESET_PERIOD : 0 seconds
FAILURE_ACTIONS : Restart DELAY: 1000 seconds

SERVICE_NAME: RpcLocator
Manages the RPC name service database.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\locator.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Procedure Call (RPC) Locator
DEPENDENCIES : LanmanWorkstation
SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: RpcSs
Provides the endpoint mapper and other miscellaneous RPC services.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost -k rpcss
LOAD_ORDER_GROUP : COM Infrastructure
TAG : 0
DISPLAY_NAME : Remote Procedure Call (RPC)
DEPENDENCIES :
SERVICE_START_NAME: NT AUTHORITY\NetworkService
FAIL_RESET_PERIOD : 0 seconds
FAILURE_ACTIONS : Reboot DELAY: 60000 seconds

SERVICE_NAME: RSVP
Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\rsvp.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : QoS RSVP
DEPENDENCIES : TcpIp
: Afd
: RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SamSs
Stores security information for local user accounts.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
LOAD_ORDER_GROUP : LocalValidation
TAG : 0
DISPLAY_NAME : Security Accounts Manager
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SCardDrv
Enables support for legacy non-plug and play smart-card readers used by this computer. If this service is stopped, this computer will not support legacy reader. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\SCardSvr.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Smart Card Helper
DEPENDENCIES : +Smart Card Reader
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: SCardSvr
Manages access to smart cards read by this computer. If this service is stopped, this computer will be unable to read smart cards. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\SCardSvr.exe
LOAD_ORDER_GROUP : SmartCardGroup
TAG : 0
DISPLAY_NAME : Smart Card
DEPENDENCIES : PlugPlay
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: Schedule
Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : SchedulerGroup
TAG : 0
DISPLAY_NAME : Task Scheduler
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 6000 seconds
: Restart DELAY: 60000 seconds
: None DELAY: 0 seconds

SERVICE_NAME: seclogon
Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Secondary Logon
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SENS
Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : Network
TAG : 0
DISPLAY_NAME : System Event Notification
DEPENDENCIES : EventSystem
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SharedAccess
Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Firewall/Internet Connection Sharing (ICS)
DEPENDENCIES : Netman
: WinMgmt
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ShellHWDetection
Provides notifications for AutoPlay hardware events.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : ShellSvcGroup
TAG : 0
DISPLAY_NAME : Shell Hardware Detection
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Spooler
Loads files to memory for later printing.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\spoolsv.exe
LOAD_ORDER_GROUP : SpoolerGroup
TAG : 0
DISPLAY_NAME : Print Spooler
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds
: None DELAY: 0 seconds

SERVICE_NAME: srservice
Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : System Restore Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SSDPSRV
Enables discovery of UPnP devices on your home network.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : SSDP Discovery Service
DEPENDENCIES : HTTP
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: stisvc
Provides image acquisition services for scanners and cameras.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k imgsvc
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Image Acquisition (WIA)
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SwPrv
Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this service is stopped, software-based volume shadow copies cannot be managed. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\system32\dllhost.exe /Processid:{69C87EC8-175F-4566-B07C-DFB9F24895B0}
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : MS Software Shadow Copy Provider
DEPENDENCIES : rpcss
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SysmonLog
Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. If this service is stopped, performance information will not be collected. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\smlogsvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Performance Logs and Alerts
DEPENDENCIES :
SERVICE_START_NAME: NT Authority\NetworkService

SERVICE_NAME: TapiSrv
Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Telephony
DEPENDENCIES : PlugPlay
: RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TermService
Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost -k DComLaunch
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Terminal Services
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Themes
Provides user experience theme management.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : UIGroup
TAG : 0
DISPLAY_NAME : Themes
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds
: None DELAY: 0 seconds

SERVICE_NAME: TlntSvr
Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. If this service is stopped, remote user access to programs might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\tlntsvr.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Telnet
DEPENDENCIES : RPCSS
: TCPIP
: NTLMSSP
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TrkWks
Maintains links between NTFS files within a computer or across computers in a network domain.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Distributed Link Tracking Client
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: upnphost
Provides support to host Universal Plug and Play devices.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Universal Plug and Play Device Host
DEPENDENCIES : SSDPSRV
: HTTP
SERVICE_START_NAME: NT AUTHORITY\LocalService
FAIL_RESET_PERIOD : -1 seconds
FAILURE_ACTIONS : Restart DELAY: 0 seconds

SERVICE_NAME: UPS
Manages an uninterruptible power supply (UPS) connected to the computer.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\ups.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Uninterruptible Power Supply
DEPENDENCIES :
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: vsmon
Monitors internet traffic and generates alerts for disallowed access.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : TrueVector Internet Monitor
DEPENDENCIES : Afd
: RpcSs
: vsdatant
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: VSS
Manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\vssvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Volume Shadow Copy
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: W32Time
Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Time
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WebClient
Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP : NetworkProvider
TAG : 0
DISPLAY_NAME : WebClient
DEPENDENCIES : MRxDAV
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: winmgmt
Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Management Instrumentation
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds

SERVICE_NAME: WmdmPmSN
Retrieves the serial number of any portable media player connected to this computer. If this service is stopped, protected content might not be down loaded to the device.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Portable Media Serial Number Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Wmi
Provides systems management information to and from drivers.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Management Instrumentation Driver Extensions
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WmiApSrv
Provides performance library information from WMI HiPerf providers.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\wbem\wmiapsrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : WMI Performance Adapter
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: wscsvc
Monitors system security settings and configurations.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Security Center
DEPENDENCIES : RpcSs
: winmgmt
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: wuauserv
Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Automatic Updates
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WUSB54GCSVC
(null)
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : WUSB54GCSVC
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 0 seconds
FAILURE_ACTIONS : Restart DELAY: 0 seconds

SERVICE_NAME: WZCSVC
Provides automatic configuration for the 802.11 adapters
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : Wireless Zero Configuration
DEPENDENCIES : RpcSs
: Ndisuio
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: xmlprov
Manages XML configuration files on a domain basis for automatic network provisioning.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network Provisioning Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

#10 jedi

  • Members
  • 274 posts
  • Gender:Male
  • Location:UK

Posted 08 November 2007 - 05:11 PM

Hi again,



Download Taskbar Repair Tool Plus! from here:

http://www.kellys-korner-xp.com/taskbarplus!.htm

Unzip and open the program. From the dropdown menus (top to bottom) select
Taskbar is Missing
Show Missing Icons

Check the Disable SSDP etc. box and click Apply.

Let me know if this restores the Taskbar and icons.

jedi

#11 garcia1000
  • Topic Starter
  • Members
  • 20 posts

Posted 08 November 2007 - 07:57 PM

Thanks,

I have downloaded and run the Taskbar Repair Tool Plus! program in normal mode. The taskbar and icons do not reappear for me.

#12 jedi

  • Members
  • 274 posts
  • Gender:Male
  • Location:UK

Posted 09 November 2007 - 04:43 AM

Hi again,


Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Search for and delete these files, if present:

C:\WINDOWS\system32\hppasc01.dll
C:\WINDOWS\hppins02.dat
C:\WINDOWS\hppmdl02.dat


Next:

Please navigate to C:\Windows\System32\ (folder) and tell me if the following files are present there:

shell32.dll
kernel32.dll
user32.dll


(Do not delete these)

jedi

#13 garcia1000
  • Topic Starter
  • Members
  • 20 posts

Posted 09 November 2007 - 01:56 PM

Thanks, Jedi

I cannot run the Start menu as I don't have the taskbar. Running File -> New Task -> Explorer (from ctrl-alt-del) doesn't work either. Instead, I ran cmd and did the following; I hope it is OK:

cd c:\windows\system32
attrib -r hppasc01.dll
del hppasc01.dll

cd c:\windows
del hppins02.dat
del hppmdl02.dat

In C:\windows\system32, the following files exist:
shell32.dll 8,453,632 bytes
kernel32.dll 984,576 bytes
user32.dll 577,536 bytes

Thanks, I await your further instructions.
Edit: I still get the "cannot find the ivie/vivr.dll" and the n4xruq5v error messages, and the taskbar and desktop icons do not appear.

Edited by garcia1000, 09 November 2007 - 02:00 PM.


#14 jedi

  • Members
  • 274 posts
  • Gender:Male
  • Location:UK

Posted 10 November 2007 - 01:16 PM

OK,

Please post a fresh Combofix log, in normal mode, and download GMER from here:
http://www.majorgeeks.com/GMER_d5198.html

Unzip it to desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, apart from ‘Show All’.
Click on Scan.
When the scan has run, click Copy and paste the results (if any) into this thread.

jedi
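GMER's SSDT section names the module that owns each hooked system call, and ComboFix's driver/service lines show how each driver is registered. The helper below is an added example for this thread (not code from GMER, ComboFix or either poster) that groups SSDT hooks by owning module, flags owners outside an assumed allowlist, and flags ComboFix service lines hosted by rundll32 or registered by an absolute \??\ path. The allowlist and the sample log lines are constructed assumptions; each flag is a review prompt, not a verdict, since firewalls and disc emulators hook the same calls.

```python
"""Triage helpers for two log formats requested in this thread: the "SSDT"
section of a GMER rootkit scan and the driver/service lines of a ComboFix log.
Added example; not code from GMER, ComboFix or the thread. The allowlist and
the sample lines are constructed assumptions."""
import re
from collections import defaultdict

# GMER lists one hooked system call per line: "SSDT <owning module> <ZwFunction>".
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)\s*$")
# ComboFix lists drivers/services as "<state> <name>;<display name>;<image path>",
# where <state> is R (running) or S (stopped) followed by the start-type digit.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+)$")

# Assumed allowlist (constructed): hook owners already attributed to software
# the reviewer knows is installed on the machine. Adjust per case.
EXPECTED_HOOK_OWNERS = {"vsdatant.sys", "sptd.sys"}


def module_basename(path):
    """Lowercase file name of a module, whatever prefix the tool printed
    (a \\SystemRoot\\... path, a \\??\\C:\\... NT path, or a bare name)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hooks_by_module(lines):
    """Group GMER SSDT entries by the module that owns each hook."""
    hooks = defaultdict(list)
    for line in lines:
        m = SSDT_RE.match(line.strip())
        if m:
            hooks[module_basename(m.group(1))].append(m.group(2))
    return dict(hooks)


def unexpected_hooks(lines, allowlist=EXPECTED_HOOK_OWNERS):
    """SSDT hooks owned by modules outside the allowlist, with the hooked calls.
    This is a review queue: a hook on ZwSetValueKey or ZwCreateFile alone is
    not proof of malice, but an unknown owner deserves a closer look."""
    return {mod: calls for mod, calls in hooks_by_module(lines).items()
            if mod not in allowlist}


def suspicious_services(lines):
    """Flag ComboFix driver/service lines with traits worth a second look:
    a DLL run as a service through rundll32, or a driver registered by an
    absolute \\??\\ path rather than the usual system32\\drivers location."""
    findings = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        state, name, _display, image = m.groups()
        reasons = []
        if "rundll32" in image.lower():
            reasons.append("service image is rundll32 loading a DLL")
        if image.startswith("\\??\\"):
            reasons.append("driver registered via absolute \\??\\ path")
        if reasons:
            findings.append({"name": name, "state": state, "image": image,
                             "reasons": reasons})
    return findings


# Constructed sample in the two tools' formats (not a real scan; xk19q,
# goodstor and "example" are made-up names).
SAMPLE_GMER = """GMER 1.0.13 - constructed sample
---- System - GMER 1.0.13 ----
SSDT \\SystemRoot\\System32\\vsdatant.sys ZwCreateFile
SSDT \\SystemRoot\\System32\\vsdatant.sys ZwOpenProcess
SSDT sptd.sys ZwEnumerateKey
SSDT \\??\\C:\\WINDOWS\\system32\\drivers\\xk19q.sys ZwSetValueKey
SSDT \\??\\C:\\WINDOWS\\system32\\drivers\\xk19q.sys ZwQueryDirectoryFile
""".splitlines()

SAMPLE_COMBOFIX = """R0 goodstor;goodstor;C:\\WINDOWS\\system32\\DRIVERS\\goodstor.sys
R2 xk19q;xk19q;\\??\\C:\\WINDOWS\\system32\\drivers\\xk19q.sys
S2 example;Example Service;C:\\WINDOWS\\system32\\rundll32.exe C:\\PROGRA~1\\example\\ex.dll,Service -s
""".splitlines()

if __name__ == "__main__":
    for mod, calls in unexpected_hooks(SAMPLE_GMER).items():
        print(f"review hook owner {mod}: {', '.join(calls)}")
    for f in suspicious_services(SAMPLE_COMBOFIX):
        print(f"review service {f['name']} ({f['state']}): {'; '.join(f['reasons'])}")
```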

#15 garcia1000
  • Topic Starter
  • Members
  • 20 posts

Posted 11 November 2007 - 02:38 AM

Thanks jedi,

The log is pretty long. Thank you so much for your help so far.
Here's the ComboFix log; it was run in normal mode:

ComboFix 07-11-04.5 - Brian Desktop 2007-11-11 11:43:55.5 - NTFSx86
Running from: C:\Documents and Settings\Brian Desktop\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 )))))))))))))))))))))))))))))))
.

2007-11-11 11:40 <DIR> d-------- C:\gmer
2007-11-08 08:42 <DIR> d-------- C:\getservice
2007-11-05 08:24 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-04 21:42 <DIR> d-------- C:\Documents and Settings\Brian Desktop\DoctorWeb
2007-10-27 20:09 15,513,632 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-27 20:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-10-27 20:02 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-10-27 19:18 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-10-27 18:52 8,453,632 --a------ C:\shell32.dll
2007-10-27 18:52 984,576 --a------ C:\kernel32.dll
2007-10-27 18:52 577,536 --a------ C:\user32.dll
2007-10-27 18:40 <DIR> d-------- C:\Documents and Settings\Administrator.BRIANDESKTOP\Application Data\UnH Solutions
2007-10-27 14:29 <DIR> d-------- C:\Program Files\EasyCleaner
2007-10-27 14:20 <DIR> d-------- C:\Program Files\Common Files\Panda Software
2007-10-27 14:13 <DIR> d-------- C:\Documents and Settings\Brian Desktop\Pavark
2007-10-27 14:02 <DIR> d-------- C:\Program Files\CCleaner
2007-10-27 13:48 <DIR> d-------- C:\Program Files\RegCleaner
2007-10-27 13:32 <DIR> d-------- C:\Documents and Settings\Brian Desktop\Application Data\Uniblue
2007-10-27 01:11 94,480 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-27 01:09 <DIR> d-------- C:\Documents and Settings\Brian Desktop\Application Data\HouseCall 6.6
2007-10-26 01:07 <DIR> d-------- C:\Documents and Settings\Brian Desktop\.housecall6.6
2007-10-26 00:54 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-26 00:14 <DIR> d-------- C:\WINDOWS\pss
2007-10-26 00:12 <DIR> d-------- C:\Documents and Settings\Brian Desktop\rkrev
2007-10-25 23:49 <DIR> d-------- C:\Program Files\ACW
2007-10-25 23:43 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2007-10-16 03:06 <DIR> d-------- C:\Documents and Settings\Brian Desktop\Application Data\UFOAI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-11 03:41 183,776 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-10 02:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-11-04 14:10 --------- d-----w C:\Program Files\Browser Sentinel 2
2007-10-27 11:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-27 11:56 --------- d-----w C:\Documents and Settings\Brian Desktop\Application Data\My Games
2007-10-27 06:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-27 03:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-25 11:45 --------- d-----w C:\Documents and Settings\Brian Desktop\Application Data\AVG7
2007-10-20 20:10 --------- d-----w C:\Program Files\Wesnoth
2007-10-15 18:14 --------- d-----w C:\Program Files\Java
2007-10-13 07:55 --------- d-----w C:\Program Files\HP
2007-10-11 16:14 --------- d-----w C:\Program Files\MSN Messenger
2007-10-07 06:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2007-10-06 06:41 --------- d-----w C:\Program Files\ISOpen
2007-10-02 11:42 --------- d-----w C:\Documents and Settings\Brian Desktop\Application Data\Logitech
2007-10-02 11:41 --------- d-----w C:\Program Files\Common Files\LogiShared
2007-10-02 11:40 --------- d-----w C:\Program Files\Common Files\Logitech
2007-10-02 11:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2007-10-02 11:39 --------- d-----w C:\Program Files\Logitech
2007-10-02 11:39 --------- d-----w C:\Documents and Settings\Brian Desktop\Application Data\InstallShield
2007-10-02 11:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2007-09-20 11:49 --------- d-----w C:\Documents and Settings\Brian Desktop\Application Data\UnH Solutions
2007-09-15 02:14 20,541 ----a-w C:\WINDOWS\system32\detoured.dll
2007-09-15 02:14 --------- d-----w C:\Program Files\Windows Live
2007-09-06 08:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-09-06 08:14 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2006-02-20 20:58 456 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ToolBoxFX"="C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2005-11-21 15:55]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 18:20 C:\WINDOWS\SOUNDMAN.EXE]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\qttask.exe" [2006-10-25 18:58]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 09:07]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 09:07]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-11-11 13:47]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" [2004-12-06 12:06]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-11 13:47]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 09:07]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 C:\WINDOWS\KHALMNPR.Exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 09:07]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-27 11:59]
"ASUS Probe"="C:\Program Files\ASUS\Asus Probe\AsusProb.exe" [2002-12-06 16:07]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-10-02 19:40:13]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"=0 (0x0)
"NoMovingBands"=0 (0x0)
"NoCloseDragDropBands"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""


R0 sd64zfa;sd64zf;C:\WINDOWS\system32\DRIVERS\sd64zfa.sys
R2 rw201;rw201;\??\C:\WINDOWS\system32\drivers\rw201.sys
S2 96nrjcozb;96nrjcozb;\??\C:\WINDOWS\system32\drivers\96nrjcozb.sys
S2 CoolWare;CoolWare;C:\WINDOWS\System32\svchost.exe -k netsvcs
S2 qdqm;Std qdqm Service;C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\ivie\vivr.dll,Service -s
S3 ASNDIS5;ASNDIS5 Protocol Driver;\??\C:\WINDOWS\system32\ASNDIS5.SYS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
CoolWare

*Newly Created Service* - GTNDIS5
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-11 11:45:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-11 11:46:14
C:\ComboFix2.txt ... 2007-11-08 08:40
C:\ComboFix3.txt ... 2007-11-07 08:35
C:\combofixlog1.txt ... 2007-11-07 08:39
.
--- E O F ---



Here's the GMER paste:

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-11-11 13:06:51
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.13 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT sptd.sys ZwOpenKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRenameKey
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \??\C:\WINDOWS\system32\drivers\rw201.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess

---- Kernel code sections - GMER 1.0.13 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 23D0 805010D4 2 Bytes [ 20, 97 ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2424 80501128 6 Bytes [ F0, EE, 60, EB, 40, A7 ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2430 80501134 2 Bytes [ 80, A3 ]
.text ntkrnlpa.exe!ZwCallbackReturn + 24B4 805011B8 2 Bytes [ 80, AA ]
.text ntkrnlpa.exe!ZwCallbackReturn + 262C 80501330 2 Bytes [ F0, B1 ]
.text ...
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? srescan.sys The system cannot find the file specified.
? C:\WINDOWS\system32\drivers\sd64zfa.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F5FA662C 5 Bytes JMP 86DA27A0
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified.
? C:\DOCUME~1\BRIAND~1\LOCALS~1\Temp\catchme.sys The system cannot find the file specified.

---- Kernel IAT/EAT - GMER 1.0.13 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7382AB4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F7382BFA] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F7382B7C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F7383728] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F73835FE] sptd.sys
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7395C5A] sptd.sys
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [EB6169F0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [EB616F10] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [EB617070] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [EB616B60] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [EB616B60] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [EB6169F0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [EB616F10] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [EB617070] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [EB6169F0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [EB617070] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [EB616F10] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [EB616B60] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [EB617070] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [EB616F10] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [EB6169F0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [EB616B60] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [EB6169F0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [EB616F10] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [EB617070] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [EB6169F0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [EB616B60] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [EB617070] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [EB616F10] \SystemRoot\System32\vsdatant.sys

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 86F6D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 86F6D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 86F6D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 86F6D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 86F6D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 86F6D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 86F6D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 86F6D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 86F6D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 86F6D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 86F6D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 86F6D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 86F6D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 86F6D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 86F6D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 86F6D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 86F6D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 86F6D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 86F6D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 86F6D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 86F6D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 86F6D1E8

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F72A61DE] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F72A61DE] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F72A6454] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F72A61DE] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F2B92404] avg7rsw.sys

Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CREATE 86D251E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CLOSE 86D251E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_READ 86D251E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_WRITE 86D251E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_INFORMATION 86D251E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_INFORMATION 86D251E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_EA 86D251E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_EA 86D251E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FLUSH_BUFFERS 86D251E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_VOLUME_INFORMATION 86D251E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_VOLUME_INFORMATION 86D251E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_DIRECTORY_CONTROL 86D251E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FILE_SYSTEM_CONTROL 86D251E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_DEVICE_CONTROL 86D251E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SHUTDOWN 86D251E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_LOCK_CONTROL 86D251E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CLEANUP 86D251E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_PNP 86D251E8
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [EB623CC0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [EB623CC0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [EB623CC0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [EB623CC0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [EB623CC0] vsdatant.sys
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_CREATE 86E041E8
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_CLOSE 86E041E8
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_DEVICE_CONTROL 86E041E8
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 86E041E8
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_POWER 86E041E8
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_SYSTEM_CONTROL 86E041E8
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_PNP 86E041E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CREATE 86F711E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CLOSE 86F711E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_READ 86F711E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_WRITE 86F711E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_FLUSH_BUFFERS 86F711E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_DEVICE_CONTROL 86F711E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_INTERNAL_DEVICE_CONTROL 86F711E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SHUTDOWN 86F711E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_POWER 86F711E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SYSTEM_CONTROL 86F711E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_PNP 86F711E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CREATE 86F711E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CLOSE 86F711E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_READ 86F711E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_WRITE 86F711E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_FLUSH_BUFFERS 86F711E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_DEVICE_CONTROL 86F711E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_INTERNAL_DEVICE_CONTROL 86F711E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SHUTDOWN 86F711E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_POWER 86F711E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SYSTEM_CONTROL 86F711E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_PNP 86F711E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CREATE 86F711E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CLOSE 86F711E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_READ 86F711E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_WRITE 86F711E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_FLUSH_BUFFERS 86F711E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_DEVICE_CONTROL 86F711E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_INTERNAL_DEVICE_CONTROL 86F711E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SHUTDOWN 86F711E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_POWER 86F711E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SYSTEM_CONTROL 86F711E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_PNP 86F711E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CREATE 86F711E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CLOSE 86F711E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_READ 86F711E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_WRITE 86F711E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_FLUSH_BUFFERS 86F711E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_DEVICE_CONTROL 86F711E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_INTERNAL_DEVICE_CONTROL 86F711E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SHUTDOWN 86F711E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_POWER 86F711E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SYSTEM_CONTROL 86F711E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_PNP 86F711E8
Device \Driver\usbehci \Device\USBPDO-1 IRP_MJ_CREATE 86DA14F8
Device \Driver\usbehci \Device\USBPDO-1 IRP_MJ_CLOSE 86DA14F8
Device \Driver\usbehci \Device\USBPDO-1 IRP_MJ_DEVICE_CONTROL 86DA14F8
Device \Driver\usbehci \Device\USBPDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL 86DA14F8
Device \Driver\usbehci \Device\USBPDO-1 IRP_MJ_POWER 86DA14F8
Device \Driver\usbehci \Device\USBPDO-1 IRP_MJ_SYSTEM_CONTROL 86DA14F8
Device \Driver\usbehci \Device\USBPDO-1 IRP_MJ_PNP 86DA14F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{B20F974B-8561-4437-9B13-140145A673D1} IRP_MJ_CREATE 86CBF1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{B20F974B-8561-4437-9B13-140145A673D1} IRP_MJ_CLOSE 86CBF1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{B20F974B-8561-4437-9B13-140145A673D1} IRP_MJ_DEVICE_CONTROL 86CBF1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{B20F974B-8561-4437-9B13-140145A673D1} IRP_MJ_INTERNAL_DEVICE_CONTROL 86CBF1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{B20F974B-8561-4437-9B13-140145A673D1} IRP_MJ_CLEANUP 86CBF1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{B20F974B-8561-4437-9B13-140145A673D1} IRP_MJ_PNP 86CBF1E8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [EB623CC0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [EB623CC0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [EB623CC0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [EB623CC0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [EB623CC0] vsdatant.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 86F721E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 86F721E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE 86F721E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS 86F721E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL 86F721E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL 86F721E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN 86F721E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP 86F721E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER 86F721E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL 86F721E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_PNP 86F721E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE 86F721E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_READ 86F721E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_WRITE 86F721E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_FLUSH_BUFFERS 86F721E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DEVICE_CONTROL 86F721E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_INTERNAL_DEVICE_CONTROL 86F721E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SHUTDOWN 86F721E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CLEANUP 86F721E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_POWER 86F721E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SYSTEM_CONTROL 86F721E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_PNP 86F721E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 86C9A980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 86C9A980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 86C9A980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 86C9A980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 86C9A980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 86C9A980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 86C9A980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 86C9A980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 86C9A980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 86C9A980
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 86C9A980
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 86CBF1E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLOSE 86CBF1E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_DEVICE_CONTROL 86CBF1E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_INTERNAL_DEVICE_CONTROL 86CBF1E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLEANUP 86CBF1E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_PNP 86CBF1E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 86CBF1E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLOSE 86CBF1E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_DEVICE_CONTROL 86CBF1E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_INTERNAL_DEVICE_CONTROL 86CBF1E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLEANUP 86CBF1E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_PNP 86CBF1E8
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [EB623CC0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [EB623CC0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [EB623CC0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [EB623CC0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [EB623CC0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [EB623CC0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [EB623CC0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [EB623CC0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [EB623CC0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [EB623CC0] vsdatant.sys
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_CREATE 86E041E8
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_CLOSE 86E041E8
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_DEVICE_CONTROL 86E041E8
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 86E041E8
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_POWER 86E041E8
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_SYSTEM_CONTROL 86E041E8
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_PNP 86E041E8
Device \Driver\nvata \Device\0000007a IRP_MJ_CREATE 86F6F1E8
Device \Driver\nvata \Device\0000007a IRP_MJ_CREATE_NAMED_PIPE 86F6F1E8
Device \Driver\nvata \Device\0000007a IRP_MJ_CLOSE 86F6F1E8
Device \Driver\nvata \Device\0000007a IRP_MJ_READ 86F6F1E8
Device \Driver\nvata \Device\0000007a IRP_MJ_WRITE 86F6F1E8
Device \Driver\nvata \Device\0000007a IRP_MJ_QUERY_INFORMATION 86F6F1E8
Device \Driver\nvata \Device\0000007a IRP_MJ_SET_INFORMATION 86F6F1E8
Device \Driver\nvata \Device\0000007a IRP_MJ_QUERY_EA 86F6F1E8
Device \Driver\nvata \Device\0000007a IRP_MJ_SET_EA 86F6F1E8
Device \Driver\nvata \Device\0000007a IRP_MJ_FLUSH_BUFFERS 86F6F1E8
Device \Driver\nvata \Device\0000007a IRP_MJ_QUERY_VOLUME_INFORMATION 86F6F1E8
Device \Driver\nvata \Device\0000007a IRP_MJ_SET_VOLUME_INFORMATION 86F6F1E8
Device \Driver\nvata \Device\0000007a IRP_MJ_DIRECTORY_CONTROL 86F6F1E8
Device \Driver\nvata \Device\0000007a IRP_MJ_FILE_SYSTEM_CONTROL 86F6F1E8
Device \Driver\nvata \Device\0000007a IRP_MJ_DEVICE_CONTROL 86F6F1E8
Device \Driver\nvata \Device\0000007a IRP_MJ_INTERNAL_DEVICE_CONTROL 86F6F1E8
Device \Driver\nvata \Device\0000007a IRP_MJ_SHUTDOWN 86F6F1E8
Device \Driver\nvata \Device\0000007a IRP_MJ_LOCK_CONTROL 86F6F1E8
Device \Driver\nvata \Device\0000007a IRP_MJ_CLEANUP 86F6F1E8
Device \Driver\nvata \Device\0000007a IRP_MJ_CREATE_MAILSLOT 86F6F1E8
Device \Driver\nvata \Device\0000007a IRP_MJ_QUERY_SECURITY 86F6F1E8
Device \Driver\nvata \Device\0000007a IRP_MJ_SET_SECURITY 86F6F1E8
Device \Driver\nvata \Device\0000007a IRP_MJ_POWER 86F6F1E8
Device \Driver\nvata \Device\0000007a IRP_MJ_SYSTEM_CONTROL 86F6F1E8
Device \Driver\nvata \Device\0000007a IRP_MJ_DEVICE_CHANGE 86F6F1E8
Device \Driver\nvata \Device\0000007a IRP_MJ_QUERY_QUOTA 86F6F1E8
Device \Driver\nvata \Device\0000007a IRP_MJ_SET_QUOTA 86F6F1E8
Device \Driver\nvata \Device\0000007a IRP_MJ_PNP 86F6F1E8
Device \Driver\usbehci \Device\USBFDO-1 IRP_MJ_CREATE 86DA14F8
Device \Driver\usbehci \Device\USBFDO-1 IRP_MJ_CLOSE 86DA14F8
Device \Driver\usbehci \Device\USBFDO-1 IRP_MJ_DEVICE_CONTROL 86DA14F8
Device \Driver\usbehci \Device\USBFDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL 86DA14F8
Device \Driver\usbehci \Device\USBFDO-1 IRP_MJ_POWER 86DA14F8
Device \Driver\usbehci \Device\USBFDO-1 IRP_MJ_SYSTEM_CONTROL 86DA14F8
Device \Driver\usbehci \Device\USBFDO-1 IRP_MJ_PNP 86DA14F8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_CREATE 86F6F1E8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_CREATE_NAMED_PIPE 86F6F1E8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_CLOSE 86F6F1E8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_READ 86F6F1E8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_WRITE 86F6F1E8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_QUERY_INFORMATION 86F6F1E8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_SET_INFORMATION 86F6F1E8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_QUERY_EA 86F6F1E8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_SET_EA 86F6F1E8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_FLUSH_BUFFERS 86F6F1E8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_QUERY_VOLUME_INFORMATION 86F6F1E8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_SET_VOLUME_INFORMATION 86F6F1E8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_DIRECTORY_CONTROL 86F6F1E8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_FILE_SYSTEM_CONTROL 86F6F1E8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_DEVICE_CONTROL 86F6F1E8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_INTERNAL_DEVICE_CONTROL 86F6F1E8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_SHUTDOWN 86F6F1E8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_LOCK_CONTROL 86F6F1E8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_CLEANUP 86F6F1E8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_CREATE_MAILSLOT 86F6F1E8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_QUERY_SECURITY 86F6F1E8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_SET_SECURITY 86F6F1E8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_POWER 86F6F1E8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_SYSTEM_CONTROL 86F6F1E8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_DEVICE_CHANGE 86F6F1E8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_QUERY_QUOTA 86F6F1E8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_SET_QUOTA 86F6F1E8
Device \Driver\nvata \Device\NvAta0 IRP_MJ_PNP 86F6F1E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 86C63980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 86C63980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSE 86C63980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 86C63980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 86C63980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 86C63980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 86C63980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 86C63980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 86C63980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 86C63980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 86C63980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 86C63980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 86C63980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 86C63980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 86C63980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 86C63980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 86C63980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 86C63980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 86C63980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 86C63980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 86C63980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 86C63980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 86C63980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 86C63980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 86C63980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 86C63980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 86C63980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 86C63980
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [EB623CC0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [EB623CC0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [EB623CC0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [EB623CC0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [EB623CC0] vsdatant.sys
Device \Driver\nvata \Device\NvAta1 IRP_MJ_CREATE 86F6F1E8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_CREATE_NAMED_PIPE 86F6F1E8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_CLOSE 86F6F1E8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_READ 86F6F1E8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_WRITE 86F6F1E8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_QUERY_INFORMATION 86F6F1E8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_SET_INFORMATION 86F6F1E8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_QUERY_EA 86F6F1E8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_SET_EA 86F6F1E8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_FLUSH_BUFFERS 86F6F1E8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_QUERY_VOLUME_INFORMATION 86F6F1E8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_SET_VOLUME_INFORMATION 86F6F1E8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_DIRECTORY_CONTROL 86F6F1E8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_FILE_SYSTEM_CONTROL 86F6F1E8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_DEVICE_CONTROL 86F6F1E8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_INTERNAL_DEVICE_CONTROL 86F6F1E8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_SHUTDOWN 86F6F1E8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_LOCK_CONTROL 86F6F1E8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_CLEANUP 86F6F1E8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_CREATE_MAILSLOT 86F6F1E8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_QUERY_SECURITY 86F6F1E8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_SET_SECURITY 86F6F1E8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_POWER 86F6F1E8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_SYSTEM_CONTROL 86F6F1E8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_DEVICE_CHANGE 86F6F1E8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_QUERY_QUOTA 86F6F1E8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_SET_QUOTA 86F6F1E8
Device \Driver\nvata \Device\NvAta1 IRP_MJ_PNP 86F6F1E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 86C63980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 86C63980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSE 86C63980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 86C63980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 86C63980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 86C63980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 86C63980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 86C63980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 86C63980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 86C63980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 86C63980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 86C63980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 86C63980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 86C63980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 86C63980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 86C63980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 86C63980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 86C63980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 86C63980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 86C63980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 86C63980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 86C63980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 86C63980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 86C63980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 86C63980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 86C63980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 86C63980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 86C63980
Device \Driver\nvata \Device\0000007c IRP_MJ_CREATE 86F6F1E8
Device \Driver\nvata \Device\0000007c IRP_MJ_CREATE_NAMED_PIPE 86F6F1E8
Device \Driver\nvata \Device\0000007c IRP_MJ_CLOSE 86F6F1E8
Device \Driver\nvata \Device\0000007c IRP_MJ_READ 86F6F1E8
Device \Driver\nvata \Device\0000007c IRP_MJ_WRITE 86F6F1E8
Device \Driver\nvata \Device\0000007c IRP_MJ_QUERY_INFORMATION 86F6F1E8
Device \Driver\nvata \Device\0000007c IRP_MJ_SET_INFORMATION 86F6F1E8
Device \Driver\nvata \Device\0000007c IRP_MJ_QUERY_EA 86F6F1E8
Device \Driver\nvata \Device\0000007c IRP_MJ_SET_EA 86F6F1E8
Device \Driver\nvata \Device\0000007c IRP_MJ_FLUSH_BUFFERS 86F6F1E8
Device \Driver\nvata \Device\0000007c IRP_MJ_QUERY_VOLUME_INFORMATION 86F6F1E8
Device \Driver\nvata \Device\0000007c IRP_MJ_SET_VOLUME_INFORMATION 86F6F1E8
Device \Driver\nvata \Device\0000007c IRP_MJ_DIRECTORY_CONTROL 86F6F1E8
Device \Driver\nvata \Device\0000007c IRP_MJ_FILE_SYSTEM_CONTROL 86F6F1E8
Device \Driver\nvata \Device\0000007c IRP_MJ_DEVICE_CONTROL 86F6F1E8
Device \Driver\nvata \Device\0000007c IRP_MJ_INTERNAL_DEVICE_CONTROL 86F6F1E8
Device \Driver\nvata \Device\0000007c IRP_MJ_SHUTDOWN 86F6F1E8
Device \Driver\nvata \Device\0000007c IRP_MJ_LOCK_CONTROL 86F6F1E8
Device \Driver\nvata \Device\0000007c IRP_MJ_CLEANUP 86F6F1E8
Device \Driver\nvata \Device\0000007c IRP_MJ_CREATE_MAILSLOT 86F6F1E8
Device \Driver\nvata \Device\0000007c IRP_MJ_QUERY_SECURITY 86F6F1E8
Device \Driver\nvata \Device\0000007c IRP_MJ_SET_SECURITY 86F6F1E8
Device \Driver\nvata \Device\0000007c IRP_MJ_POWER 86F6F1E8
Device \Driver\nvata \Device\0000007c IRP_MJ_SYSTEM_CONTROL 86F6F1E8
Device \Driver\nvata \Device\0000007c IRP_MJ_DEVICE_CHANGE 86F6F1E8
Device \Driver\nvata \Device\0000007c IRP_MJ_QUERY_QUOTA 86F6F1E8
Device \Driver\nvata \Device\0000007c IRP_MJ_SET_QUOTA 86F6F1E8
Device \Driver\nvata \Device\0000007c IRP_MJ_PNP 86F6F1E8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_CREATE 86F6F1E8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_CREATE_NAMED_PIPE 86F6F1E8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_CLOSE 86F6F1E8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_READ 86F6F1E8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_WRITE 86F6F1E8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_QUERY_INFORMATION 86F6F1E8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_SET_INFORMATION 86F6F1E8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_QUERY_EA 86F6F1E8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_SET_EA 86F6F1E8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_FLUSH_BUFFERS 86F6F1E8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_QUERY_VOLUME_INFORMATION 86F6F1E8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_SET_VOLUME_INFORMATION 86F6F1E8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_DIRECTORY_CONTROL 86F6F1E8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_FILE_SYSTEM_CONTROL 86F6F1E8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_DEVICE_CONTROL 86F6F1E8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_INTERNAL_DEVICE_CONTROL 86F6F1E8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_SHUTDOWN 86F6F1E8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_LOCK_CONTROL 86F6F1E8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_CLEANUP 86F6F1E8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_CREATE_MAILSLOT 86F6F1E8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_QUERY_SECURITY 86F6F1E8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_SET_SECURITY 86F6F1E8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_POWER 86F6F1E8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_SYSTEM_CONTROL 86F6F1E8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_DEVICE_CHANGE 86F6F1E8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_QUERY_QUOTA 86F6F1E8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_SET_QUOTA 86F6F1E8
Device \Driver\nvata \Device\NvAta2 IRP_MJ_PNP 86F6F1E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 86F721E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_READ 86F721E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_WRITE 86F721E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_FLUSH_BUFFERS 86F721E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_DEVICE_CONTROL 86F721E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_INTERNAL_DEVICE_CONTROL 86F721E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SHUTDOWN 86F721E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CLEANUP 86F721E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_POWER 86F721E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SYSTEM_CONTROL 86F721E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_PNP 86F721E8
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE 86D251E8
Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE 86D251E8
Device \FileSystem\Fastfat \Fat IRP_MJ_READ 86D251E8
Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE 86D251E8
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION 86D251E8
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION 86D251E8
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA 86D251E8
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA 86D251E8
Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS 86D251E8
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION 86D251E8
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION 86D251E8
Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL 86D251E8
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL 86D251E8
Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL 86D251E8
Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN 86D251E8
Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL 86D251E8
Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP 86D251E8
Device \FileSystem\Fastfat \Fat IRP_MJ_PNP 86D251E8

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F72A61DE] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [F72A61DE] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F72A6454] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [F72A61DE] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [F7299F4C] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [F2B92404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [F2B92404] avg7rsw.sys

Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 86CAA980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE 86CAA980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 86CAA980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION 86CAA980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION 86CAA980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION 86CAA980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL 86CAA980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL 86CAA980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL 86CAA980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN 86CAA980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL 86CAA980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP 86CAA980
Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP 86CAA980

---- Threads - GMER 1.0.13 ----

Thread 4:160 86F76310

---- Registry - GMER 1.0.13 ----

Reg \Registry\USER\S-1-5-21-484763869-573735546-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{537E314E-8C94-0EB0-13E3-CE6C724A540A}@hakifjihbgjnimfl 0x6B 0x61 0x6B 0x6E ...
Reg \Registry\USER\S-1-5-21-484763869-573735546-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{537E314E-8C94-0EB0-13E3-CE6C724A540A}@jamjnlmbjhokjmpachpa 0x6B 0x61 0x6B 0x6E ...

---- EOF - GMER 1.0.13 ----
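A small triage helper for GMER output of the kind pasted above, added here as an example; it is not part of the original post and not GMER's own code. It parses the `Device`/`AttachedDevice` lines into (driver, device, IRP major function, address, module) records, counts which modules own dispatch entries that GMER resolved to a module name, compares them with an allowlist, and decodes the hex bytes GMER prints for the flagged `Reg` values. The sample input is a handful of lines copied from the posted log so the script runs offline. The allowlist (`vsdatant.sys`, `fltMgr.sys`, `avg7rsw.sys`) is an assumption drawn from the products visible in the posted process list (ZoneAlarm's `vsmon.exe`, AVG) plus Windows' own filter manager, and should be confirmed against signed files on disk; the `looks_random` test on value names is a heuristic, not a verdict.

```python
import re
from collections import Counter

# Constructed sample: lines copied verbatim from the posted GMER 1.0.13 log,
# embedded so the script runs offline. For a full log, call
# triage_report(open(path, encoding="utf-8", errors="replace").read()).
SAMPLE_LOG = r"""
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 86F721E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 86F721E8
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [EB623CC0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [EB623CC0] vsdatant.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F72A61DE] fltMgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F2B92404] avg7rsw.sys
Reg \Registry\USER\S-1-5-21-484763869-573735546-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{537E314E-8C94-0EB0-13E3-CE6C724A540A}@hakifjihbgjnimfl 0x6B 0x61 0x6B 0x6E ...
"""

# Assumption (verify against signed files on disk): these modules match products
# visible in the posted process list (ZoneAlarm, AVG) plus the Windows filter manager.
EXPECTED_MODULES = frozenset({"vsdatant.sys", "fltmgr.sys", "avg7rsw.sys"})

# "Device <driver> <device> IRP_MJ_X [addr] module.sys"  -> entry resolved to a module
# "Device <driver> <device> IRP_MJ_X addr"               -> GMER printed only an address
HOOK_RE = re.compile(
    r"^(?P<kind>Device|AttachedDevice)\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+"
    r"(?P<irp>IRP_MJ_\w+)\s+(?:\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)|(?P<bare>[0-9A-Fa-f]+))\s*$"
)
# "Reg <key>@<value name> 0xNN 0xNN ... [...]"  (key paths may contain spaces)
REG_RE = re.compile(
    r"^Reg\s+(?P<key>.+?)@(?P<name>\S+)\s+(?P<bytes>(?:0x[0-9A-Fa-f]{2}\s*)+)(?P<more>\.\.\.)?\s*$"
)


def parse_hooks(text):
    """Return one record per Device/AttachedDevice dispatch-table line."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        hooks.append({
            "kind": m["kind"], "driver": m["driver"], "device": m["device"],
            "irp": m["irp"],
            "addr": m["addr"] or m["bare"],
            "module": m["module"],  # None when GMER printed only an address
        })
    return hooks


def entries_by_module(hooks):
    """How many dispatch entries GMER resolved to each module."""
    return dict(Counter(h["module"] for h in hooks if h["module"]))


def unexpected_modules(hooks, allowlist):
    """Modules owning dispatch entries that are not on the allowlist (case-insensitive)."""
    return sorted({h["module"] for h in hooks
                   if h["module"] and h["module"].lower() not in allowlist})


def parse_reg_values(text):
    """Decode the hex bytes GMER prints for a Reg line and flag odd value names."""
    out = []
    for line in text.splitlines():
        m = REG_RE.match(line.strip())
        if not m:
            continue
        raw = bytes(int(tok, 16) for tok in m["bytes"].split())
        name = m["name"]
        out.append({
            "key": m["key"], "name": name, "raw": raw,
            "decoded": "".join(chr(b) if 32 <= b < 127 else "." for b in raw),
            "truncated": m["more"] is not None,  # GMER appended "..."
            # Heuristic: long, all-lowercase alphabetic value names are typical of generated names.
            "looks_random": len(name) >= 12 and name.isalpha() and name.islower(),
        })
    return out


def triage_report(text):
    hooks = parse_hooks(text)
    regs = parse_reg_values(text)
    return {
        "dispatch_entries": len(hooks),
        "resolved_to_module": entries_by_module(hooks),
        "unexpected_modules": unexpected_modules(hooks, EXPECTED_MODULES),
        "suspicious_reg_values": [(r["name"], r["decoded"]) for r in regs if r["looks_random"]],
    }


if __name__ == "__main__":
    for key, value in triage_report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it over the full log rather than the sample to get the real counts; an empty `unexpected_modules` list only means every resolved dispatch entry points at a module you have already decided to trust, so the point of the allowlist is to keep that decision explicit and checkable.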