Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Please help! Malware/Anti-Spyware scanners will not run, Display settings changed, etc.


  • This topic is locked This topic is locked
26 replies to this topic

#1 klfrancois

klfrancois

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:55 PM

Posted 01 November 2008 - 08:29 AM

I usually logon under another user account with admin. rights, but when I logged onto the Administrator account yesterday all of the context menus and display properties were altered (i.e. colors, size, etc.) and after trying to run all the anti-spyware, malware programs that normally run when i'm on my other user account (Ad-Aware, SUPERAntiSpyware, Spybot) none would run; they would not even update. Also, I am unable to change the folder settings to view hidden folders. Once I change the settings in My Computer and click "OK", when I go back into the folder settings they have reverted back to the previous setting of 'do not show hidden files' or system files. Would someone please take a look at my HijackThis log? Thanks. Any help is greatly appreciated!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:28:12 AM, on 11/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Safari\Safari.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\HJT\hijackthis.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1224972744265
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: McAfee Application Installer Cleanup (0042901223912352) (0042901223912352mcinstcleanup) - Unknown owner - C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\004290~1.EXE (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 7185 bytes

Edited by klfrancois, 01 November 2008 - 08:33 AM.


BC AdBot (Login to Remove)

 


#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:55 PM

Posted 06 November 2008 - 12:09 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Further more, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Download and Run OTScanIt
Download OTScanIt2 by OldTimer to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program. If you are running on Vista then right-click the program and choose Run as Administrator.
  • Check the Scan all users box.
  • Under the Additional Scans bar, click "Extras". Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).
  • Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt2 folder and named OTScanIt.txt.


Please also tell me of any changes you have made to your computer since your topic was started.

If you do not make a reply in 5 days, we will need to close your topic.

With Regards,
The Panda

Important Note to Other Users Reading this Topic: The instructions provided in this topic below this point are for the original topic starter only. Even if you have similar problems or log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic. Feel free to link to any relevant topics as needed.

#3 klfrancois

klfrancois
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:55 PM

Posted 06 November 2008 - 08:36 PM

Attached File  OTScanIt.Txt   174.32KB   35 downloadsHi, PropagandaPanda! To answer your question, I have not made any changes to my computer since first posting in this forum on Saturday, 11/1. I ran the scan you asked for logged in under the account I mentioned as having problems (the built-in administrator account) and have attached it for your review.

Thanks in advance for helping me!

Edited by klfrancois, 06 November 2008 - 08:37 PM.


#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:55 PM

Posted 07 November 2008 - 08:15 AM

Hello.

I don't see any evidence of malware in your logs.

Have you tried to reinstall your security software?

Was your antivirus disabled when you tried to make the changes?

To disable Avira:
  • Navigate to the system tray on the bottom right hand corner and look for an open white umbrella on red background (looks to this: Posted Image )
  • right click it-> untick the option AntiVir Guard enable.
  • You should now see a closed, white umbrella on a red background (looks to this: Posted Image )
Run Fix with OTScanIt
We will run OTScanIt again, but the directions are slightly different. If you have lost your copy of OTScanIt, download it here and extract it like you did last time.
  • Double click the OTScanIt.exe icon in the OTScanIt folder on your desktop. If you are using Windows Vista, right click OTScanIt.exe and select Run as Administrator.
  • Copy the contents of the codebox below into the "Paste fix here" box.
    [Registry - Safe List]
    < CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    YN -> \\"HonorAutoRunSetting" -> [1]
    YN -> \\"NoFolderOptions" -> [0]
    < CurrentVersion Policy Settings - Explorer [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    YN -> \\"NoFolderOptions" -> [0]
    < CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-2068952817-818587887-3723621831-500] > -> HKEY_USERS\S-1-5-21-2068952817-818587887-3723621831-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    YN -> \\"NoFolderOptions" -> [0]
  • Close all windows except OTScanIt.
  • Click it Run Fix button.
When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click OK and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix. Notepad will open with the final results at that time. Post that log back here in your next reply.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.


Re-enable your protection at this time.

Please post back with:
-the OTMoveIt fix log
-the Kaspersky log
-a new HijackThis log

Does the folder options problem still occur?

With Regards,
The Panda

#5 klfrancois

klfrancois
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:55 PM

Posted 07 November 2008 - 09:47 AM

Good Morning!

No, I have not tried to re-install my security software. I am unsure as to what changes you are referring to when you asked "Was your antivirus disabled when you tried to make the changes"? I haven't been trying to make any changes; I first noticed these issues after logging on the built-in administrator account which looked noticably different as all the display settings were altered (browser windows, message windows, search assistant, etc.) I then tried to run a virus scan and was unable to even open the program, and that's also when I found out I was unable to view hidden files/folders (which, unfortunately, still doesn't work) When I open IE I do not get my normal home page, it is as if I have re-installed IE and I get the "run once" page which allows you to customize your own settings. Same thing when I try to run SUPERAntiSpyware. I have had it installed for awhile, but everytime I open it, it contains an empty definitions database and is as if it has been freshly installed. I am receiving a lot of popups from Sygate about dll files having been changed and asking permission to run with explorer.exe, Avira, etc. I have included an example below of the popups I am receiving from Sygate, which I do not allow..they popup and disappear automatically:

Application has changed since the last time you opened it, process id: 2276
Filename: C:\WINDOWS\explorer.exe
The change was allowed by user

---- Modules changed: 0 ----
---- New modules: 53 ----
C:\WINDOWS\system32\qedit.dll
C:\WINDOWS\system32\avifil32.dll
C:\WINDOWS\system32\msvfw32.dll
C:\WINDOWS\system32\shmedia.dll
C:\WINDOWS\system32\strmdll.dll
C:\WINDOWS\system32\drmclien.dll
C:\WINDOWS\system32\dxmasf.dll
C:\WINDOWS\system32\wmpasf.dll
C:\WINDOWS\system32\quartz.dll
C:\Program Files\HP\DVDPlay\Kernel\Video\CLMedia.dll
C:\Program Files\QuickTime\QTSystem\QuickTime.cpl
C:\Program Files\Avira\AntiVir PersonalEdition Classic\rcimage.dll
C:\PROGRA~1\Avira\ANTIVI~1\avconfig.cpl
C:\Program Files\Common Files\Microsoft Shared\Speech\sapi.cpl
C:\WINDOWS\system32\wuaucpl.cpl
C:\WINDOWS\system32\wscui.cpl
C:\WINDOWS\system32\timedate.cpl
C:\WINDOWS\system32\telephon.cpl
C:\WINDOWS\system32\usp10.dll
C:\WINDOWS\system32\sysdm.cpl
C:\WINDOWS\system32\RTSndMgr.CPL
C:\WINDOWS\system32\powercfg.cpl
C:\WINDOWS\system32\nwprovau.dll
C:\WINDOWS\system32\nwc.cpl
C:\WINDOWS\system32\nvtuicpl.cpl
C:\WINDOWS\system32\nusrmgr.cpl
C:\WINDOWS\system32\netsetup.cpl
C:\WINDOWS\system32\mmsys.cpl
C:\WINDOWS\system32\main.cpl
C:\WINDOWS\system32\dinput8.dll
C:\WINDOWS\system32\joy.cpl
C:\WINDOWS\system32\javacpl.cpl
C:\WINDOWS\system32\irprops.cpl
C:\WINDOWS\system32\sfcfiles.dll
C:\WINDOWS\system32\sfc_os.dll
C:\WINDOWS\system32\sfc.dll
C:\WINDOWS\system32\syssetup.dll
C:\WINDOWS\system32\intl.cpl
C:\WINDOWS\system32\rasdlg.dll
C:\WINDOWS\system32\msls31.dll
C:\WINDOWS\system32\mshtml.dll
C:\WINDOWS\system32\inetcpl.cpl
C:\WINDOWS\system32\hdwwiz.cpl
C:\WINDOWS\system32\firewall.cpl
C:\WINDOWS\system32\wmi.dll
C:\WINDOWS\system32\devmgr.dll
C:\WINDOWS\system32\bthprops.cpl
C:\WINDOWS\system32\oleacc.dll
C:\WINDOWS\system32\appwiz.cpl
C:\WINDOWS\system32\winspool.drv
C:\WINDOWS\system32\ALSNDMGR.CPL
C:\WINDOWS\system32\access.cpl
C:\WINDOWS\system32\sxs.dll


I've posted the OTScanIT log and a fresh HijackThis log below. I wanted to ask for your assistance before running Kaspersky because Avira is not in my system tray, although the splash screen loaded when I logged on so I believe it is running. I also have Spybot and am not sure if TeaTimer is running, so how should I go about disabling these programs since they are not showing in my system tray?

I appreciate your help!

-------------------------------------------------------------------


[Registry - Safe List]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\HonorAutoRunSetting deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoFolderOptions deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoFolderOptions deleted successfully.
Registry key HKEY_USERS\Microsoft\Windows\CurrentVersion\policies\Explorer not found.
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.0.30b fix logfile created on 11072008_093244

-------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:34:59 AM, on 11/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1224972744265
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: McAfee Application Installer Cleanup (0219471225593497) (0219471225593497mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\021947~1.EXE (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 6945 bytes

Edited by klfrancois, 07 November 2008 - 10:05 AM.


#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:55 PM

Posted 07 November 2008 - 11:52 AM

Hello.

By changes I had meant changing the folder view settings.

If the icon is not in the tray, go ahead without disabling it. It usually won't be problem.

These signs do sound like an infection though. Please take a scan with GMER after Kaspersky to see if anything is hiding.
Download and Run Scan with GMER
We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.
  • Close all other running programs. There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>.
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • Click OK.
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop buttons turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in Safe Mode
Important!:Please do not select the Show all checkbox during the scan..


With Regards,
The Panda

#7 klfrancois

klfrancois
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:55 PM

Posted 07 November 2008 - 10:26 PM

I have attempted to run the Kaspersky scan 3 times to no avail. When I am about to connect to the webpage, IE shuts itself down - the browser window just disappears. I was able to run the GMER scan and have posted the log below.


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-07 22:20:29
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xF77C2B30]
SSDT F7D676DC ZwCreateThread
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xF77C2470]
SSDT F7D676C8 ZwOpenProcess
SSDT F7D676CD ZwOpenThread
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwProtectVirtualMemory [0xF77C2C50]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwShutdownSystem [0xF77C2990]
SSDT F7D676D7 ZwTerminateProcess
SSDT F7D676D2 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.14 ----

.text tcpip.sys!IPTransmit + 10FC F3FB5D3A 6 Bytes CALL F72A6E50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPTransmit + 2A52 F3FB7690 6 Bytes CALL F72A6E50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPRegisterProtocol + 930 F3FCD454 6 Bytes CALL F72A6E50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text wanarp.sys F78053FD 4 Bytes CALL F72A6FA0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text wanarp.sys F7805402 2 Bytes [ 90, 90 ]

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F72A7C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F72A7BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F72A7B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F72A78E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F72A78E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F72A7BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F72A7C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F72A7B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F72A7B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F72A78E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F72A7BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F72A7C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F72A78E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F72A7B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F72A7C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F72A7BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F72A7C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F72A7BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F72A78E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F72A7B10] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F72A78E0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F72A7BD0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F72A7C70] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

---- Devices - GMER 1.0.14 ----

Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)

Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs B4565400

---- EOF - GMER 1.0.14 ----

#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:55 PM

Posted 08 November 2008 - 09:45 AM

Hello.

That GMER log looks clean.

Please reinstall the applications that you were having problems with.

After, open OTScanIt, and click Run Scan without change any settings. Attach the new log.

With Regards,
The Panda

#9 klfrancois

klfrancois
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:55 PM

Posted 08 November 2008 - 10:14 AM

I am not having problems with the applications on the user account I am now on (HP_Administrator), but once I log on as the built-in administrator account, and open the programs it is as if I am using them for the first time (there are no definitions saved, etc.) and I am still unable to view hidden files and folders. I can run the Kaspersky scan on this account, but when attempting to use it when logged on as the built-in administrator IE closes automatically. Also my pagefile has a file size of 1,474,560 kb and my computer keeps crashing.

I suppose I will uninstall and re-install, but i'm not sure what that will do to fix the other issues I am having. Thanks.

#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:55 PM

Posted 08 November 2008 - 10:24 AM

Hello klfrancois.

If it's just one account that is having problems, it would be much easier to backup the data, delete that account, and recreate it. Would you be willing to do this?

You have 1 gig of RAM, so that is the appropriate size of the pagefile.

With Regards,
The Panda

#11 klfrancois

klfrancois
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:55 PM

Posted 08 November 2008 - 12:04 PM

I would, but I am not sure how to go about doing this since it is the built-in admin account. I changed the User Account options from logging on via the Windows welcome screen (where you can click on a user's name/picture) to manual user name entry because the Administrator account is normally hidden from the other welcome screen. Can you please advise on how to go about backing up and deleting this account? Any help is much appreciated. Thanks again.

#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:55 PM

Posted 08 November 2008 - 12:18 PM

Hello.

First of all, you will need to give the second account, HP_Administrator, administrative priviledges, if it does not have them already. Do this by logging into the original Administrator account, going to User Accounts, selecting the other account, selecting "Change the account type" and changing the type to Administrator.

Copy all the documents there that you need either into the other account's profile, or to a removable drive.

Now log on to HP_Administrator. In User Accounts, select "Administrator" then "Delete the account". When asked if you want to delete the profile items, click "No".

With Regards,
The Panda

#13 klfrancois

klfrancois
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:55 PM

Posted 08 November 2008 - 12:31 PM

I followed your instructions, and the HP_Administrator account already has admin. privileges. I logged back on to the HP_Administrator account and went to User Accounts and the only users that are listed there are the HP_Administrator account (which seems to be working fine) and my Guest account (which is currently disabled). The built-in "Administrator" account is not listed there.

#14 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:55 PM

Posted 08 November 2008 - 12:39 PM

Hello.

Using the HP_Administrator account, please download Tweak IU by Microsoft to the desktop. Run the setup.

Open Tweak IU. In the Logon, select the Administrator account to be shown in the welcome screen.

Reboot. Can you see the Administrator account in the User Accounts now?

With Regards,
The Panda

#15 klfrancois

klfrancois
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:55 PM

Posted 08 November 2008 - 12:50 PM

I ran the GMER program under the account that appeared to be working fine (HP_Administrator) and after the scan finished received a message that GMER had detected rootkit activity. I am not sure if this is a f/p because I know you said the other log was clean, so I pasted the log below for you to review.

I just saw your last reply and will do that now, and let you know how I make out. Thanks again.

-------------------------------------------------------------------------------

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-08 12:45:10
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT F7D39A3C ZwCreateThread
SSDT F7D39A28 ZwOpenProcess
SSDT F7D39A2D ZwOpenThread
SSDT F7D39A37 ZwTerminateProcess
SSDT F7D39A32 ZwWriteVirtualMemory

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\tlntsvr.exe (*** hidden *** ) [MANUAL] TlntSvr <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg@Description Registry Server
Reg HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths
Reg HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths@Machine System\CurrentControlSet\Control\ProductOptions?System\CurrentControlSet\Control\Print\Printers?System\CurrentControlSet\Control\Server Applications?System\CurrentControlSet\Services\Eventlog?Software\Microsoft\OLAP Server?Software\Microsoft\Windows NT\CurrentVersion?System\CurrentControlSet\Control\ContentIndex?System\CurrentControlSet\Control\Terminal Server?System\CurrentControlSet\Control\Terminal Server\UserConfig?System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration?
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security@DisplayNameFile %SystemRoot%\System32\els.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security@DisplayNameID 257
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security@File %SystemRoot%\System32\config\SecEvent.Evt
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security@MaxSize 524288
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security@PrimaryModule Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security@Retention 604800
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security@Sources Spooler?Security Account Manager?SC Manager?NetDDE Object?LSA?DS?Security?
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security@RestrictGuestAccess 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\DS
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\DS@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\DS\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\DS\ObjectNames@Directory Service Object 7680
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames@PolicyObject 5632
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames@SecretObject 5648
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames@TrustedDomainObject 5664
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames@UserAccountObject 5680
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\NetDDE Object
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\NetDDE Object@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\NetDDE Object\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\NetDDE Object\ObjectNames@DDE Share 7424
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager\ObjectNames@SC_MANAGER Object 7168
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager\ObjectNames@SERVICE Object 7184
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@CategoryCount 9
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@CategoryMessageFile %SystemRoot%\System32\MsAuditE.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@GuidMessageFile %SystemRoot%\System32\NtMarta.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@EventMessageFile %SystemRoot%\System32\MsAuditE.dll;%SystemRoot%\System32\xpsp2res.dll;%SystemRoot%\System32\xpsp3res.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@TypesSupported 28
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Channel 5120
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Desktop 6672
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Device 4352
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Directory 4368
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Event 4384
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@EventPair 4400
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@File 4416
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@IoCompletion 4864
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Job 5136
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Key 4432
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@MailSlot 4416
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Mutant 4448
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@NamedPipe 4416
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Port 4464
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Process 4480
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Profile 4496
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Section 4512
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Semaphore 4528
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@SymbolicLink 4544
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Thread 4560
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Timer 4576
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Token 4592
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Type 4608
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@WaitablePort 4464
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@WindowStation 6656
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_ALIAS 5424
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_DOMAIN 5392
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_GROUP 5408
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_SERVER 5376
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_USER 5440
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames@Document 6944
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames@Printer 6928
Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames@Server 6912
Reg HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr@Type 16
Reg HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr@ImagePath C:\WINDOWS\system32\tlntsvr.exe
Reg HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr@DisplayName Telnet
Reg HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr@DependOnService RPCSS?TCPIP?NTLMSSP?
Reg HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr@DependOnGroup
Reg HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr@Description Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. If this service is stopped, remote user access to programs might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Library C:\WINDOWS\system32\wbem\wmiaprpl.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Open WmiOpenPerfData
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Collect WmiCollectPerfData
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Close WmiClosePerfData
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Counter 3264
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Help 3265
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Counter 3252
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Help 3253
Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List 3252 3258
Reg HKLM\SYSTEM\ControlSet002\Control\SecurePipeServers\winreg@Description Registry Server
Reg HKLM\SYSTEM\ControlSet002\Control\SecurePipeServers\winreg\AllowedPaths
Reg HKLM\SYSTEM\ControlSet002\Control\SecurePipeServers\winreg\AllowedPaths@Machine System\CurrentControlSet\Control\ProductOptions?System\CurrentControlSet\Control\Print\Printers?System\CurrentControlSet\Control\Server Applications?System\CurrentControlSet\Services\Eventlog?Software\Microsoft\OLAP Server?Software\Microsoft\Windows NT\CurrentVersion?System\CurrentControlSet\Control\ContentIndex?System\CurrentControlSet\Control\Terminal Server?System\CurrentControlSet\Control\Terminal Server\UserConfig?System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration?
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security@DisplayNameFile %SystemRoot%\System32\els.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security@DisplayNameID 257
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security@File %SystemRoot%\System32\config\SecEvent.Evt
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security@MaxSize 524288
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security@PrimaryModule Security
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security@Retention 604800
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security@Sources Spooler?Security Account Manager?SC Manager?NetDDE Object?LSA?DS?Security?
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security@RestrictGuestAccess 1
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\DS
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\DS@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\DS\ObjectNames
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\DS\ObjectNames@Directory Service Object 7680
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA\ObjectNames
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA\ObjectNames@PolicyObject 5632
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA\ObjectNames@SecretObject 5648
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA\ObjectNames@TrustedDomainObject 5664
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA\ObjectNames@UserAccountObject 5680
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\NetDDE Object
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\NetDDE Object@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\NetDDE Object\ObjectNames
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\NetDDE Object\ObjectNames@DDE Share 7424
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\SC Manager
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\SC Manager@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\SC Manager\ObjectNames
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\SC Manager\ObjectNames@SC_MANAGER Object 7168
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\SC Manager\ObjectNames@SERVICE Object 7184
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security@CategoryCount 9
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security@CategoryMessageFile %SystemRoot%\System32\MsAuditE.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security@GuidMessageFile %SystemRoot%\System32\NtMarta.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security@EventMessageFile %SystemRoot%\System32\MsAuditE.dll;%SystemRoot%\System32\xpsp2res.dll;%SystemRoot%\System32\xpsp3res.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security@TypesSupported 28
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Channel 5120
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Desktop 6672
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Device 4352
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Directory 4368
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Event 4384
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@EventPair 4400
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@File 4416
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@IoCompletion 4864
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Job 5136
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Key 4432
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@MailSlot 4416
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Mutant 4448
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@NamedPipe 4416
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Port 4464
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Process 4480
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Profile 4496
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Section 4512
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Semaphore 4528
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@SymbolicLink 4544
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Thread 4560
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Timer 4576
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Token 4592
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Type 4608
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@WaitablePort 4464
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@WindowStation 6656
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager\ObjectNames
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_ALIAS 5424
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_DOMAIN 5392
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_GROUP 5408
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_SERVER 5376
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_USER 5440
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Spooler
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Spooler@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Spooler\ObjectNames
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Spooler\ObjectNames@Document 6944
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Spooler\ObjectNames@Printer 6928
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Spooler\ObjectNames@Server 6912
Reg HKLM\SYSTEM\ControlSet002\Services\TlntSvr@Type 16
Reg HKLM\SYSTEM\ControlSet002\Services\TlntSvr@Start 3
Reg HKLM\SYSTEM\ControlSet002\Services\TlntSvr@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\Services\TlntSvr@ImagePath C:\WINDOWS\system32\tlntsvr.exe
Reg HKLM\SYSTEM\ControlSet002\Services\TlntSvr@DisplayName Telnet
Reg HKLM\SYSTEM\ControlSet002\Services\TlntSvr@DependOnService RPCSS?TCPIP?NTLMSSP?
Reg HKLM\SYSTEM\ControlSet002\Services\TlntSvr@DependOnGroup
Reg HKLM\SYSTEM\ControlSet002\Services\TlntSvr@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\TlntSvr@Description Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. If this service is stopped, remote user access to programs might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet002\Services\TlntSvr\Security
Reg HKLM\SYSTEM\ControlSet002\Services\TlntSvr\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet002\Services\WmiApRpl\Performance
Reg HKLM\SYSTEM\ControlSet002\Services\WmiApRpl\Performance@Library C:\WINDOWS\system32\wbem\wmiaprpl.dll
Reg HKLM\SYSTEM\ControlSet002\Services\WmiApRpl\Performance@Open WmiOpenPerfData
Reg HKLM\SYSTEM\ControlSet002\Services\WmiApRpl\Performance@Collect WmiCollectPerfData
Reg HKLM\SYSTEM\ControlSet002\Services\WmiApRpl\Performance@Close WmiClosePerfData
Reg HKLM\SYSTEM\ControlSet002\Services\WmiApRpl\Performance@Last Counter 3264
Reg HKLM\SYSTEM\ControlSet002\Services\WmiApRpl\Performance@Last Help 3265
Reg HKLM\SYSTEM\ControlSet002\Services\WmiApRpl\Performance@First Counter 3252
Reg HKLM\SYSTEM\ControlSet002\Services\WmiApRpl\Performance@First Help 3253
Reg HKLM\SYSTEM\ControlSet002\Services\WmiApRpl\Performance@Object List 3252 3258
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS@StateIndex 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Wdf@
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF@
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF@LogEnable 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF@LogKd 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF@LogFlags 16777215
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF@LogLevel 3
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF@HostFailKdDebugBreak 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF@DefaultHostProcessGUID {193a1820-d9ac-4997-8c55-be817523f6aa}
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF@NumDeviceStacksMax 3
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF@LogFlushPeriodSeconds 300
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF@LogMinidumpType 288
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF\Services
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF\Services@
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF\Services\{193a1820-d9ac-4997-8c55-be817523f6aa}
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF\Services\{193a1820-d9ac-4997-8c55-be817523f6aa}@HostProcessImagePath C:\WINDOWS\System32\wudfhost.exe
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF\Services\{193a1820-d9ac-4997-8c55-be817523f6aa}@HostProcessDbgBreakOnStart 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership@Group0 S-1-5-21-2068952817-818587887-3723621831-513
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership@Group1 S-1-1-0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership@Group2 S-1-5-32-544
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership@Group3 S-1-5-32-545
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership@Group4 S-1-5-4
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership@Group5 S-1-5-11
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership@Group6 S-1-2-0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership@Count 7

---- EOF - GMER 1.0.14 ----




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users