Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

computer is slow?


  • This topic is locked This topic is locked
14 replies to this topic

#1 robinwisbech

robinwisbech

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:07 PM

Posted 14 September 2009 - 02:13 PM

My computer i running slow and ie8 sometimes just freezes. I have run anti virus but nothing shows up.

DDS (Ver_09-07-30.01) - NTFSx86
Run by User at 19:58:30.56 on 14/09/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1534.736 [GMT 1:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Paragon Software\Drive Backup 9 Professional\Net Burner Service\NetBurnerService.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\2JUQMC6I\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - No File
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [Samsung.PCSync] c:\program files\samsung\samsung pc studio 7\PcSync2.exe /NoDialog
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\air mouse.lnk - c:\program files\air mouse\air mouse\Air Mouse.exe
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\microsoft office\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} - hxxp://www.srtest.com/srl_bin/sysreqlab_ind.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217096393890
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kaspersky lab\kaspersky internet security 2009\mzvkbd.dll,c:\progra~1\kaspersky lab\kaspersky internet security 2009\adialhk.dll,c:\progra~1\kaspersky lab\kaspersky internet security 2009\kloehk.dll ,c:\progra~1\kaspersky lab\kaspersky internet security 2009\mzvkbd3.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\windows defender\MpShHook.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2009-5-29 40464]
R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-27 64160]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-2-5 226832]
R1 NetBurn;Paragon NetBurning Driver;c:\windows\system32\drivers\NetBurn.sys [2008-6-7 84752]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-2-17 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-11-11 208616]
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2003-3-31 14336]
R2 NetBurnerService;Net Burner iSCSI Service;c:\program files\paragon software\drive backup 9 professional\net burner service\NetBurnerService.exe [2008-6-7 223248]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
R3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);c:\windows\system32\drivers\ZD1211BU.sys [2008-7-26 330240]
S1 archlp;archlp;c:\windows\system32\drivers\archlp.sys --> c:\windows\system32\drivers\archlp.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-2-28 1684736]
S3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2009-5-30 93696]
S3 DVBT_Loader;DVB-T Adapter firmware loader;c:\windows\system32\drivers\DVBT_Loader.sys [2008-10-13 44800]
S3 GenDTV;DVB-T receiver Driver;c:\windows\system32\drivers\Geniausb.sys [2008-10-13 84992]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys --> c:\windows\system32\drivers\ggflt.sys [?]
S3 IS360service;IS360service;c:\program files\iobit\iobit security 360\IS360srv.exe [2009-6-27 224528]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2009-2-27 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2009-2-27 8320]
S3 nmwcdsa;Samsung USB Phone Parent;c:\windows\system32\drivers\nmwcdsa.sys [2009-4-3 135680]
S3 nmwcdsac;Samsung USB Generic;c:\windows\system32\drivers\nmwcdsac.sys [2009-4-3 8320]
S3 nmwcdsacj;Samsung USB Port;c:\windows\system32\drivers\nmwcdsacj.sys [2009-4-3 12288]
S3 nmwcdsacm;Samsung USB Modem;c:\windows\system32\drivers\nmwcdsacm.sys [2009-4-3 12288]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [2009-3-8 90536]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [2009-3-8 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [2009-3-8 122152]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [2009-3-8 115496]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [2009-3-8 25768]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [2009-3-8 111912]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [2009-3-8 117672]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]

=============== Created Last 30 ================

2009-09-11 22:42 <DIR> --d----- C:\df0cdb894d20608f2fe408f85f99b56a
2009-09-10 16:54 <DIR> --d----- c:\program files\iPhone Configuration Utility
2009-09-10 16:52 <DIR> --d----- c:\program files\iPod
2009-09-10 16:52 <DIR> --d----- c:\program files\iTunes
2009-09-10 16:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-08 18:19 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-09-05 01:54 94,208 a------- c:\windows\system32\QuickTimeVR.qtx
2009-09-05 01:54 69,632 a------- c:\windows\system32\QuickTime.qts
2009-08-29 23:02 <DIR> --d----- c:\program files\Eidos
2009-08-29 22:41 <DIR> --d----- c:\docume~1\user\applic~1\Office Genuine Advantage
2009-08-29 22:20 <DIR> --d----- c:\docume~1\user\applic~1\GetRightToGo
2009-08-19 17:39 <DIR> --d----- c:\docume~1\user\applic~1\NeroDigital™

==================== Find3M ====================

2009-09-14 17:28 1,097,760 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-09-14 17:28 4,832 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-09-13 22:30 4,856,352 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-09-13 22:30 40,068 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-09-11 14:43 107,547 a------- c:\windows\system32\drivers\klin.dat
2009-09-11 14:43 95,259 a------- c:\windows\system32\drivers\klick.dat
2009-08-28 19:42 2,065,696 a------- c:\windows\system32\usbaaplrc.dll
2009-08-28 19:42 40,448 a------- c:\windows\system32\drivers\usbaapl.sys
2009-08-15 12:17 33,808 a------- c:\windows\system32\drivers\klbg.sys
2009-08-14 21:53 138,944 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-08-14 21:53 189,784 a------- c:\windows\system32\PnkBstrB.exe
2009-08-10 21:58 2,373,712 a------- c:\windows\system32\pbsvc.exe
2009-08-10 21:58 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-08-05 10:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-03 15:07 403,816 a------- c:\windows\system32\OGACheckControl.dll
2009-08-03 15:07 322,928 a------- c:\windows\system32\OGAAddin.dll
2009-08-03 15:07 230,768 a------- c:\windows\system32\OGAEXEC.exe
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-17 20:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\wmpdxm.dll
2009-07-03 18:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-27 22:13 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-25 09:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 09:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 09:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 09:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 09:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 09:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-23 17:50 60,336 a---h--- c:\windows\system32\mlfcache.dat
2008-09-15 21:47 87,608 -------- c:\docume~1\user\applic~1\inst.exe
2008-09-15 21:47 47,360 -------- c:\docume~1\user\applic~1\pcouffin.sys

============= FINISH: 19:59:24.35 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:07 PM

Posted 30 September 2009 - 07:53 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Pleaseinclude a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from following mirror:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 robinwisbech

robinwisbech
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:07 PM

Posted 30 September 2009 - 12:27 PM

pinOTL logfile created on: 30/09/2009 18:23:47 - Run 1
OTL by OldTimer - Version 3.0.16.0 Folder = C:\Documents and Settings\User\My Documents
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 346.28 Gb Free Space | 74.35% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: USER1-9F6KQ8A70
Current User Name: User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/05/16 04:15:52 | 00,602,112 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe
PRC - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2009/05/16 04:15:52 | 00,602,112 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe
PRC - [2009/05/29 13:41:26 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/05/29 13:41:26 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/12/12 12:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/04/14 01:12:22 | 00,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\inetsrv\inetinfo.exe
PRC - [2009/09/16 21:29:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2007/04/23 10:22:00 | 03,068,352 | ---- | M] (Kontiki Inc.) -- C:\Program Files\Kontiki\KService.exe
PRC - [2008/06/07 14:54:28 | 00,223,248 | ---- | M] (Paragon GmbH) -- C:\Program Files\Paragon Software\Drive Backup 9 Professional\Net Burner Service\NetBurnerService.exe
PRC - [2008/04/14 01:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2008/06/15 15:34:20 | 00,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe
PRC - [2006/12/19 23:23:00 | 00,272,024 | ---- | M] () -- C:\Program Files\CyberLink\Shared Files\RichVideo.exe
PRC - [2003/03/31 13:00:00 | 00,019,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\tcpsvcs.exe
PRC - [2008/04/14 01:12:36 | 00,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\snmp.exe
PRC - [2009/07/27 16:33:28 | 00,341,312 | ---- | M] (BillP Studios) -- C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
PRC - [2009/07/27 16:33:28 | 00,341,312 | ---- | M] (BillP Studios) -- C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
PRC - [2009/09/16 21:29:35 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/04/22 17:38:50 | 00,065,536 | ---- | M] (Advanced Micro Devices Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
PRC - [2009/04/22 17:37:16 | 00,065,536 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
PRC - [2008/04/14 01:12:28 | 00,060,416 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Outlook Express\msimn.exe
PRC - [2009/03/08 14:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\IEXPLORE.EXE
PRC - [2009/03/08 14:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\IEXPLORE.EXE
PRC - [2009/03/08 14:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\IEXPLORE.EXE
PRC - [2009/09/30 18:23:37 | 00,518,144 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\My Documents\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - File not found -- -- (ACDaemon [Auto | Stopped])
SRV - [2009/05/29 13:41:26 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
SRV - [2008/07/25 12:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2009/05/16 04:15:52 | 00,602,112 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe -- (Ati HotKey Poller [Auto | Running])
SRV - [2009/05/15 21:05:00 | 00,593,920 | ---- | M] () -- C:\WINDOWS\System32\ati2sgag.exe -- (ATI Smart [Auto | Stopped])
SRV - [2009/07/21 12:50:31 | 00,208,616 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe -- (AVP [Auto | Running])
SRV - [2008/12/12 12:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
SRV - [2008/07/25 12:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/07/29 22:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/04/14 01:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2008/07/29 20:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2008/04/14 01:12:22 | 00,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\inetsrv\inetinfo.exe -- (IISADMIN [Auto | Running])
SRV - [2009/09/21 16:36:02 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])
SRV - [2008/04/14 01:11:55 | 00,035,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\iprip.dll -- (Iprip [Auto | Running])
SRV - [2009/06/16 13:10:02 | 00,224,528 | ---- | M] () -- C:\Program Files\IObit\IObit Security 360\IS360srv.exe -- (IS360service [On_Demand | Stopped])
SRV - [2009/09/16 21:29:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2007/04/23 10:22:00 | 03,068,352 | ---- | M] (Kontiki Inc.) -- C:\Program Files\Kontiki\KService.exe -- (KService [Auto | Running])
SRV - [2009/09/21 22:13:14 | 01,028,432 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service [Auto | Stopped])
SRV - [2003/03/31 13:00:00 | 00,019,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\tcpsvcs.exe -- (LPDSVC [On_Demand | Stopped])
SRV - [2008/10/25 11:44:08 | 00,065,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service [On_Demand | Stopped])
SRV - [2008/04/14 01:12:22 | 00,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\inetsrv\inetinfo.exe -- (MSFtpsvc [Auto | Running])
SRV - [2008/04/14 01:12:27 | 00,004,608 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mqsvc.exe -- (MSMQ [Auto | Stopped])
SRV - [2008/04/14 01:12:27 | 00,117,248 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mqtgsvc.exe -- (MSMQTriggers [Auto | Stopped])
SRV - [2008/02/18 18:29:12 | 00,877,864 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe -- (Nero BackItUp Scheduler 3 [Disabled | Stopped])
SRV - [2008/06/07 14:54:28 | 00,223,248 | ---- | M] (Paragon GmbH) -- C:\Program Files\Paragon Software\Drive Backup 9 Professional\Net Burner Service\NetBurnerService.exe -- (NetBurnerService [Auto | Running])
SRV - [2008/07/29 20:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2008/02/28 19:07:48 | 00,529,704 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe -- (NMIndexingService [Disabled | Stopped])
SRV - [2008/06/15 15:34:20 | 00,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccessU [Auto | Running])
SRV - [2008/11/04 01:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
SRV - [2006/10/26 15:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2006/12/19 11:30:26 | 00,081,920 | ---- | M] (Prolific Technology Inc.) -- C:\WINDOWS\System32\IoctlSvc.exe -- (PLFlash DeviceIoControl Service [Disabled | Stopped])
SRV - [2009/08/10 21:58:07 | 00,075,064 | ---- | M] () -- C:\WINDOWS\System32\PnkBstrA.exe -- (PnkBstrA [Disabled | Stopped])
SRV - [2006/12/19 23:23:00 | 00,272,024 | ---- | M] () -- C:\Program Files\CyberLink\Shared Files\RichVideo.exe -- (RichVideo [Auto | Running])
SRV - [2008/04/07 09:17:30 | 00,430,592 | ---- | M] (Nokia.) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer [On_Demand | Stopped])
SRV - [2003/03/31 13:00:00 | 00,019,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\tcpsvcs.exe -- (SimpTcp [Auto | Running])
SRV - [2008/04/14 01:12:22 | 00,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\inetsrv\inetinfo.exe -- (SMTPSVC [Auto | Running])
SRV - [2008/04/14 01:12:36 | 00,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\snmp.exe -- (SNMP [Auto | Running])
SRV - [2008/04/14 01:12:22 | 00,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\inetsrv\inetinfo.exe -- (W3SVC [Auto | Running])
SRV - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend [Auto | Running])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2005/02/23 14:58:56 | 00,011,776 | ---- | M] (Arcsoft, Inc.) -- C:\WINDOWS\System32\drivers\Afc.sys -- (Afc [On_Demand | Running])
DRV - [2008/08/05 21:10:12 | 01,684,736 | ---- | M] (Creative) -- C:\WINDOWS\System32\drivers\Ambfilt.sys -- (Ambfilt [On_Demand | Stopped])
DRV - [2008/12/31 00:53:28 | 00,103,360 | ---- | M] (SlySoft, Inc.) -- C:\WINDOWS\System32\Drivers\AnyDVD.sys -- (AnyDVD [On_Demand | Running])
DRV - [2009/05/16 04:58:45 | 04,069,888 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\DRIVERS\ati2mtag.sys -- (ati2mtag [On_Demand | Running])
DRV - [2008/05/21 00:53:36 | 00,093,696 | R--- | M] (ATI Research Inc.) -- C:\WINDOWS\System32\drivers\AtiHdmi.sys -- (AtiHdmiService [On_Demand | Stopped])
DRV - [2006/07/13 13:09:10 | 00,044,800 | R--- | M] (anchor chips) -- C:\WINDOWS\System32\Drivers\DVBT_Loader.sys -- (DVBT_Loader [On_Demand | Stopped])
DRV - [2008/12/31 14:59:13 | 00,024,872 | ---- | M] (Elaborate Bytes AG) -- C:\WINDOWS\System32\Drivers\ElbyCDIO.sys -- (ElbyCDIO [System | Running])
DRV - [2009/05/18 14:17:00 | 00,026,600 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2006/06/23 05:04:42 | 00,084,992 | R--- | M] (Windows ® 2000 DDK provider) -- C:\WINDOWS\System32\Drivers\Geniausb.sys -- (GenDTV [On_Demand | Stopped])
DRV - [2008/04/13 17:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2008/06/07 14:53:02 | 00,040,464 | ---- | M] (Paragon Software Group) -- C:\WINDOWS\system32\DRIVERS\hotcore3.sys -- (hotcore3 [Boot | Running])
DRV - [2009/01/21 11:42:56 | 06,278,560 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\igxpmp32.sys -- (ialm [On_Demand | Stopped])
DRV - [2009/02/18 19:31:04 | 05,028,352 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
DRV - [2008/07/21 17:34:36 | 00,121,872 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\system32\drivers\kl1.sys -- (kl1 [Boot | Running])
DRV - [2009/08/15 12:17:23 | 00,033,808 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\system32\drivers\klbg.sys -- (klbg [Boot | Running])
DRV - [2008/03/13 18:02:46 | 00,026,640 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\System32\DRIVERS\klfltdev.sys -- (KLFLTDEV [On_Demand | Running])
DRV - [2009/08/15 12:17:23 | 00,226,832 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\System32\DRIVERS\klif.sys -- (KLIF [System | Running])
DRV - [2008/04/30 17:06:48 | 00,024,592 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\System32\DRIVERS\klim5.sys -- (klim5 [On_Demand | Running])
DRV - [2009/06/27 22:13:19 | 00,064,160 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd [Boot | Running])
DRV - [2006/01/04 16:41:48 | 01,389,056 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\System32\drivers\Monfilt.sys -- (Monfilt [On_Demand | Stopped])
DRV - [2008/04/13 19:46:22 | 00,015,232 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\MPE.sys -- (MPE [On_Demand | Stopped])
DRV - [2008/04/13 19:39:44 | 00,092,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\mqac.sys -- (MQAC [On_Demand | Running])
DRV - [2008/06/07 14:54:28 | 00,084,752 | ---- | M] (Rocket Division Software) -- C:\WINDOWS\System32\DRIVERS\NetBurn.sys -- (NetBurn [System | Running])
DRV - [2008/09/15 08:56:24 | 00,017,664 | ---- | M] (Nokia) -- C:\WINDOWS\System32\drivers\ccdcmb.sys -- (nmwcd [On_Demand | Stopped])
DRV - [2008/09/15 08:56:24 | 00,022,016 | ---- | M] (Nokia) -- C:\WINDOWS\System32\drivers\ccdcmbo.sys -- (nmwcdc [On_Demand | Stopped])
DRV - [2008/02/01 16:17:12 | 00,138,112 | ---- | M] (Nokia) -- C:\WINDOWS\System32\drivers\nmwcdnsu.sys -- (nmwcdnsu [On_Demand | Stopped])
DRV - [2008/02/01 16:17:06 | 00,008,320 | ---- | M] (Nokia) -- C:\WINDOWS\System32\drivers\nmwcdnsuc.sys -- (nmwcdnsuc [On_Demand | Stopped])
DRV - [2007/05/02 16:32:34 | 00,135,680 | ---- | M] (Nokia) -- C:\WINDOWS\System32\drivers\nmwcdsa.sys -- (nmwcdsa [On_Demand | Stopped])
DRV - [2007/05/02 16:31:54 | 00,008,320 | ---- | M] (Nokia) -- C:\WINDOWS\System32\drivers\nmwcdsac.sys -- (nmwcdsac [On_Demand | Stopped])
DRV - [2007/05/02 16:31:54 | 00,012,288 | ---- | M] (Nokia) -- C:\WINDOWS\System32\drivers\nmwcdsacj.sys -- (nmwcdsacj [On_Demand | Stopped])
DRV - [2007/05/02 16:31:54 | 00,012,288 | ---- | M] (Nokia) -- C:\WINDOWS\System32\drivers\nmwcdsacm.sys -- (nmwcdsacm [On_Demand | Stopped])
DRV - [2007/09/17 15:53:26 | 00,021,632 | ---- | M] (Nokia) -- C:\WINDOWS\System32\DRIVERS\pccsmcfd.sys -- (pccsmcfd [On_Demand | Stopped])
DRV - [2008/09/15 21:47:43 | 00,047,360 | ---- | M] (VSO Software) -- C:\WINDOWS\System32\Drivers\pcouffin.sys -- (pcouffin [On_Demand | Running])
DRV - [2003/03/31 13:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2008/06/26 21:59:48 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2001/08/17 14:05:16 | 00,028,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\OVCD.sys -- (QCDonner [On_Demand | Stopped])
DRV - [2008/05/08 15:02:52 | 00,203,136 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\RMCast.sys -- (RMCAST [On_Demand | Running])
DRV - [2008/05/27 10:41:46 | 00,090,536 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\System32\DRIVERS\s0017bus.sys -- (s0017bus [On_Demand | Stopped])
DRV - [2008/05/27 10:41:46 | 00,015,016 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\System32\DRIVERS\s0017mdfl.sys -- (s0017mdfl [On_Demand | Stopped])
DRV - [2008/05/27 10:41:46 | 00,122,152 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\System32\DRIVERS\s0017mdm.sys -- (s0017mdm [On_Demand | Stopped])
DRV - [2008/05/27 10:41:44 | 00,115,496 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\System32\DRIVERS\s0017mgmt.sys -- (s0017mgmt [On_Demand | Stopped])
DRV - [2008/05/27 10:41:44 | 00,025,768 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\System32\DRIVERS\s0017nd5.sys -- (s0017nd5 [On_Demand | Stopped])
DRV - [2008/05/27 10:41:46 | 00,111,912 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\System32\DRIVERS\s0017obex.sys -- (s0017obex [On_Demand | Stopped])
DRV - [2008/05/27 10:41:46 | 00,117,672 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\System32\DRIVERS\s0017unic.sys -- (s0017unic [On_Demand | Stopped])
DRV - [2005/03/21 12:00:24 | 00,004,096 | ---- | M] (SuperAdBlocker.com) -- C:\WINDOWS\System32\sabprocenum.sys -- (SABProcEnum [On_Demand | Stopped])
DRV - [2009/03/29 18:38:02 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV [System | Running])
DRV - [2009/02/17 12:43:30 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Stopped])
DRV - [2009/02/17 12:43:28 | 00,055,024 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys -- (SASKUTIL [System | Running])
DRV - [2008/04/13 17:39:15 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2009/01/31 18:10:07 | 00,717,296 | ---- | M] () -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd [Boot | Running])
DRV - [2008/06/07 14:53:04 | 00,033,072 | ---- | M] (Paragon Software Group) -- C:\WINDOWS\System32\DRIVERS\UimBus.sys -- (UimBus [System | Running])
DRV - [2008/06/07 14:53:04 | 00,130,688 | ---- | M] (Paragon Software Group) -- C:\WINDOWS\System32\Drivers\Uim_IM.sys -- (Uim_IM [System | Running])
DRV - [2008/09/15 08:56:24 | 00,008,064 | ---- | M] (Windows ® Codename Longhorn DDK provider) -- C:\WINDOWS\System32\DRIVERS\usbser_lowerflt.sys -- (upperdev [On_Demand | Stopped])
DRV - [2009/08/28 19:42:52 | 00,040,448 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])
DRV - [2008/04/13 19:45:36 | 00,026,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\usbser.sys -- (usbser [On_Demand | Stopped])
DRV - [2008/09/15 08:56:34 | 00,008,064 | ---- | M] (Windows ® Codename Longhorn DDK provider) -- C:\WINDOWS\System32\DRIVERS\usbser_lowerfltj.sys -- (UsbserFilt [On_Demand | Stopped])
DRV - [2008/04/13 19:56:49 | 00,012,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\usb8023.sys -- (USB_RNDIS [On_Demand | Stopped])
DRV - [2005/08/17 15:43:20 | 00,330,240 | R--- | M] (ZyDAS Technology Corporation) -- C:\WINDOWS\System32\DRIVERS\zd1211Bu.sys -- (ZD1211BU(SMC) [On_Demand | Running])
DRV - [2005/08/17 15:43:20 | 00,330,240 | R--- | M] (ZyDAS Technology Corporation) -- C:\WINDOWS\System32\DRIVERS\zd1211Bu.sys -- (ZD1211BU(ZyDAS) [On_Demand | Stopped])
DRV - [2004/10/25 13:40:58 | 00,017,664 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) -- C:\WINDOWS\System32\Drivers\ZDPSp50.sys -- (ZDPSp50 [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-329068152-1563985344-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-329068152-1563985344-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-329068152-1563985344-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-329068152-1563985344-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.google.co.uk/ [binary data]
IE - HKU\S-1-5-21-329068152-1563985344-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKU\S-1-5-21-329068152-1563985344-839522115-1003\S-1-5-21-329068152-1563985344-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-329068152-1563985344-839522115-1003\S-1-5-21-329068152-1563985344-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/11 22:43:43 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/09/16 21:29:36 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\{eea12ec4-729d-4703-bc37-106ce9879ce2}: C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\THBExt [2009/08/15 11:15:26 | 00,000,000 | ---D | M]


O1 HOSTS File: (736 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll (Kaspersky Lab)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-329068152-1563985344-839522115-1003\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKU\S-1-5-21-329068152-1563985344-839522115-1003\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AVP] C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe (Kaspersky Lab)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [MsmqIntCert] C:\WINDOWS\System32\mqrt.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\System32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe (BillP Studios)
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\.DEFAULT..\Run: [Samsung.PCSync] C:\Program Files\Samsung\Samsung PC Studio 7\PcSync2.exe (Time Information Services Ltd.)
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [Samsung.PCSync] C:\Program Files\Samsung\Samsung PC Studio 7\PcSync2.exe (Time Information Services Ltd.)
O4 - HKU\S-1-5-21-329068152-1563985344-839522115-1003..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe (PC Tools)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Air Mouse.lnk = C:\Program Files\Air Mouse\Air Mouse\Air Mouse.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 28
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-329068152-1563985344-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-329068152-1563985344-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm ()
O9 - Extra Button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll (Kaspersky Lab)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Reg Error: Value error.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.5.0.cab (DLM Control)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} http://www.eset.eu/buxus/docs/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} http://www.srtest.com/srl_bin/sysreqlab_ind.cab (System Requirements Lab Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1217096393890 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Value error.)
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} http://www.superadblocker.com/activex/sabspx.cab (SABScanProcesses Class)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Value error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\Kaspersky) - File not found
O20 - AppInit_DLLs: (Lab\Kaspersky) - File not found
O20 - AppInit_DLLs: (Internet) - File not found
O20 - AppInit_DLLs: (Security) - C:\WINDOWS\System32\Security.dll (Microsoft Corporation)
O20 - AppInit_DLLs: (2009\mzvkbd.dll) - File not found
O20 - AppInit_DLLs: (C:\PROGRA~1\Kaspersky) - File not found
O20 - AppInit_DLLs: (Lab\Kaspersky) - File not found
O20 - AppInit_DLLs: (Internet) - File not found
O20 - AppInit_DLLs: (Security) - C:\WINDOWS\System32\Security.dll (Microsoft Corporation)
O20 - AppInit_DLLs: (2009\adialhk.dll) - File not found
O20 - AppInit_DLLs: (C:\PROGRA~1\Kaspersky) - File not found
O20 - AppInit_DLLs: (Lab\Kaspersky) - File not found
O20 - AppInit_DLLs: (Internet) - File not found
O20 - AppInit_DLLs: (Security) - C:\WINDOWS\System32\Security.dll (Microsoft Corporation)
O20 - AppInit_DLLs: (2009\kloehk.dll) - File not found
O20 - AppInit_DLLs: (C:\PROGRA~1\Kaspersky) - File not found
O20 - AppInit_DLLs: (Lab\Kaspersky) - File not found
O20 - AppInit_DLLs: (Internet) - File not found
O20 - AppInit_DLLs: (Security) - C:\WINDOWS\System32\Security.dll (Microsoft Corporation)
O20 - AppInit_DLLs: (2009\mzvkbd3.dll) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\Ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\klogon: DllName - C:\WINDOWS\system32\klogon.dll - C:\WINDOWS\System32\klogon.dll (Kaspersky Lab)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/07/25 18:14:46 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{49503889-beda-11dd-a189-000e8e092c34}\Shell - "" = AutoRun
O33 - MountPoints2\{49503889-beda-11dd-a189-000e8e092c34}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()

========== Files/Folders - Created Within 30 Days ==========

[3 C:\Documents and Settings\All Users\Application Data\*.tmp files]
[2009/09/30 18:23:30 | 00,518,144 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\User\My Documents\OTL.exe
[2009/09/28 20:56:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\OpenOffice.org
[2009/09/27 11:52:05 | 00,007,469 | ---- | C] () -- C:\Documents and Settings\User\My Documents\jamies xmas list 2009.odt
[2009/09/26 13:45:52 | 00,052,877 | ---- | C] () -- C:\Documents and Settings\User\My Documents\brendans xmas dad 2009.odt
[2009/09/24 20:20:01 | 00,000,000 | ---D | C] -- C:\Program Files\iPod
[2009/09/24 20:19:59 | 00,000,000 | ---D | C] -- C:\Program Files\iTunes
[2009/09/17 21:08:10 | 00,010,388 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Haydens cashback.odt
[2009/09/16 21:34:40 | 00,000,905 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\OpenOffice.org 3.1.lnk
[2009/09/16 21:33:49 | 00,000,000 | ---D | C] -- C:\Program Files\JRE
[2009/09/16 21:29:53 | 00,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2009/09/16 21:29:53 | 00,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/09/16 21:29:53 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/09/16 21:29:53 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/09/14 20:14:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\Bleeping bits
[2009/09/13 20:17:38 | 00,000,000 | ---D | C] -- C:\Program Files\Registry Mechanic
[2009/09/12 21:35:40 | 00,024,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\STKIT432.DLL
[2009/09/11 22:42:11 | 00,000,000 | ---D | C] -- C:\df0cdb894d20608f2fe408f85f99b56a
[2009/09/11 21:45:18 | 00,008,098 | ---- | C] () -- C:\Documents and Settings\User\My Documents\CHAMPIONSHIP MANAGER KEY.odt
[2009/09/10 16:54:52 | 00,000,000 | ---D | C] -- C:\Program Files\iPhone Configuration Utility
[2009/09/10 16:52:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/09/10 16:44:54 | 00,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2009/09/08 18:19:26 | 00,153,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\triedit.dll
[2009/09/05 01:54:48 | 00,094,208 | ---- | C] (Apple Inc.) -- C:\WINDOWS\System32\QuickTimeVR.qtx
[2009/09/05 01:54:48 | 00,069,632 | ---- | C] (Apple Inc.) -- C:\WINDOWS\System32\QuickTime.qts
[2009/09/01 21:45:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Download Manager
[2009/08/14 21:44:22 | 00,138,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2009/08/03 15:07:42 | 00,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/07/20 17:55:50 | 00,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2009/06/15 20:24:54 | 00,198,144 | ---- | C] () -- C:\WINDOWS\System32\_psisdecd.dll
[2009/01/31 18:10:06 | 00,717,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2008/12/19 16:15:58 | 04,338,246 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2008/12/17 18:41:18 | 00,884,237 | ---- | C] () -- C:\WINDOWS\System32\ff_x264.dll
[2008/12/17 18:22:58 | 00,093,184 | ---- | C] () -- C:\WINDOWS\System32\ff_wmv9.dll
[2008/12/17 18:22:48 | 00,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008/12/17 18:17:34 | 00,239,247 | ---- | C] () -- C:\WINDOWS\System32\ff_theora.dll
[2008/12/17 17:59:54 | 00,560,802 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2008/12/11 12:27:02 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2008/11/12 20:56:33 | 00,499,200 | ---- | C] () -- C:\WINDOWS\System32\WZDPlay.dll
[2008/11/11 20:32:27 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/10/27 19:23:11 | 00,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.INI
[2008/10/17 22:19:54 | 00,069,707 | ---- | C] () -- C:\WINDOWS\System32\DISP_OPT1.dll
[2008/10/16 21:21:26 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\Hookdll.dll
[2008/10/16 21:21:23 | 00,221,184 | ---- | C] () -- C:\WINDOWS\System32\GTTunerCard.dll
[2008/10/16 21:21:19 | 00,118,784 | ---- | C] () -- C:\WINDOWS\System32\RmCard.dll
[2008/10/13 16:28:57 | 00,354,816 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll
[2008/08/13 20:34:06 | 00,164,352 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2008/08/13 20:34:03 | 01,559,040 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008/08/13 20:34:03 | 00,282,624 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/08/05 18:00:08 | 00,000,952 | ---- | C] () -- C:\WINDOWS\QIII.INI
[2008/07/26 17:51:44 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD.dll
[2008/07/26 17:51:44 | 00,015,872 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD64.DLL
[2008/07/26 07:01:38 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4820.dll
[2008/07/25 18:58:31 | 00,000,000 | ---- | C] () -- C:\WINDOWS\frontpg.ini
[2008/07/25 18:57:57 | 00,021,791 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
[2008/07/25 18:57:57 | 00,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
[2008/07/25 18:57:50 | 00,007,909 | ---- | C] () -- C:\WINDOWS\System32\ftpctrs.ini
[2008/07/25 18:57:48 | 00,038,576 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2008/07/25 18:57:48 | 00,010,225 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2008/07/25 18:57:45 | 00,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2008/07/25 18:57:42 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2008/06/26 21:59:52 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/06/26 21:56:14 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008/06/07 14:53:02 | 04,244,744 | ---- | C] () -- C:\WINDOWS\System32\qtp-mt334.dll
[2008/06/07 14:53:02 | 00,013,576 | ---- | C] () -- C:\WINDOWS\System32\wnaspi32.dll
[2008/06/07 14:52:56 | 00,247,560 | ---- | C] () -- C:\WINDOWS\System32\prgiso.dll
[2008/03/04 19:52:34 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\libcurl.dll
[2008/02/11 09:39:26 | 00,253,952 | ---- | C] () -- C:\WINDOWS\System32\OnlineScannerDLLA.dll
[2008/02/11 09:39:18 | 00,237,568 | ---- | C] () -- C:\WINDOWS\System32\OnlineScannerDLLW.dll
[2008/02/08 13:53:46 | 00,110,592 | ---- | C] () -- C:\WINDOWS\System32\OnlineScannerLang.dll
[2007/10/31 10:39:54 | 00,059,904 | ---- | C] () -- C:\WINDOWS\System32\zlib1.dll
[2007/07/27 14:49:02 | 00,225,355 | ---- | C] () -- C:\WINDOWS\System32\lnod32apiW.dll
[2007/07/27 14:49:02 | 00,196,683 | ---- | C] () -- C:\WINDOWS\System32\lnod32apiA.dll
[2007/05/17 14:58:10 | 00,143,360 | ---- | C] () -- C:\WINDOWS\System32\libexpatw.dll
[2005/12/07 12:31:00 | 00,202,752 | R--- | C] () -- C:\WINDOWS\System32\CddbCdda.dll
[2005/12/05 19:25:22 | 00,139,264 | ---- | C] () -- C:\WINDOWS\System32\lnod32umc.dll
[2005/12/05 12:37:10 | 00,106,496 | ---- | C] () -- C:\WINDOWS\System32\lnod32upd.dll
[2004/11/24 20:25:52 | 00,335,872 | ---- | C] ( ) -- C:\WINDOWS\System32\drvc.dll
[2004/10/03 18:50:54 | 00,129,024 | ---- | C] () -- C:\WINDOWS\System32\ff_mpeg2enc.dll
[2003/03/31 13:00:00 | 00,000,613 | ---- | C] () -- C:\WINDOWS\win.ini
[2003/03/31 13:00:00 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[3 C:\Documents and Settings\All Users\Application Data\*.tmp files]
[2009/09/30 18:23:37 | 00,518,144 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\My Documents\OTL.exe
[2009/09/30 18:10:57 | 00,000,420 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{A6E736E5-0413-4E2D-B784-48BA04865060}.job
[2009/09/30 16:49:07 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/09/30 16:46:41 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/09/30 16:46:17 | 00,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2009/09/30 16:46:03 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/09/30 16:46:00 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/09/29 22:23:03 | 01,097,760 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
[2009/09/29 22:23:03 | 00,004,832 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.idx
[2009/09/29 22:23:02 | 04,856,352 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2009/09/29 22:23:02 | 00,040,068 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2009/09/29 22:22:35 | 16,045,638 | -H-- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\IconCache.db
[2009/09/27 11:56:54 | 00,007,469 | ---- | M] () -- C:\Documents and Settings\User\My Documents\jamies xmas list 2009.odt
[2009/09/26 22:13:09 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/09/26 13:45:53 | 00,052,877 | ---- | M] () -- C:\Documents and Settings\User\My Documents\brendans xmas dad 2009.odt
[2009/09/22 17:20:44 | 00,107,547 | ---- | M] () -- C:\WINDOWS\System32\drivers\klin.dat
[2009/09/22 17:20:44 | 00,095,259 | ---- | M] () -- C:\WINDOWS\System32\drivers\klick.dat
[2009/09/21 22:13:32 | 00,015,688 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/09/17 21:08:12 | 00,010,388 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Haydens cashback.odt
[2009/09/17 17:11:57 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/09/17 16:26:30 | 00,074,584 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/09/17 16:23:23 | 00,287,704 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/09/16 21:34:40 | 00,000,905 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\OpenOffice.org 3.1.lnk
[2009/09/16 21:29:34 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deploytk.dll
[2009/09/16 21:29:34 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2009/09/16 21:29:34 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2009/09/16 21:29:34 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2009/09/16 21:29:34 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2009/09/12 21:35:56 | 01,081,616 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MSCOMCTL.OCX
[2009/09/11 22:41:51 | 00,601,294 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/09/11 22:41:51 | 00,514,402 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/09/11 22:41:51 | 00,095,168 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/09/11 21:45:20 | 00,008,098 | ---- | M] () -- C:\Documents and Settings\User\My Documents\CHAMPIONSHIP MANAGER KEY.odt
[2009/09/10 14:54:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/09/10 14:53:50 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/09/05 01:54:48 | 00,094,208 | ---- | M] (Apple Inc.) -- C:\WINDOWS\System32\QuickTimeVR.qtx
[2009/09/05 01:54:48 | 00,069,632 | ---- | M] (Apple Inc.) -- C:\WINDOWS\System32\QuickTime.qts

========== Alternate Data Streams ==========

@Alternate Data Stream - 24 bytes -> C:\WINDOWS:3B04F74283FBA48C
@Alternate Data Stream - 178 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0CE7F3C9
@Alternate Data Stream - 152 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6724CB45
@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >


OTL Extras logfile created on: 30/09/2009 18:23:47 - Run 1
OTL by OldTimer - Version 3.0.16.0 Folder = C:\Documents and Settings\User\My Documents
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.75 Gb Total Space | 346.28 Gb Free Space | 74.35% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: USER1-9F6KQ8A70
Current User Name: User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
.js [@ = JSFile] -- C:\WINDOWS\System32\CScript.exe (Microsoft Corporation)
.jse [@ = JSEFile] -- C:\WINDOWS\System32\CScript.exe (Microsoft Corporation)
.vbe [@ = VBEFile] -- C:\WINDOWS\System32\CScript.exe (Microsoft Corporation)
.vbs [@ = VBSFile] -- C:\WINDOWS\System32\CScript.exe (Microsoft Corporation)
.wsf [@ = WSFFile] -- C:\WINDOWS\System32\CScript.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "C:\WINDOWS\hh.exe" %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
jsfile [open] -- %SystemRoot%\System32\CScript.exe "%1" %* (Microsoft Corporation)
jsefile [open] -- %SystemRoot%\System32\CScript.exe "%1" %* (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
vbefile [open] -- %SystemRoot%\System32\CScript.exe "%1" %* (Microsoft Corporation)
vbsfile [open] -- %SystemRoot%\System32\CScript.exe "%1" %* (Microsoft Corporation)
wsffile [open] -- %SystemRoot%\System32\CScript.exe "%1" %* (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\Microsoft Office\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring" = 1
"" =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\mqsvc.exe" = C:\WINDOWS\system32\mqsvc.exe:*:Enabled:Message Queuing -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Internet Explorer\iexplore.exe" = C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\Nokia\Nokia Software Updater\nsu_ui_client.exe" = C:\Program Files\Nokia\Nokia Software Updater\nsu_ui_client.exe:*:Enabled:Nokia Software Updater -- (Nokia Corporation)
"C:\Program Files\Common Files\Nokia\Service Layer\A\nsl_host_process.exe" = C:\Program Files\Common Files\Nokia\Service Layer\A\nsl_host_process.exe:*:Enabled:Nokia Service Layer Host Process -- (Nokia Corporation)
"C:\Program Files\Sony Ericsson\Sony Ericsson Media Manager\MediaManager.exe" = C:\Program Files\Sony Ericsson\Sony Ericsson Media Manager\MediaManager.exe:*:Enabled:Sony Ericsson Media Manager 1.2 -- (Sony Creative Software Inc.)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Kontiki\KService.exe" = C:\Program Files\Kontiki\KService.exe:*:Enabled:Delivery Manager Service -- (Kontiki Inc.)
"C:\Program Files\Air Mouse\Air Mouse\Air Mouse.exe" = C:\Program Files\Air Mouse\Air Mouse\Air Mouse.exe:*:Enabled:AirMouse -- ()
"C:\Documents and Settings\User\Desktop\Utilities\Air Mouse.exe" = C:\Documents and Settings\User\Desktop\Utilities\Air Mouse.exe:*:Enabled:AirMouse -- ()
"C:\WINDOWS\system32\PnkBstrA.exe" = C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA -- ()
"C:\WINDOWS\system32\PnkBstrB.exe" = C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB -- ()
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{07B5FCA5-2B1F-E26C-95FF-57EBEF4C1989}" = Catalyst Control Center Localization All
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{14592A8E-4DA6-4338-A9D5-E16449647EC3}" = Championship Manager 2010 (September Data Patch)
"{15AC0C5D-A6FB-4CE2-8CD0-28179EEB5625}" = Nokia Connectivity Cable Driver
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}" = Google Earth
"{22E4AC9C-9E05-47D5-B7EB-A9FC1D762A7B}" = Quake Live Internet Explorer Plugin
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 16
"{2958B04A-0905-4689-B8D8-2F511E03AEBA}" = Samsung PC Studio 7
"{2FFE93F0-BB72-4E52-8761-354D1AAA9387}" = Sony Ericsson PC Suite 4.005.00
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36AD13A4-AEE0-24F6-AA8F-0C6E681DECC1}" = Catalyst Control Center HydraVision Full
"{39CEE1F2-12B6-4C50-9131-04BFCA110578}" = PowerCinema NE for Everio
"{3A4FFB84-D070-4DA5-AB7B-D41D87FD8D19}" = Norton Security Scan
"{3C5F1B30-B10B-4579-86DD-D00F662E1033}" = Nero 8
"{3EA0E0DD-4203-C20C-2740-582DFBF1CC59}" = BBC iPlayer Desktop
"{41B60BE2-2AD5-4407-82A3-CAC011722891}" = CCC Help English
"{42929F0F-CE14-47AF-9FC7-FF297A603021}" = Dell Resource CD
"{485DF5E7-8379-4BFA-BAE1-9B8DBFE0D6B4}" = Paragon Drive Backup™ 9 Professional
"{5164E4B0-9CD0-454A-BAC0-6771A15EEB64}" = Air Mouse Server
"{555D5F00-9CEE-4FE5-8C2A-5856A4DF94F4}" = Intel® Network Connections 13.3.46.0
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{587FD9A4-65A2-423E-AB1D-3BE7F1890AD5}" = ArcSoft TotalMedia Theatre
"{59367F7E-D7C1-4629-8AEC-71AA24A68F31}" = Nokia Software Updater
"{5CA7899B-FFEC-4254-A05B-448420831F37}" = Championship Manager 2010
"{6428883D-64B5-A88F-7A53-355E7DD2D904}" = ccc-utility
"{6523912B-1853-8E2F-E7E7-BC81D4035B96}" = ccc-core-preinstall
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.3
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{72736F5F-520D-472A-88CC-7B02872FD34E}" = ATI Catalyst Registration
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{75177B35-F07D-B593-67C6-A8B7A7F9A635}" = CCC Help Japanese
"{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}" = Avanquest update
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{7E84FAC8-C518-40F9-9807-7455301D6D25}" = SamsungConnectivityCableDriver
"{7E8DB1E0-C2C4-F8B8-F794-9FDA6BBD053B}" = CCC Help Chinese Standard
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8B184BEE-318C-E789-D988-1BB0708D99FE}" = Catalyst Control Center Graphics Full Existing
"{8B7443F5-E141-42A0-AB61-ED2331AAD606}" = 4oD
"{8CB14A64-CEF4-4C8F-B1C8-1C3B8752CB55}" = Kaspersky Internet Security 2009
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{96E94E18-54D6-42C1-8FC4-24DACEDC3395}" = Nokia NSeries System Utilities
"{98736A65-3C79-49EC-B7E9-A3C77774B0E6}" = Google SketchUp 6
"{9EB1504E-FD95-4BCD-8E93-B4039F59C469}" = Sony Ericsson Media Manager 1.2
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A8C856AD-63CD-4613-AA29-E6C85607EA06}" = Nokia Software Launcher
"{AA4469D9-F78A-AD5E-857E-0083E183DC3C}" = Catalyst Control Center Graphics Full New
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC599724-5755-48C1-ABE7-ABB857652930}" = PC Connectivity Solution
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.3
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{AF145F8997B44EE9B106D018EF1DB58B}" = DivX Converter Mobile
"{B0020634-3C3E-A66A-1CB3-DD73B441C21C}" = Catalyst Control Center Core Implementation
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B307FBF9-C9B5-355A-E8E9-EAB36E702B31}" = CCC Help Korean
"{B3D8B2F8-3C2C-45BC-933E-8B60E78F6684}" = Google SketchUp 6
"{B5DE553F-E158-2468-1927-A7F6B255823D}" = ccc-core-static
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C427E746-4EC9-4E3C-AACB-C6BB1F714D7F}" = Uniblue DriverScanner 2009
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}" = WinZip 11.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF9CD37C-E29A-11D5-AE3D-005004B8E30C}" = Digital Photo Navigator 1.5
"{CFDF1790-24E0-8612-F72E-8CB557E87042}" = CCC Help Thai
"{D3B1C799-CB73-42DE-BA0F-2344793A095C}" = Catalyst Control Center - Branding
"{D99C322D-C21B-40C7-AE71-EE51AA096B6E}" = Nokia Flashing Cable Driver
"{DA34FE93-5DC5-48E0-ACC8-A5389E05BB51}" = iTunes
"{DA71A94B-3617-4935-8BBE-1566B2174C95}" = Drv
"{DD30C2FD-F485-46A8-8153-88EC2650BC79}" = Sky Anytime
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E02F11FF-DE47-7D17-2DAF-C914A4EF7935}" = Catalyst Control Center Graphics Light
"{E56D39F8-2A9F-44B4-B068-A72E45A073E6}" = Safari
"{E6B87DC4-2B3D-4483-ADFF-E483BF718991}" = OpenOffice.org 3.1
"{EDE721EC-870A-11D8-9D75-000129760D75}" = PowerDirector Express
"{F007BA11-5298-4457-AB2E-6C9C440172D4}" = Championship Manager 2010 Challenge Demo
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F4EE8763-EAA8-4BC1-8594-8501F5F00414}" = Nokia NSeries One Touch Access
"{F63932B1-635F-B28F-0F43-1CED483AF4F4}" = CCC Help Chinese Traditional
"{F779EC8D-6703-4C4A-817C-37B07898E647}" = Nokia NSeries Content Copier
"{F89E5AD8-AE47-49B5-B9F9-C498791E6255}" = Nokia NSeries Music Manager
"{FA25FAF6-3097-43C9-BBB2-A77CE8AF1881}" = Nokia NSeries Multimedia Player
"{FA54AFB1-5745-4389-B8C1-9F7509672ED1}" = iPhone Configuration Utility
"{FD349381-D79C-4E5C-8980-015DFFB962D5}" = Nokia NSeries Application Installer
"{FD93D7F1-9631-7477-F88D-FF53976D83C3}" = Catalyst Control Center Graphics Previews Common
"1Click DVD Copy 5_is1" = 1Click DVD Copy 5.4.3.8
"3A5DEFA413DDE699DBA6EBE0A63534ACA524D30F" = Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)
"4oD" = 4oD
"7-Zip" = 7-Zip 4.65
"Ad-Aware" = Ad-Aware
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Advanced SystemCare 3_is1" = Advanced SystemCare 3
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"AviSynth" = AviSynth 2.5
"CCleaner" = CCleaner (remove only)
"CPUID CPU-Z_is1" = CPUID CPU-Z 1.51
"Demand Five Player_is1" = Demand Five Player
"Driver Genius Professional Edition_is1" = Driver Genius Professional Edition
"DVD Decrypter" = DVD Decrypter (Remove Only)
"ENTERPRISE" = Microsoft Office Enterprise 2007
"Entriq MediaSphere_is1" = Uninstall Entriq MediaSphere
"ESET Online Scanner" = ESET Online Scanner v3
"EsetOnlineScanner" = ESET Online Scanner
"FormatFactory" = FormatFactory 2.00
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie8" = Windows Internet Explorer 8
"InstallWIX_{8CB14A64-CEF4-4C8F-B1C8-1C3B8752CB55}" = Kaspersky Internet Security 2009
"IObit Security 360_is1" = IObit Security 360 Beta 1.1
"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 4.4.5
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"PSP Media Server_is1" = PSP Media Server 3.01
"PSP Video 9" = PSP Video 9 4.04
"PunkBusterSvc" = PunkBuster Services
"Quake III Arena" = Quake III Arena
"Recover My Files_is1" = Recover My Files
"Registry Mechanic_is1" = Registry Mechanic 8.0
"Samsung PC Studio 7" = Samsung PC Studio 7
"Spell Checker For OE 2.1" = Spell Checker For OE 2.1
"SystemRequirementsLab" = System Requirements Lab
"Tansee iPhone Copy_is1" = Tansee iPhone Copy 5.0.0.0
"Tiger Woods 99 PGA TOUR Golf" = Tiger Woods 99 PGA TOUR Golf
"Tweak UI 2.10" = Tweak UI
"Uniblue DriverScanner 2009" = Uniblue DriverScanner 2009
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinPatrol" = WinPatrol 2009
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01005" = Microsoft User-Mode Driver Framework Feature Pack 1.5
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"YouTube Downloader App" = YouTube Downloader App 1.01

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-329068152-1563985344-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent" = BitTorrent
"BitTorrent DNA" = DNA
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 05/08/2009 07:43:40 | Computer Name = USER1-9F6KQ8A70 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 80072ee2, P2 endsearch, P3 search, P4 1.1.1593.0,
P5 mpsigdwn.dll, P6 1.1.1593.0, P7 windows defender, P8 NIL, P9 NIL, P10 NIL.

Error - 14/08/2009 16:38:09 | Computer Name = USER1-9F6KQ8A70 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module mshtml.dll, version 8.0.6001.18812, fault address 0x000dc5d0.

Error - 31/08/2009 13:46:49 | Computer Name = USER1-9F6KQ8A70 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module unknown, version 0.0.0.0, fault address 0x56ec8b55.

Error - 08/09/2009 17:53:00 | Computer Name = USER1-9F6KQ8A70 | Source = Userenv | ID = 1068
Description = Windows ended GPO processing because the computer shut down or the
user logged off.

Error - 11/09/2009 17:41:42 | Computer Name = USER1-9F6KQ8A70 | Source = LoadPerf | ID = 3001
Description = The performance counter name string value in the registry is incorrectly
formatted.
The bogus string is 5620, the bogus index value is the first DWORD in Data section
while the last valid index values are the second and third DWORD in Data section.

Error - 11/09/2009 17:41:42 | Computer Name = USER1-9F6KQ8A70 | Source = LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service ASP.NET_2.0.50727
(ASP.NET_2.0.50727) failed. The Error code is the first DWORD in Data section.

Error - 11/09/2009 17:41:50 | Computer Name = USER1-9F6KQ8A70 | Source = LoadPerf | ID = 3001
Description = The performance counter name string value in the registry is incorrectly
formatted.
The bogus string is 5620, the bogus index value is the first DWORD in Data section
while the last valid index values are the second and third DWORD in Data section.

Error - 11/09/2009 17:41:50 | Computer Name = USER1-9F6KQ8A70 | Source = LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service aspnet_state
(ASP.NET State Service) failed. The Error code is the first DWORD in Data section.

Error - 11/09/2009 17:41:51 | Computer Name = USER1-9F6KQ8A70 | Source = LoadPerf | ID = 3001
Description = The performance counter name string value in the registry is incorrectly
formatted.
The bogus string is 5620, the bogus index value is the first DWORD in Data section
while the last valid index values are the second and third DWORD in Data section.

Error - 28/09/2009 12:06:43 | Computer Name = USER1-9F6KQ8A70 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 80240016, P2 begininstall, P3 install, P4
1.1.1593.0, P5 mpsigdwn.dll, P6 1.1.1593.0, P7 windows defender, P8 NIL, P9 NIL,
P10 NIL.

[ System Events ]
Error - 28/09/2009 14:10:11 | Computer Name = USER1-9F6KQ8A70 | Source = Service Control Manager | ID = 7001
Description = The Message Queuing Triggers service depends on the Message Queuing
service which failed to start because of the following error: %%1068

Error - 28/09/2009 14:10:27 | Computer Name = USER1-9F6KQ8A70 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
archlp

Error - 29/09/2009 07:17:50 | Computer Name = USER1-9F6KQ8A70 | Source = W3SVC | ID = 115
Description = The service could not bind instance 1. The data is the error code.

For
additional information specific to this message please visit the Microsoft Online
Support site located at: http://www.microsoft.com/contentredirect.asp.

Error - 29/09/2009 07:18:00 | Computer Name = USER1-9F6KQ8A70 | Source = Service Control Manager | ID = 7001
Description = The Message Queuing service depends on the NT LM Security Support
Provider service which failed to start because of the following error: %%1058

Error - 29/09/2009 07:18:00 | Computer Name = USER1-9F6KQ8A70 | Source = Service Control Manager | ID = 7001
Description = The Message Queuing Triggers service depends on the Message Queuing
service which failed to start because of the following error: %%1068

Error - 29/09/2009 07:18:00 | Computer Name = USER1-9F6KQ8A70 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
archlp

Error - 30/09/2009 11:46:26 | Computer Name = USER1-9F6KQ8A70 | Source = W3SVC | ID = 115
Description = The service could not bind instance 1. The data is the error code.

For
additional information specific to this message please visit the Microsoft Online
Support site located at: http://www.microsoft.com/contentredirect.asp.

Error - 30/09/2009 11:46:32 | Computer Name = USER1-9F6KQ8A70 | Source = Service Control Manager | ID = 7001
Description = The Message Queuing service depends on the NT LM Security Support
Provider service which failed to start because of the following error: %%1058

Error - 30/09/2009 11:46:32 | Computer Name = USER1-9F6KQ8A70 | Source = Service Control Manager | ID = 7001
Description = The Message Queuing Triggers service depends on the Message Queuing
service which failed to start because of the following error: %%1068

Error - 30/09/2009 11:46:37 | Computer Name = USER1-9F6KQ8A70 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
archlp


< End of report >

#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:07 PM

Posted 30 September 2009 - 02:00 PM

Hi,

From what I have seen so far your logs look clean. I would like to run some further checks, but so far nothing is pointing to an infection.

Please run rootrepeal:
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract the contents of RootRepeal.zip, to your desktop.
  • Double click Posted Image on your desktop.
  • Click on the report tab, then click scan
  • Check all seven boxes:
    Drivers
    Files
    Processes
    SSDT
    Stealth Objects
    Hidden Services
    Shadow SSDT
  • Click Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, Click the Save Report button. Save the log as RootRepeal.txt and post it in your next reply.
as well as Malwarebytes:
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

Do you recall if you had Internet Explorer open, when you created the log with OTL?

Post back the logs from rootrepeal and malwarebytes in your next reply.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 robinwisbech

robinwisbech
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:07 PM

Posted 30 September 2009 - 03:38 PM

hi.I did have IE8 open when i ran the logs so that i could follow your instructions.
Here are the logs you asked for.


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/30 21:13
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: PCI_PNP2078
Image Path: \Driver\PCI_PNP2078
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA7F03000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: spwl.sys
Image Path: spwl.sys
Address: 0xB9EA7000 Size: 1048576 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\System Volume Information\_restore{F97383D1-C2C3-43C2-935E-CB4846BDD16B}\RP657\A0114033.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{F97383D1-C2C3-43C2-935E-CB4846BDD16B}\RP657\A0114034.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{F97383D1-C2C3-43C2-935E-CB4846BDD16B}\RP657\A0114035.lnk
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{F97383D1-C2C3-43C2-935E-CB4846BDD16B}\RP657\A0114036.exe
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{F97383D1-C2C3-43C2-935E-CB4846BDD16B}\RP657\A0114037.exe
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{F97383D1-C2C3-43C2-935E-CB4846BDD16B}\RP657\A0114038.dll
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{F97383D1-C2C3-43C2-935E-CB4846BDD16B}\RP657\A0114039.sys
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{F97383D1-C2C3-43C2-935E-CB4846BDD16B}\RP657\A0114040.exe
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{F97383D1-C2C3-43C2-935E-CB4846BDD16B}\RP657\A0114041.ref
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{F97383D1-C2C3-43C2-935E-CB4846BDD16B}\RP657\A0114042.dll
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{F97383D1-C2C3-43C2-935E-CB4846BDD16B}\RP657\A0114043.sys
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{F97383D1-C2C3-43C2-935E-CB4846BDD16B}\RP657\A0114044.exe
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{F97383D1-C2C3-43C2-935E-CB4846BDD16B}\RP657\A0114045.ocx
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{F97383D1-C2C3-43C2-935E-CB4846BDD16B}\RP657\A0114046.dll
Status: Visible to the Windows API, but not on disk.

Path: C:\System Volume Information\_restore{F97383D1-C2C3-43C2-935E-CB4846BDD16B}\RP657\A0114047.exe
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\drivers\mbam.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\mbamswissarmy.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\user\local settings\temp\~dfa0b2.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\user\local settings\temp\~dfd58b.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\User\Local Settings\Temp\~DF2F7D.tmp
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\User\Local Settings\Temp\~DFEB74.tmp
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\all users\application data\kaspersky lab\avp8\data\av1f.tmp
Status: Allocation size mismatch (API: 230031360, Raw: 0)

Path: c:\documents and settings\all users\application data\kaspersky lab\avp8\report\01\00000287_objbt.dat
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\all users\application data\kaspersky lab\avp8\report\01\00000287_objdt.dat
Status: Allocation size mismatch (API: 152, Raw: 0)

Path: c:\documents and settings\all users\application data\kaspersky lab\avp8\report\01\00000287_objid.dat
Status: Allocation size mismatch (API: 48, Raw: 0)

Path: c:\documents and settings\all users\application data\kaspersky lab\avp8\report\01\00000288_objdt.dat
Status: Allocation size mismatch (API: 152, Raw: 0)

Path: c:\documents and settings\all users\application data\kaspersky lab\avp8\report\01\00000288_objid.dat
Status: Allocation size mismatch (API: 48, Raw: 0)

Path: c:\documents and settings\all users\application data\kaspersky lab\avp8\report\01\0000028a_objdt.dat
Status: Allocation size mismatch (API: 152, Raw: 0)

Path: c:\documents and settings\all users\application data\kaspersky lab\avp8\report\01\0000028a_objid.dat
Status: Allocation size mismatch (API: 48, Raw: 0)

Path: c:\documents and settings\all users\application data\kaspersky lab\avp8\report\01\0000028b_objbt.dat
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\all users\application data\kaspersky lab\avp8\report\01\0000028b_objdt.dat
Status: Allocation size mismatch (API: 152, Raw: 0)

Path: c:\documents and settings\all users\application data\kaspersky lab\avp8\report\01\0000028b_objid.dat
Status: Allocation size mismatch (API: 48, Raw: 0)

Path: c:\documents and settings\all users\application data\kaspersky lab\avp8\report\01\0000028d_objbt.dat
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\all users\application data\kaspersky lab\avp8\report\01\0000028d_objdt.dat
Status: Allocation size mismatch (API: 152, Raw: 0)

Path: c:\documents and settings\all users\application data\kaspersky lab\avp8\report\01\0000028d_objid.dat
Status: Allocation size mismatch (API: 48, Raw: 0)

Path: c:\documents and settings\all users\application data\kaspersky lab\avp8\report\01\0000028e_objbt.dat
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\all users\application data\kaspersky lab\avp8\report\01\0000028e_objdt.dat
Status: Allocation size mismatch (API: 152, Raw: 0)

Path: c:\documents and settings\all users\application data\kaspersky lab\avp8\report\01\0000028e_objid.dat
Status: Allocation size mismatch (API: 48, Raw: 0)

Path: c:\documents and settings\all users\application data\kaspersky lab\avp8\report\01\0000028f_objdt.dat
Status: Allocation size mismatch (API: 152, Raw: 0)

Path: c:\documents and settings\all users\application data\kaspersky lab\avp8\report\01\0000028f_objid.dat
Status: Allocation size mismatch (API: 48, Raw: 0)

Path: c:\documents and settings\all users\application data\kaspersky lab\avp8\report\01\00000290_events.dat
Status: Size mismatch (API: 106902, Raw: 106832)

SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b51da

#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b57ae

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b71ea

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b6b9c

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b4950

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b8b7c

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b55ae

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b4d92

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b4f92

#: 066 Function Name: NtDeviceIoControlFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b6eac

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b9084

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b50a8

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b5110

#: 084 Function Name: NtFsControlFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b6d5e

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b8620

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b69f8

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b4ab2

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b53b2

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b8ba6

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b52fe

#: 160 Function Name: NtQueryKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b5178

#: 161 Function Name: NtQueryMultipleValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b4e7c

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b4c5a

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b8888

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b45d2

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b7a74

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b4734

#: 206 Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b8f56

#: 207 Function Name: NtSaveKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b43d0

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b708c

#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b56ac

#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b871a

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b8bd0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b4b08

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b8cb4

#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b8de0

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b854c

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b547e

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b54f0

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8b0071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8b0071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8b0071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8b0071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8b0071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8b0071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8b0071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8b0071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8b0071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8b0071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8b0071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8b0071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8b0071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8b0071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8b0071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8b0071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8b0071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8b0071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8b0071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8b0071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8b0071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8b0071f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8abce1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8abce1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8abce1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8abce1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8abce1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8abce1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8abce1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8abce1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8abce1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8abce1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8abce1f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_CREATE]
Process: System Address: 0x8a3b11f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_CLOSE]
Process: System Address: 0x8a3b11f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_READ]
Process: System Address: 0x8a3b11f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_WRITE]
Process: System Address: 0x8a3b11f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a3b11f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a3b11f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_POWER]
Process: System Address: 0x8a3b11f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a3b11f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_PNP]
Process: System Address: 0x8a3b11f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x8af961f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x8af961f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x8af961f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8af961f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8af961f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8af961f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8af961f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8af961f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x8af961f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8af961f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8af961f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x8ac571f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x8ac571f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ac571f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8ac571f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x8ac571f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8ac571f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x8ac571f8 Size: 121

Object: Hidden Code [Driver: aa2wmpqdȅ扏煓䤐Ȃగ瑎卆 , IRP_MJ_CREATE]
Process: System Address: 0x8aae71f8 Size: 121

Object: Hidden Code [Driver: aa2wmpqdȅ扏煓䤐Ȃగ瑎卆 , IRP_MJ_CLOSE]
Process: System Address: 0x8aae71f8 Size: 121

Object: Hidden Code [Driver: aa2wmpqdȅ扏煓䤐Ȃగ瑎卆 , IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8aae71f8 Size: 121

Object: Hidden Code [Driver: aa2wmpqdȅ扏煓䤐Ȃగ瑎卆 , IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8aae71f8 Size: 121

Object: Hidden Code [Driver: aa2wmpqdȅ扏煓䤐Ȃగ瑎卆 , IRP_MJ_POWER]
Process: System Address: 0x8aae71f8 Size: 121

Object: Hidden Code [Driver: aa2wmpqdȅ扏煓䤐Ȃగ瑎卆 , IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8aae71f8 Size: 121

Object: Hidden Code [Driver: aa2wmpqdȅ扏煓䤐Ȃగ瑎卆 , IRP_MJ_PNP]
Process: System Address: 0x8aae71f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8b0091f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8b0091f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8b0091f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8b0091f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8b0091f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8b0091f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8b0091f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8b0091f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8b0091f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8b0091f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8b0091f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x8a44b500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x8a44b500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a44b500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a44b500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x8a44b500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x8a44b500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x8ac231f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x8ac231f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ac231f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8ac231f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x8ac231f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8ac231f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x8ac231f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x8a3da1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a3da1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x8a3da1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8a3da1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x8a3da1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a3da1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a3da1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a3da1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x8a3da1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a3da1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a3da1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a3da1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a3da1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a3da1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a3da1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a3da1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a3da1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a3da1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x8a3da1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a3da1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a3da1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a3da1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x8a3da1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a3da1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a3da1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a3da1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a3da1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x8a3da1f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅ瑎捦ȁఈ浍浓䛰諅@, IRP_MJ_CREATE]
Process: System Address: 0x8a38f500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ瑎捦ȁఈ浍浓䛰諅@, IRP_MJ_CLOSE]
Process: System Address: 0x8a38f500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ瑎捦ȁఈ浍浓䛰諅@, IRP_MJ_READ]
Process: System Address: 0x8a38f500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ瑎捦ȁఈ浍浓䛰諅@, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a38f500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ瑎捦ȁఈ浍浓䛰諅@, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a38f500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ瑎捦ȁఈ浍浓䛰諅@, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a38f500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ瑎捦ȁఈ浍浓䛰諅@, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a38f500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ瑎捦ȁఈ浍浓䛰諅@, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a38f500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ瑎捦ȁఈ浍浓䛰諅@, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a38f500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ瑎捦ȁఈ浍浓䛰諅@, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a38f500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ瑎捦ȁఈ浍浓䛰諅@, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a38f500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ瑎捦ȁఈ浍浓䛰諅@, IRP_MJ_CLEANUP]
Process: System Address: 0x8a38f500 Size: 121

Object: Hidden Code [Driver: Cdfsȅ瑎捦ȁఈ浍浓䛰諅@, IRP_MJ_PNP]
Process: System Address: 0x8a38f500 Size: 121

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b6938

#: 227 Function Name: NtGdiMaskBlt
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b6998

#: 237 Function Name: NtGdiPlgBlt
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b69c8

#: 292 Function Name: NtGdiStretchBlt
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b6968

#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b5e28

#: 323 Function Name: NtUserCallOneParam
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b6ff8

#: 378 Function Name: NtUserFindWindowEx
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b6106

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b5d68

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b5dc8

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b5d98

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b849c

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b84f4

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b8520

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b6fa2

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b60e0

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b5806

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xac2b59f2

==EOF==


Malwarebytes' Anti-Malware 1.41
Database version: 2878
Windows 5.1.2600 Service Pack 3

30/09/2009 21:33:59
mbam-log-2009-09-30 (21-33-59).txt

Scan type: Quick Scan
Objects scanned: 100870
Time elapsed: 3 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:07 PM

Posted 01 October 2009 - 12:04 AM

Hi,

Registry Cleaners

I notice the presence of Registry Mechanic Registry Cleaner on your pc.

I don't personally recommend the use of ANY registry cleaners.
Here is an excerpt from a discussion on regcleaners

Most reg cleaners aren't "bad" as such, but they aren't perfect and even the best have been known to cause problems.
The point we are trying to make is that the risk of using one far outweighs any benefit.
If it does work perfectly you will not see any difference
If it doesn't work properly you may end up with an expensive doorstop.


http://miekiemoes.blogspot.com/2008/02/reg...weaking_13.html
http://forums.whatthetech.com/Regcleaner_t42862.html


Your log(s) also show that you are using so called peer-to-peer or file-sharing programmes (in your case mTorrent). These programmes allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

However your logs appear to be clean. I would like to ask you, to do an online scan with ESET to check your PC:
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
As your problems do not seem to originate from malware, maybe you can try the following tool to make your PC boot quicker:

Download and Run StartupLite
This program will identify and give you the option to remove uneeded startup items to free memory.
  • Download StartupLite.exe by MalwareBytes to your desktop.
  • Double click the icon to start the program. If you are using Windows Vista, right click the icon and select Run As Administrator.
  • A list of uneeded startup entries will be compiled. Leave all the items as Disabled and click Continue.
  • Restart your computer.
Please post back the log from Eset and let me know if your PC speed improved.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#7 robinwisbech

robinwisbech
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:07 PM

Posted 01 October 2009 - 01:29 PM

Hi, i have run start up lite. it disabled 3 programs.
Below is the ESTAT log, it found two infected files, I normaly run this at least once a month and it has never found anything, are these 2 dangerous, I have deleted them.

C:\Documents and Settings\User\My Documents\My Downloads\FFSetup170.zip a variant of Win32/Adware.ADON application deleted - quarantined
C:\Documents and Settings\User\My Documents\My Downloads\FFSetup1_80.zip a variant of Win32/Adware.ADON application deleted - quarantined

The speed has increased a little, I normaly notice it the most when I surf the web. The little blue circle in the IE8 web browser tab seems to freeze for awhile then it restarts.
I will remove Registry Mechanic.
would you advise the use of CC Cleaner or Advanced Systemcare at all.

Many thanks for a brilliant service you provide.

#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:07 PM

Posted 01 October 2009 - 03:09 PM

Hi,

I do not advise to use programs that "optimize the registry". There are very little benefits, Windows optimizes access to the registry by itself since XP and many times such programs actually delete still needed entries causing the system to become unstable or incredibly slow.
I don't know Advanced SystemCare well enough, but at least CCleaner offers more then a registry cleaner. It also removes temporary files. While this will usually not make your PC quicker, it is something that should be done once in a while in my opinion.

But I prefer smaller applications like TFC for this:

Please download TFC by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Do you recall to which program belonged the setup-files that ESET deleted? Did you execute them?

regards _temp_

Edited by _temp_, 01 October 2009 - 03:09 PM.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#9 robinwisbech

robinwisbech
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:07 PM

Posted 01 October 2009 - 03:35 PM

i think it was format factory its a video encoding program, yes it is running but it has been on my computer before when estat has run and there has never been problems?

#10 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:07 PM

Posted 02 October 2009 - 03:01 AM

Hi,

It seems that FormatFactory sponsors some links for Brothersoft and Ebay, thereby making it adware, as the program displays ads for other companies. However this seems rather harmless and as far as I can tell does not pose a serious security issue.

At this point I think we can say, that the problem does not come from malware. I have seen no indication for active malware in the logs.

Your computer may be sluggish due to a number of reasons. Please read the articles below, to see if one of them corresponds to your problem.
If you think the Internet Explorer to be the source of the problem, maybe try out an alternative browser like Firefox to see if the problem is resolved by switching programs.

Read the articles below to see if it applies to your computer problem with being slow to respond.
Slow Computer/browser? Check Here First; It May Not Be Malware
What to do if your Computer is running slowly
Help! My computer is slow!
50 Tips for a Super Fast PC
4 Ways to Speed Up Your Computer's Performance
It's not always malware: How to fix the top 10 Internet Explorer issues


Let me know if you get some improvement on speed when surfing with firefox instead of Internet Explorer and if any of the links did help improve speed on your PC.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#11 robinwisbech

robinwisbech
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:07 PM

Posted 03 October 2009 - 03:51 AM

Hi, i also use safari sometimes but have not tried firefox, I didnt want too many broesers on my computer, i supose i'm just stuck in Internet Explorers ways. It does seem a bit quicker thanks. although some of the links you sent me, advised the use of Registry Cleaners. I have now removed mine apart from CCCleaner.
Thanks

#12 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:07 PM

Posted 03 October 2009 - 08:13 AM

Hi,

No need to install Firefox if you don't want to. :(
If you are still experiencing freezes with Internet Explorer, you may simply want to try to reinstall it. This may take care of the issue. Otherwise you could also ask for advice in the Windows forums here at bleepingcomputer.com. My field of expertise really lies in removing malware and I do not believe, that you are having a problem at this level.

Before finishing up, I would like to remove all the tools we use. Therefore simply start OTL one more time and press the "CleanUp" button.
I see that you have the Eset OnlineScanner installed twice on your PC. You can remove both of them and in case you need it again, you will be able to download it from Eset's website.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#13 robinwisbech

robinwisbech
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:07 PM

Posted 06 October 2009 - 12:03 PM

ok many thanks for your help.

#14 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:07 PM

Posted 08 October 2009 - 04:49 AM

Hi,

Please read these advices, in order to prevent infecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on thehosts file, and what it can do for you,please consult the Tutorial on the Hosts file
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holeswill allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variantsevery single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.
Some more links you might find of interest:Have a nice day
regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#15 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:07 PM

Posted 12 October 2009 - 04:39 PM

Heya,

glad we could help! :(

Since this topic appears to be resolved, I will now close it.

If you need this topic re-opened please send me a PM.

Everyone else, please start a new topic.

With Regards,
_temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users