Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Slow and freeze at least once after each bootup


  • This topic is locked This topic is locked
27 replies to this topic

#1 Preceptor

Preceptor

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:10:30 PM

Posted 22 October 2009 - 10:29 AM

Hi,

currently having a problem at hand. My PC is slow and it always freeze after each bootup.
Event Viewer under System will give me :

The npkcrypt service failed to start due to the following error:
The system cannot find the path specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Did some search on the Net and it is assumed that it may be due to malware.
Need assistance here thanks :(

Pasting DDS and RootRepeal here.
Attached the Attach.txt

----------------------------------------------------------------------------------------------------------------------------------------------------------


DDS (Ver_09-10-13.01) - NTFSx86
Run by Abyss at 23:07:29.06 on Thu 10/22/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1534.813 [GMT 8:00]

AV: avast! antivirus 4.8.1351 [VPS 091021-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SkyTel.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Abyss\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyServer = proxy.singnet.com.sg:8080
uInternet Settings,ProxyOverride = *.local
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
Trusted Zone: ncs.com.sg\sam
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1216208984775
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\abyss\applic~1\mozilla\firefox\profiles\2s0l9wxr.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=58819&p=
FF - component: c:\documents and settings\abyss\application data\mozilla\firefox\profiles\2s0l9wxr.default\extensions\{916ab64c-bc3e-471b-8e60-29551922a7ba}\components\Engine.dll
FF - component: c:\program files\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\documents and settings\abyss\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-7-16 114768]
R1 prodrv04;Star Force copy protection driver v4;c:\windows\system32\drivers\prodrv04.sys [2009-6-24 114496]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-7-16 20560]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2008-10-28 54960]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;c:\windows\system32\drivers\csvirta.sys --> c:\windows\system32\drivers\CSVirtA.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\f:\ntglm7x.sys --> f:\NTGLM7X.sys [?]

=============== Created Last 30 ================

2009-10-22 22:34 116,224 ac------ c:\windows\system32\dllcache\OLDD3E.tmp
2009-10-22 22:34 27,648 ac------ c:\windows\system32\dllcache\OLDD32.tmp
2009-10-22 22:34 23,040 ac------ c:\windows\system32\dllcache\OLDD3A.tmp
2009-10-22 22:34 17,408 ac------ c:\windows\system32\dllcache\OLDD36.tmp
2009-10-22 22:34 4,608 ac------ c:\windows\system32\dllcache\OLDD2E.tmp
2009-10-22 22:34 99,865 ac------ c:\windows\system32\dllcache\OLDD2A.tmp
2009-10-22 22:34 16,970 ac------ c:\windows\system32\dllcache\OLDD26.tmp
2009-10-22 22:34 19,455 ac------ c:\windows\system32\dllcache\OLDD22.tmp
2009-10-22 22:34 19,328 ac------ c:\windows\system32\dllcache\OLDD1E.tmp
2009-10-22 22:34 12,063 ac------ c:\windows\system32\dllcache\OLDD1A.tmp
2009-10-22 22:34 8,192 ac------ c:\windows\system32\dllcache\OLDD16.tmp
2009-10-22 22:34 8,832 ac------ c:\windows\system32\dllcache\OLDD12.tmp
2009-10-22 22:32 42,496 ac------ c:\windows\system32\dllcache\OLDC1A.tmp
2009-10-22 22:31 150,144 ac------ c:\windows\system32\dllcache\OLDAA7.tmp
2009-10-22 22:30 16,128 ac------ c:\windows\system32\dllcache\OLD984.tmp
2009-10-22 22:29 21,888 ac------ c:\windows\system32\dllcache\OLD859.tmp
2009-10-22 22:28 26,442 ac------ c:\windows\system32\dllcache\OLD79A.tmp
2009-10-22 22:27 353,184 ac------ c:\windows\system32\dllcache\OLD6A1.tmp
2009-10-22 22:26 347,550 ac------ c:\windows\system32\dllcache\OLD50A.tmp
2009-10-22 22:25 175,104 ac------ c:\windows\system32\dllcache\OLD351.tmp
2009-10-22 22:25 <DIR> --d----- c:\documents and settings\abyss\.housecall6.6
2009-10-22 22:24 342,336 ac------ c:\windows\system32\dllcache\OLD18A.tmp
2009-10-22 22:23 101,888 ac------ c:\windows\system32\dllcache\OLDC0.tmp
2009-10-22 22:22 32,827 ac------ c:\windows\system32\dllcache\OLD5A.tmp
2009-10-18 01:38 <DIR> --d----- c:\windows\SQLTools9_KB970892_ENU
2009-10-18 01:36 <DIR> --d----- c:\windows\SQL9_KB970892_ENU
2009-09-26 19:09 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-09-26 19:09 <DIR> --d----- c:\program files\SmartDraw 2009
2009-09-26 19:08 <DIR> --d----- c:\program files\DWG TrueView 2010
2009-09-26 19:08 <DIR> --d----- c:\program files\Bonjour

==================== Find3M ====================

2009-09-11 22:33 133,632 a------- c:\windows\system32\msv1_0.dll
2009-09-05 04:45 58,880 a------- c:\windows\system32\msasn1.dll
2009-08-29 16:08 916,480 a------- c:\windows\system32\wininet.dll
2009-08-26 16:16 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-17 23:33 1,193,832 a------- c:\windows\system32\FM20.DLL
2009-08-16 23:08 178,176 a------- c:\windows\system32\unrar.dll
2009-08-16 01:49 94,208 a------- c:\windows\system32\msstkprp.dll
2009-08-05 17:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 21:58 2,136,064 a------- c:\windows\system32\ntoskrnl.exe
2009-08-04 21:13 2,015,744 a------- c:\windows\system32\ntkrnlpa.exe
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll

============= FINISH: 23:08:11.48 ===============



----------------------------------------------------------------------------------------------------------------------------------------------------------

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/22 23:10
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB60E1000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBAE1C000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP4422
Image Path: \Driver\PCI_PNP4422
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB439C000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spfz.sys
Image Path: spfz.sys
Address: 0xBA6A7000 Size: 1048576 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\System Volume Information\_restore{F9F14CEC-242C-4098-9BFC-AD7747A758BF}\RP297\A0096076.cfg
Status: Visible to the Windows API, but not on disk.

Path: c:\program files\microsoft sql server\mssql.1\mssql\log\log_195.trc
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\program files\microsoft sql server\mssql.1\mssql\log\log_196.trc
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Documents and Settings\Abyss\Local Settings\Application Data\Mozilla\Firefox\Profiles\2s0l9wxr.default\Cache\25502AB6d01
Status: Invisible to the Windows API!

Path: c:\documents and settings\abyss\local settings\application data\mozilla\firefox\profiles\2s0l9wxr.default\cache\bdbe525bd01
Status: Size mismatch (API: 17538820, Raw: 16515072)

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb61016b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb6101574

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb6101a52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb610114c

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spfz.sys" at address 0xba6c6ca2

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spfz.sys" at address 0xba6c7030

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb610164e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb610108c

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb61010f0

#: 160 Function Name: NtQueryKey
Status: Hooked by "spfz.sys" at address 0xba6c7108

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb610176e

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb610172e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb61018ae

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x89a651f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x89a651f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x89a651f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x89a651f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89a651f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89a651f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x89a651f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x89a651f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89a651f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89a651f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89a651f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89a651f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89a651f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89a651f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89a651f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89a651f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x89a651f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x89a651f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x89a651f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x89a651f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x89a651f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x89a651f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x89a661f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x89a661f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89a661f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89a661f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x89a661f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89a661f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x89a661f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8986d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8986d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8986d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8986d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8986d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8986d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8986d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8986d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8986d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8986d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8986d1f8 Size: 121

Object: Hidden Code [Driver: av0i5sq2ȅఉ瑎捦܉@考, IRP_MJ_CREATE]
Process: System Address: 0x898501f8 Size: 121

Object: Hidden Code [Driver: av0i5sq2ȅఉ瑎捦܉@考, IRP_MJ_CLOSE]
Process: System Address: 0x898501f8 Size: 121

Object: Hidden Code [Driver: av0i5sq2ȅఉ瑎捦܉@考, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x898501f8 Size: 121

Object: Hidden Code [Driver: av0i5sq2ȅఉ瑎捦܉@考, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x898501f8 Size: 121

Object: Hidden Code [Driver: av0i5sq2ȅఉ瑎捦܉@考, IRP_MJ_POWER]
Process: System Address: 0x898501f8 Size: 121

Object: Hidden Code [Driver: av0i5sq2ȅఉ瑎捦܉@考, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x898501f8 Size: 121

Object: Hidden Code [Driver: av0i5sq2ȅఉ瑎捦܉@考, IRP_MJ_PNP]
Process: System Address: 0x898501f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x898bb1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x898bb1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x898bb1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x898bb1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x898bb1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x898bb1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x898bb1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x89ad71f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x89ad71f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x89ad71f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89ad71f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89ad71f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89ad71f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89ad71f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x89ad71f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x89ad71f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89ad71f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x89ad71f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x896ba500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x896ba500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x896ba500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x896ba500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x896ba500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x896ba500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x88edb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x88edb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x88edb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x88edb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x88edb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x88edb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x88edb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x88edb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x88edb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x88edb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x88edb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x88edb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x88edb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x88edb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x88edb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x88edb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x88edb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x88edb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x88edb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x88edb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x88edb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x88edb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x88edb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x88edb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x88edb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x88edb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x88edb1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x88edb1f8 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ൓浍瑓ﻠ襢ń, IRP_MJ_CREATE]
Process: System Address: 0x894b4500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ൓浍瑓ﻠ襢ń, IRP_MJ_CLOSE]
Process: System Address: 0x894b4500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ൓浍瑓ﻠ襢ń, IRP_MJ_READ]
Process: System Address: 0x894b4500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ൓浍瑓ﻠ襢ń, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x894b4500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ൓浍瑓ﻠ襢ń, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x894b4500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ൓浍瑓ﻠ襢ń, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x894b4500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ൓浍瑓ﻠ襢ń, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x894b4500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ൓浍瑓ﻠ襢ń, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x894b4500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ൓浍瑓ﻠ襢ń, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x894b4500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ൓浍瑓ﻠ襢ń, IRP_MJ_SHUTDOWN]
Process: System Address: 0x894b4500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ൓浍瑓ﻠ襢ń, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x894b4500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ൓浍瑓ﻠ襢ń, IRP_MJ_CLEANUP]
Process: System Address: 0x894b4500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ൓浍瑓ﻠ襢ń, IRP_MJ_PNP]
Process: System Address: 0x894b4500 Size: 121

==EOF==

Attached Files

  • Attached File  ark.txt   30.2KB   0 downloads


BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:05:30 AM

Posted 31 October 2009 - 10:53 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from following mirror:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:05:30 AM

Posted 05 November 2009 - 05:27 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
_temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:05:30 AM

Posted 11 November 2009 - 08:26 AM

Topic has been reopened.

Please post your logs.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 Preceptor

Preceptor
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:10:30 PM

Posted 14 November 2009 - 12:03 AM

Hi,

Sorry for the delay.

Extras.txt

OTL Extras logfile created on: 11/14/2009 12:56:47 PM - Run 1
OTL by OldTimer - Version 3.1.5.0 Folder = C:\Documents and Settings\Abyss\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.50 Gb Total Physical Memory | 0.70 Gb Available Physical Memory | 46.88% Memory free
2.10 Gb Paging File | 1.39 Gb Available in Paging File | 66.18% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 39.06 Gb Total Space | 12.09 Gb Free Space | 30.96% Space Free | Partition Type: NTFS
Drive D: | 39.06 Gb Total Space | 0.83 Gb Free Space | 2.12% Space Free | Partition Type: NTFS
Drive E: | 49.87 Gb Total Space | 34.79 Gb Free Space | 69.77% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LIM
Current User Name: Abyss
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
.js [@ = jsfile] -- Reg Error: Key error. File not found
.txt [@ = Reg Error: Value error.] -- Reg Error: Key error. File not found

[HKEY_USERS\S-1-5-21-1757981266-152049171-725345543-1004\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
jsfile [open] -- Reg Error: Key error.
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\FlashGet\flashget.exe" = C:\Program Files\FlashGet\flashget.exe:*:Enabled:Flashget -- File not found
"C:\Program Files\EA Games\Ultima Online 2D Client\client.exe" = C:\Program Files\EA Games\Ultima Online 2D Client\client.exe:*:Enabled:Ultima Online Client -- (Electronic Arts)
"C:\Program Files\Orbitdownloader\orbitnet.exe" = C:\Program Files\Orbitdownloader\orbitnet.exe:*:Enabled:P2P service of Orbit Downloader -- (Orbitdownloader.com)
"C:\Program Files\Internet Explorer\iexplore.exe" = C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Java\jre6\bin\java.exe" = C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\Java\jdk1.6.0_11\bin\java.exe" = C:\Program Files\Java\jdk1.6.0_11\bin\java.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\VMware\VMware Workstation\vmware-authd.exe" = C:\Program Files\VMware\VMware Workstation\vmware-authd.exe:*:Enabled:VMware Authd -- (VMware, Inc.)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{00BD5A42-8283-4C1E-83A7-C95258BE68C5}" = LG_MobileSync
"{05EC21B8-4593-3037-A781-A6B5AFFCB19D}" = Microsoft Windows SDK for Visual Studio 2008 .NET Framework Tools
"{0B7BA3EE-D7AC-494E-999D-DA58D6D01DAC}" = LG_MobileSync
"{0C973594-7DDF-4BD0-84ED-3517F7622037}" = PC Connectivity Solution
"{0F25F02B-854E-49B3-8F68-6D27CE4D477E}" = Ultima Online 2D Client
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}" = Adobe AIR
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{212748BB-0DA5-46DE-82A1-403736DC9F27}" = MSVC80_x86
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{241F2BF7-69EB-42A4-9156-96B2426C7504}" = Microsoft SQL Server Compact 3.5 for Devices ENU
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java™ 6 Update 15
"{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition
"{291B3A3B-F808-45B8-8113-DF232FCB6C82}" = Microsoft .NET Compact Framework 3.5
"{29C22873-B939-4EF9-B6E3-1EFE7FA391D1}" = ASUS nVidia Driver
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
"{2E5C075E-11AB-4BDD-918C-7B9A68953FF8}" = Microsoft SQL Server Compact 3.5 Design Tools ENU
"{315ACD04-BCEB-478B-9B1D-5431D0E6CB11}" = ASUS Enhanced Display Driver
"{3248F0A8-6813-11D6-A77B-00B0D0160040}" = Java™ 6 Update 4
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{32A3A4F4-B792-11D6-A78A-00B0D0160110}" = Java™ SE Development Kit 6 Update 11
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{384BDD6A-58AB-4556-B393-7084DD35EBF8}" = UltraEdit 14.10
"{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime
"{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}" = Adobe Media Player
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3D39E775-DDDA-4327-B747-0BDC5F191331}" = Nokia PC Suite
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{52D02A2B-03D2-4E34-A358-DC5D951FD296}" = Nokia Connectivity Cable Driver
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{56B4002F-671C-49F4-984C-C760FE3806B5}" = Microsoft SQL Server VSS Writer
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{64c5b887-b5ee-42b8-8596-78905a6b5f1f}" = Microsoft Windows SDK for Visual Studio 2008 SDK Reference Assemblies and IntelliSense
"{6753B40C-0FBD-3BED-8A9D-0ACAC2DCD85D}" = Microsoft Document Explorer 2008
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6C9F6D23-E9AD-43C9-B43A-011562AAF876}" = Windows Mobile 5.0 SDK R2 for Pocket PC
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}" = LiveUpdate BVRP Software
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{842FAF7C-50EF-4463-9B8F-6222E1384D7D}" = Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{8A7CAA24-7B23-410B-A7C3-F994B0944160}" = Microsoft Virtual PC 2007
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8DC42D05-680B-41B0-8878-6C14D24602DB}" = QuickTime
"{8FB53850-246A-3507-8ADE-0060093FFEA6}" = Visual Studio Tools for the Office system 3.0 Runtime
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0409-0000-0000000FF1CE}_VISPROR_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-040C-0000-0000000FF1CE}_VISPROR_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0C0A-0000-0000000FF1CE}_VISPROR_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0021-0000-0000-0000000FF1CE}" = Microsoft Office Visual Web Developer 2007
"{90120000-0021-0000-0000-0000000FF1CE}_VisualWebDeveloper_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0021-0409-0000-0000000FF1CE}" = Microsoft Office Visual Web Developer MUI (English) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0054-0409-0000-0000000FF1CE}" = Microsoft Office Visio MUI (English) 2007
"{90120000-0054-0409-0000-0000000FF1CE}_VISPROR_{EA35370F-586C-45E1-AC6C-A4E275C6B762}" = Microsoft Office Visio 2007 Service Pack 1 (SP1)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-006E-0409-0000-0000000FF1CE}_VISPROR_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0115-0409-0000-0000000FF1CE}_VISPROR_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{91120000-0051-0000-0000-0000000FF1CE}" = Microsoft Office Visio Professional 2007
"{91120000-0051-0000-0000-0000000FF1CE}_VISPROR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91120000-0051-0000-0000-0000000FF1CE}_VISPROR_{AA4F2610-5FF1-4DCD-A6FB-BCA2D09A6443}" = Microsoft Office Visio 2007 Service Pack 1 (SP1)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9656F3AC-6BA9-43F0-ABED-F214B5DAB27B}" = Windows Mobile 5.0 SDK R2 for Smartphone
"{976C2B2A-CE59-4AB3-83FB-BF895E28F2E6}" = Apple Mobile Device Support
"{998D6972-F58E-479D-9248-8F179E55AE38}" = Java DB 10.4.1.3
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9A33B83D-FFC4-44CF-BEEF-632DECEF2FCD}" = Microsoft SQL Server Database Publishing Wizard 1.2
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A3FF5CB2-FB35-4658-8751-9EDE1D65B3AA}" = VMware Workstation
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92A4DB0-CD37-42D1-BE1D-603D53C24328}" = Intel® Processor ID Utility
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AA467959-A1D6-4F45-90CD-11DC57733F32}" = Crystal Reports Basic for Visual Studio 2008
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B268E9A1-04A9-40D0-9866-846BE2B74BA7}" = Microsoft Windows SDK for Visual Studio 2008 Win32 Tools
"{B32E7732-B2FB-3FD0-81AC-6025B1104C66}" = Microsoft Device Emulator version 3.0 - ENU
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BCC899FE-2DAA-460C-A5FB-60291E73D9C3}" = Microsoft SQL Server Compact 3.5 ENU
"{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}" = Microsoft SQL Server Native Client
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CAA376AF-0DE8-4FCA-942E-C6AC579B94B3}" = Microsoft Windows SDK for Visual Studio 2008 Tools
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B8}" = WinZip 12.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D6A4078D-CCAD-4257-B65D-8BE9BF7AAAD2}_is1" = 3GP Player 2008
"{D7DAD1E4-45F4-3B2B-899A-EA728167EC4F}" = Microsoft Visual Studio 2008 Professional Edition - ENU
"{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843}" = iTunes
"{EDDF99D9-9FE3-4871-A7DB-D1522C51EE9A}" = Microsoft .NET Compact Framework 2.0 SP2
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F18E8A0F-BE99-4305-96A5-6C0FD9D7D999}" = mobile PhoneTools
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"504244733D18C8F63FF584AEB290E3904E791693" = Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
"AC3Filter" = AC3Filter (remove only)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"avast!" = avast! Antivirus
"CCleaner" = CCleaner (remove only)
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Dia" = Dia (remove only)
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"E8A6D621B6D3FC5D43C68C549D959DE76EEF5D84" = Windows Driver Package - Nokia Modem (06/01/2009 4.1)
"ENTERPRISE" = Microsoft Office Enterprise 2007
"F779F5541ABD99C95C03B0FD5E3C058B22DA0FF7" = Windows Driver Package - Nokia Modem (06/01/2009 7.01.0.3)
"FLV Player" = FLV Player 2.0 (build 25)
"Free WMA to MP3 Converter_is1" = Free WMA to MP3 Converter 1.16
"Free YouTube to MP3 Converter_is1" = Free YouTube to MP3 Converter version 3.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie8" = Windows Internet Explorer 8
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Document Explorer 2008" = Microsoft Document Explorer 2008
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Microsoft Visual Studio 2005 Tools for Office Runtime" = Visual Studio 2005 Tools for Office Second Edition Runtime
"Microsoft Visual Studio 2008 Professional Edition - ENU" = Microsoft Visual Studio 2008 Professional Edition - ENU
"Mozilla Firefox (3.0.15)" = Mozilla Firefox (3.0.15)
"MP3 Cutter_is1" = MP3 Cutter 1.3
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Nokia PC Suite" = Nokia PC Suite
"NVIDIA Drivers" = NVIDIA Drivers
"Orbit_is1" = Orbit Downloader
"Qemu" = Qemu 0.7.2 (remove only)
"SpywareBlaster_is1" = SpywareBlaster 4.2
"StarUML_is1" = StarUML 5.0.2.1570
"Uninstall_is1" = Uninstall 1.0.0.1
"UOAM" = UO Auto-Map
"VISPROR" = Microsoft Office Visio Professional 2007
"Visual Studio Tools for the Office system 3.0 Runtime" = Visual Studio Tools for the Office system 3.0 Runtime
"VisualWebDeveloper" = Microsoft Visual Studio Web Authoring Component
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 2
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01007" = Microsoft User-Mode Driver Framework Feature Pack 1.7
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Xvid_is1" = Xvid 1.2.2 final uninstall

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1757981266-152049171-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"FrameDemo2" = FrameDemo2
"Icon Demo Application" = Icon Demo Application
"JWSFileChooserDemo" = JWSFileChooserDemo
"SmartDraw 2009" = SmartDraw 2009

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 4/21/2009 10:19:51 AM | Computer Name = LIM | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://www.sitacs.uow.edu.au/subjects/over...server-i386.iso
failed, 00000084.

Error - 5/21/2009 11:16:06 AM | Computer Name = LIM | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://mirror.nus.edu.sg/centos/5.3/isos/i...86-bin-4of6.iso failed,
00000084.

Error - 5/21/2009 11:16:06 AM | Computer Name = LIM | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://mirror.nus.edu.sg/centos/5.3/isos/i...386-bin-DVD.iso failed,
00000084.

Error - 7/4/2009 1:27:36 PM | Computer Name = LIM | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\Abyss\Desktop\Misc\digsby_setup.exe failed, 00000005.


Error - 9/6/2009 5:53:19 AM | Computer Name = LIM | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\DOCUMENTS AND SETTINGS\ABYSS\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\VISIO\THUMBS.DAT
failed, 00000005.

Error - 9/6/2009 5:53:20 AM | Computer Name = LIM | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\DOCUMENTS AND SETTINGS\ABYSS\DESKTOP\UNIVERSITY\FINAL PROJECT\ACTUAL\ER DIAGRAM\PROJECT.VSD
failed, 00000005.

Error - 11/5/2009 7:19:57 AM | Computer Name = LIM | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://widget-93.slide.com/fsnapshot/12249...FFFFF/image.jpg
failed, 0000A413.

Error - 11/7/2009 5:34:19 AM | Computer Name = LIM | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://clients1.google.com.sg/complete/sea...em%20p&cp=9
failed, 0000A413.

Error - 11/8/2009 10:15:32 PM | Computer Name = LIM | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://imgs.zhangmen.baidu.com/mp3index/2009/ma.js failed, 0000A413.

Error - 11/9/2009 11:21:41 AM | Computer Name = LIM | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://www.neopets.com/timestamp.phtml failed, 0000A413.

[ Application Events ]
Error - 10/17/2009 12:50:51 AM | Computer Name = LIM | Source = Ci | ID = 4128
Description = Error 3221225529 detected in content index on c:\documents and settings\all
users\application data\microsoft\visio\catalog.wci.

Error - 10/21/2009 11:54:20 AM | Computer Name = LIM | Source = .NET Runtime 2.0 Error Reporting | ID = 5000
Description = EventType clr20r3, P1 razor.exe, P2 1.0.12.4, P3 4ab38bd2, P4 mscorlib,
P5 2.0.0.0, P6 4a7cd8f7, P7 343f, P8 119, P9 system.io.directorynotfound, P10 NIL.

Error - 10/22/2009 10:09:32 AM | Computer Name = LIM | Source = Ci | ID = 4124
Description = Content index on e:\system volume information\catalog.wci is corrupt.
Please shutdown and restart the Indexing Service (cisvc).

Error - 10/22/2009 10:09:32 AM | Computer Name = LIM | Source = Ci | ID = 4126
Description = Cleaning up corrupt content index metadata on e:\system volume information\catalog.wci.
Index will be automatically restored by refiltering all documents.

Error - 10/24/2009 5:42:42 AM | Computer Name = LIM | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.3156, faulting
module unknown, version 0.0.0.0, fault address 0x00000000.

Error - 10/24/2009 5:44:32 AM | Computer Name = LIM | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.3156, faulting
module unknown, version 0.0.0.0, fault address 0x00000000.

Error - 11/9/2009 7:47:55 AM | Computer Name = LIM | Source = Windows Live Messenger | ID = 1000
Description =

Error - 11/10/2009 9:02:57 AM | Computer Name = LIM | Source = MsiInstaller | ID = 10005
Description = Product: Windows Live Communications Platform -- The installer has
encountered an unexpected error installing this package. This may indicate a problem
with this package. The error code is 2762. The arguments are: , ,

Error - 11/10/2009 9:02:58 AM | Computer Name = LIM | Source = MsiInstaller | ID = 10005
Description = Product: Windows Live Communications Platform -- The installer has
encountered an unexpected error installing this package. This may indicate a problem
with this package. The error code is 2762. The arguments are: , ,

Error - 11/13/2009 1:05:20 PM | Computer Name = LIM | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ OSession Events ]
Error - 4/19/2009 3:45:38 AM | Computer Name = LIM | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6331.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 30
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 11/8/2009 8:30:57 PM | Computer Name = LIM | Source = Service Control Manager | ID = 7000
Description = The npkcrypt service failed to start due to the following error: %%3

Error - 11/9/2009 2:56:08 AM | Computer Name = LIM | Source = Service Control Manager | ID = 7000
Description = The npkcrypt service failed to start due to the following error: %%3

Error - 11/9/2009 7:41:19 AM | Computer Name = LIM | Source = Service Control Manager | ID = 7000
Description = The npkcrypt service failed to start due to the following error: %%3

Error - 11/10/2009 9:00:53 AM | Computer Name = LIM | Source = Service Control Manager | ID = 7000
Description = The npkcrypt service failed to start due to the following error: %%3

Error - 11/11/2009 8:12:13 AM | Computer Name = LIM | Source = Service Control Manager | ID = 7000
Description = The npkcrypt service failed to start due to the following error: %%3

Error - 11/11/2009 8:18:01 AM | Computer Name = LIM | Source = Service Control Manager | ID = 7000
Description = The npkcrypt service failed to start due to the following error: %%3

Error - 11/11/2009 9:09:59 AM | Computer Name = LIM | Source = Service Control Manager | ID = 7000
Description = The npkcrypt service failed to start due to the following error: %%3

Error - 11/12/2009 7:34:48 AM | Computer Name = LIM | Source = Service Control Manager | ID = 7000
Description = The npkcrypt service failed to start due to the following error: %%3

Error - 11/13/2009 8:29:28 AM | Computer Name = LIM | Source = Service Control Manager | ID = 7000
Description = The npkcrypt service failed to start due to the following error: %%3

Error - 11/13/2009 10:48:44 PM | Computer Name = LIM | Source = Service Control Manager | ID = 7000
Description = The npkcrypt service failed to start due to the following error: %%3


< End of report >


=======================================================================================
=======================================================================================
=======================================================================================

OTL.txt

OTL logfile created on: 11/14/2009 12:56:47 PM - Run 1
OTL by OldTimer - Version 3.1.5.0 Folder = C:\Documents and Settings\Abyss\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.50 Gb Total Physical Memory | 0.70 Gb Available Physical Memory | 46.88% Memory free
2.10 Gb Paging File | 1.39 Gb Available in Paging File | 66.18% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 39.06 Gb Total Space | 12.09 Gb Free Space | 30.96% Space Free | Partition Type: NTFS
Drive D: | 39.06 Gb Total Space | 0.83 Gb Free Space | 2.12% Space Free | Partition Type: NTFS
Drive E: | 49.87 Gb Total Space | 34.79 Gb Free Space | 69.77% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LIM
Current User Name: Abyss
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/11/14 12:56:15 | 00,529,408 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Abyss\Desktop\OTL.exe
PRC - [2009/10/29 20:07:51 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/08/18 00:07:23 | 00,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/08/18 00:07:17 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/08/18 00:07:01 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/08/18 00:04:21 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/08/17 23:58:55 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/07/26 16:44:34 | 03,883,856 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe
PRC - [2009/07/25 05:23:12 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/07/25 05:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/05/27 03:27:04 | 29,262,680 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PRC - [2009/02/06 17:07:48 | 00,027,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Contacts\wlcomm.exe
PRC - [2008/11/24 22:31:12 | 00,087,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2008/11/24 22:31:08 | 00,239,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2008/10/28 23:08:44 | 00,326,192 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\vmnetdhcp.exe
PRC - [2008/10/28 23:07:56 | 00,113,200 | ---- | M] (VMware, Inc.) -- C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
PRC - [2008/10/28 23:07:20 | 00,399,920 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\vmnat.exe
PRC - [2008/10/01 13:06:14 | 00,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/08/29 10:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/05/16 14:01:00 | 00,159,812 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2007/06/13 18:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/09/04 13:49:52 | 00,241,664 | ---- | M] (ASUSTeK COMPUTER INC.) -- C:\WINDOWS\ATKKBService.exe
PRC - [2006/05/04 15:59:16 | 16,206,848 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.exe
PRC - [2006/04/24 15:20:56 | 01,448,960 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SkyTel.exe
PRC - [2001/08/18 20:00:00 | 00,008,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cidaemon.exe
PRC - [2001/08/18 20:00:00 | 00,008,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cidaemon.exe


========== Modules (SafeList) ==========

MOD - [2009/11/14 12:56:15 | 00,529,408 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Abyss\Desktop\OTL.exe
MOD - [2006/08/25 23:45:55 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
MOD - [2004/08/04 15:56:42 | 00,185,856 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\framedyn.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/08/18 00:07:17 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/08/18 00:07:01 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/08/18 00:04:21 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/08/17 23:58:55 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009/07/25 05:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/06/02 10:10:08 | 00,637,952 | ---- | M] (Nokia.) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2009/05/27 03:27:04 | 29,262,680 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$SQLEXPRESS)
SRV - [2008/11/24 22:31:12 | 00,087,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008/11/24 22:31:08 | 00,239,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2008/11/24 22:31:08 | 00,045,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2008/10/28 23:08:44 | 00,326,192 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\vmnetdhcp.exe -- (VMnetDHCP)
SRV - [2008/10/28 23:07:56 | 00,113,200 | ---- | M] (VMware, Inc.) -- C:\Program Files\VMware\VMware Workstation\vmware-authd.exe -- (VMAuthdService)
SRV - [2008/10/28 23:07:20 | 00,399,920 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\vmnat.exe -- (VMware NAT Service)
SRV - [2008/10/02 18:25:42 | 00,191,024 | ---- | M] (VMware, Inc.) -- C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe -- (ufad-ws60)
SRV - [2008/10/01 18:57:00 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2008/10/01 13:06:14 | 00,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008/08/29 10:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0)
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc)
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state)
SRV - [2008/05/16 14:01:00 | 00,159,812 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2007/11/07 08:58:18 | 03,004,416 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe -- (msvsmon90)
SRV - [2007/08/24 06:59:20 | 00,068,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)
SRV - [2007/08/24 03:19:12 | 00,443,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc)
SRV - [2006/09/04 13:49:52 | 00,241,664 | ---- | M] (ASUSTeK COMPUTER INC.) -- C:\WINDOWS\ATKKBService.exe -- (ATKKeyboardService)
SRV - [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/08/04 15:56:44 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\pchsvc.dll -- (helpsvc)


========== Driver Services (SafeList) ==========

DRV - [2009/08/18 00:06:43 | 00,094,160 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2009/08/18 00:05:52 | 00,114,768 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2009/08/18 00:05:37 | 00,020,560 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009/08/18 00:04:40 | 00,051,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2009/08/18 00:04:29 | 00,023,152 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2009/08/18 00:03:21 | 00,026,944 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2009/08/13 23:59:09 | 00,229,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\VMM.sys -- (vmm)
DRV - [2009/06/24 20:57:14 | 00,114,496 | ---- | M] (Protection Technology Co.) -- C:\WINDOWS\System32\drivers\prodrv04.sys -- (prodrv04)
DRV - [2009/04/11 10:53:10 | 00,717,296 | ---- | M] () -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/02/09 08:37:56 | 00,007,808 | ---- | M] (Nokia) -- C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys -- (UsbserFilt)
DRV - [2009/02/09 08:37:48 | 00,007,808 | ---- | M] (Nokia) -- C:\WINDOWS\system32\drivers\usbser_lowerflt.sys -- (upperdev)
DRV - [2009/02/09 08:37:46 | 00,022,016 | ---- | M] (Nokia) -- C:\WINDOWS\system32\drivers\ccdcmbo.sys -- (nmwcdc)
DRV - [2009/02/09 08:37:46 | 00,017,664 | ---- | M] (Nokia) -- C:\WINDOWS\system32\drivers\ccdcmb.sys -- (nmwcd)
DRV - [2008/11/07 00:37:28 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2008/10/28 23:08:58 | 00,054,960 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\drivers\vmci.sys -- (vmci)
DRV - [2008/10/28 23:08:58 | 00,026,288 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\drivers\vmnetuserif.sys -- (VMnetuserif)
DRV - [2008/10/28 23:08:56 | 00,023,216 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\drivers\VMkbd.sys -- (vmkbd)
DRV - [2008/10/28 23:08:54 | 00,857,392 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\drivers\vmx86.sys -- (vmx86)
DRV - [2008/10/28 23:08:52 | 00,032,304 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\drivers\hcmon.sys -- (hcmon)
DRV - [2008/10/28 23:08:42 | 00,014,896 | ---- | M] (VMware, Inc.) -- C:\WINDOWS\system32\drivers\vmparport.sys -- (VMparport)
DRV - [2008/10/28 17:03:28 | 00,031,280 | R--- | M] (VMware, Inc.) -- C:\WINDOWS\system32\drivers\vmnetbridge.sys -- (VMnetBridge)
DRV - [2008/10/28 17:03:28 | 00,016,560 | R--- | M] (VMware, Inc.) -- C:\WINDOWS\system32\drivers\vmnetadapter.sys -- (VMnetAdapter)
DRV - [2008/10/02 18:24:48 | 00,022,448 | ---- | M] (VMware, Inc.) -- C:\Program Files\VMware\VMware Workstation\vstor2-ws60.sys -- (vstor2-ws60)
DRV - [2008/08/26 10:26:12 | 00,018,816 | ---- | M] (Nokia) -- C:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2008/05/16 14:01:00 | 06,557,408 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2008/04/17 13:12:54 | 00,015,464 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2007/11/13 18:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/01/29 06:20:34 | 00,059,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\VMNetSrv.sys -- (VPCNetS2)
DRV - [2006/06/14 13:56:00 | 00,012,288 | R--- | M] (ASUSTeK Computer Inc.) -- C:\WINDOWS\system32\drivers\EIO.sys -- (EIO)
DRV - [2006/05/04 16:13:52 | 04,271,616 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService)
DRV - [2006/02/27 05:46:20 | 00,081,408 | R--- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2005/10/18 15:01:00 | 00,011,008 | ---- | M] (ASUSTeK COMPUTER INC.) -- C:\WINDOWS\system32\drivers\atkkbnt.sys -- (asuskbnt)
DRV - [2005/01/07 17:07:18 | 00,138,752 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2004/08/04 14:08:42 | 00,025,600 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usbser.sys -- (usbser)
DRV - [2002/09/23 14:49:44 | 00,068,672 | ---- | M] (2Wire, Inc.) -- C:\WINDOWS\system32\drivers\2WirePCP.sys -- (2WIREPCP)
DRV - [2001/08/18 20:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1757981266-152049171-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-1757981266-152049171-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-1757981266-152049171-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-1757981266-152049171-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1757981266-152049171-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-1757981266-152049171-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-1757981266-152049171-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = EA F5 E3 00 28 3D CA 01 [binary data]
IE - HKU\S-1-5-21-1757981266-152049171-725345543-1004\S-1-5-21-1757981266-152049171-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1757981266-152049171-725345543-1004\S-1-5-21-1757981266-152049171-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKU\S-1-5-21-1757981266-152049171-725345543-1004\S-1-5-21-1757981266-152049171-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = proxy.singnet.com.sg:8080

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "www.google.com"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}:6.0.04
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}:6.0.07
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}:6.0.12
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}:6.0.14
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}:6.0.15
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:0.0.0
FF - prefs.js..extensions.enabledItems: {916ab64c-bc3e-471b-8e60-29551922a7ba}:1.300.244
FF - prefs.js..extensions.enabledItems: bkmrksync@nokia.com:1.0.0.713
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.15
FF - prefs.js..keyword.URL: "http://search.freecause.com/search?fr=freecause&ourmark=3&type=58819&p="

FF - HKLM\software\mozilla\Firefox\extensions\\bkmrksync@nokia.com: C:\Program Files\Nokia\Nokia PC Suite 7\bkmrksync\ [2009/08/10 23:53:38 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/04 00:08:00 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/03/18 15:38:42 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.15\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/11 20:22:11 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.15\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/10/29 20:08:01 | 00,000,000 | ---D | M]

[2008/07/16 21:00:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Abyss\Application Data\Mozilla\Extensions
[2008/07/16 21:00:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Abyss\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/11/14 00:00:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Abyss\Application Data\Mozilla\Firefox\Profiles\2s0l9wxr.default\extensions
[2009/10/07 20:08:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Abyss\Application Data\Mozilla\Firefox\Profiles\2s0l9wxr.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2009/06/11 23:17:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Abyss\Application Data\Mozilla\Firefox\Profiles\2s0l9wxr.default\extensions\{916ab64c-bc3e-471b-8e60-29551922a7ba}
[2009/08/13 23:37:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Abyss\Application Data\Mozilla\Firefox\Profiles\2s0l9wxr.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/06/19 21:19:40 | 00,001,595 | ---- | M] () -- C:\Documents and Settings\Abyss\Application Data\Mozilla\Firefox\Profiles\2s0l9wxr.default\searchplugins\amazondotcom.xml
[2009/06/19 21:19:41 | 00,001,595 | ---- | M] () -- C:\Documents and Settings\Abyss\Application Data\Mozilla\Firefox\Profiles\2s0l9wxr.default\searchplugins\ebay.xml
[2009/06/11 23:17:12 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\Abyss\Application Data\Mozilla\Firefox\Profiles\2s0l9wxr.default\searchplugins\search-the-web.xml
[2009/11/13 20:42:12 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/10/29 20:08:01 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2008/07/18 23:15:58 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
[2008/07/19 12:00:14 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
[2009/03/18 15:39:03 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
[2009/03/27 20:35:25 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009/06/10 11:14:36 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
[2009/08/26 20:48:27 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
[2009/10/29 20:07:51 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2009/10/29 20:07:51 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2009/09/26 00:41:48 | 01,044,480 | ---- | M] (The OpenSSL Project, http://www.openssl.org/) -- C:\Program Files\Mozilla Firefox\plugins\libdivx.dll
[2009/07/25 05:23:01 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
[2009/09/26 00:41:24 | 01,650,992 | ---- | M] (DivX,Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdivx32.dll
[2009/09/26 00:41:34 | 00,098,304 | ---- | M] (DivX, Inc) -- C:\Program Files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
[2009/10/29 20:07:53 | 00,065,528 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2006/10/26 20:12:16 | 00,016,192 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL
[2009/02/27 12:13:42 | 00,103,792 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
[2008/12/25 00:41:56 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
[2008/12/25 00:41:56 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
[2008/12/25 00:41:56 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
[2008/12/25 00:41:56 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
[2008/12/25 00:41:56 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
[2008/12/25 00:41:56 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
[2008/12/25 00:41:56 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
[2009/09/26 00:41:48 | 00,200,704 | ---- | M] (The OpenSSL Project, http://www.openssl.org/) -- C:\Program Files\Mozilla Firefox\plugins\ssldivx.dll
[2009/08/06 23:12:01 | 00,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
[2009/08/06 23:12:01 | 00,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2009/08/06 23:12:01 | 00,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2009/08/06 23:12:01 | 00,002,343 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
[2009/08/06 23:12:01 | 00,001,706 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2009/08/06 23:12:01 | 00,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
[2009/08/06 23:12:01 | 00,000,792 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: (335189 bytes) - C:\WINDOWS\system32\drivers\etc\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 11489 more lines...
O2 - BHO: (Octh Class) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll (Orbitdownloader.com)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Grab Pro) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll ()
O3 - HKU\S-1-5-21-1757981266-152049171-725345543-1004\..\Toolbar\WebBrowser: (Grab Pro) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll ()
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SkyTel] C:\WINDOWS\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-1757981266-152049171-725345543-1004\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-1757981266-152049171-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1757981266-152049171-725345543-1004_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Download by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: &Grab video by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Do&wnload selected by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Down&load all by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\VMware\VMware Workstation\vsocklib.dll (VMware, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\VMware\VMware Workstation\vsocklib.dll (VMware, Inc.)
O15 - HKLM\..Trusted Domains: 59 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 58 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-1757981266-152049171-725345543-1004\..Trusted Domains: ncs.com.sg ([sam] https in Trusted sites)
O15 - HKU\S-1-5-21-1757981266-152049171-725345543-1004\..Trusted Domains: 66 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {00000055-9980-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/fhg.CAB (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1216208984775 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.macromedia.com/get/shock...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/07/16 19:43:37 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{c926e590-554e-11dd-8d57-001fb3a97cd2}\Shell - "" = AutoRun
O33 - MountPoints2\{c926e590-554e-11dd-8d57-001fb3a97cd2}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c926e590-554e-11dd-8d57-001fb3a97cd2}\Shell\AutoRun\command - "" = H:\Autorun.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/11/14 12:56:07 | 00,529,408 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Abyss\Desktop\OTL.exe
[2009/11/10 21:03:39 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft
[2009/10/24 17:48:32 | 00,000,000 | ---D | C] -- C:\Program Files\AC3Filter
[2009/10/24 17:46:07 | 00,000,000 | ---D | C] -- C:\Program Files\Xvid
[2009/10/24 17:45:21 | 00,652,794 | ---- | C] (Xvid team ) -- C:\Documents and Settings\Abyss\Desktop\XviD-1.2.2-07062009.exe
[2009/10/24 00:48:57 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\Abyss\Recent
[2009/10/24 00:44:24 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2009/10/22 22:25:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Abyss\.housecall6.6
[2009/10/22 22:19:20 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Abyss\Desktop\RootRepeal.exe
[2009/10/18 01:38:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\SQLTools9_KB970892_ENU
[2009/10/18 01:36:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\SQL9_KB970892_ENU
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[155 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/11/14 12:56:15 | 00,529,408 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Abyss\Desktop\OTL.exe
[2009/11/14 10:48:47 | 00,178,598 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/11/14 10:48:17 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/11/14 10:48:12 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/11/14 01:38:48 | 11,010,048 | ---- | M] () -- C:\Documents and Settings\Abyss\ntuser.dat
[2009/11/14 01:38:25 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Abyss\ntuser.ini
[2009/11/14 01:30:39 | 00,016,896 | ---- | M] () -- C:\Documents and Settings\Abyss\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/13 20:29:00 | 00,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/13 20:28:55 | 00,294,072 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/11/12 23:50:02 | 00,001,308 | ---- | M] () -- C:\Documents and Settings\Abyss\Desktop\2005111811453992.mp3
[2009/11/12 23:49:45 | 00,000,311 | ---- | M] () -- C:\Documents and Settings\Abyss\Desktop\%a7%f5%b8t%b3%c7%20-%20%b7%f6%a4%df%b5%b4%b9%ef.mp3
[2009/11/11 21:32:55 | 00,022,528 | ---- | M] () -- C:\Documents and Settings\Abyss\Desktop\JY_WASP.doc
[2009/11/09 16:48:16 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/11/09 09:06:01 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/11/06 01:36:21 | 26,768,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/11/02 22:20:18 | 00,017,920 | ---- | M] () -- C:\Documents and Settings\Abyss\Desktop\Sampire.xls
[2009/10/26 22:06:50 | 02,986,038 | ---- | M] () -- C:\Documents and Settings\Abyss\Desktop\hui.bmp
[2009/10/26 00:21:19 | 02,110,812 | -H-- | M] () -- C:\Documents and Settings\Abyss\Local Settings\Application Data\IconCache.db
[2009/10/24 17:51:19 | 00,000,795 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\DivX Player.lnk
[2009/10/24 17:51:07 | 00,000,831 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\DivX Converter.lnk
[2009/10/24 17:50:21 | 00,001,469 | ---- | M] () -- C:\Documents and Settings\Abyss\Desktop\DivX Movies.lnk
[2009/10/24 17:48:21 | 00,760,708 | ---- | M] () -- C:\Documents and Settings\Abyss\Desktop\ac3filter_1_11.exe
[2009/10/24 17:45:34 | 00,652,794 | ---- | M] (Xvid team ) -- C:\Documents and Settings\Abyss\Desktop\XviD-1.2.2-07062009.exe
[2009/10/24 00:51:47 | 00,304,702 | ---- | M] () -- C:\Documents and Settings\Abyss\Desktop\cc_20091024_005121.reg
[2009/10/24 00:44:25 | 00,001,548 | ---- | M] () -- C:\Documents and Settings\Abyss\Desktop\CCleaner.lnk
[2009/10/22 23:05:45 | 00,331,264 | ---- | M] () -- C:\Documents and Settings\Abyss\Desktop\dds.scr
[2009/10/22 22:19:31 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Abyss\Desktop\settings.dat
[2009/10/22 22:19:24 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Abyss\Desktop\RootRepeal.exe
[2009/10/22 22:15:06 | 00,000,683 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/10/22 22:15:06 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/10/22 22:15:06 | 00,000,211 | RHS- | M] () -- C:\boot.ini
[2009/10/22 17:19:04 | 05,939,712 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mshtml.dll
[2009/10/22 17:19:04 | 05,939,712 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll
[2009/10/18 01:47:16 | 00,579,170 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/10/18 01:47:16 | 00,496,064 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/10/18 01:47:16 | 00,091,996 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[155 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/11/12 23:49:57 | 00,001,308 | ---- | C] () -- C:\Documents and Settings\Abyss\Desktop\2005111811453992.mp3
[2009/11/12 23:49:45 | 00,000,311 | ---- | C] () -- C:\Documents and Settings\Abyss\Desktop\%a7%f5%b8t%b3%c7%20-%20%b7%f6%a4%df%b5%b4%b9%ef.mp3
[2009/11/11 21:32:55 | 00,022,528 | ---- | C] () -- C:\Documents and Settings\Abyss\Desktop\JY_WASP.doc
[2009/11/09 16:48:14 | 00,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2009/11/02 21:08:09 | 00,017,920 | ---- | C] () -- C:\Documents and Settings\Abyss\Desktop\Sampire.xls
[2009/10/26 22:06:50 | 02,986,038 | ---- | C] () -- C:\Documents and Settings\Abyss\Desktop\hui.bmp
[2009/10/24 17:51:19 | 00,000,795 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\DivX Player.lnk
[2009/10/24 17:51:07 | 00,000,831 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\DivX Converter.lnk
[2009/10/24 17:50:21 | 00,001,469 | ---- | C] () -- C:\Documents and Settings\Abyss\Desktop\DivX Movies.lnk
[2009/10/24 17:48:08 | 00,760,708 | ---- | C] () -- C:\Documents and Settings\Abyss\Desktop\ac3filter_1_11.exe
[2009/10/24 17:46:08 | 00,819,200 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/10/24 17:46:07 | 00,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/10/24 00:51:28 | 00,304,702 | ---- | C] () -- C:\Documents and Settings\Abyss\Desktop\cc_20091024_005121.reg
[2009/10/24 00:44:25 | 00,001,548 | ---- | C] () -- C:\Documents and Settings\Abyss\Desktop\CCleaner.lnk
[2009/10/22 23:05:44 | 00,331,264 | ---- | C] () -- C:\Documents and Settings\Abyss\Desktop\dds.scr
[2009/10/22 22:19:31 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Abyss\Desktop\settings.dat
[2009/09/21 19:46:44 | 00,178,176 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/09/21 18:56:49 | 02,392,064 | ---- | C] () -- C:\WINDOWS\System32\videotrans.dll
[2009/09/21 18:56:49 | 00,215,040 | ---- | C] () -- C:\WINDOWS\System32\videoformat.dll
[2009/09/21 18:56:49 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\imgscaler.dll
[2009/09/21 18:56:49 | 00,022,016 | ---- | C] () -- C:\WINDOWS\System32\img_utils.dll
[2009/09/21 18:56:49 | 00,017,920 | ---- | C] () -- C:\WINDOWS\System32\videocore.dll
[2009/09/21 18:56:47 | 00,128,512 | ---- | C] () -- C:\WINDOWS\System32\xvid.dll
[2009/08/15 12:11:50 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Abyss\Application Data\Unknown Organization
[2009/08/10 01:03:58 | 00,055,856 | R--- | C] () -- C:\WINDOWS\System32\vnetinst.dll
[2009/04/11 10:53:10 | 00,717,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2008/11/01 12:39:58 | 00,000,306 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/10/28 23:37:39 | 00,074,666 | ---- | C] () -- C:\Documents and Settings\Abyss\Local Settings\Application Data\rational_state.log
[2008/07/19 15:53:28 | 00,196,608 | ---- | C] () -- C:\WINDOWS\System32\TDCOMG12_DLL.dll
[2008/07/19 15:53:28 | 00,139,264 | ---- | C] () -- C:\WINDOWS\System32\TDCFileShlCtxt.dll
[2008/07/19 15:53:28 | 00,098,304 | ---- | C] () -- C:\WINDOWS\System32\TDCFileIconDisplay.dll
[2008/07/19 14:40:48 | 00,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2008/07/19 14:40:48 | 00,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2008/07/19 14:40:48 | 00,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2008/07/19 01:02:09 | 00,016,896 | ---- | C] () -- C:\Documents and Settings\Abyss\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/07/17 03:34:54 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2008/07/16 21:57:40 | 00,010,496 | ---- | C] () -- C:\WINDOWS\System32\ATKOSDMini.DLL
[2008/07/16 21:57:40 | 00,000,018 | ---- | C] () -- C:\WINDOWS\System32\atkid.ini
[2008/07/16 21:57:39 | 00,046,592 | ---- | C] () -- C:\WINDOWS\System32\asfrench.dll
[2008/07/16 21:57:39 | 00,046,080 | ---- | C] () -- C:\WINDOWS\System32\asrussian.dll
[2008/07/16 21:57:39 | 00,046,080 | ---- | C] () -- C:\WINDOWS\System32\asgerman.dll
[2008/07/16 21:57:39 | 00,046,080 | ---- | C] () -- C:\WINDOWS\System32\aseng.dll
[2008/07/16 21:57:39 | 00,045,568 | ---- | C] () -- C:\WINDOWS\System32\askorean.dll
[2008/07/16 21:57:39 | 00,045,568 | ---- | C] () -- C:\WINDOWS\System32\asjapan.dll
[2008/07/16 21:57:39 | 00,045,568 | ---- | C] () -- C:\WINDOWS\System32\ASCHT.dll
[2008/07/16 21:57:39 | 00,045,568 | ---- | C] () -- C:\WINDOWS\System32\aschs.dll
[2008/07/16 21:33:19 | 00,135,168 | R--- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2008/07/16 20:38:45 | 00,080,864 | ---- | C] () -- C:\Documents and Settings\Abyss\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2008/07/16 19:51:59 | 02,110,812 | -H-- | C] () -- C:\Documents and Settings\Abyss\Local Settings\Application Data\IconCache.db
[2008/07/16 19:46:26 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Abyss\Application Data\desktop.ini
[2006/08/11 21:45:20 | 00,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/08/11 21:43:00 | 01,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/08/11 21:43:00 | 01,486,848 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/08/11 21:43:00 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/08/11 21:43:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/08/11 21:43:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/06/29 14:58:52 | 00,030,808 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
[2006/06/29 14:53:56 | 00,026,489 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 15:39:28 | 00,029,779 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/04/18 15:39:28 | 00,026,040 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2003/09/23 20:14:42 | 01,099,264 | ---- | C] () -- C:\WINDOWS\System32\cygxml2-2.dll
[2003/08/10 22:59:20 | 00,980,992 | ---- | C] () -- C:\WINDOWS\System32\cygiconv-2.dll
[2003/08/09 08:28:16 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\cygz.dll
[2001/08/18 20:00:00 | 00,000,683 | ---- | C] () -- C:\WINDOWS\win.ini
[2001/08/18 20:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini

========== Files - Unicode (All) ==========
[2009/11/09 23:50:13 | 06,535,511 | ---- | M] ()(C:\Documents and Settings\Abyss\Desktop\??? - ????.mp3) -- C:\Documents and Settings\Abyss\Desktop\陈晓东 - 比我幸福.mp3
[2009/11/09 23:30:19 | 06,535,511 | ---- | C] ()(C:\Documents and Settings\Abyss\Desktop\??? - ????.mp3) -- C:\Documents and Settings\Abyss\Desktop\陈晓东 - 比我幸福.mp3
[2009/11/08 14:37:30 | 00,000,000 | ---D | M](C:\Documents and Settings\Abyss\Desktop\??????) -- C:\Documents and Settings\Abyss\Desktop\超級星光大道
[2009/11/08 14:18:55 | 00,000,000 | ---D | C](C:\Documents and Settings\Abyss\Desktop\??????) -- C:\Documents and Settings\Abyss\Desktop\超級星光大道
[2009/11/12 23:43:52 | 06,370,198 | ---- | M] ()(C:\Documents and Settings\Abyss\Desktop\??? -???.MP3) -- C:\Documents and Settings\Abyss\Desktop\李圣杰 -手放开.MP3
[2009/11/12 23:41:13 | 06,370,198 | ---- | C] ()(C:\Documents and Settings\Abyss\Desktop\??? -???.MP3) -- C:\Documents and Settings\Abyss\Desktop\李圣杰 -手放开.MP3
[2009/11/12 23:41:53 | 06,479,872 | ---- | M] ()(C:\Documents and Settings\Abyss\Desktop\??? - ????.MP3) -- C:\Documents and Settings\Abyss\Desktop\李圣杰 - 远走高飞.MP3
[2009/11/12 23:35:17 | 06,479,872 | ---- | C] ()(C:\Documents and Settings\Abyss\Desktop\??? - ????.MP3) -- C:\Documents and Settings\Abyss\Desktop\李圣杰 - 远走高飞.MP3

========== Alternate Data Streams ==========

@Alternate Data Stream - 1492 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1D344800
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >

#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:05:30 AM

Posted 15 November 2009 - 06:58 PM

Hi,


I don't see direct indication for malware in your logs.

The service you mention belongs to nprotect: link. Does this ring a bell? It might also have been installed by another program to protect you.
I also see that you have installed Daemon Tools as well as the StarForce, those two don't go along to well and may actually be causing some trouble.

Please run a scan with Malwarebytes and gmer to see if there is any malware on your system, that wasn't showing in the logs:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

Please also run gmer:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#7 Preceptor

Preceptor
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:10:30 PM

Posted 17 November 2009 - 09:49 AM

Hi Myrti,

Sorry for the late reply again.

NProtect ... MapleStory maybe ? But I removed that application like a million years ago ...
Is it possible to stop the process that is accessing the npkcrypt service ?

Daemon Tools yes, but the Starforce thing, I am completely clueless.
Shall I remove them all ?


Seems that I have a Trojan ... remove it ?

===================================================================================

Malwarebytes' Anti-Malware 1.41
Database version: 3186
Windows 5.1.2600 Service Pack 2

11/17/2009 9:00:07 PM
mbam-log-2009-11-17 (21-00-00).txt

Scan type: Quick Scan
Objects scanned: 110430
Time elapsed: 4 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\videocore.dll (Trojan.Vundo) -> No action taken.


==================================================================================

GMER 1.0.15.15227 - http://www.gmer.net
Rootkit scan 2009-11-17 22:39:37
Windows 5.1.2600 Service Pack 2
Running: qdro5eyi.exe; Driver: C:\DOCUME~1\Abyss\LOCALS~1\Temp\pxtdapob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB60CF6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB60CF574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB60CFA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB60CF14C]
SSDT spgk.sys ZwEnumerateKey [0xBA6C6CA2]
SSDT spgk.sys ZwEnumerateValueKey [0xBA6C7030]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB60CF64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB60CF08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB60CF0F0]
SSDT spgk.sys ZwQueryKey [0xBA6C7108]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB60CF76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB60CF72E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB60CF8AE]

INT 0x63 ? 898CCBF8
INT 0x73 ? 89A66BF8
INT 0x73 ? 89A66BF8
INT 0x73 ? 89A66BF8
INT 0x73 ? 89A66BF8
INT 0x73 ? 898CCBF8
INT 0x73 ? 89A66BF8
INT 0x83 ? 89A66BF8
INT 0x83 ? 89A66BF8
INT 0x83 ? 898CCBF8
INT 0x83 ? 89A66BF8
INT 0x94 ? 898CCBF8
INT 0xA4 ? 898CCBF8

---- Kernel code sections - GMER 1.0.15 ----

? spgk.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B967362C 5 Bytes JMP 898CC1D8
.text afyb6ilv.SYS B95B5386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text afyb6ilv.SYS B95B53AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text afyb6ilv.SYS B95B53C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text afyb6ilv.SYS B95B53C9 1 Byte [2E]
.text afyb6ilv.SYS B95B53C9 11 Bytes [2E, 00, 00, 00, 5C, 02, 00, ...] {ADD CS:[EAX], AL; ADD [EDX+EAX+0x0], BL; ADD [EAX], AL; ADD [EAX], AL}
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6A9040] spgk.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6A913C] spgk.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6A90BE] spgk.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6A97FC] spgk.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6A96D2] spgk.sys
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6B9048] spgk.sys
IAT \SystemRoot\System32\Drivers\afyb6ilv.SYS[HAL.dll!KfAcquireSpinLock] 8A000002
IAT \SystemRoot\System32\Drivers\afyb6ilv.SYS[HAL.dll!READ_PORT_UCHAR] 83880846
IAT \SystemRoot\System32\Drivers\afyb6ilv.SYS[HAL.dll!KeGetCurrentIrql] 000001C0
IAT \SystemRoot\System32\Drivers\afyb6ilv.SYS[HAL.dll!KfRaiseIrql] 2C4EB70F
IAT \SystemRoot\System32\Drivers\afyb6ilv.SYS[HAL.dll!KfLowerIrql] 8303C183
IAT \SystemRoot\System32\Drivers\afyb6ilv.SYS[HAL.dll!HalGetInterruptVector] D103FCE1
IAT \SystemRoot\System32\Drivers\afyb6ilv.SYS[HAL.dll!HalTranslateBusAddress] 2E7E8366
IAT \SystemRoot\System32\Drivers\afyb6ilv.SYS[HAL.dll!KeStallExecutionProcessor] 8D1C7400
IAT \SystemRoot\System32\Drivers\afyb6ilv.SYS[HAL.dll!KfReleaseSpinLock] 83893204
IAT \SystemRoot\System32\Drivers\afyb6ilv.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 00000218
IAT \SystemRoot\System32\Drivers\afyb6ilv.SYS[HAL.dll!READ_PORT_USHORT] 2E4EB70F
IAT \SystemRoot\System32\Drivers\afyb6ilv.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 021C8B89
IAT \SystemRoot\System32\Drivers\afyb6ilv.SYS[HAL.dll!WRITE_PORT_UCHAR] B70F0000
IAT \SystemRoot\System32\Drivers\afyb6ilv.SYS[WMILIB.SYS!WmiSystemControl] 03D00304
IAT \SystemRoot\System32\Drivers\afyb6ilv.SYS[WMILIB.SYS!WmiCompleteRequest] 0CB389F2

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[1004] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[1004] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89A651F8

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.)

Device \Driver\usbuhci \Device\USBPDO-0 898CB1F8
Device \Driver\usbuhci \Device\USBPDO-1 898CB1F8
Device \Driver\usbuhci \Device\USBPDO-2 898CB1F8
Device \Driver\usbuhci \Device\USBPDO-3 898CB1F8
Device \Driver\prodrv04 \Device\ProDrv04 88BE7320
Device \Driver\usbuhci \Device\USBPDO-4 898CB1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{DBBE0336-BA1B-4E03-AE0C-79EDF31909B7} 88F2A1F8

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Ftdisk \Device\HarddiskVolume1 89AD71F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 89AD71F8
Device \Driver\Cdrom \Device\CdRom0 8987E1F8
Device \Driver\PCI_PNP1190 \Device\00000059 spgk.sys
Device \Driver\Ftdisk \Device\HarddiskVolume3 89AD71F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{3EC1FB59-17E9-4AA7-AA9D-4E88BDADC8E4} 88F2A1F8
Device \Driver\Cdrom \Device\CdRom1 8987E1F8
Device \Driver\atapi \Device\Ide\IdePort0 89A661F8
Device \Driver\atapi \Device\Ide\IdePort1 89A661F8
Device \Driver\atapi \Device\Ide\IdePort2 89A661F8
Device \Driver\atapi \Device\Ide\IdePort3 89A661F8
Device \Driver\atapi \Device\Ide\IdePort4 89A661F8
Device \Driver\atapi \Device\Ide\IdePort5 89A661F8
Device \Driver\atapi \Device\Ide\IdeDeviceP5T0L0-16 89A661F8
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-9 89A661F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 88F2A1F8
Device \Driver\usbhub \Device\00000083 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\sptd \Device\3337921190 spgk.sys
Device \Driver\NetBT \Device\NetbiosSmb 88F2A1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{8A18AB98-8805-4D45-A03E-43D20C688794} 88F2A1F8

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbuhci \Device\USBFDO-0 898CB1F8
Device \Driver\usbuhci \Device\USBFDO-0 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-1 898CB1F8
Device \Driver\usbuhci \Device\USBFDO-1 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-2 898CB1F8
Device \Driver\usbuhci \Device\USBFDO-2 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 88F5B1F8
Device \Driver\usbuhci \Device\USBFDO-3 898CB1F8
Device \Driver\usbuhci \Device\USBFDO-3 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \FileSystem\MRxSmb \Device\LanmanRedirector 88F5B1F8
Device \Driver\usbuhci \Device\USBFDO-4 898CB1F8
Device \Driver\usbuhci \Device\USBFDO-4 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\0000007d hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\Ftdisk \Device\FtControl 89AD71F8
Device \Driver\usbhub \Device\0000007e hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\afyb6ilv \Device\Scsi\afyb6ilv1Port6Path0Target0Lun0 898601F8
Device \Driver\afyb6ilv \Device\Scsi\afyb6ilv1 898601F8
Device \FileSystem\Cdfs \Cdfs 898381F8
Device \Driver\atapi -> \Driver\atapi \Device\Harddisk0\DR0 89A661F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA3 0x1F 0x57 0xF1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xC7 0x7A 0xF3 0xBA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x83 0x32 0xE9 0xAA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCD 0xD2 0x95 0xC7 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA3 0x1F 0x57 0xF1 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xC7 0x7A 0xF3 0xBA ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x83 0x32 0xE9 0xAA ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCD 0xD2 0x95 0xC7 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\@\x2039\x2039T\x20ac` 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\@\x2039\x2039\x201c\x008feQ 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\@\20\x90\20nc:y 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\@\26Y\1xc:y 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\@czz<h 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\@IQ\ah\x8d\x8f\x2013 1

---- EOF - GMER 1.0.15 ----

Regards

#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:05:30 AM

Posted 17 November 2009 - 11:30 AM

Hi,
Please remove those programs, in order to check if the freezes stop afterwards:

To remove Starforce follow these instructions:
  • Download the StarForce Removal Tool as a ZIP archive here.
  • Extract and store sfdrvrem.exe anywhere on your hard disk.
  • Run sfdrvrem.exe.
If the protected application requires a StarForce driver, this driver will be re-installed as soon as you launch the application again.

To remove Daemon Tools entirely:

Please uninstall Daemon Tools through add/remove.
How To Remove An Installed Program From Your Computer

please uninstall also sptd, it was installed by DaemonTools, but left behind, since it may be used by other programs as well.

Please download SPTD-installer and double-click it to run. Select uninstall to remove the program.

Please also remove the file found by MBAM. Once you removed Daemon Tools and SPTD please also run a new scan with gmer. Please download a new copy of gmer for that scan.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#9 Preceptor

Preceptor
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:10:30 PM

Posted 18 November 2009 - 10:59 AM

Hi Myrti,

Did everything as requested.

Maybe we monitor for a few days ?


GMER 1.0.15.15227 - http://www.gmer.net
Rootkit scan 2009-11-18 23:57:57
Windows 5.1.2600 Service Pack 2
Running: qdro5eyi.exe; Driver: C:\DOCUME~1\Abyss\LOCALS~1\Temp\pxtdapob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB61E06B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB61E0574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB61E0A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB61E014C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB61E064E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB61E008C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB61E00F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB61E076E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB61E072E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB61E08AE]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[988] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[988] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbuhci \Device\USBFDO-0 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-1 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\0000007a hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-2 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\0000007b hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-3 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-4 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\0000007e hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\0000007f hcmon.sys (VMware USB monitor/VMware, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA3 0x1F 0x57 0xF1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x1B 0xBB 0xBC 0xA0 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA3 0x1F 0x57 0xF1 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x1B 0xBB 0xBC 0xA0 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\@\x2039\x2039T\x20ac` 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\@\x2039\x2039\x201c\x008feQ 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\@\20\x90\20nc:y 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\@\26Y\1xc:y 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\@czz<h 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\@IQ\ah\x8d\x8f\x2013 1

---- EOF - GMER 1.0.15 ----

#10 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:05:30 AM

Posted 18 November 2009 - 04:29 PM

Hi,

yes, please observe for a day or two and let me know if your PC has become less slow.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#11 Preceptor

Preceptor
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:10:30 PM

Posted 18 November 2009 - 08:11 PM

Hi Myrti,

my thanks.

Will let you know in a few days time :(

Regards

#12 Preceptor

Preceptor
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:10:30 PM

Posted 24 November 2009 - 10:03 AM

Hi Myrti,

I received the npkcrypt error message again ...

Not sure if this topic should still stay here though.

Please let me know thanks :(

Regards

#13 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:05:30 AM

Posted 24 November 2009 - 03:43 PM

Hi,

we can try to remove the service npkcrypt and see if that solves the problem, otherwise yes, I would advise you ask in the windows subforums.

Has your PC stopped freezing or is this issue still present as well?


regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#14 Preceptor

Preceptor
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:10:30 PM

Posted 25 November 2009 - 03:26 AM

Hi Myrti,

it froze last night.

Is it possible to track the process that will trigger this npkcrypt thing since it seems to me that it is trying to find it (Or what you think is best).

Thank you very much for your help.

I will open another track in the windows forum if the last resort fail.

Regards

#15 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:05:30 AM

Posted 25 November 2009 - 07:09 AM

Hi,

let's do a regsearch for npkcrypt and see where it is stored and if it is referenced:

Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click the SystemLook and copy/paste the following into the box
    :regfind
    npkcrypt
  • Hit the Look button. Let it finish the scan
  • A log will then pop-up to your Desktop.. Post the content of the log here in your next reply
regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users