Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

INFECTED WITH MULTIPLE THREATS: Trojan Horse Agents, Crypt, Generic 26 and 27 as well as Backdoor


  • This topic is locked This topic is locked
49 replies to this topic

#1 van der Linde

van der Linde

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:09:02 AM

Posted 24 February 2012 - 07:10 AM

Hello, there!
First up, I have to mention how glad I am at coming across this amazing forum. I have a problem so I thought I'd do a Google about what could be done about it.Came across the forum, here, and read through several topics that had virus/malware trouble. Was quite amazed, and very pleased, to see how each topic was dealt with, in such a personal, step-by-step manner giving positive results in all cases. Anyway, here goes my bit of a kerfuffle........
Downloaded a file which I required. Checked the ZIP file using my AVG Internet Security 2011. All was fine. Opened up the file and placed on my desktop temporarily. Inside the file were the setup.exe and other files I required. On opening one of them (the setup.exe was fine, by the way, and was exactly what I needed) a Malicious Threat warning popped up from my AVG. I had AVG deal with it but now this important file had vanished!
I had to re-download the ZIP file again. This I did and followed the same procedure as outlined previously. Yet, again, the AVG popped up! Same thing happened. By the time I downloaded the third time the file was allowed upon my decision: Yep, you guessed it............! The file opened for a split second and then it vanished again. It was late at night so I left everything and turned off the PC until the next day.
When I started my PC this is when I noticed I had a problem: Very slow start (about 3 minutes), HDD chattering away for a further minute before the Start Up Menu items began to load, programs took a long time to run before opening........this is when I decided to run my AVG for a full scan, followed by my Malware-bytes program and, eventually, my AVG PC Tuneup 2011 and CCleaner programs. This is when it became apparent that I had a multiple threat situation on my hands! About 12, in fact: Trojan Horse Agents, Generics 26 and 27, Crypt and Backdoor............!!!
Immediately, I tried to eradicate them and re-ran the AVG. No success. By this time I had pulled the plug on my Netgear Wireless connection.
Having found this forum I am now following the steps laid out in 'Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help', hoping that someone, here, can guide me through this disaster that I have created. Here is what I have done, so far, following the steps laid out in the aforementioned guide:-

1/. Am waiting for my nephew to bring round a borrowed, portable HDD to Backup all my Data, from my C: drive, at 5pm today. This is where all programs are held, etc whereas my USB connected HDD contains photos, music, designs, films, etc. My USB HDD only has 72Gb of space left on it while I need between 120 and 150Gb of data to be backed up from my C: drive, according to the Cobian Backup that I have downloaded. My laptop, which I am using here, has bugger all on it, really. ^.75Gb on one disc and 43Gb on the other :( Hence, the borrowed portable HDD. My only worry is the length of time I can borrow this for as he has acquired it from hiw workplace. Also, how safe it is if it has to be given back before I finish this job! Maybe you could suggest another method by which I could save this amount of data?

2/. Definitely have malware and threats. Came up on the reports logged by AVG and Malware-bytes.

3/. Have made an account, otherwise you wouldn't be reading this............ :)

4/. I have Enabled the Topic Reply by Default.

5/. Disabling the Firewall: I have tried to set AVG Firewall but all buttons are greyed out. This infection will not allow me to turn it on. Have managed to turn on the Windows firewall and this is now set.

6/. DeFogger downloaded to my laptop then transfered to my PC via USB SanDisk Cruzer. Programme opened and procedure followed to completion. CD Emulation software now disabled on PC.

7/. The DDS Download link is not working. Have tried several times. No luck. Any ideas?

8/. Downloaded Gmer to laptop and transferred to my PC via USB stick. Followed setup procedure and ran programme. FAILED THREE TIMES during process!!! Managed to be patient and saved log file just before Gmer vanished each time. Have managed to save log file of what it managed to a point!

9/. Posting Topic right now.......!

I will be attaching the Gmer file as well as the files logged by Malwarebytes for you to look at, if this helps. I have tried to log and record the files found in AVG but can't find a way to copy and paste them...bit frustrating!I do have a log produced by AVG of my system. It is pretty big so I didn't know if this should be attached just yet, but it does give FULL details of my system :)
Looking forward to getting this sorted out. First time I've been caught out in just over 10 years!
Best regards,
Andy van der Linde

Here is the GMER LOG (or what I managed to get before it kept crashing!)

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-24 11:34:04
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\&e\LOCALS~1\Temp\pxtdipob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA8D4A6C0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xA8D4A770]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xA8D4A810]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xA8D4A8B0]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwAcceptConnectPort [0x805A4630]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwAccessCheck [0x805F140E]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwAccessCheckAndAuditAlarm [0x805F4C44]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwAccessCheckByType [0x805F1440]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwAccessCheckByTypeAndAuditAlarm [0x805F4C7E]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwAccessCheckByTypeResultList [0x805F1476]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwAccessCheckByTypeResultListAndAuditAlarm [0x805F4CC2]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwAccessCheckByTypeResultListAndAuditAlarmByHandle [0x805F4D06]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwAddAtom [0x80615CEE]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwAddBootEntry [0x80616A30]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwAdjustGroupsToken [0x805EC80C]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwAdjustPrivilegesToken [0x805EC464]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwAlertResumeThread [0x805D4B7E]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwAlertThread [0x805D4B2E]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwAllocateLocallyUniqueId [0x80616314]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwAllocateUserPhysicalPages [0x805B5FB6]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwAllocateUuids [0x80615930]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwAllocateVirtualMemory [0x805A8ABA]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwAreMappedFilesTheSame [0x805B05CA]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwAssignProcessToJobObject [0x805D6642]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCallbackReturn [0x8050189C]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCancelDeviceWakeupRequest [0x80616A22]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCancelIoFile [0x80576B0A]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCancelTimer [0x80538C30]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwClearEvent [0x8060EEFE]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwClose [0x805BC530]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCloseObjectAuditAlarm [0x805F517E]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCompactKeys [0x80623CC0]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCompareTokens [0x805F9692]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCompleteConnectPort [0x805A4D1E]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCompressKey [0x80623F14]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwConnectPort [0x805A45D0]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwContinue [0x80544EE4]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateDebugObject [0x80642A54]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateDirectoryObject [0x805BE4E0]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateEvent [0x8060EF4E]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateEventPair [0x806172A6]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateFile [0x805790A8]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateIoCompletion [0x80578A86]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateJobObject [0x805D5606]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateJobSet [0x805D533E]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateKey [0x806240F0]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateMailslotFile [0x805791B6]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateMutant [0x8061769E]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateNamedPipeFile [0x805790E2]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreatePagingFile [0x805AB9EE]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreatePort [0x805A50EC]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateProcess [0x805D1230]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateProcessEx [0x805D117A]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateProfile [0x80617ABE]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateSection [0x805AB3C8]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateSemaphore [0x8061504E]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateSymbolicLinkObject [0x805C39FA]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateThread [0x805D1018]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateTimer [0x80616F6E]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateToken [0x805F9A3A]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateWaitablePort [0x805A5110]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwDebugActiveProcess [0x80643B30]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwDebugContinue [0x80643C80]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwDelayExecution [0x80616972]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwDeleteAtom [0x806161A4]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwDeleteFile [0x80576C50]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwDeleteKey [0x8062458C]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwDeleteObjectAuditAlarm [0x805F528A]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwDeleteValueKey [0x8062475C]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwDeviceIoControlFile [0x8057926E]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwDisplayString [0x80612FCC]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwDuplicateObject [0x805BE008]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwDuplicateToken [0x805ED6BA]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwEnumerateKey [0x8062493C]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwEnumerateSystemEnvironmentValuesEx [0x80616A14]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwEnumerateValueKey [0x80624BA6]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwExtendSection [0x805B3CD6]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwFilterToken [0x805ED866]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwFindAtom [0x80615F58]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwFlushBuffersFile [0x80576D1C]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwFlushInstructionCache [0x805B684A]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwFlushKey [0x80624E10]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwFlushVirtualMemory [0x805AC71C]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwFlushWriteBuffer [0x805B67EC]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwFreeUserPhysicalPages [0x805B6358]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwFreeVirtualMemory [0x805B2FB2]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwFsControlFile [0x805792A2]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwGetContextThread [0x805D152A]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwGetDevicePowerState [0x805C8684]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwGetPlugPlayEvent [0x8059913C]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwGetWriteWatch [0x805211AA]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwImpersonateAnonymousToken [0x805F9386]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwImpersonateClientOfPort [0x805A517A]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwImpersonateThread [0x805D7802]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwInitializeRegistry [0x80622232]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwInitiatePowerAction [0x805C846A]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwIsProcessInJob [0x805D5202]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwIsSystemResumeAutomatic [0x805C8670]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwListenPort [0x805A5386]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwLoadDriver [0x80584160]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwLoadKey [0x80626314]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwLoadKey2 [0x80625F20]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwLockFile [0x805792D6]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwLockProductActivationKeys [0x806135BE]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwLockRegistryKey [0x80623FC0]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwLockVirtualMemory [0x805B6952]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwMakePermanentObject [0x805BE2D6]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwMakeTemporaryObject [0x805BC5D4]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwMapUserPhysicalPages [0x805B5416]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwMapUserPhysicalPagesScatter [0x805B5966]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwMapViewOfSection [0x805B203A]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwNotifyChangeDirectoryFile [0x80579EEE]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwNotifyChangeKey [0x806262DE]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwNotifyChangeMultipleKeys [0x80624F12]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwOpenDirectoryObject [0x805BE5B2]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwOpenEvent [0x8060F04E]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwOpenEventPair [0x8061737E]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwOpenFile [0x8057A1A6]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwOpenIoCompletion [0x80578B5E]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwOpenJobObject [0x805D578C]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwOpenKey [0x806254CE]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwOpenMutant [0x80617776]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwOpenObjectAuditAlarm [0x805F4D4C]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwOpenProcessToken [0x805EE054]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwOpenProcessTokenEx [0x805EDCB8]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwOpenSection [0x805AA3EC]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwOpenSemaphore [0x80615148]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwOpenSymbolicLinkObject [0x805C3BE0]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwOpenThread [0x805CB6CC]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwOpenThreadToken [0x805EE072]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwOpenThreadTokenEx [0x805EDE28]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwOpenTimer [0x80617090]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwPlugPlayControl [0x80645D22]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwPowerInformation [0x805C94F2]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwPrivilegeCheck [0x805F8438]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwPrivilegeObjectAuditAlarm [0x805F405E]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwPrivilegedServiceAuditAlarm [0x805F424A]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwProtectVirtualMemory [0x805B841E]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwPulseEvent [0x8060F106]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryAttributesFile [0x80576EFA]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryDebugFilterState [0x8053FC16]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryDefaultLocale [0x80610CF8]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryDefaultUILanguage [0x80611958]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryDirectoryFile [0x80579E88]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryDirectoryObject [0x805BE652]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryEaFile [0x8057A1D6]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryEvent [0x8060F1CE]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryFullAttributesFile [0x8057704E]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryInformationAtom [0x806161CC]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryInformationFile [0x8057AA42]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryInformationJobObject [0x805D5C5E]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryInformationPort [0x805A53E4]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryInformationProcess [0x805CCF94]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryInformationThread [0x805CBBC2]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryInformationToken [0x805EE152]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryInstallUILanguage [0x806110F6]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryIntervalProfile [0x80617F40]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryIoCompletion [0x80578C06]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryKey [0x80625810]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryMultipleValueKey [0x8062323E]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryMutant [0x8061781E]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryObject [0x805C52CC]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryOpenSubKeys [0x806238EA]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryPerformanceCounter [0x80617FCE]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryQuotaInformationFile [0x8057B824]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQuerySection [0x805B85E0]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQuerySecurityObject [0x805C009A]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQuerySemaphore [0x80615200]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQuerySymbolicLinkObject [0x805C3C80]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQuerySystemEnvironmentValue [0x80616A4C]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQuerySystemEnvironmentValueEx [0x80616A06]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQuerySystemInformation [0x806119D8]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQuerySystemTime [0x80613198]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryTimer [0x80617148]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryTimerResolution [0x8061322A]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryValueKey [0x80622314]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryVirtualMemory [0x805B8C6E]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryVolumeInformationFile [0x8057BD0E]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueueApcThread [0x805D1276]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwRaiseException [0x80544F2C]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwRaiseHardError [0x80614E72]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwReadFile [0x8057C4AE]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwReadFileScatter [0x8057CA18]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwReadRequestData [0x805A5E6C]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwReadVirtualMemory [0x805B42C2]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwRegisterThreadTerminatePort [0x805D2798]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwReleaseMutant [0x80617956]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwReleaseSemaphore [0x80615330]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwRemoveIoCompletion [0x80578EFE]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwRemoveProcessDebug [0x80643C00]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwRenameKey [0x80623B12]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwReplaceKey [0x806261C4]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwReplyPort [0x805A54EC]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwReplyWaitReceivePort [0x805A64B4]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwReplyWaitReceivePortEx [0x805A5EBC]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwReplyWaitReplyPort [0x805A57D6]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwRequestDeviceWakeup [0x805C8602]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwRequestPort [0x805A2A4A]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwRequestWaitReplyPort [0x805A2D76]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwRequestWakeupLatency [0x805C8410]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwResetEvent [0x8060F2E0]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwResetWriteWatch [0x80521692]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwRestoreKey [0x80625AD0]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwResumeProcess [0x805D4AD8]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwResumeThread [0x805D49BA]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSaveKey [0x80625BCC]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSaveKeyEx [0x80625CB2]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSaveMergedKeys [0x80625DDA]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSecureConnectPort [0x805A3D64]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetContextThread [0x805D173A]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetDebugFilterState [0x806468B8]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetDefaultHardErrorPort [0x80614D1C]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetDefaultLocale [0x80610E48]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetDefaultUILanguage [0x806116BA]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetEaFile [0x8057A6EA]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetEvent [0x8060F3A0]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetEventBoostPriority [0x8060F46A]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetHighEventPair [0x8061763A]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetHighWaitLowEventPair [0x8061756A]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetInformationDebugObject [0x806435CA]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetInformationFile [0x8057B034]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetInformationJobObject [0x805D696C]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetInformationKey [0x80622E0A]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetInformationObject [0x805C4842]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetInformationProcess [0x805CDE8A]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetInformationThread [0x805CC10E]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetInformationToken [0x805FA7B4]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetIntervalProfile [0x80617AA2]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetIoCompletion [0x80578E9C]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetLdtEntries [0x805D3904]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetLowEventPair [0x806175D6]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetLowWaitHighEventPair [0x806174FE]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetQuotaInformationFile [0x8057B802]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetSecurityObject [0x805C062E]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetSystemEnvironmentValue [0x80616CD0]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetSystemInformation [0x8060FD06]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetSystemPowerState [0x80653E18]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetSystemTime [0x806144A0]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetThreadExecutionState [0x805C8324]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetTimer [0x80538DC0]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetTimerResolution [0x80613972]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetUuidSeed [0x806157E6]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetValueKey [0x80622662]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetVolumeInformationFile [0x8057C118]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwShutdownSystem [0x80612F90]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSignalAndWaitForSingleObject [0x80526788]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwStartProfile [0x80617CEC]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwStopProfile [0x80617E96]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSuspendProcess [0x805D4A82]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSuspendThread [0x805D48F4]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSystemDebugControl [0x806180BA]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwTerminateJobObject [0x805D7500]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwTestAlert [0x805D4C42]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwTraceEvent [0x80535156]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwTranslateFilePath [0x80616A3E]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwUnloadDriver [0x805842F4]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwUnloadKey [0x8062298C]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwUnloadKeyEx [0x80622BAE]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwUnlockFile [0x8057967A]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwUnlockVirtualMemory [0x805B6EE0]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwUnmapViewOfSection [0x805B2E48]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwVdmControl [0x805FBB6C]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwWaitForDebugEvent [0x80643332]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwWaitForMultipleObjects [0x805C07E4]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwWaitForSingleObject [0x805C06FA]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwWaitHighEventPair [0x8061749A]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwWaitLowEventPair [0x80617436]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwWriteFile [0x8057CF16]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwWriteFileGather [0x8057D4FA]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwWriteRequestData [0x805A5E94]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwYieldExecution [0x80504B08]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateKeyedEvent [0x80618512]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwOpenKeyedEvent [0x806185FC]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwReleaseKeyedEvent [0x806186AE]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwWaitForKeyedEvent [0x8061890A]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryPortInformationProcess [0x805CB942]

INT 0x00 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80542200
INT 0x01 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 8054237C
INT 0x03 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80542790
INT 0x04 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80542910
INT 0x05 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80542A70
INT 0x06 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80542BE4
INT 0x07 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 8054325C
INT 0x09 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80543660
INT 0x0A \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80543780
INT 0x0B \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 805438C0
INT 0x0C \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80543B20
INT 0x0D \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80543E0C
INT 0x0E \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80544520
INT 0x0F \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80544858
INT 0x10 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80544978
INT 0x11 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80544AB4
INT 0x12 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80544858
INT 0x13 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80544C1C
INT 0x14 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80544858
INT 0x15 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80544858
INT 0x16 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80544858
INT 0x17 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80544858
INT 0x18 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80544858
INT 0x19 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80544858
INT 0x1A \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80544858
INT 0x1B \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80544858
INT 0x1C \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80544858
INT 0x1D \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80544858
INT 0x1E \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80544858
INT 0x1F \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 806E710C
INT 0x2A \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541A2E
INT 0x2B \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541B30
INT 0x2C \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541CE0
INT 0x2D \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 8054266C
INT 0x2E \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 805414B1
INT 0x2F \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80544858
INT 0x30 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540B70
INT 0x31 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540B7A
INT 0x32 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540B84
INT 0x33 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540B8E
INT 0x34 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540B98
INT 0x35 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540BA2
INT 0x36 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540BAC
INT 0x37 \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 806E6864
INT 0x38 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540BC0
INT 0x39 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540BCA
INT 0x3A \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540BD4
INT 0x3B \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540BDE
INT 0x3C \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540BE8
INT 0x3D \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 806E7E2C
INT 0x3E \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540BFC
INT 0x3F \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540C06
INT 0x40 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540C10
INT 0x41 \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 806E7C88
INT 0x42 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540C24
INT 0x43 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540C2E
INT 0x44 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540C38
INT 0x45 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540C42
INT 0x46 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540C4C
INT 0x47 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540C56
INT 0x48 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540C60
INT 0x49 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540C6A
INT 0x4A \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540C74
INT 0x4B \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540C7E
INT 0x4C \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540C88
INT 0x4D \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540C92
INT 0x4E \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540C9C
INT 0x4F \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540CA6
INT 0x50 \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 806E693C
INT 0x51 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540CBA
INT 0x52 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540CC4
INT 0x53 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540CCE
INT 0x54 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540CD8
INT 0x55 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540CE2
INT 0x56 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540CEC
INT 0x57 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540CF6
INT 0x58 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540D00
INT 0x59 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540D0A
INT 0x5A \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540D14
INT 0x5B \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540D1E
INT 0x5C \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540D28
INT 0x5D \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540D32
INT 0x5E \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540D3C
INT 0x5F \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540D46
INT 0x60 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540D50
INT 0x61 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540D5A
INT 0x62 atapi.sys (IDE/ATAPI Port Driver/Microsoft Corporation) B9F3667E
INT 0x63 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS (Video Port Driver/Microsoft Corporation) B9D04CB8
INT 0x64 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540D78
INT 0x65 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540D82
INT 0x66 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540D8C
INT 0x67 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540D96
INT 0x68 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540DA0
INT 0x69 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540DAA
INT 0x6A \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540DB4
INT 0x6B \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540DBE
INT 0x6C \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540DC8
INT 0x6D \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540DD2
INT 0x6E \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540DDC
INT 0x6F \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540DE6
INT 0x70 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540DF0
INT 0x71 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540DFA
INT 0x72 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540E04
INT 0x73 atapi.sys (IDE/ATAPI Port Driver/Microsoft Corporation) B9F3667E
INT 0x73 atapi.sys (IDE/ATAPI Port Driver/Microsoft Corporation) B9F3667E
INT 0x73 \SystemRoot\System32\DRIVERS\USBPORT.SYS (USB 1.1 & 2.0 Port Driver/Microsoft Corporation) B9CF9E54
INT 0x73 atapi.sys (IDE/ATAPI Port Driver/Microsoft Corporation) B9F3667E
INT 0x74 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540E18
INT 0x75 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540E22
INT 0x76 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540E2C
INT 0x77 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540E36
INT 0x78 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540E40
INT 0x79 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540E4A
INT 0x7A \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540E54
INT 0x7B \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540E5E
INT 0x7C \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540E68
INT 0x7D \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540E72
INT 0x7E \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540E7C
INT 0x7F \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540E86
INT 0x80 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540E90
INT 0x81 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540E9A
INT 0x82 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540EA4
INT 0x83 ohci1394.sys (1394 OpenHCI Port Driver/Microsoft Corporation) BA0BE2F0
INT 0x84 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540EB8
INT 0x85 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540EC2
INT 0x86 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540ECC
INT 0x87 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540ED6
INT 0x88 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540EE0
INT 0x89 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540EEA
INT 0x8A \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540EF4
INT 0x8B \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540EFE
INT 0x8C \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540F08
INT 0x8D \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540F12
INT 0x8E \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540F1C
INT 0x8F \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540F26
INT 0x90 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540F30
INT 0x91 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540F3A
INT 0x92 \SystemRoot\System32\DRIVERS\serial.sys (Serial Device Driver/Microsoft Corporation) BA1889C0
INT 0x93 \SystemRoot\System32\DRIVERS\i8042prt.sys (i8042 Port Driver/Microsoft Corporation) BA198495
INT 0x94 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540F58
INT 0x95 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540F62
INT 0x96 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540F6C
INT 0x97 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540F76
INT 0x98 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540F80
INT 0x99 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540F8A
INT 0x9A \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540F94
INT 0x9B \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540F9E
INT 0x9C \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540FA8
INT 0x9D \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540FB2
INT 0x9E \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540FBC
INT 0x9F \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540FC6
INT 0xA0 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540FD0
INT 0xA1 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540FDA
INT 0xA2 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80540FE4
INT 0xA3 \SystemRoot\System32\DRIVERS\i8042prt.sys (i8042 Port Driver/Microsoft Corporation) BA19FC90
INT 0xA4 \SystemRoot\system32\drivers\portcls.sys (Port Class (Class Driver for Port/Miniport Devices)/Microsoft Corporation) B98CD954
INT 0xA5 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541002
INT 0xA6 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 8054100C
INT 0xA7 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541016
INT 0xA8 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541020
INT 0xA9 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 8054102A
INT 0xAA \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541034
INT 0xAB \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 8054103E
INT 0xAC \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541048
INT 0xAD \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541052
INT 0xAE \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 8054105C
INT 0xAF \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541066
INT 0xB0 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541070
INT 0xB1 ACPI.sys (ACPI Driver for NT/Microsoft Corporation) B9F8431E
INT 0xB2 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541084
INT 0xB3 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 8054108E
INT 0xB4 \SystemRoot\System32\DRIVERS\USBPORT.SYS (USB 1.1 & 2.0 Port Driver/Microsoft Corporation) B9CF9E54
INT 0xB5 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 805410A2
INT 0xB6 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 805410AC
INT 0xB7 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 805410B6
INT 0xB8 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 805410C0
INT 0xB9 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 805410CA
INT 0xBA \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 805410D4
INT 0xBB \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 805410DE
INT 0xBC \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 805410E8
INT 0xBD \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 805410F2
INT 0xBE \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 805410FC
INT 0xBF \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541106
INT 0xC0 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541110
INT 0xC1 \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 806E6AC0
INT 0xC2 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541124
INT 0xC3 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 8054112E
INT 0xC4 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541138
INT 0xC5 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541142
INT 0xC6 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 8054114C
INT 0xC7 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541156
INT 0xC8 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541160
INT 0xC9 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 8054116A
INT 0xCA \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541174
INT 0xCB \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 8054117E
INT 0xCC \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541188
INT 0xCD \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541192
INT 0xCE \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 8054119C
INT 0xCF \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 805411A6
INT 0xD0 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 805411B0
INT 0xD1 \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 806E62A0
INT 0xD2 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 805411C4
INT 0xD3 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 805411CE
INT 0xD4 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 805411D8
INT 0xD5 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 805411E2
INT 0xD6 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 805411EC
INT 0xD7 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 805411F6
INT 0xD8 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541200
INT 0xD9 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 8054120A
INT 0xDA \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541214
INT 0xDB \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 8054121E
INT 0xDC \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541228
INT 0xDD \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541232
INT 0xDE \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 8054123C
INT 0xDF \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541246
INT 0xE0 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541250
INT 0xE1 \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 806E7048
INT 0xE2 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541264
INT 0xE3 \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 806E6DAC
INT 0xE4 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541278
INT 0xE5 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541282
INT 0xE6 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 8054128C
INT 0xE7 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541296
INT 0xE8 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 805412A0
INT 0xE9 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 805412AA
INT 0xEA \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 805412B4
INT 0xEB \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 805412BE
INT 0xEC \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 805412C8
INT 0xED \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 805412D2
INT 0xEE \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 805412D9
INT 0xEF \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 805412E0
INT 0xF0 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 805412E7
INT 0xF1 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 805412EE
INT 0xF2 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 805412F5
INT 0xF3 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 805412FC
INT 0xF4 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541303
INT 0xF5 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 8054130A
INT 0xF6 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541311
INT 0xF7 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541318
INT 0xF8 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 8054131F
INT 0xF9 \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541326
INT 0xFA \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 8054132D
INT 0xFB \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541334
INT 0xFC \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 8054133B
INT 0xFD \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 806E75A8
INT 0xFE \WINDOWS\system32\hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 806E7748
INT 0xFF \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) 80541350

SYSENTER \WINDOWS\system32\ntkrnlpa.exe 80541580

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2DCC 80504668 4 Bytes [C0, A6, D4, A8]
.text ntkrnlpa.exe!ZwCallbackReturn + 2FE8 80504884 8 Bytes [70, A7, D4, A8, 10, A8, D4, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 3038 805048D4 4 Bytes [B0, A8, D4, A8] {MOV AL, 0xa8; AAM 0xa8}
.text ntkrnlpa.exe!KeReleaseInStackQueuedSpinLockFromDpcLevel + C72 8054177A 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 2BE 80545CEE 18 Bytes [E0, 25, 7F, FF, FF, FF, 0F, ...]
.text ntkrnlpa.exe!KiDispatchInterrupt + 2D6 80545D06 1 Byte [00]
.text ntkrnlpa.exe!RtlPrefetchMemoryNonTemporal 805466F4 1 Byte [90]
.text hal.dll!HalBeginSystemInterrupt + 998 806E8900 7 Bytes [D4, 03, A0, 3A, 80, E3, 11] {AAM 0x3; MOV AL, [0x11e3803a]}
.text hal.dll!HalBeginSystemInterrupt + 9A0 806E8908 10 Bytes [D4, 03, 68, 33, 02, E3, 20, ...]
.text hal.dll!HalBeginSystemInterrupt + 9AB 806E8913 11 Bytes [F0, 5E, 0A, 6C, 09, 22, 09, ...]
.text hal.dll!HalBeginSystemInterrupt + 9B8 806E8920 4 Bytes [C0, 03, 88, 24]
.text hal.dll!HalBeginSystemInterrupt + 9BD 806E8925 1 Byte [C0]
.text ...
C:\Program Files\CyberLink\PowerDVD8\000.fcl entry point in "" section [0xA826941C]
.clc C:\Program Files\CyberLink\PowerDVD8\000.fcl unknown last code section [0xA826A000, 0x1000, 0xE0000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Cobian Backup 10\cbVSCService.exe[176] CobStringList.dll 00DE3D12 1 Byte [40]
CODE C:\WINDOWS\explorer.exe[1908] C:\PROGRA~1\EAST-T~1\eteshell.dll entry point in "CODE" section [0x01415E04]
? C:\WINDOWS\TEMP\slnlce\setup.exe[3964] time/date stamp mismatch; unknown module: DNSAPI.dll
UPX1 C:\WINDOWS\TEMP\slnlce\setup.exe[3964] C:\WINDOWS\TEMP\slnlce\setup.exe entry point in "UPX1" section [0x00412B20]
UPX1 C:\Documents and Settings\&e\Desktop\gmer.exe[4080] C:\Documents and Settings\&e\Desktop\gmer.exe entry point in "UPX1" section [0x004B8360]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device \FileSystem\Ntfs \Ntfs ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \FileSystem\Ntfs \Ntfs ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

Device \FileSystem\Fastfat \FatCdrom Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
Device \FileSystem\Fastfat \FatCdrom ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \FileSystem\Fastfat \FatCdrom ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \FileSystem\Mup \Dfs Mup.sys (Multiple UNC Provider driver/Microsoft Corporation)
Device \FileSystem\InCDfs \InCDFsDisk InCDFs.sys (InCD File System Driver/Nero AG)
Device \FileSystem\InCDfs \InCDFsDisk ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Driver\KSecDD \Device\KsecDD KSecDD.sys (Kernel Security Support Provider Interface/Microsoft Corporation)
Device \Driver\KSecDD \Device\KsecDD ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Driver\NDIS \Device\Ndis NDIS.sys (NDIS 5.1 wrapper driver/Microsoft Corporation)
Device \Device\00000019
Device \Device\00000025
Device \Device\00000032
Device \Device\{8F1EDD3B-BE7C-4755-9B64-435D5050D01A}
Device \Driver\Beep \Device\Beep Beep.SYS (BEEP Driver/Microsoft Corporation)
Device \Driver\Beep \Device\Beep ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Device\00000026
Device \Device\00000033
Device \FileSystem\NetBIOS \Device\Netbios netbios.sys (NetBIOS interface driver/Microsoft Corporation)
Device \FileSystem\NetBIOS \Device\Netbios ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Driver\Tcpip \Device\Ip tcpip.sys (TCP/IP Protocol Driver/Microsoft Corporation)
Device \Driver\PnpManager \Device\00000040 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Driver\PnpManager \Device\00000040 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Device\00000027
Device \Driver\TermDD \Device\RDP_CONSOLE0 termdd.sys (Terminal Server Driver/Microsoft Corporation)
Device \Device\00000034
Device \Driver\swenum \Device\KSENUM#00000001 swenum.sys (Plug and Play Software Device Enumerator/Microsoft Corporation)
Device \Driver\swenum \Device\KSENUM#00000001 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Driver\swenum \Device\KSENUM#00000002 swenum.sys (Plug and Play Software Device Enumerator/Microsoft Corporation)
Device \Driver\swenum \Device\KSENUM#00000002 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Driver\Kbdclass \Device\KeyboardClass0 kbdclass.sys (Keyboard Class Driver/Microsoft Corporation)
Device \Driver\Kbdclass \Device\KeyboardClass0 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Device\00000028
Device \Device\00000041
Device \Driver\TermDD \Device\RDP_CONSOLE1 termdd.sys (Terminal Server Driver/Microsoft Corporation)
Device \Driver\PnpManager \Device\00000035 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Driver\PnpManager \Device\00000035 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Device\Video0
Device \Driver\Fips \Device\Fips Fips.SYS (FIPS Crypto Driver/Microsoft Corporation)
Device \Driver\Fips \Device\Fips ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Driver\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} \Device\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} 000.fcl (FCL Driver/Cyberlink Corp.)
Device \Driver\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} \Device\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054} ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Driver\Kbdclass \Device\KeyboardClass1 kbdclass.sys (Keyboard Class Driver/Microsoft Corporation)
Device \Driver\Kbdclass \Device\KeyboardClass1 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Device\00000029
Device \Device\00000042
Device \Driver\PnpManager \Device\00000036 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Driver\PnpManager \Device\00000036 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Device\Video1
Device \Driver\NDProxy \Device\NDProxy NDProxy.SYS (NDIS Proxy/Microsoft Corporation)
Device \Driver\NDProxy \Device\NDProxy ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Device\0000000a
Device \Driver\ACPI \Device\00000050 ACPI.sys (ACPI Driver for NT/Microsoft Corporation)
Device \Driver\Mouclass \Device\PointerClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
Device \Driver\Mouclass \Device\PointerClass0 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Driver\PnpManager \Device\00000037 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Driver\PnpManager \Device\00000037 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Driver\Serial \Device\Serial0 serial.sys (Serial Device Driver/Microsoft Corporation)
Device \Driver\Serial \Device\Serial0 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Device\KeyboardClass2
Device \Device\Video2
Device \Device\0000000b
Device \Driver\ACPI_HAL \Device\00000044 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\00000044 hal.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\ACPI \Device\00000051 ACPI.sys (ACPI Driver for NT/Microsoft Corporation)
Device \Driver\Mouclass \Device\PointerClass1 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
Device \Driver\Mouclass \Device\PointerClass1 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Device\Processor
Device \Driver\Avgfwdx \Device\Avgfwfd NDIS.sys (NDIS 5.1 wrapper driver/Microsoft Corporation)
Device \Driver\PnpManager \Device\00000038 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Driver\PnpManager \Device\00000038 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Device\Video3
Device \Driver\usbuhci \Device\USBPDO-0 USBPORT.SYS (USB 1.1 & 2.0 Port Driver/Microsoft Corporation)
Device \Driver\usbuhci \Device\USBPDO-0 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Driver\NIC1394 \Device\{84477E75-463A-4E67-A6FD-A4727777EE47} NDIS.sys (NDIS 5.1 wrapper driver/Microsoft Corporation)
Device \Driver\WMIxWDM \Device\WMIDataDevice ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Driver\WMIxWDM \Device\WMIDataDevice ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Driver\Avgldx86 \Device\AvgAviLdrDev avgldx86.sys (AVG AVI Loader Driver/AVG Technologies CZ, s.r.o.)
Device \Driver\Avgldx86 \Device\AvgAviLdrDev ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Device\0000000c
Device \Device\00000039
Device \FileSystem\RAW \Device\RawTape ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \FileSystem\RAW \Device\RawTape ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Driver\ACPI \Device\00000052 ACPI.sys (ACPI Driver for NT/Microsoft Corporation)
Device \Device\00000045
Device \Driver\usbuhci \Device\USBPDO-1 USBPORT.SYS (USB 1.1 & 2.0 Port Driver/Microsoft Corporation)
Device \Driver\usbuhci \Device\USBPDO-1 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Device\FloppyPDO0
Device \Device\0000000d
Device \Device\0000001a
Device \Device\NTPNP_PCI0000
Device \Driver\ACPI \Device\00000053 ACPI.sys (ACPI Driver for NT/Microsoft Corporation)
Device \Device\00000046
Device \FileSystem\MRxDAV \Device\WebDavRedirector mrxdav.sys (Windows NT WebDav Minirdr/Microsoft Corporation)
Device \FileSystem\MRxDAV \Device\WebDavRedirector ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \FileSystem\Avgrkx86 \Device\AvgAntiRootkit avgrkx86.sys (AVG Anti-Rootkit Driver/AVG Technologies CZ, s.r.o.)
Device \FileSystem\Avgrkx86 \Device\AvgAntiRootkit ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Driver\usbuhci \Device\USBPDO-2 USBPORT.SYS (USB 1.1 & 2.0 Port Driver/Microsoft Corporation)
Device \Driver\usbuhci \Device\USBPDO-2 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Device\0000000e
Device \Device\0000001b
Device \Driver\ACPI \Device\00000047 ACPI.sys (ACPI Driver for NT/Microsoft Corporation)
Device \Driver\ACPI \Device\00000054 ACPI.sys (ACPI Driver for NT/Microsoft Corporation)
Device \Device\00000060
Device \Device\Usbscan0
Device \Driver\PCI \Device\NTPNP_PCI0001 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Driver\PCI \Device\NTPNP_PCI0001 pci.sys (NT Plug and Play PCI Enumerator/Microsoft Corporation)
Device \Driver\usbuhci \Device\USBPDO-3 USBPORT.SYS (USB 1.1 & 2.0 Port Driver/Microsoft Corporation)
Device \Driver\usbuhci \Device\USBPDO-3 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Driver\RasAcd \Device\RasAcd rasacd.sys (RAS Automatic Connection Driver/Microsoft Corporation)
Device \Driver\RasAcd \Device\RasAcd ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Device\0000000f
Device \Device\0000001c
Device \Device\00000048
Device \Device\00000055
Device \Driver\ACPI \Device\00000061 ACPI.sys (ACPI Driver for NT/Microsoft Corporation)
Device \Driver\GEARAspiWDM \Device\GEARAspiWDMDevice GEARAspiWDM.sys (CD DVD Filter/GEAR Software Inc.)
Device \Driver\PCI \Device\NTPNP_PCI0002 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Driver\PCI \Device\NTPNP_PCI0002 pci.sys (NT Plug and Play PCI Enumerator/Microsoft Corporation)
Device \Driver\PSched \Device\PSched NDIS.sys (NDIS 5.1 wrapper driver/Microsoft Corporation)
Device \Driver\IpNat \Device\IPNAT ipnat.sys (IP Network Address Translator/Microsoft Corporation)
Device \Driver\IpNat \Device\IPNAT ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Driver\usbehci \Device\USBPDO-4 USBPORT.SYS (USB 1.1 & 2.0 Port Driver/Microsoft Corporation)
Device \Driver\usbehci \Device\USBPDO-4 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Driver\Tcpip \Device\Tcp tcpip.sys (TCP/IP Protocol Driver/Microsoft Corporation)
Device \Device\0000001d
Device \Device\00000049
Device \Device\NTPNP_PCI0010
Device \Device\00000056
Device \Device\{03F3582A-BEB7-4E6F-B215-FE9976EFAB54}
Device \Driver\PCI \Device\NTPNP_PCI0003 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Driver\PCI \Device\NTPNP_PCI0003 pci.sys (NT Plug and Play PCI Enumerator/Microsoft Corporation)
Device \Driver\ACPI \Device\00000062 ACPI.sys (ACPI Driver for NT/Microsoft Corporation)
Device \Device\{434E6237-1597-4B00-A15A-188A8D020AFA}
Device \Driver\Parport \Device\ParallelPort0 parport.sys (Parallel Port Driver/Microsoft Corporation)
Device \Driver\Parport \Device\ParallelPort0 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Driver\ParVdm \Device\ParallelVdm0 ParVdm.SYS (VDM Parallel Driver/Microsoft Corporation)
Device \Driver\ParVdm \Device\ParallelVdm0 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Driver\usbhub \Device\USBPDO-5 usbhub.sys (Default Hub Driver for USB/Microsoft Corporation)
Device \Driver\usbhub \Device\USBPDO-5 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Driver\InCDPass \Device\INCD_PSEUDO_DEVICE InCDPass.sys (Ahead RW Filter Driver/Nero AG)
Device \Device\0000001e
Device \Device\0000002a
Device \Device\NTPNP_PCI0011
Device \Device\00000057
Device \Device\00000070
Device \Device\{8DB32FB6-DE27-4F6F-941B-B8086A354323}
Device \Driver\PCI \Device\NTPNP_PCI0004 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Driver\PCI \Device\NTPNP_PCI0004 pci.sys (NT Plug and Play PCI Enumerator/Microsoft Corporation)
Device \Driver\ACPI \Device\00000063 ACPI.sys (ACPI Driver for NT/Microsoft Corporation)
Device \Driver\Avgfwdx \Device\{0374F12E-DDB9-4E44-9E9F-1F5AF5602E8D} NDIS.sys (NDIS 5.1 wrapper driver/Microsoft Corporation)
Device \Driver\usbhub \Device\USBPDO-6 usbhub.sys (Default Hub Driver for USB/Microsoft Corporation)
Device \Driver\usbhub \Device\USBPDO-6 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Driver\Ftdisk \Device\HarddiskVolume1 ftdisk.sys (FT Disk Driver/Microsoft Corporation)
Device \Driver\Ftdisk \Device\HarddiskVolume1 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Device\0000001f
Device \Device\0000002b
Device \Device\NTPNP_PCI0012
Device \Device\00000058
Device \Driver\usbhub \Device\00000071 usbhub.sys (Default Hub Driver for USB/Microsoft Corporation)
Device \Driver\usbhub \Device\00000071 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Driver\PCI \Device\NTPNP_PCI0005 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \Driver\PCI \Device\NTPNP_PCI0005 pci.sys (NT Plug and Play PCI Enumerator/Microsoft Corporation)
Device \Driver\ACPI \Device\00000064 ACPI.sys (ACPI Driver for NT/Microsoft Corporation)
Device \Device\Http\Filter
Device \Device\Http\AppPool
Device \Device\Http\Control
Device \Driver\usbhub \Device\USBPDO-7 usbhub.sys (Default Hub Driver for USB/Microsoft Corporation)
Device \Driver\usbhub \Device\USBPDO-7 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
Device \FileSystem\Avgmfx86 \Device\Avg7Rs avgmfx86.sys (AVG Resident Shield Minifilter Driver/AVG Technologies CZ, s.r.o.)
Device \FileSystem\Avgmfx86 \Device\Avg7Rs ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)


Here is the MBAM LOG (if this helps):

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.22.01

Windows XP Service Pack 3 x86 FAT32
Internet Explorer 8.0.6001.18702
&e :: XPC [administrator]

23/02/2012 09:22:59
mbam-log-2012-02-23 (11-26-15).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 403178
Time elapsed: 2 hour(s), 2 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Shell (Backdoor.Agent.Gen) -> Data: C:\Documents and Settings\&e\Local Settings\Application Data\ce56d436\X -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 12
C:\Documents and Settings\&e\Desktop\Xara6 download\patch\Patch.exe (PUP.RiskwareTool.CK) -> No action taken.
C:\Documents and Settings\&e\Local Settings\Application Data\ce56d436\X (Rootkit.0Access) -> No action taken.
C:\Documents and Settings\&e\Local Settings\Application Data\ce56d436\U\00000001.@_1329933313.arl (Backdoor.0Access) -> No action taken.
C:\Documents and Settings\&e\Local Settings\Application Data\ce56d436\U\000000c0.@_1329933313.arl (Trojan.Agent) -> No action taken.
C:\Documents and Settings\&e\Local Settings\Application Data\ce56d436\U\000000cb.@_1329933313.arl (Trojan.Agent) -> No action taken.
C:\Documents and Settings\&e\Local Settings\Application Data\ce56d436\U\000000cf.@_1329933313.arl (Trojan.Agent) -> No action taken.
C:\Documents and Settings\&e\Local Settings\Application Data\ce56d436\U\800000c0.@_1329933313.arl (Rootkit.0Access) -> No action taken.
C:\Documents and Settings\&e\My Documents\Downloads\MediaMonkey\CORE10k.EXE (Dont.Steal.Our.Software) -> No action taken.
C:\Documents and Settings\&e\My Documents\Downloads\MediaMonkey\Setup Folder\CORE10k.EXE (Dont.Steal.Our.Software) -> No action taken.
C:\Documents and Settings\&e\My Documents\Downloads\MediaMonkey\Setup Folder\keygen.exe (Trojan.Dropper.PGen) -> No action taken.
C:\Documents and Settings\E\MY DOCUMENTS\DOWNLOADS\TUNEUP MEDIA V1.1.9 (ITUNES PLUGIN)\TUNEUPMEDIA_FIX.EXE (HackTool.GamesCheat.Gen) -> No action taken.
C:\Documents and Settings\E\MY DOCUMENTS\DOWNLOADS\TUNEUP MEDIA V1.1.9 (ITUNES PLUGIN)\TUNEUP MEDIA V1.1.9 (ITUNES PLUGIN)\TUNEUPMEDIA_FIX.EXE (HackTool.GamesCheat.Gen) -> No action taken.

(end)
I hope I haven't missed anything out!

Attached Files



BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:02 AM

Posted 28 February 2012 - 12:51 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


The first thing I would like you to do is run this for me - http://download.bleepingcomputer.com/grinler/unhide.exe after it is complete restart the computer and continue with these steps


Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in

    %TEMP%\smtmp\*.* /s

  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and the that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTListIt.txt in your next reply.


information and logs:

  • In your next post I need the following

  • .logs from OTL
  • let me know of any problems you may have had

Gringo

Edited by gringo_pr, 28 February 2012 - 12:52 AM.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 van der Linde

van der Linde
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:09:02 AM

Posted 28 February 2012 - 05:49 AM

Hi, Gringo!
Thank you for taking me through this process. Am looking forward to the journey..........
Here is the OTL Log you requested. Oh, and by the way, I came across no problems while following the steps laid out in your reply to me :)


OTL LOG REPORT:


OTL logfile created on: 28/02/2012 10:35:56 - Run 1
OTL by OldTimer - Version 3.2.33.2 Folder = C:\Documents and Settings\&e\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1.49 Gb Total Physical Memory | 0.81 Gb Available Physical Memory | 54.52% Memory free
2.08 Gb Paging File | 1.54 Gb Available in Paging File | 73.92% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 152.66 Gb Total Space | 23.38 Gb Free Space | 15.32% Space Free | Partition Type: NTFS

Computer Name: XPC | User Name: &e | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\&e\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe (Garmin)
PRC - C:\Program Files\Plusnet Assist\btbb\PlusnetHelpNotifier.exe (Alcatel-Lucent)
PRC - C:\Program Files\Secunia\PSI\psia.exe (Secunia)
PRC - C:\Program Files\Secunia\PSI\sua.exe (Secunia)
PRC - C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)
PRC - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSMonitor.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG10\avgfws.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG10\avgemcx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\NTP\bin\ntpd.exe ()
PRC - C:\Program Files\AVG\AVG10\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG10\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG10\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG10\avgchsvx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG10\avgam.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Cobian Backup 10\cbVSCService.exe (CobianSoft, Luis Cobian)
PRC - C:\Program Files\NETGEAR\WNA3100\WifiSvc.exe ()
PRC - C:\Program Files\NETGEAR\WNA3100\WNA3100.exe ()
PRC - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)
PRC - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe (Nero AG)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Shuttle\XPC Tools\XPCTools.exe (Shuttle Inc.)
PRC - C:\Program Files\RocketDock\RocketDock.exe ()
PRC - C:\Program Files\EPSON\ESM2\eEBSvc.exe (SEIKO EPSON CORPORATION)
PRC - C:\Program Files\EPSON\ESM2\eEBAgent.exe (SEIKO EPSON CORPORATION)


========== Modules (No Company Name) ==========

MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\11dcb806c92f55111f5fa9f1a90e3bdd\System.ServiceProcess.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Core\0a6d6717e76be12295711ff02c7aa1d4\System.Core.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\9e3803cd2a11f056291862e306a8e2b2\System.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Xml.Linq\95417c8454d37af7aeccb002b0ae2de6\System.Xml.Linq.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Xaml\4e7e9b07db31551c887d5c80552e3885\System.Xaml.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\PresentationFramewo#\8a2a9287a39972a655346abcb1453fc9\PresentationFramework.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Xml\fd4bcc08668bb561ba59e57a30de6bcf\System.Xml.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\PresentationFramewo#\46346f2c0efd589a524f42d57d17938c\PresentationFramework.Luna.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Security\6391cea31e8d8c3e41a7bd7c4e85e630\System.Security.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\PresentationCore\980130114bd7169de0d4f68bbc6d8559\PresentationCore.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\ae33325d95b86d18adfe3b2b76deb55e\System.Windows.Forms.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Core\06f187eb8b9da275bdf8c146b8a9dfb6\System.Core.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Drawing\2f6d092e53fd5fe14e5a2e6ba7055cef\System.Drawing.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\WindowsBase\d99143e827c2bc46871c85a04a0a3313\WindowsBase.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System\2f52fc9cf3baf5181d1897788d9678f4\System.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\ca87ba84221991839abbe7d4bc9c6721\mscorlib.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\mscorlib\f3b6f64941ee3b90d6abb16e415ceb3b\mscorlib.ni.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - C:\Program Files\NETGEAR\WNA3100\WifiSvc.exe ()
MOD - C:\Program Files\NETGEAR\WNA3100\WNA3100.exe ()
MOD - C:\Program Files\NETGEAR\WNA3100\WifiLib.dll ()
MOD - C:\Program Files\WinRAR\RarExt.dll ()
MOD - C:\Program Files\NETGEAR\WNA3100\WifiSvcLib.dll ()
MOD - C:\Program Files\RocketDock\RocketDock.exe ()
MOD - C:\Program Files\RocketDock\RocketDock.dll ()
MOD - C:\Program Files\Shuttle\XPC Tools\UsbHidDll.dll ()


========== Win32 Services (SafeList) ==========

SRV - (NeroRegInCDSrv) -- File not found
SRV - (MTDVC2_ENUM) -- File not found
SRV - (lanmanserver) -- File not found
SRV - (L6POD) -- File not found
SRV - (HidServ) -- File not found
SRV - (helpsvc) -- File not found
SRV - (FastUserSwitchingCompatibility) -- File not found
SRV - (ati2mpaa) -- File not found
SRV - (AresChatServer) -- File not found
SRV - (AppMgmt) -- File not found
SRV - (Secunia PSI Agent) -- C:\Program Files\Secunia\PSI\PSIA.exe (Secunia)
SRV - (Secunia Update Agent) -- C:\Program Files\Secunia\PSI\sua.exe (Secunia)
SRV - (AVGIDSAgent) -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe (AVG Technologies CZ, s.r.o.)
SRV - (avgfws) -- C:\Program Files\AVG\AVG10\avgfws.exe (AVG Technologies CZ, s.r.o.)
SRV - (NTP) -- C:\Program Files\NTP\bin\ntpd.exe ()
SRV - (AVG Security Toolbar Service) -- C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe ()
SRV - (avgwd) -- C:\Program Files\AVG\AVG10\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (cbVSCService) -- C:\Program Files\Cobian Backup 10\cbVSCService.exe (CobianSoft, Luis Cobian)
SRV - (WSWNA3100) -- C:\Program Files\NETGEAR\WNA3100\WifiSvc.exe ()
SRV - (PSI_SVC_2) -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)
SRV - (InCDsrv) -- C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe (Nero AG)
SRV - (EpsonBidirectionalService) -- C:\Program Files\EPSON\ESM2\eEBSvc.exe (SEIKO EPSON CORPORATION)
SRV - (EpsonBidirectionalAgent) -- C:\Program Files\EPSON\ESM2\eEBAgent.exe (SEIKO EPSON CORPORATION)


========== Driver Services (SafeList) ==========

DRV - (mbamchameleon) -- C:\WINDOWS\system32\drivers\mbamchameleon.sys ()
DRV - (MREMP50) -- C:\Program Files\Common Files\Motive\MREMP50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (MRESP50) -- C:\Program Files\Common Files\Motive\MRESP50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (AVGIDSEH) -- C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys (AVG Technologies CZ, s.r.o. )
DRV - (Avgmfx86) -- C:\WINDOWS\system32\drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgldx86) -- C:\WINDOWS\system32\drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgrkx86) -- C:\WINDOWS\system32\DRIVERS\avgrkx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (PSI) -- C:\WINDOWS\system32\drivers\psi_mf.sys (Secunia)
DRV - (AVGIDSFilter) -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys (AVG Technologies CZ, s.r.o. )
DRV - (AVGIDSDriver) -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys (AVG Technologies CZ, s.r.o. )
DRV - (AVGIDSShim) -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys (AVG Technologies CZ, s.r.o. )
DRV - (Avgfwfd) -- C:\WINDOWS\system32\drivers\avgfwdx.sys (AVG Technologies CZ, s.r.o.)
DRV - (Avgfwdx) -- C:\WINDOWS\system32\drivers\avgfwdx.sys (AVG Technologies CZ, s.r.o.)
DRV - (NPF) -- C:\WINDOWS\system32\drivers\npf.sys (CACE Technologies, Inc.)
DRV - (BCMH43XX) -- C:\WINDOWS\system32\drivers\bcmwlhigh5.sys (Broadcom Corporation)
DRV - ({FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}) -- C:\Program Files\CyberLink\PowerDVD8\000.fcl (Cyberlink Corp.)
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\alcxwdm.sys (Realtek Semiconductor Corp.)
DRV - (incdrm) -- C:\WINDOWS\system32\drivers\InCDRm.sys (Nero AG)
DRV - (InCDfs) -- C:\WINDOWS\system32\drivers\InCDfs.sys (Nero AG)
DRV - (InCDPass) -- C:\WINDOWS\system32\drivers\InCDPass.sys (Nero AG)
DRV - (XPCDriver) -- C:\WINDOWS\system32\drivers\XPCDriver.sys ()
DRV - (BT4501G) -- C:\WINDOWS\system32\drivers\BT4501G.sys (THOMSON Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.foxtab.com/?s=0&chnl=dcom&cd=2XzutBtN2Y1L1QzutDtDtCtB0B0FtDzztBzytCtB0C0CtB0EyEtN0D0TzutBtDtCtCtDzztDyD&cr=200228697


IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-839522115-616249376-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-839522115-616249376-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKU\S-1-5-21-839522115-616249376-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-839522115-616249376-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://portal.plus.net
IE - HKU\S-1-5-21-839522115-616249376-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-839522115-616249376-682003330-1004\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-839522115-616249376-682003330-1004\..\URLSearchHook: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuz2.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-839522115-616249376-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-839522115-616249376-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-21-839522115-616249376-682003330-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Foxtab Web Search"
FF - prefs.js..browser.search.defaultthis.engineName: "Google Powered Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "chrome://foxtab/content/homepage.html"
FF - prefs.js..extensions.enabledItems: en-GB@dictionaries.addons.mozilla.org:1.19.1
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.6.2
FF - prefs.js..extensions.enabledItems: {22119944-ED35-4ab1-910B-E619EA06A115}:7.3.2
FF - prefs.js..extensions.enabledItems: smarterwiki@wikiatic.com:4.3.7
FF - prefs.js..extensions.enabledItems: {ba14329e-9550-4989-b3f2-9732e92d17cc}:3.5.0.12
FF - prefs.js..extensions.enabledItems: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E}:2.9.3.1
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:10.0.0.1167
FF - prefs.js..extensions.enabledItems: avg@igeared:6.010.023.001
FF - prefs.js..extensions.enabledItems: engine@conduit.com:3.3.3.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
FF - prefs.js..extensions.enabledItems: {ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}:1.4.3
FF - prefs.js..extensions.enabledItems: {e2c58150-9d72-11dd-ad8b-0800200c9a66}:1.3.1
FF - prefs.js..extensions.enabledItems: {07b2a769-ed19-4483-87ce-c643914c81b1}:2.2
FF - prefs.js..extensions.enabledItems: {07b2a769-ed19-4483-87ce-c643914c81bb}:3.0.0.91
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&q="
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@garmin.com/GpsControl: C:\Program Files\Garmin GPS Plugin\npGarmin.dll (GARMIN Corp.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa2,version=2.0.0: C:\Program Files\Picasa2\npPicasa2.dll File not found
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/VirtualEarth3D,version=3.0: C:\Program Files\Virtual Earth 3D\ [2011/07/09 18:13:02 | 000,000,000 | ---D | M]
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files\Common Files\Motive\npMotive.dll (Motive, Inc.)
FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG10\Firefox\ [2010/11/24 08:34:52 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\avg@igeared: C:\Program Files\AVG\AVG10\Toolbar\Firefox\avg@igeared [2010/12/13 13:21:21 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\Program Files\Siber Systems\AI RoboForm\Firefox [2011/10/11 08:32:18 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/02/17 17:55:36 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/01/21 11:13:51 | 000,000,000 | ---D | M]

[2009/10/26 11:46:31 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\&e\Application Data\Mozilla\Extensions
[2012/02/20 06:50:43 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\&e\Application Data\Mozilla\Firefox\Profiles\kzpgqgbd.default\extensions
[2010/04/11 10:27:26 | 000,000,000 | ---D | M] (Vista on XP) -- C:\Documents and Settings\&e\Application Data\Mozilla\Firefox\Profiles\kzpgqgbd.default\extensions\{07b2a769-ed19-4483-87ce-c643914c81b1}
[2010/06/13 10:08:03 | 000,000,000 | ---D | M] (Vista-aero) -- C:\Documents and Settings\&e\Application Data\Mozilla\Firefox\Profiles\kzpgqgbd.default\extensions\{07b2a769-ed19-4483-87ce-c643914c81bb}
[2012/02/12 10:20:30 | 000,000,000 | ---D | M] (Garmin Communicator) -- C:\Documents and Settings\&e\Application Data\Mozilla\Firefox\Profiles\kzpgqgbd.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
[2010/05/13 10:26:05 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\&e\Application Data\Mozilla\Firefox\Profiles\kzpgqgbd.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/01/11 09:29:55 | 000,000,000 | ---D | M] (Vuze Remote Community Toolbar) -- C:\Documents and Settings\&e\Application Data\Mozilla\Firefox\Profiles\kzpgqgbd.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}
[2009/11/28 11:08:30 | 000,000,000 | ---D | M] (Black Steel) -- C:\Documents and Settings\&e\Application Data\Mozilla\Firefox\Profiles\kzpgqgbd.default\extensions\{e2c58150-9d72-11dd-ad8b-0800200c9a66}
[2010/12/23 18:58:54 | 000,000,000 | ---D | M] (British English Dictionary) -- C:\Documents and Settings\&e\Application Data\Mozilla\Firefox\Profiles\kzpgqgbd.default\extensions\en-GB@dictionaries.addons.mozilla.org
[2011/03/30 13:49:16 | 000,000,000 | ---D | M] (Conduit Engine) -- C:\Documents and Settings\&e\Application Data\Mozilla\Firefox\Profiles\kzpgqgbd.default\extensions\engine@conduit.com
[2011/03/17 10:18:38 | 000,000,000 | ---D | M] (Personas) -- C:\Documents and Settings\&e\Application Data\Mozilla\Firefox\Profiles\kzpgqgbd.default\extensions\personas@christopher.beard
[2010/06/13 10:08:03 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\&e\Application Data\Mozilla\Firefox\Profiles\kzpgqgbd.default\extensions\{07b2a769-ed19-4483-87ce-c643914c81bb}\chrome\mozapps\extensions
[2010/07/07 07:47:59 | 000,000,903 | ---- | M] () -- C:\Documents and Settings\&e\Application Data\Mozilla\Firefox\Profiles\kzpgqgbd.default\searchplugins\conduit.xml
[2011/08/05 07:48:46 | 000,005,423 | ---- | M] () -- C:\Documents and Settings\&e\Application Data\Mozilla\Firefox\Profiles\kzpgqgbd.default\searchplugins\Foxtab Web Search.xml
[2012/02/07 09:30:07 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
() (No name found) -- C:\DOCUMENTS AND SETTINGS\&E\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\KZPGQGBD.DEFAULT\EXTENSIONS\{EF4E370E-D9F0-4E00-B93E-A4F274CFDD5A}.XPI
[2012/02/17 17:55:35 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/10/03 04:06:04 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2012/01/29 14:08:59 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2012/01/29 13:50:55 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/01/29 14:08:59 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2012/01/29 14:08:59 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2012/01/29 14:08:59 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

========== Chrome ==========

CHR - default_search_provider: Google ()
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\10.0.648.134\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files\Mozilla Firefox 3.6 Beta 5\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files\Mozilla Firefox 3.6 Beta 5\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files\Mozilla Firefox 3.6 Beta 5\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files\Mozilla Firefox 3.6 Beta 5\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files\Mozilla Firefox 3.6 Beta 5\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files\Mozilla Firefox 3.6 Beta 5\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.6.8 (Enabled) = C:\Program Files\Mozilla Firefox 3.6 Beta 5\plugins\npqtplugin7.dll
CHR - plugin: Java Deployment Toolkit 6.0.190.4 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeploytk.dll
CHR - plugin: Java™ Platform SE 6 U19 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Java Deployment Toolkit 6.0.170.4 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.60129.0\npctrl.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\10.0.648.134\pdf.dll
CHR - plugin: Google Gears 0.5.33.0 (Enabled) = C:\Program Files\Google\Chrome\Application\10.0.648.134\gears.dll
CHR - plugin: Embed-style Roboform Adapter for GoogleChrome/Opera/etc. (Enabled) = C:\Program Files\Siber Systems\AI RoboForm\Chrome\plugin/nprobo1.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Garmin Communicator Plug-In (Enabled) = C:\Program Files\Garmin GPS Plugin\npGarmin.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Google Updater (Enabled) = C:\Program Files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
CHR - plugin: Picasa (Enabled) = C:\Program Files\Picasa2\npPicasa2.dll
CHR - plugin: Picasa (Enabled) = C:\Program Files\Picasa2\npPicasa3.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: Entanglement = C:\Documents and Settings\&e\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd\2.1.1_0\
CHR - Extension: Poppit = C:\Documents and Settings\&e\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi\2.2_0\

Hosts file not found
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Reg Error: Value error.) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O2 - BHO: (Easy Photo Print) - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll (SEIKO EPSON CORPORATION / CyCom Technology Corp.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O2 - BHO: (Vuze Remote Toolbar) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuz2.dll (Conduit Ltd.)
O2 - BHO: (EpsonToolBandKicker Class) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKLM\..\Toolbar: (Easy Photo Print) - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll (SEIKO EPSON CORPORATION / CyCom Technology Corp.)
O3 - HKLM\..\Toolbar: (Vuze Remote Toolbar) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuz2.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (EPSON Web-To-Page) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
O3 - HKU\S-1-5-21-839522115-616249376-682003330-1004\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKU\S-1-5-21-839522115-616249376-682003330-1004\..\Toolbar\WebBrowser: (Vuze Remote Toolbar) - {BA14329E-9550-4989-B3F2-9732E92D17CC} - C:\Program Files\Vuze_Remote\prxtbVuz2.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-839522115-616249376-682003330-1004\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O3 - HKU\S-1-5-21-839522115-616249376-682003330-1004\..\Toolbar\WebBrowser: (EPSON Web-To-Page) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [btbb_McciTrayApp] C:\Program Files\Plusnet Assist\btbb\PlusnetHelpNotifier.exe (Alcatel-Lucent)
O4 - HKLM..\Run: [Garmin Lifetime Updater] C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe (Garmin)
O4 - HKLM..\Run: [UpdatePDRShortCut] C:\Program Files\CyberLink\PowerDirector10\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [XPC Tools] C:\Program Files\Shuttle\XPC Tools\XPCTools.exe (Shuttle Inc.)
O4 - HKU\S-1-5-21-839522115-616249376-682003330-1004..\Run: [Garmin Lifetime Updater] C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe (Garmin)
O4 - HKU\S-1-5-21-839522115-616249376-682003330-1004..\Run: [RocketDock] C:\Program Files\RocketDock\RocketDock.exe ()
O4 - HKU\S-1-5-21-839522115-616249376-682003330-1006..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (Nero AG)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WNA3100 Smart Wizard.lnk = C:\Program Files\NETGEAR\WNA3100\WNA3100.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk = C:\Program Files\Secunia\PSI\psi_tray.exe (Secunia)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableStatusMessages = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: VerboseStatus = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-839522115-616249376-682003330-1004\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-839522115-616249376-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-21-839522115-616249376-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O7 - HKU\S-1-5-21-839522115-616249376-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoUserNameInStartMenu = 0
O7 - HKU\S-1-5-21-839522115-616249376-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: GreyMSIAds = 0
O7 - HKU\S-1-5-21-839522115-616249376-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCABattery = 1
O7 - HKU\S-1-5-21-839522115-616249376-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 1
O7 - HKU\S-1-5-21-839522115-616249376-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoInternetOpenWith = 1
O7 - HKU\S-1-5-21-839522115-616249376-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0
O7 - HKU\S-1-5-21-839522115-616249376-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogOff = 0
O7 - HKU\S-1-5-21-839522115-616249376-682003330-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O7 - HKU\S-1-5-21-839522115-616249376-682003330-1006\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-839522115-616249376-682003330-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Customize Menu - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html ()
O8 - Extra context menu item: Fill Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O8 - Extra context menu item: RoboForm Toolbar - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O8 - Extra context menu item: Save Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra 'Tools' menuitem : RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229338491140 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229338476937 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7BA3361B-35D5-48BD-AD03-0DD83E985549}: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{BE8F367D-16B1-4D5A-B9CE-766C67D80601}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKU\S-1-5-21-839522115-616249376-682003330-1004 Winlogon: Shell - (C:\Documents and Settings\&e\Local Settings\Application Data\ce56d436\X) - File not found
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\&e\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\&e\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/10/29 19:24:50 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/02/28 10:24:30 | 000,583,680 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\&e\Desktop\OTL.exe
[2012/02/23 11:48:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\&e\Local Settings\Application Data\Safe mirror
[2012/02/23 11:48:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Cobian Backup 10
[2012/02/23 11:47:23 | 000,000,000 | ---D | C] -- C:\Program Files\Cobian Backup 10
[2012/02/22 12:39:56 | 000,000,000 | R--D | C] -- C:\Documents and Settings\&e\Recent
[2012/02/21 18:01:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2012/02/21 17:59:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2012/02/21 17:49:56 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\&e\Local Settings\Application Data\ce56d436
[2012/02/21 10:10:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2012/02/21 10:09:06 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/02/28 10:44:01 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/02/28 10:44:01 | 000,000,874 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/02/28 10:42:05 | 000,000,182 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2012/02/28 10:22:56 | 000,000,313 | ---- | M] () -- C:\Documents and Settings\&e\BiosStr.ini
[2012/02/28 10:21:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2012/02/28 10:21:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2012/02/28 10:19:20 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/02/28 10:07:34 | 000,583,680 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\&e\Desktop\OTL.exe
[2012/02/28 10:03:00 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2012/02/28 09:46:40 | 058,282,065 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2012/02/28 09:39:16 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{642B556B-CFE3-44B5-993D-242930F74871}.job
[2012/02/28 09:35:13 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/02/25 13:21:03 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At28.job
[2012/02/25 13:21:03 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At27.job
[2012/02/25 12:21:07 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At26.job
[2012/02/25 12:21:06 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At25.job
[2012/02/25 11:21:04 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
[2012/02/25 11:21:04 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2012/02/25 09:21:02 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2012/02/25 09:21:01 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2012/02/25 08:21:01 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2012/02/25 08:21:01 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2012/02/25 08:15:31 | 000,622,194 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\iavifw.avm
[2012/02/25 07:21:01 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2012/02/25 07:21:01 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2012/02/25 06:21:01 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2012/02/25 06:21:01 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2012/02/25 05:21:02 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2012/02/25 05:21:02 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2012/02/25 04:21:01 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2012/02/25 04:21:01 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2012/02/25 03:21:02 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2012/02/25 03:21:02 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2012/02/25 02:21:01 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
[2012/02/25 02:21:01 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2012/02/25 01:21:02 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2012/02/25 01:21:02 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2012/02/25 00:21:01 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2012/02/25 00:21:01 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2012/02/24 22:21:01 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At46.job
[2012/02/24 22:21:01 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At45.job
[2012/02/24 21:21:01 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At44.job
[2012/02/24 21:21:01 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At43.job
[2012/02/24 20:21:01 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At42.job
[2012/02/24 20:21:01 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At41.job
[2012/02/24 19:21:01 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At40.job
[2012/02/24 19:21:01 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At39.job
[2012/02/24 18:21:02 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At38.job
[2012/02/24 18:21:02 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At37.job
[2012/02/24 10:04:10 | 000,294,216 | ---- | M] () -- C:\Documents and Settings\&e\Desktop\gmer.zip
[2012/02/24 10:00:46 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\&e\defogger_reenable
[2012/02/23 14:21:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At30.job
[2012/02/23 14:21:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At29.job
[2012/02/22 15:21:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At32.job
[2012/02/22 15:21:00 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At31.job
[2012/02/22 15:16:00 | 000,000,234 | ---- | M] () -- C:\WINDOWS\tasks\Epson Printer Software Downloader.job
[2012/02/22 10:28:03 | 000,000,152 | ---- | M] () -- C:\WINDOWS\Smile-Pps2Jpg.ini
[2012/02/22 09:59:56 | 000,000,000 | -HS- | M] () -- C:\WINDOWS\System32\dds_trash_log.cmd
[2012/02/22 07:49:37 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At36.job
[2012/02/22 07:49:37 | 000,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At34.job
[2012/02/22 07:49:37 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At35.job
[2012/02/22 07:49:37 | 000,000,348 | ---- | M] () -- C:\WINDOWS\tasks\At33.job
[2012/02/21 13:33:59 | 000,001,723 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Garmin Lifetime Updater.lnk
[2012/02/21 10:10:50 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2012/02/21 09:51:48 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/02/20 14:24:53 | 000,044,544 | ---- | M] () -- C:\Documents and Settings\&e\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/02/20 06:35:01 | 001,493,781 | ---- | M] () -- C:\Documents and Settings\&e\My Documents\0038GardenPressSignage.pdf
[2012/02/16 17:50:53 | 000,456,994 | ---- | M] () -- C:\Documents and Settings\&e\Desktop\Exhibition Stands 3X2 Booth Setup Page 3.jpg
[2012/02/16 17:50:34 | 000,520,406 | ---- | M] () -- C:\Documents and Settings\&e\Desktop\Exhibition Stands 3X2 Booth Setup Page 2.jpg
[2012/02/16 17:50:10 | 000,554,352 | ---- | M] () -- C:\Documents and Settings\&e\Desktop\Exhibition Stands 3X2 Booth Setup Page 1.jpg
[2012/02/16 17:44:54 | 000,358,584 | ---- | M] () -- C:\Documents and Settings\&e\Desktop\Exhibition Stands Back Wall.jpg
[2012/02/16 13:03:19 | 001,257,232 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/02/16 12:22:38 | 000,502,678 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/02/16 12:22:38 | 000,086,762 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/02/13 16:15:27 | 001,484,008 | ---- | M] () -- C:\Documents and Settings\&e\My Documents\0037GardenPressBuild.pdf
[2012/02/13 15:47:05 | 001,484,269 | ---- | M] () -- C:\Documents and Settings\&e\My Documents\0036GardenPressBuildUp.pdf
[2012/02/13 15:22:37 | 001,483,849 | ---- | M] () -- C:\Documents and Settings\&e\My Documents\0035GardenPressBuildUp.pdf
[2012/02/13 12:07:52 | 001,483,758 | ---- | M] () -- C:\Documents and Settings\&e\My Documents\0034PeckingMillAccommodation.pdf
[2012/02/13 11:58:58 | 001,484,169 | ---- | M] () -- C:\Documents and Settings\&e\My Documents\0033XmasIdealHome.pdf
[2012/02/07 16:16:34 | 000,024,064 | ---- | M] () -- C:\WINDOWS\System32\drivers\mbamchameleon.sys
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/02/24 10:20:08 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\&e\Desktop\gmer.exe
[2012/02/24 10:04:08 | 000,294,216 | ---- | C] () -- C:\Documents and Settings\&e\Desktop\gmer.zip
[2012/02/24 10:00:46 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\&e\defogger_reenable
[2012/02/22 07:49:37 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At46.job
[2012/02/22 07:49:36 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At44.job
[2012/02/22 07:49:36 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At42.job
[2012/02/22 07:49:36 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At45.job
[2012/02/22 07:49:36 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At43.job
[2012/02/22 07:49:35 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At40.job
[2012/02/22 07:49:35 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At38.job
[2012/02/22 07:49:35 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At36.job
[2012/02/22 07:49:35 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At34.job
[2012/02/22 07:49:35 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At32.job
[2012/02/22 07:49:35 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At41.job
[2012/02/22 07:49:35 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At39.job
[2012/02/22 07:49:35 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At37.job
[2012/02/22 07:49:35 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At35.job
[2012/02/22 07:49:35 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At33.job
[2012/02/22 07:49:34 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At30.job
[2012/02/22 07:49:34 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At28.job
[2012/02/22 07:49:34 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At26.job
[2012/02/22 07:49:34 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At31.job
[2012/02/22 07:49:34 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At29.job
[2012/02/22 07:49:34 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At27.job
[2012/02/22 07:49:33 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At24.job
[2012/02/22 07:49:33 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At22.job
[2012/02/22 07:49:33 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At20.job
[2012/02/22 07:49:33 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At25.job
[2012/02/22 07:49:33 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At23.job
[2012/02/22 07:49:33 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At21.job
[2012/02/22 07:49:33 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At19.job
[2012/02/22 07:49:32 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At18.job
[2012/02/22 07:49:32 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At16.job
[2012/02/22 07:49:32 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At17.job
[2012/02/22 07:49:32 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At15.job
[2012/02/22 07:49:31 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At14.job
[2012/02/22 07:49:31 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At13.job
[2012/02/22 07:49:30 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At12.job
[2012/02/22 07:49:30 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At10.job
[2012/02/22 07:49:30 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At11.job
[2012/02/22 07:49:29 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At8.job
[2012/02/22 07:49:29 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At6.job
[2012/02/22 07:49:29 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At9.job
[2012/02/22 07:49:29 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At7.job
[2012/02/22 07:49:29 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At5.job
[2012/02/22 07:49:28 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At4.job
[2012/02/22 07:49:28 | 000,000,350 | ---- | C] () -- C:\WINDOWS\tasks\At2.job
[2012/02/22 07:49:28 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At3.job
[2012/02/22 07:49:27 | 000,000,348 | ---- | C] () -- C:\WINDOWS\tasks\At1.job
[2012/02/21 17:47:44 | 000,000,000 | -HS- | C] () -- C:\WINDOWS\System32\dds_trash_log.cmd
[2012/02/21 13:33:59 | 000,001,723 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Garmin Lifetime Updater.lnk
[2012/02/21 10:10:50 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2012/02/16 17:50:46 | 000,456,994 | ---- | C] () -- C:\Documents and Settings\&e\Desktop\Exhibition Stands 3X2 Booth Setup Page 3.jpg
[2012/02/16 17:50:27 | 000,520,406 | ---- | C] () -- C:\Documents and Settings\&e\Desktop\Exhibition Stands 3X2 Booth Setup Page 2.jpg
[2012/02/16 17:50:04 | 000,554,352 | ---- | C] () -- C:\Documents and Settings\&e\Desktop\Exhibition Stands 3X2 Booth Setup Page 1.jpg
[2012/02/16 17:44:53 | 000,358,584 | ---- | C] () -- C:\Documents and Settings\&e\Desktop\Exhibition Stands Back Wall.jpg
[2012/02/16 09:51:01 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/02/16 09:51:01 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
[2012/02/13 16:57:07 | 001,493,781 | ---- | C] () -- C:\Documents and Settings\&e\My Documents\0038GardenPressSignage.pdf
[2012/02/13 16:12:30 | 001,484,008 | ---- | C] () -- C:\Documents and Settings\&e\My Documents\0037GardenPressBuild.pdf
[2012/02/13 15:47:01 | 001,484,269 | ---- | C] () -- C:\Documents and Settings\&e\My Documents\0036GardenPressBuildUp.pdf
[2012/02/13 15:22:33 | 001,483,849 | ---- | C] () -- C:\Documents and Settings\&e\My Documents\0035GardenPressBuildUp.pdf
[2012/02/13 12:07:48 | 001,483,758 | ---- | C] () -- C:\Documents and Settings\&e\My Documents\0034PeckingMillAccommodation.pdf
[2012/02/13 11:58:54 | 001,484,169 | ---- | C] () -- C:\Documents and Settings\&e\My Documents\0033XmasIdealHome.pdf
[2012/02/07 16:04:21 | 000,024,064 | ---- | C] () -- C:\WINDOWS\System32\drivers\mbamchameleon.sys
[2012/02/07 09:03:50 | 000,004,987 | ---- | C] () -- C:\Documents and Settings\&e\Desktop\Layout 60 Stands @ 3x2m Ref MCAL.pdf
[2011/12/16 18:31:24 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2011/11/26 13:00:49 | 000,001,153 | ---- | C] () -- C:\WINDOWS\CDPlayer.ini
[2011/10/20 12:04:28 | 001,864,992 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/11/24 15:52:11 | 000,802,686 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-839522115-616249376-682003330-1004-0.dat
[2010/11/24 15:52:09 | 000,802,686 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2010/06/08 06:59:51 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\&e\Local Settings\Application Data\prvlcl.dat
[2010/05/16 14:04:26 | 000,111,932 | ---- | C] () -- C:\WINDOWS\System32\EPPICPrinterDB.dat
[2010/05/16 14:04:26 | 000,031,053 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern131.dat
[2010/05/16 14:04:26 | 000,027,417 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern121.dat
[2010/05/16 14:04:26 | 000,026,154 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern1.dat
[2010/05/16 14:04:26 | 000,024,903 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern3.dat
[2010/05/16 14:04:26 | 000,021,390 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern5.dat
[2010/05/16 14:04:26 | 000,020,148 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern2.dat
[2010/05/16 14:04:26 | 000,011,811 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern4.dat
[2010/05/16 14:04:26 | 000,004,943 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern6.dat
[2010/05/16 14:04:26 | 000,001,146 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_DU.dat
[2010/05/16 14:04:26 | 000,001,139 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_PT.dat
[2010/05/16 14:04:26 | 000,001,139 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_BP.dat
[2010/05/16 14:04:26 | 000,001,136 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_ES.dat
[2010/05/16 14:04:26 | 000,001,129 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_FR.dat
[2010/05/16 14:04:26 | 000,001,129 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_CF.dat
[2010/05/16 14:04:26 | 000,001,120 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_IT.dat
[2010/05/16 14:04:26 | 000,001,107 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_GE.dat
[2010/05/16 14:04:26 | 000,001,104 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_EN.dat
[2010/05/16 14:04:26 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini

========== Custom Scans ==========


< %TEMP%\smtmp\*.*/s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\Temp:0B4227B4

< End of report >

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:02 AM

Posted 28 February 2012 - 07:39 AM

Hello

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 van der Linde

van der Linde
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:09:02 AM

Posted 28 February 2012 - 12:15 PM

Hi!
I followed the steps you gave. These are the problems I encountered:-

Combofix told me that my AVG was still running, although it was not as I followed the instructions on how to temporarily turn off AVG while running this programme.
Ran Combofix three times before it found that the AVG was not running.
Combofix said it found a bad threat. Something to do with not allowing the internet to be connected and was particularly difficult. Had 'zero' in the name title.......should have written it down, shouldn't I!!!
Once it completed I collected the log for you.
My PC still took a long time to start each time Combofix rebooted the system.
As of yet I have not checked any further as to how it is running now that Combofix is completed.


Here is the Combofix log report:-




ComboFix 12-02-27.02 - &e 28/02/2012 16:54:32.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1527.677 [GMT 0:00]
Running from: c:\documents and settings\&e\Desktop\ComboFix.exe
AV: AVG Internet Security 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Enabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Thumbs.db
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2012-01-28 to 2012-02-28 )))))))))))))))))))))))))))))))
.
.
2012-02-28 15:12 . 2012-02-28 15:12 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-02-23 11:48 . 2012-02-23 11:48 -------- d-----w- c:\documents and settings\&e\Local Settings\Application Data\Safe mirror
2012-02-23 11:47 . 2012-02-23 11:48 -------- d-----w- c:\program files\Cobian Backup 10
2012-02-21 17:49 . 2012-02-27 08:58 -------- d-sh--w- c:\documents and settings\&e\Local Settings\Application Data\ce56d436
2012-02-21 17:47 . 2012-02-22 09:59 0 --sh--w- c:\windows\system32\dds_trash_log.cmd
2012-02-21 10:09 . 2012-02-21 10:09 -------- d-----w- c:\program files\iPod
2012-02-16 13:04 . 2012-02-16 13:04 -------- d-sh--w- c:\documents and settings\ntp accurate clock\IETldCache
2012-02-16 09:51 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-16 09:51 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-07 16:04 . 2012-02-07 16:16 24064 ------w- c:\windows\system32\drivers\mbamchameleon.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-21 09:51 . 2011-05-24 14:39 414368 ------w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-12 16:53 . 2002-08-29 12:00 1859968 ------w- c:\windows\system32\win32k.sys
2012-01-12 00:19 . 2012-01-12 00:19 4448256 ------w- c:\windows\system32\GPhotos.scr
2011-12-17 19:46 . 2002-08-29 12:00 916992 ------w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2002-08-29 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2002-08-29 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2004-08-04 05:59 385024 ------w- c:\windows\system32\html.iec
2011-12-10 15:24 . 2010-01-23 10:03 20464 ------w- c:\windows\system32\drivers\mbam.sys
2012-02-17 17:55 . 2011-09-27 15:50 134104 ------w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\prxtbVuz2.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-10-25 09:01 2475336 ------w- c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
2011-05-09 09:49 176936 ------w- c:\program files\Vuze_Remote\prxtbVuz2.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\prxtbVuz2.dll" [2011-05-09 176936]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2010-10-25 2475336]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2010-10-25 2475336]
"{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "c:\program files\Vuze_Remote\prxtbVuz2.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-02 39408]
"Garmin Lifetime Updater"="c:\program files\Garmin\Lifetime Updater\GarminLifetime.exe" [2012-01-06 1446760]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XPC Tools"="c:\program files\Shuttle\XPC Tools\XPCTools.exe" [2007-11-21 5042249]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2010-10-22 2745696]
"btbb_McciTrayApp"="c:\program files\Plusnet Assist\btbb\PlusnetHelpNotifier.exe" [2011-09-07 1841664]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"Garmin Lifetime Updater"="c:\program files\Garmin\Lifetime Updater\GarminLifetime.exe" [2012-01-06 1446760]
"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector10\MUITransfer\MUIStartMenu.exe" [2010-09-17 222504]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WNA3100 Smart Wizard.lnk - c:\program files\NETGEAR\WNA3100\WNA3100.exe [2011-12-16 4577760]
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-4-19 291896]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"GreyMSIAds"= 0 (0x0)
"HideSCABattery"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpeedTouch 121g Wireless USB Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpeedTouch 121g Wireless USB Monitor.lnk
backup=c:\windows\pss\SpeedTouch 121g Wireless USB Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 13:10 843712 ------w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
2009-04-07 08:13 673616 ------w- c:\progra~1\Epson Software\Event Manager\EEventManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON SX510W Series]
2008-11-20 06:00 199680 ------w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIFIE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IncrediMail]
2011-08-22 16:18 366024 ------w- c:\program files\IncrediMail\bin\IncMail.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-01-16 17:22 421736 ------w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 14:28 421888 ------w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 12:06 254696 ------w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-11-02 09:43 39408 ------w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-18 20:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"HotKeysCmds"=c:\windows\system32\hkcmd.exe
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
"InCD"=c:\program files\Nero\Nero 7\InCD\InCD.exe
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe"
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe"
"BDRegion"=c:\program files\Cyberlink\Shared Files\brs.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"IgfxTray"=c:\windows\system32\igfxtray.exe
"SoundMan"=SOUNDMAN.EXE
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"EPSON Stylus C84 Series"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"PRISMSVR.EXE"="c:\program files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\PRISMSVR.EXE" /APPLY
"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "c:\program files\CyberLink\PowerDirector" UpdateWithCreateOnce "Software\CyberLink\PowerDirector\9.0"
"Beoplayertray"=e:\new programmes\Beotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Windows Defender\\MSASCui.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Plusnet Assist\\btbb\\PlusnetHelpBrowser.exe"=
"c:\\Program Files\\Plusnet Assist\\btbb\\PlusnetHelpNotifier.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"8078:TCP"= 8078:TCP:*:Disabled:eMule Port TCP
"6700:TCP"= 6700:TCP:*:Disabled:eMule Port UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [13/09/2010 15:27 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [07/09/2010 02:48 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [07/09/2010 02:48 249424]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [07/10/2008 20:31 61424]
R2 avgfws;AVG Firewall;c:\program files\AVG\AVG10\avgfws.exe [09/11/2010 22:22 3229728]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [22/10/2010 04:58 265400]
R2 BulkUsb;USB Scanner;c:\windows\system32\drivers\usbscan.sys [06/05/2009 08:42 15104]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\Cobian Backup 10\cbVSCService.exe [23/02/2012 11:47 67584]
R2 NTP;Network Time Protocol Daemon;c:\program files\NTP\bin\ntpd.exe -U 3 -M -g -c "c:\program files\NTP\etc\ntp.conf" --> c:\program files\NTP\bin\ntpd.exe -U 3 -M -g -c c:\program files\NTP\etc\ntp.conf [?]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [19/04/2011 06:44 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [19/04/2011 06:44 399416]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [12/07/2010 04:33 30432]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [19/08/2010 20:42 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [19/08/2010 20:42 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [19/08/2010 20:42 26192]
R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [16/12/2011 18:31 642432]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys --> c:\windows\system32\DRIVERS\avgtdix.sys [?]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [10/11/2010 19:08 6127184]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [28/11/2009 11:54 135664]
S2 NeroRegInCDSrv;Nero Registry InCD Service; [x]
S2 WSWNA3100;WSWNA3100;c:\program files\NETGEAR\WNA3100\WifiSvc.exe [16/12/2011 18:33 285152]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [28/10/2010 09:08 517448]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [12/07/2010 04:33 30432]
S3 BT4501G;SpeedTouch 121g Wireless USB Adapter Driver;c:\windows\system32\drivers\BT4501G.sys [05/10/2011 08:17 380128]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [28/11/2009 11:54 135664]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [07/02/2012 16:04 24064]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [28/02/2012 15:12 40776]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [01/09/2010 08:30 15544]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - XPCDriver
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
L6POD
ati2mpaa
MTDVC2_ENUM
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:57]
.
2012-02-28 c:\windows\Tasks\Defraggler Volume C Task.job
- c:\program files\Defraggler\df.exe [2010-07-30 19:18]
.
2012-02-28 c:\windows\Tasks\Epson Printer Software Downloader.job
- c:\program files\EPSON\EPAPDL\E_SAPDL2.EXE [2009-05-26 10:43]
.
2012-02-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-02 08:25]
.
2012-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-28 11:54]
.
2012-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-28 11:54]
.
2012-02-28 c:\windows\Tasks\User_Feed_Synchronization-{642B556B-CFE3-44B5-993D-242930F74871}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://portal.plus.net
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://search.foxtab.com/?s=0&chnl=dcom&cd=2XzutBtN2Y1L1QzutDtDtCtB0B0FtDzztBzytCtB0C0CtB0EyEtN0D0TzutBtDtCtCtDzztDyD&cr=200228697
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
TCP: DhcpNameServer = 192.168.1.254
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\&e\Application Data\Mozilla\Firefox\Profiles\kzpgqgbd.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - chrome://foxtab/content/homepage.html
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-28 17:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
XPC Tools = c:\program files\Shuttle\XPC Tools\XPCTools.exe RunOnStart?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
Completion time: 2012-02-28 17:07:06
ComboFix-quarantined-files.txt 2012-02-28 17:07
ComboFix2.txt 2012-02-28 16:46
.
Pre-Run: 25,266,618,368 bytes free
Post-Run: 25,247,866,880 bytes free
.
- - End Of File - - D377F5652C16372489BACA532CCE1286

That's all I have to report at present until I hear back from you.
Regards.

Edited by van der Linde, 28 February 2012 - 12:18 PM.


#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:02 AM

Posted 28 February 2012 - 07:29 PM

Hello

Run this custom script and when it is complete I need to know how the computer is doing

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Posted Image textbox. Do not include the word Code
    :OTL
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa2,version=2.0.0: C:\Program Files\Picasa2\npPicasa2.dll File not found
    O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
    O20 - HKU\S-1-5-21-839522115-616249376-682003330-1004 Winlogon: Shell - (C:\Documents and Settings\&e\Local Settings\Application Data\ce56d436\X) - File not found
    FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&SearchSource=3&q={searchTerms}"
    FF - prefs.js..extensions.enabledItems: engine@conduit.com:3.3.3.2
    FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&q="
    [2011/03/30 13:49:16 | 000,000,000 | ---D | M] (Conduit Engine) -- C:\Documents and Settings\&e\Application Data\Mozilla\Firefox\Profiles\kzpgqgbd.default\extensions\engine@conduit.com
    [2010/07/07 07:47:59 | 000,000,903 | ---- | M] () -- C:\Documents and Settings\&e\Application Data\Mozilla\Firefox\Profiles\kzpgqgbd.default\searchplugins\conduit.xml
    O2 - BHO: (Vuze Remote Toolbar) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuz2.dll (Conduit Ltd.)
    O3 - HKLM\..\Toolbar: (Vuze Remote Toolbar) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\prxtbVuz2.dll (Conduit Ltd.)
    O3 - HKU\S-1-5-21-839522115-616249376-682003330-1004\..\Toolbar\WebBrowser: (Vuze Remote Toolbar) - {BA14329E-9550-4989-B3F2-9732E92D17CC} - C:\Program Files\Vuze_Remote\prxtbVuz2.dll (Conduit Ltd.)
    [2012/02/22 09:59:56 | 000,000,000 | -HS- | M] () -- C:\WINDOWS\System32\dds_trash_log.cmd
    :Files
    ipconfig /flushdns /c
    C:\windows\tasks\At*.job
    :Commands
    [PURITY]
    [EMPTYTEMP]
    [emptyjava]
    [EMPTYFLASH]
    [RESETHOSTS]
    
  • Then click the Run Fix button at the top.
  • Click Posted Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot.Copy and Paste that report in your next reply.

Let me know How things are doing

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 van der Linde

van der Linde
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:09:02 AM

Posted 29 February 2012 - 02:16 AM

Hi.
Started PC. Took ages to load up but did so without any internet connection via my wireless adaptor.
Ran OTL programme and pasted the above coding into the box by using my USB stick to transfer this from my laptop.
Programme ran then said it needed to reboot, so I clicked the OK button.
Started the process of shutting but got to the 'Windows is shutting down screen.....' and has been sat there for 5minutes now!
What do I do?
Regards
van der Linde


#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:02 AM

Posted 29 February 2012 - 09:44 AM

Hello

from the task manager stop OTL and come back and let me know if all is ok


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 van der Linde

van der Linde
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:09:02 AM

Posted 29 February 2012 - 11:15 AM

Hi.
I had to manually reboot the PC as I could not get access to the Task Manager while the screen sat on 'Windows is closing down.......'.
On reboot, the PC still quite some time to start. Again, no internet connection but at least there was a log report from the OTL programme that you asked me to perform in the previous post.And here it is......



All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@Apple.com/iTunes,version=\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@google.com/npPicasa2,version=2.0.0\ deleted successfully.
File Animation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab not found.
Starting removal of ActiveX control DirectAnimation Java Classes
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\DirectAnimation Java Classes\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\DirectAnimation Java Classes\ not found.
File oft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab not found.
Starting removal of ActiveX control Microsoft XML Parser for Java
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Microsoft XML Parser for Java\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Microsoft XML Parser for Java\ not found.
Registry value HKEY_USERS\S-1-5-21-839522115-616249376-682003330-1004\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell not found.
Prefs.js: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&SearchSource=3&q={searchTerms}" removed from browser.search.defaulturl
Prefs.js: engine@conduit.com:3.3.3.2 removed from extensions.enabledItems
Prefs.js: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&q=" removed from keyword.URL
C:\Documents and Settings\&e\Application Data\Mozilla\Firefox\Profiles\kzpgqgbd.default\extensions\engine@conduit.com\searchplugin folder moved successfully.
C:\Documents and Settings\&e\Application Data\Mozilla\Firefox\Profiles\kzpgqgbd.default\extensions\engine@conduit.com\META-INF folder moved successfully.
C:\Documents and Settings\&e\Application Data\Mozilla\Firefox\Profiles\kzpgqgbd.default\extensions\engine@conduit.com\lib folder moved successfully.
C:\Documents and Settings\&e\Application Data\Mozilla\Firefox\Profiles\kzpgqgbd.default\extensions\engine@conduit.com\DualPackage folder moved successfully.
C:\Documents and Settings\&e\Application Data\Mozilla\Firefox\Profiles\kzpgqgbd.default\extensions\engine@conduit.com\defaults folder moved successfully.
C:\Documents and Settings\&e\Application Data\Mozilla\Firefox\Profiles\kzpgqgbd.default\extensions\engine@conduit.com\components folder moved successfully.
C:\Documents and Settings\&e\Application Data\Mozilla\Firefox\Profiles\kzpgqgbd.default\extensions\engine@conduit.com\chrome folder moved successfully.
C:\Documents and Settings\&e\Application Data\Mozilla\Firefox\Profiles\kzpgqgbd.default\extensions\engine@conduit.com folder moved successfully.
C:\Documents and Settings\&e\Application Data\Mozilla\Firefox\Profiles\kzpgqgbd.default\searchplugins\conduit.xml moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ba14329e-9550-4989-b3f2-9732e92d17cc}\ deleted successfully.
C:\Program Files\Vuze_Remote\prxtbVuz2.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{ba14329e-9550-4989-b3f2-9732e92d17cc} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ba14329e-9550-4989-b3f2-9732e92d17cc}\ not found.
File C:\Program Files\Vuze_Remote\prxtbVuz2.dll not found.
Registry value HKEY_USERS\S-1-5-21-839522115-616249376-682003330-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{BA14329E-9550-4989-B3F2-9732E92D17CC} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BA14329E-9550-4989-B3F2-9732E92D17CC}\ not found.
File C:\Program Files\Vuze_Remote\prxtbVuz2.dll not found.
C:\WINDOWS\system32\dds_trash_log.cmd moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\&e\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\&e\Desktop\cmd.txt deleted successfully.
File\Folder C:\windows\tasks\At*.job not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: &e
->Temp folder emptied: 2757 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 48571518 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 578 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: E

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1654918 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 870 bytes

User: ntp accurate clock
->Temp folder emptied: 552 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 56475 bytes

%systemdrive% .tmp files removed: 107344800 bytes
%systemroot% .tmp files removed: 1385640 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33728 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 152.00 mb


[EMPTYJAVA]

User: &e
->Java cache emptied: 0 bytes

User: All Users

User: Default User

User: E

User: LocalService

User: NetworkService

User: ntp accurate clock

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: &e
->Flash cache emptied: 0 bytes

User: All Users

User: Default User

User: E

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

User: ntp accurate clock
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.33.2 log created on 02292012_071912

Files\Folders moved on Reboot...
C:\Documents and Settings\&e\Local Settings\Temp\WCESLog.log moved successfully.
C:\Documents and Settings\ntp accurate clock\Local Settings\Temp\ntpda02248 moved successfully.

Registry entries deleted on Reboot...


I see you will not be able to reply to this until, maybe, the 4th March due to your work committments.I, too, will not be available from 4th March through to 8th March. I will be patient...........
Best regards,
van der Linde


#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:02 AM

Posted 29 February 2012 - 11:41 AM

Hello

Lets check your internet connection

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure all the boxes are checked
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 van der Linde

van der Linde
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:09:02 AM

Posted 29 February 2012 - 12:36 PM

Here is the FFS text report.............

Farbar Service Scanner Version: 22-02-2012
Ran by &e (administrator) on 29-02-2012 at 17:45:05
Running from "C:\Documents and Settings\&e\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Avgfwfd(19) Avgtdix(18) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x2100000005000000010000000200000003000000040000000B0000001300000012000000060000000700000008000000090000000A0000000C0000000D0000000E0000000F00000010000000110000001400000015000000160000001700000018000000190000001A0000001B0000001C0000001D0000001E0000001F0000002000000021000000


**** End of log ****

Regards,
van der Linde


#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:02 AM

Posted 29 February 2012 - 12:38 PM

Hello

here is what I want you to try next

1. Locate the file - C:\Windows\inf\Nettcpip.inf
  • It's important that you first make a copy of the file. Place the copy on your Desktop.
  • Once you have done that, use Notepad open the original file for editing.

Posted Image

2. Locate the [MS_TCPIP.PrimaryInstall] section.

3. Edit the Characteristics = 0xa0 entry and replace 0xa0 with 0×80.

Posted Image

4. Save the file, and then exit Notepad.

Posted Image

5. In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.

Posted Image Posted Image

6. On the General tab, click Install, select Protocol, and then click Add.

Posted Image

7. In the Select Network Protocols window, click Have Disk.

Posted Image

8. In the Copy manufacturer’s files from: text box, type c:\windows\inf, and then click OK.

Posted Image

9. Select Internet Protocol (TCP/IP), and then click OK.

Posted Image

Note This step will return you to the Local Area Connection Properties screen, but now the Uninstall button is available.

10. Select Internet Protocol (TCP/IP), click Uninstall, and then click Yes.

11. It is important that you restart the computer to complete the uninstall.

------------

Step #2 - Reinstall of TCP/IP

Posted Image

Take the nettcpip.inf which you have earlier copied to Desktop. Move it back to the directory C:\Windows\INF\ overwriting the existing copy. The file shall now look exactly like the sample above.

Redo sub-steps 4-11 to re-install TCP/IP
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 van der Linde

van der Linde
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:09:02 AM

Posted 29 February 2012 - 02:06 PM

Hi.
Followed all steps but still have no connection.
Can I ask, where it says in STEP 5 (to go into control panel and click on Network Connections), when I do this there is no LOCAL AREA CONNECTION. There are two available: One is for my WIRELESS NETWORK (which is a Netgear WNA1300) and the other is 1394 CONNECTION. It was this latter one that I worked with. Was this the correct thing to do or should I have followed your precedure using the Wireless Network?
Regards,
van der Linde


#14 van der Linde

van der Linde
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:09:02 AM

Posted 01 March 2012 - 07:23 AM

Hi, Gringo.
Just wanted to let you know that I re-tried the steps that you gave, previously, this morning. But, this time, I connected an ethernet cable from my router to the PC. I still used the 1394 Connection that I have and followed the steps. I'm afraid, to say, there is still no internet connection.
Also, as a note, my wireless connection is not working. Should I try and re-install the Netgear adaptor or do you have any other ideas that will help?
Regards,
van der Linde.

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:02 AM

Posted 01 March 2012 - 02:58 PM

Make sure, your settings are correct.
1. Go Start>Settings>Control Panel (Vista/7 users: Start>Control Panel)
2. Double click Network Connections (Vista/7 users: Network and Sharing Center)
3. Vista/7 users - From the list of tasks on the left, click Manage network connections.
4. For a wired network connection, right-click Local Area Connection, and then select Properties.
For a wireless network connection, right-click Wireless Network Connection, and then select Properties.
5. From the General tab (Vista/7 users: Networking tab), click Internet Protocol version 4 (TCP/IPv4), make sure it is checked, and then click Properties
6. Make sure Obtain an IP Address Automatically and Obtain DNS server address Automatically are checked.
7. Click on "Advanced" button and make sure "IP Settings" tab looks like this:
Posted Image
Make sure "DNS" tab looks like this:
Posted Image
Make sure "WINS" tab looks like this:
Posted Image
8. Still in Control Panel double click on "Internet options" then "Connections" tab then "LAN Settings" button. Make sure "Automatically detect settings" is checked.
If you made any changes OK your way out.
Restart computer.

------------------------------------------------

If that doesn't work...
Turn off computer. Disconnect router, and modem from power source for 1 minute. At the same time disconnect ethernet cable as well.
Reconnect everything.
Restart computer.

------------------------------------------

If that doesn't work, bypass router, and connect computer straight to the modem.

---------------------------------------------

If that doesn't work...
Go Start>Run (Start search in Vista), type in:
cmd
Click OK (in Vista and 7, while holding CTRL, and SHIFT, press Enter).

In Command Prompt window, type in following commands, and hit Enter after each one:
ipconfig /flushdns
ipconfig /registerdns
ipconfig /release
ipconfig /renew
net stop "dns client"
net start "dns client"


Restart computer.

-------------------------------------------------------

If that doesn't work...
Go Start>Run (Start search in Vista and 7), type in:
cmd
Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

At Command Prompt, type in:
netsh int ip reset reset.log
Hit Enter.
Type in:
netsh winsock reset catalog
Hit Enter.

Restart computer.


----------------------------------------



If that doesn't work...
Download, install, and run WinSockFix: http://www.softpedia.com/get/Tweak/Network-Tweak/WinSockFix.shtml (doesn't work in Vista and 7)
Restart computer, and check again.


-------------------------------------------------------------

If that doesn't work...
Download Dial-A-Fix (DAF) (doesn't work in Vista and 7):
http://wiki.lunarsoft.net/wiki/Dial-a-fix#Mirrors.2Fdownload_locations.2C_and_articles

Have XP CD available in case DAF needs a file. Likely not!

Check all boxes on the screen (clear any restrictions if it shows any)
Then click GO!

When the entire page is finished click the HammerHead at bottom to go to the second DAF page.

Here, one at a time, do the below:

Reinstall BITS
Reinstall Windows Firewall
Repair Permissions
Reset networking

Watch for any File not found or other errors and make note as this may lead to the fix!

Restart computer.
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users