

Malwarebytes + hijack this crash after seconds


37 replies to this topic

#1
KYGuy731 (New Member, 24 posts)
I am having basically the same problem everyone posting here is having at the moment.

I try to run antivirus or antimalware programs and they just terminate/crash/disappear seconds after starting a scan. My antivirus programs (AntiVir/Vipre/AVG) can find viruses, but when I do a removal at the end of the scan they do the same as the other programs: either lock up [Vipre, during removal] or just disappear.

So far I have tried these programs in turn...

[All updated to the newest version before running]

Antivirus programs tried
--------------------------
Avira AntiVir - for virus scans; finds viruses but can't remove them... then won't ever scan again.
AVG [8.5] - same as above... then can't scan again... just doesn't ever start... "assume locked"
Vipre - scans, then locks during removal.

Malware programs tried
---------------------------
Malwarebytes - tried renaming... same problem, killed after 2-3 seconds of scanning
...and then the mbam fix... nada
Spyware Doctor runs for about 30 seconds... then the same as the first one above
Spybot S&D
Spyhunter 3 Security Suite - crashes about 30 seconds in... then locked as the others are
AdAware 6 - same as the others.

Other programs
--------------------------
ComboFix
Killbox
HijackThis
RegCure



This is the ONLY logging program that has worked so far and not crashed before making its logs...

dds.scr

Here is the DDS log [btw... if no one can help me, my final choice is to do a total restore... so PLEASE, someone help me]...

-----------------------------------------------------

DDS (Ver_09-07-30.01) - NTFSx86
Run by Anthony at 12:37:04.76 on Sat 08/08/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2619 [GMT -4:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Anthony\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.garfield.com/
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: BHO Class: {8b3868b4-eba8-48fa-a19b-e1dfb99066fa} - c:\program files\flashcapture\FCBHO.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Groove Folder Synchronization: {2a541ae1-5bf6-4665-a8a3-cfa9672e4291} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [HijackThis startup scan] c:\program files\trend micro\hijackthis8\HijackThis.exe /startupscan
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
IE: &Save Flash In This Page - c:\progra~1\flashs~1.0\save.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Save F&lash with FlashCapture - c:\program files\flashcapture\FCIEXT.dll/FCIEXT.htm
IE: Save Flash - c:\program files\unh solutions\flash saving plugin\FlashSButton.dll/210
IE: {09EA1F80-F40A-11D1-B792-444553540001} - c:\progra~1\flashs~1.0\save.htm
IE: {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - res://c:\program files\flashcapture\FCIEXT.dll/FCIEXT.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-c23a-453e-a040-c7c580bbf700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {2bc66f54-93a8-11d3-beb6-00105aa9b6ae} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240717898421
DPF: {644e432f-49d3-41a1-8dd5-e099162eeec5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1245856334609
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/AutoDL?BundleId=29223
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9c23d886-43cb-43de-b2db-112a68d7e10a} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: gotoassist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {0f147d1d-5b44-4a4d-bc33-96dac3c7ed6e}: {e6de7c3c-ad69-33cb-d4a4-44b5d1d741f0}
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

============= SERVICES / DRIVERS ===============

R0 avgrkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-8-6 12552]
R0 gxc108b;gxc108b;c:\windows\system32\drivers\gxc108b.sys [2009-4-26 137216]
R0 gxc108p;gxc108p;c:\windows\system32\drivers\gxc108p.sys [2009-4-26 5248]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-8-7 11608]
R1 avgldx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-6 335240]
R1 avgmfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-6 27784]
R1 avgtdix;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-6 108552]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2009-8-8 13360]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2009-8-8 202928]
R2 antivirschedulerservice;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-8-7 108289]
R2 antivirservice;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-8-7 185089]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-6 297752]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-4-26 55656]
S0 cerc6;cerc6; [x]
S0 fith;fith; [x]
S0 fssvvigd;fssvvigd; [x]
S0 gsfl;gsfl; [x]
S0 ilgeyrra;ilgeyrra; [x]
S0 kfzaocai;kfzaocai; [x]
S0 pctcore;PCTools KDS;c:\windows\system32\drivers\pctcore.sys --> c:\windows\system32\drivers\PCTCore.sys [?]
S0 pletnup;pletnup; [x]
S0 qihwewl;qihwewl; [x]
S0 wkapbfet;wkapbfet; [x]
S0 xpfcw;xpfcw; [x]
S0 yflbyg;yflbyg; [x]
S1 saskutil;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S2 lavasoft ad-aware service;Lavasoft Ad-Aware Service; [x]
S2 neroregincdsrv;Nero Registry InCD Service;c:\program files\nero\nero8\incd\NBHRegInCDSrv.exe [2008-2-28 53032]
S2 sbamsvc;VIPRE Antivirus + Antispyware;c:\program files\sunbelt software\vipre2\SBAMSvc.exe [2009-6-10 980264]
S2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2009-8-8 69936]
S2 sdauxservice;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsauxs.exe --> c:\program files\spyware doctor\pctsAuxs.exe [?]
S2 sdcoreservice;PC Tools Security Service;c:\program files\spyware doctor\pctssvc.exe --> c:\program files\spyware doctor\pctsSvc.exe [?]
S2 Uniblue DiskRescue;Uniblue DiskRescue;c:\program files\uniblue\diskrescue\UBDiskRescueSrv.exe [2008-9-10 229648]
S2 wwEngineSvc;Window Washer Engine;c:\program files\webroot\washer\WasherSvc.exe [2009-4-29 598856]
S2 ytjuy;ytjuy;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2009-4-25 84992]

=============== Created Last 30 ================

2009-08-08 11:00 <DIR> --d----- C:\VundoFix Backups
2009-08-08 01:37 0 a------- c:\windows\system32\SBRC.dat
2009-08-08 01:35 69,936 a------- c:\windows\system32\drivers\sbapifs.sys
2009-08-08 01:35 13,360 a------- c:\windows\system32\drivers\sbaphd.sys
2009-08-08 00:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sunbelt
2009-08-08 00:42 <DIR> --d----- c:\docume~1\anthony\applic~1\Sunbelt
2009-08-08 00:41 202,928 a------- c:\windows\system32\drivers\sbtis.sys
2009-08-07 22:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-08-07 22:30 <DIR> --d----- c:\program files\Sunbelt Software
2009-08-07 15:44 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware2
2009-08-07 11:01 <DIR> --d----- c:\program files\Zone Labs
2009-08-07 11:00 <DIR> --d----- c:\windows\Internet Logs
2009-08-07 10:01 <DIR> --d----- c:\program files\common files\PC Tools
2009-08-07 09:45 <DIR> --d----- c:\documents and settings\anthony\.housecall6.6
2009-08-07 09:30 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-07 09:30 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-07 09:30 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-07 00:20 93,180 a------- c:\windows\system32\drivers\847b4010.sys
2009-08-06 23:29 <DIR> --d----- c:\program files\Trend Micro
2009-08-06 21:48 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-06 21:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-08-06 20:50 <DIR> --d----- c:\documents and settings\anthony\DoctorWeb
2009-08-06 18:28 <DIR> --d----- c:\program files\BulletProofSoft.com
2009-08-06 15:29 <DIR> --d----- C:\!KillBox
2009-08-06 15:00 <DIR> --d----- c:\program files\Spyware Doctor
2009-08-06 14:59 141,312 a------- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-08-06 14:59 <DIR> --d----- c:\docume~1\anthony\applic~1\Spyware Terminator
2009-08-06 14:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spyware Terminator
2009-08-06 14:59 <DIR> --d----- c:\program files\Spyware Terminator
2009-08-06 14:49 <DIR> --d----- c:\windows\RegCure
2009-08-06 14:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-08-06 14:44 <DIR> --d----- c:\docume~1\anthony\applic~1\SUPERAntiSpyware.com
2009-08-06 14:39 61,440 a------- c:\windows\system32\drivers\bivuu.sys
2009-08-06 14:27 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-06 14:27 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-08-06 14:27 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-08-06 14:27 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-06 14:27 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-08-06 14:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-08-06 14:07 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}(2)
2009-08-06 14:00 <DIR> --d----- c:\program files\Lavasoft
2009-08-06 13:27 <DIR> --d----- c:\program files\GoldEsel
2009-08-06 13:23 1,238,456 a------- c:\windows\system32\NMSDVDXU.dll
2009-08-06 13:23 877,568 a------- c:\windows\system32\NCTAudioFile2.dll
2009-08-06 13:23 376,832 a------- c:\windows\system32\cmd22.dll
2009-08-06 13:23 102,400 a------- c:\windows\system32\ccrpprg6.ocx
2009-08-06 13:23 724,992 a------- c:\windows\system32\ebCrypt.dll
2009-08-06 13:23 401,408 a------- c:\windows\system32\srmInfo.dll
2009-08-06 13:23 253,952 a------- c:\windows\system32\SkinBoxer43.dll
2009-08-06 13:21 <DIR> --d----- c:\program files\Exact Audio Copy
2009-08-05 15:33 <DIR> --d----- c:\program files\Autodesk
2009-07-29 13:16 <DIR> --d----- c:\docume~1\anthony\applic~1\Star Trek Armada II Fleet Operations
2009-07-21 14:50 10,240 a------- c:\windows\system32\virport.dll
2009-07-21 14:42 176,235 a------- c:\windows\system32\Primomonnt.dll
2009-07-19 18:17 <DIR> --d----- C:\DOWNLOADS
2009-07-19 18:17 <DIR> --d----- C:\!Temp
2009-07-16 18:25 5,632 a------- c:\windows\system32\ptpusb.dll
2009-07-16 18:25 159,232 a------- c:\windows\system32\ptpusd.dll
2009-07-15 19:23 <DIR> --d----- c:\windows\Logs
2009-07-15 19:23 <DIR> --d-h--- c:\windows\msdownld.tmp
2009-07-15 19:23 <DIR> --d----- c:\program files\Utherverse Digital Inc
2009-07-15 13:40 <DIR> --d----- c:\windows\Downloaded Installations
2009-07-11 19:56 32 a------- c:\windows\Start.INI

==================== Find3M ====================

2009-07-28 16:33 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-06-10 06:00 68,392 a------- c:\windows\system32\sbbd.exe
2009-06-04 23:21 113,116 a------- c:\windows\xobglu32.dll
2009-06-04 23:21 63,488 a------- c:\windows\xobglu16.dll
2009-05-22 18:33 217,088 -------- c:\windows\system32\SpaceBattleSS.scr
2009-05-05 09:56 88,576 a---h--- c:\docume~1\anthony\applic~1\rbap550.dll
2005-01-31 20:38 1,340,416 a------- c:\program files\mplayerc.exe
2003-09-16 01:19 99,544 a------- c:\windows\inf\virprn.exe
2003-09-16 01:19 18,950 a------- c:\windows\inf\virpntd.dll
2003-09-16 01:19 10,240 a------- c:\windows\inf\virport.dll
2003-09-16 01:19 90,624 a------- c:\windows\inf\prtproc.dll

============= FINISH: 12:37:14.59 ===============

The attach.txt is linked here...

http://www.megaupload.com/?d=O1OPKHJU

[Megaupload was the only place I could find to host it]
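Added example (not from the original post, and not Malwarebytes or DDS code): a small Python triage script that applies, to a constructed excerpt of the DDS log above, the three checks a helper would otherwise run by eye on it: a ProxyServer entry that points at the local machine, boot-start (S0) driver records with no file on disk, and a service hosted by svchost.exe whose display name is just its own service name. The severity labels and the rules are this example's own heuristics, not anything DDS reports, and the sample text is a hand-built excerpt of the log, not the complete log.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt modelled on the DDS log in the post above. It is sample
# input for this example only, not the full log.
SAMPLE_DDS = r"""
uStart Page = hxxp://www.garfield.com/
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local
R0 avgrkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-8-6 12552]
R2 antivirservice;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-8-7 185089]
S0 cerc6;cerc6; [x]
S0 fith;fith; [x]
S0 pctcore;PCTools KDS;c:\windows\system32\drivers\pctcore.sys --> c:\windows\system32\drivers\PCTCore.sys [?]
S2 lavasoft ad-aware service;Lavasoft Ad-Aware Service; [x]
S2 ytjuy;ytjuy;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
S3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2009-4-25 84992]
"""

# DDS service/driver line: "<R|S><start type> <name>;<display name>;<image> [date size]"
# where the trailing bracket is "[x]" when the file is missing and "[?]" when
# DDS could not read the file's attributes.
SERVICE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.*)$")
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(.+)$")
LOCAL_HOSTS = ("localhost", "127.0.0.1")


@dataclass
class Finding:
    severity: str  # "high" or "low" (heuristic labels chosen for this example)
    line: str
    reason: str


def _is_local_proxy(value: str) -> bool:
    # Values look like "http=localhost:7171" or plain "localhost:7171".
    host = value.split("=")[-1].split(":")[0].strip().lower()
    return host in LOCAL_HOSTS


def triage_dds(text: str) -> list[Finding]:
    """Return the lines of a DDS log that match this example's three heuristics."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PROXY_RE.search(line)
        if m and _is_local_proxy(m.group(1)):
            findings.append(Finding("high", line,
                            "browser traffic forced through a proxy on the local machine"))
            continue
        m = SERVICE_RE.match(line)
        if not m:
            continue
        _kind, start, name, display, rest = m.groups()
        image = rest.split(" [")[0].strip()      # drop trailing "[date size]" / "[x]" / "[?]"
        missing = rest.strip() == "[x]"
        if missing and start == "0":
            findings.append(Finding("high", line, "boot-start driver with no file on disk"))
        elif missing:
            findings.append(Finding("low", line, "orphaned service entry with no file"))
        elif "svchost.exe" in image.lower() and name.lower() == display.lower():
            findings.append(Finding("high", line,
                            "svchost-hosted service whose display name is just its service name"))
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"[{f.severity:4}] {f.reason}\n        {f.line}")
```

Run it as a script to print the findings, or import `triage_dds` and feed it a full DDS log. The `[x]` rule deliberately rates a non-boot-start orphan such as the Lavasoft entry low, because an uninstall leftover looks identical in DDS to a removed malicious service; what separates the random-named S0 entries is that a boot-start driver that is missing from disk is almost never a clean uninstall.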

#2
KYGuy731 (New Member, 24 posts)
Update

Here is an additional scan using RootRepeal....
Couldn't post it here... it said it was too long.

http://www.megaupload.com/?d=DY1Q31TZ

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/08 13:23
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name:
Image Path:
Address: 0xB9DAC000 Size: 98304 File Visible: No Signed: -
Status: -

Name: 847b4010.sys
Image Path: C:\WINDOWS\System32\drivers\847b4010.sys
Address: 0xBA288000 Size: 47488 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xACAE1000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5E8000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP1036
Image Path: \Driver\PCI_PNP1036
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA9AA2000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spmt.sys
Image Path: spmt.sys
Address: 0xB9EAA000 Size: 1036288 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xBA490000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xBA298000 Size: 61440 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\scecli.dll
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\847b4010.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "a347bus.sys" at address 0xb9e78028

#: 035 Function Name: NtCreateEvent
Status: Hooked by "C:\WINDOWS\System32\drivers\847b4010.sys" at address 0xba28ebad

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\drivers\847b4010.sys" at address 0xba28cc85

#: 045 Function Name: NtCreatePagingFile
Status: Hooked by "a347bus.sys" at address 0xb9e6bb00

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xba6c8a7c

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xba6c8a8b

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xba6c8a95

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "a347bus.sys" at address 0xb9e6c5dc

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "a347bus.sys" at address 0xb9e78120

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xba6c8a9a

#: 116 Function Name: NtOpenFile
Status: Hooked by "a347bus.sys" at address 0xb9e6bb40

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\drivers\847b4010.sys" at address 0xba28cd45

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xba6c8a68

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xba6c8a6d

#: 160 Function Name: NtQueryKey
Status: Hooked by "a347bus.sys" at address 0xb9e6c5fc

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "a347bus.sys" at address 0xb9e78076

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xba6c8aa4

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xba6c8a9f

#: 241 Function Name: NtSetSystemPowerState
Status: Hooked by "a347bus.sys" at address 0xb9e77550

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xba6c8a90

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xba6c8a77

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8a7071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8a71687c Size: 11

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8a7071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a7071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a7071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a7071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8a7071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a7071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a7071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a7071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a7071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a7071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a7071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a7071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a7071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8a7071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a7071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a7071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a7071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a7071f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8a7071f8 Size: 121

Object: Hidden Code [Driver: incdrec, IRP_MJ_READ]
Process: System Address: 0x8a014d64 Size: 11

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x89eac500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x89eac500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x899c517c Size: 11

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x89eac500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89eac500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89eac500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x89eac500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x89eac500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89eac500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89eac500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89eac500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89eac500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89eac500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89eac500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89eac500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89eac500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x89eac500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x89eac500 Size: 121

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CREATE]
Process: System Address: 0x8a7081f8 Size: 121

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CLOSE]
Process: System Address: 0x8a7081f8 Size: 121

Object: Hidden Code [Driver: a347scsi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a7081f8 Size: 121

Object: Hidden Code [Driver: a347scsi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a7081f8 Size: 121

Object: Hidden Code [Driver: a347scsi, IRP_MJ_POWER]
Process: System Address: 0x8a7081f8 Size: 121

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a7081f8 Size: 121

Object: Hidden Code [Driver: a347scsi, IRP_MJ_PNP]
Process: System Address: 0x8a7081f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x8a5f3af0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a5f3af0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x8a5f3af0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_READ]
Process: System Address: 0x8a5f3af0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_WRITE]
Process: System Address: 0x8a5f3af0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a5f3af0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a5f3af0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a5f3af0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_EA]
Process: System Address: 0x8a5f3af0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a5f3af0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a5f3af0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a5f3af0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a5f3af0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a5f3af0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a5f3af0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a5f3af0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a5f3af0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a5f3af0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CLEANUP]
Process: System Address: 0x8a5f3af0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a5f3af0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a5f3af0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a5f3af0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x8a5f3af0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a5f3af0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a5f3af0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a5f3af0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a5f3af0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x8a5f3af0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8a5a7250 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a5a7250 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8a5a7250 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8a5a7250 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8a5a7250 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a5a7250 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a5a7250 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a5a7250 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_EA]
Process: System Address: 0x8a5a7250 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a5a7250 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a5a7250 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a5a7250 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a5a7250 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a5a7250 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a5a7250 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a5a7250 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a5a7250 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a5a7250 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLEANUP]
Process: System Address: 0x8a5a7250 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a5a7250 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a5a7250 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a5a7250 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8a5a7250 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a5a7250 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a5a7250 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a5a7250 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a5a7250 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8a5a7250 Size: 99

Object: Hidden Code [Driver: usbstor, IRP_MJ_CREATE]
Process: System Address: 0x89f941f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_CLOSE]
Process: System Address: 0x89f941f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_READ]
Process: System Address: 0x89f941f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_WRITE]
Process: System Address: 0x89f941f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89f941f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89f941f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_POWER]
Process: System Address: 0x89f941f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89f941f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_PNP]
Process: System Address: 0x89f941f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x8a6971f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x8a6971f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x8a6971f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8a6971f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a6971f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a6971f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a6971f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a6971f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x8a6971f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a6971f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8a6971f8 Size: 121

Object: Hidden Code [Driver: gxc108p, IRP_MJ_CREATE]
Process: System Address: 0x8a6961f8 Size: 121

Object: Hidden Code [Driver: gxc108p, IRP_MJ_CLOSE]
Process: System Address: 0x8a6961f8 Size: 121

Object: Hidden Code [Driver: gxc108p, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a6961f8 Size: 121

Object: Hidden Code [Driver: gxc108p, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a6961f8 Size: 121

Object: Hidden Code [Driver: gxc108p, IRP_MJ_POWER]
Process: System Address: 0x8a6961f8 Size: 121

Object: Hidden Code [Driver: gxc108p, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a6961f8 Size: 121

Object: Hidden Code [Driver: gxc108p, IRP_MJ_PNP]
Process: System Address: 0x8a6961f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x8a5f51f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x8a5f51f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a5f51f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a5f51f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x8a5f51f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a5f51f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x8a5f51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8a70a1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8a70a1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8a70a1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a70a1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a70a1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a70a1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a70a1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8a70a1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8a70a1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a70a1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8a70a1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x89fd51f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x89fd51f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89fd51f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89fd51f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x89fd51f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x89fd51f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x8a5a5500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x8a5a5500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a5a5500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a5a5500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x8a5a5500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a5a5500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x8a5a5500 Size: 121

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]
Process: System Address: 0x8a212dec Size: 11

Object: Hidden Code [Driver: Srv, IRP_MJ_READ]
Process: System Address: 0x89c95314 Size: 11

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8a1b3404 Size: 11

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: Npfsࠅఊ晤睤Internal Hig, IRP_MJ_READ]
Process: System Address: 0x8a018e8c Size: 11

Object: Hidden Code [Driver: Msfsࠅం扏楄鵐瀰訣ࠂఅ瑎獆ꆐ, IRP_MJ_READ]
Process: System Address: 0x8a017b1c Size: 11

Object: Hidden Code [Driver: Fs_Rec, IRP_MJ_READ]
Process: System Address: 0x8a015c2c Size: 11

Object: Hidden Code [Driver: Vo, IRP_MJ_CREATE]
Process: System Address: 0x89ea3500 Size: 121

Object: Hidden Code [Driver: Vo, IRP_MJ_CLOSE]
Process: System Address: 0x89ea3500 Size: 121

Object: Hidden Code [Driver: Vo, IRP_MJ_READ]
Process: System Address: 0x8a5f40ec Size: 11

Object: Hidden Code [Driver: Vo, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89ea3500 Size: 121

Object: Hidden Code [Driver: Vo, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89ea3500 Size: 121

Object: Hidden Code [Driver: Vo, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89ea3500 Size: 121

Object: Hidden Code [Driver: Vo, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89ea3500 Size: 121

Object: Hidden Code [Driver: Vo, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89ea3500 Size: 121

Object: Hidden Code [Driver: Vo, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89ea3500 Size: 121

Object: Hidden Code [Driver: Vo, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89ea3500 Size: 121

Object: Hidden Code [Driver: Vo, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89ea3500 Size: 121

Object: Hidden Code [Driver: Vo, IRP_MJ_CLEANUP]
Process: System Address: 0x89ea3500 Size: 121

Object: Hidden Code [Driver: Vo, IRP_MJ_PNP]
Process: System Address: 0x89ea3500 Size: 121

Hidden Services
-------------------
Service Name: 847b4010
Image Path: C:\WINDOWS\System32\drivers\847b4010.sys

==EOF==
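
The hidden-code records above all follow one two-line format, and with several hundred of them it is easier to read a per-driver summary than the raw listing. This is an added example, not code from the thread or from the scanner that produced the log; SAMPLE_LOG is a constructed excerpt in the same format (driver names, addresses and sizes copied from the posted log), and the function names are the example's own.

```python
"""Summarise the "Hidden Code" records of the rootkit-scanner log above.

Added example, not code from the thread or from the scanner. SAMPLE_LOG is a
constructed excerpt in the posted log's two-line record format (driver names,
addresses and sizes copied from it).
"""
import re
from collections import defaultdict

OBJECT_RE = re.compile(
    r"^Object: Hidden Code \[Driver: (?P<driver>.+?), (?P<irp>IRP_MJ_[A-Z_]+)\]$")
PROCESS_RE = re.compile(
    r"^Process: (?P<proc>\S+) Address: (?P<addr>0x[0-9a-fA-F]+) Size: (?P<size>\d+)$")
SERVICE_RE = re.compile(r"^Image Path: (?P<path>.+?)\s*$")

SAMPLE_LOG = """\
Object: Hidden Code [Driver: usbstor, IRP_MJ_WRITE]
Process: System Address: 0x89f941f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_PNP]
Process: System Address: 0x89f941f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8a1b3404 Size: 11

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x89fb51f8 Size: 121

Hidden Services
-------------------
Service Name: 847b4010
Image Path: C:\\WINDOWS\\System32\\drivers\\847b4010.sys
"""


def parse_hidden_code(text):
    """Return (hooks, service_paths); lines that do not form a complete record
    are skipped, so garbled driver names and stray blank lines do not stop it."""
    lines = text.splitlines()
    hooks, services = [], []
    i = 0
    while i < len(lines):
        obj = OBJECT_RE.match(lines[i])
        proc = PROCESS_RE.match(lines[i + 1]) if obj and i + 1 < len(lines) else None
        if obj and proc:
            hooks.append({"driver": obj["driver"], "irp": obj["irp"],
                          "process": proc["proc"],
                          "addr": int(proc["addr"], 16), "size": int(proc["size"])})
            i += 2
            continue
        svc = SERVICE_RE.match(lines[i])
        if svc:
            services.append(svc["path"])
        i += 1
    return hooks, services


def summarise(hooks):
    """Per driver: hooked-IRP count and the distinct (address, size) targets.
    One target shared by every hooked IRP means the driver's whole dispatch
    table points at one handler; a second, smaller target on a single IRP
    (MRxSmb IRP_MJ_READ above) is a separate hook worth noting."""
    by_driver = defaultdict(lambda: defaultdict(list))
    for h in hooks:
        by_driver[h["driver"]][(h["addr"], h["size"])].append(h["irp"])
    summary = {}
    for driver, targets in by_driver.items():
        summary[driver] = {
            "irp_count": sum(len(irps) for irps in targets.values()),
            "targets": [{"addr": f"0x{addr:08x}", "size": size, "irps": sorted(irps)}
                        for (addr, size), irps in sorted(targets.items())],
        }
    return summary


def format_report(summary, services):
    """Render the summary as text, drivers sorted case-insensitively."""
    out = []
    for driver in sorted(summary, key=str.lower):
        info = summary[driver]
        out.append(f"{driver}: {info['irp_count']} hooked IRP handler(s), "
                   f"{len(info['targets'])} distinct target(s)")
        for t in info["targets"]:
            out.append(f"    {t['addr']} size={t['size']:>3}  {', '.join(t['irps'])}")
    for path in services:
        out.append(f"hidden service image: {path}")
    return "\n".join(out)


if __name__ == "__main__":
    hooks, services = parse_hidden_code(SAMPLE_LOG)
    print(format_report(summarise(hooks), services))
```

Run against the full posted log, the same code shows that each hooked driver has its own 121-byte target shared by all of its IRP entries, plus isolated 11-byte hooks on IRP_MJ_READ.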


#3
KYGuy731

    New Member

help???

hello??

...starting to think it would be faster to do a total system restore about now, because I have been out of ideas for 2 days now; the problem is still the same... no improvement...

#4
LonnyRJ

    True Member

Sorry for the late reply, KYGuy731.
Post back if you're still in need of assistance.

#5
KYGuy731

    New Member

yes PLZ!!!! I am at wit's end... still the same situation... I have program failure updates to help narrow down the problem...


...I have now lost my AntiVir scan ability. The program control center will open, but I did a scan after an update this morning and it found 57 virus files. I checked to delete them, and it got swatted like all the other programs I have tried. I reopened the control center, but when I click scan... nada. The PC acts like I didn't click anything. No response to scan. I clicked the exe directly and I got the previous "permissions popup box".

I have tried Ewido Security Suite, Vipre antivirus/antimalware, Avast, Spyware Doctor, and SpyHunter, and another Malwarebytes install to an alternate location on the HD... same problem... no solution in sight...


PLZ HELP!!

#6
LonnyRJ

    True Member

Copy the contents of the code box below (don't include the word "code") into a new Notepad document (not WordPad or another text editor).
Click File > Save As... > call it check.bat > file type *All Files* > and save it to your desktop.

cd %windir%
For /F "TOKENS=*" %%g IN ('DIR /a/s/b/og scecli.dll,netlogon.dll,ntelogon.dll,eventlog.dll') Do @(
	  echo.%%~fg %%~zg 
	  )>>chkit.txt
start notepad chkit.txt&exit

Run check.bat, then post the text that will open, please.

#7
KYGuy731

    New Member

This was all it showed when it finished...

C:\WINDOWS\system32\netlogon.dll 407040
C:\WINDOWS\system32\eventlog.dll 56320
C:\WINDOWS\system32\scecli.dll
C:\WINDOWS\system32\dllcache\netlogon.dll 407040
C:\WINDOWS\system32\dllcache\eventlog.dll 56320
C:\WINDOWS\system32\dllcache\scecli.dll 181248

#8
KYGuy731

    New Member

I tried it again and got this...

C:\WINDOWS\system32\netlogon.dll 407040
C:\WINDOWS\system32\eventlog.dll 56320
C:\WINDOWS\system32\scecli.dll
C:\WINDOWS\system32\dllcache\netlogon.dll 407040
C:\WINDOWS\system32\dllcache\eventlog.dll 56320
C:\WINDOWS\system32\dllcache\scecli.dll 181248
C:\WINDOWS\system32\netlogon.dll 407040
C:\WINDOWS\system32\eventlog.dll 56320
C:\WINDOWS\system32\scecli.dll
C:\WINDOWS\system32\dllcache\netlogon.dll 407040
C:\WINDOWS\system32\dllcache\eventlog.dll 56320
C:\WINDOWS\system32\dllcache\scecli.dll 181248
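
The two listings above pair each system32 file with its dllcache copy, and the second listing is doubled because the batch appends to chkit.txt with >>. The following is an added example, not part of the thread or of the helper's batch file: it parses that "<path> <size>" output, folds the repeated run away, and flags a file whose system32 copy was listed without a size (scecli.dll above) or with a size different from its dllcache twin. SAMPLE_CHKIT is constructed from the posted listing, EXPECTED repeats the names the batch searches for, and the function names are the example's own.

```python
"""Pair the system32 and dllcache entries of a check.bat (chkit.txt) listing.

Added example, not part of the thread or of the helper's batch file. It parses
the "<path> <size>" lines the batch writes, folds away the duplicate lines a
second run appends (the batch redirects with >>), and classifies each file the
batch searches for. SAMPLE_CHKIT is constructed from the listing posted above.
"""
import re

LINE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?\.dll)\s*(?P<size>\d+)?\s*$",
                     re.IGNORECASE)

# Names from the batch's DIR command; ntelogon.dll does not occur in the listing.
EXPECTED = ("scecli.dll", "netlogon.dll", "ntelogon.dll", "eventlog.dll")

SAMPLE_CHKIT = """\
C:\\WINDOWS\\system32\\netlogon.dll 407040
C:\\WINDOWS\\system32\\eventlog.dll 56320
C:\\WINDOWS\\system32\\scecli.dll
C:\\WINDOWS\\system32\\dllcache\\netlogon.dll 407040
C:\\WINDOWS\\system32\\dllcache\\eventlog.dll 56320
C:\\WINDOWS\\system32\\dllcache\\scecli.dll 181248
C:\\WINDOWS\\system32\\netlogon.dll 407040
C:\\WINDOWS\\system32\\eventlog.dll 56320
C:\\WINDOWS\\system32\\scecli.dll
C:\\WINDOWS\\system32\\dllcache\\netlogon.dll 407040
C:\\WINDOWS\\system32\\dllcache\\eventlog.dll 56320
C:\\WINDOWS\\system32\\dllcache\\scecli.dll 181248
"""


def parse_chkit(text):
    """Map each path (lower-cased) to the set of sizes seen for it; a line the
    batch wrote without a size (scecli.dll above) contributes None."""
    entries = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size = int(m["size"]) if m["size"] else None
        entries.setdefault(m["path"].lower(), set()).add(size)
    return entries


def compare(entries, names=EXPECTED):
    """Pair the system32 copy of each name with its dllcache twin and classify it.

    Statuses: "absent" (name not in the listing at all), "no-size" (system32
    copy listed but the batch printed no size for it), "unpaired" (only one
    copy listed), "match" (one identical size on both sides), or "mismatch".
    """
    findings = {}
    for name in names:
        suffix = "\\" + name.lower()
        live, backup = set(), set()
        for path, sizes in entries.items():
            if path.endswith(suffix):
                (backup if "\\dllcache\\" in path else live).update(sizes)
        if not live and not backup:
            status = "absent"
        elif None in live:
            status = "no-size"
        elif not live or not backup:
            status = "unpaired"
        elif live == backup and len(live) == 1:
            status = "match"
        else:
            status = "mismatch"
        findings[name] = {"status": status,
                          "system32": sorted(live, key=str),
                          "dllcache": sorted(backup, key=str)}
    return findings


def format_findings(findings):
    """One line per name, e.g. 'scecli.dll: no-size   system32=[None] dllcache=[181248]'."""
    return "\n".join(
        f"{name}: {f['status']:<9} system32={f['system32']} dllcache={f['dllcache']}"
        for name, f in findings.items())


if __name__ == "__main__":
    print(format_findings(compare(parse_chkit(SAMPLE_CHKIT))))
```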

#9
LonnyRJ

    True Member

Download/save this program to your desktop (special version of ComboFix):
http://download.bleepingcomputer.com/sUBs/...x++/
Or, if necessary, to a USB stick from another PC.
Follow the prompts; let it install the Recovery Console if the infected PC has internet access.
Post its log, please.

#10
KYGuy731

    New Member

OK, I never saw any log... where does it appear? I ran the program on my desktop. Halfway through, all my desktop icons flashed and it changed its name to combofix.exe from the one you provided. It said I had the AVG antivirus realtime scanner installed, but this is incorrect. I had it and had to force-uninstall it, as it became locked the day my problems started. Also, I cannot reinstall AVG now due to a locked registry file regarding AVG.
I did continue with the scan though; it scanned to Completed Stage_50 and found these and said it was deleting them...

C:\WINDOWS\installer\d8b04f.msi
C:\WINDOWS\jestertb.dll
C:\WINDOWS\system32\cool.dll
C:\WINDOWS\system32\mfc45.dll

It then proceeded to say: Rebooting, please wait.

This lasted for some seriously extended time... till I finally had to crash it out to get the system to try to shut down by closing some of my system programs in the Alt+Ctrl+Delete menu... this crashed the system, producing the system auto-shutdown message in 30 secs... which counted down, and things acted like it was closing... but the window with the message stayed and nothing else ever occurred... I eventually had to force-power the system off another bit of time later to get it to actually reboot.

When the system relogged, it said I was no longer using Internet Explorer as my default explorer. Also, no pages would display. I had to switch it to Internet Explorer to make the internet work again to get back here to post this info.

If this helps, I have an Internet Explorer folder in my Program Files... this I found odd, as I was sure that exe was supposed to be in the Windows dir.
I updated to the newest updates for my system the day before yesterday... but I am unsure if that was part of the changes that were supposed to happen with the upgrade.

Hope this helps some... eagerly awaiting further input.

#11
KYGuy731

    New Member

I did a scan with Silent Runners.vbs, which I found here. Here is its startup programs text log...


"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpyZooka" = "C:\Program Files\SpyZooka\SpyZookaLdr.exe" ["BluePenguin Software Inc."]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe" ["Safer-Networking Ltd."]
"UnHackMe Monitor" = "C:\Program Files\UnHackMe0\hackmon.exe" ["Greatis Software"]
"Registry Cleaner Scheduler" = ""C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe" /startup" ["CleanMyPC Software"]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{18df081c-e8ad-4283-a596-fa578c2ebdc3}\(Default) = "AcroIEHelperStub"
-> {HKLM...CLSID} = "Adobe PDF Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy2\SDHelper.dll" ["Safer Networking Limited"]
{8b3868b4-eba8-48fa-a19b-e1dfb99066fa}\(Default) = "FCBHOBHO Class"
-> {HKLM...CLSID} = "BHO Class"
\InProcServer32\(Default) = "C:\Program Files\FlashCapture\FCBHO.dll" ["Dreamingsoft, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
-> {HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" = "Groove GFS Browser Helper"
-> {HKLM...CLSID} = "Groove GFS Browser Helper"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}" = "Groove GFS Explorer Bar"
-> {HKLM...CLSID} = "Groove Folder Synchronization"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{A449600E-1DC6-4232-B948-9BD794D62056}" = "Groove GFS Stub Icon Handler"
-> {HKLM...CLSID} = "Groove GFS Stub Icon Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{6C467336-8281-4E60-8204-430CED96822D}" = "Groove GFS Context Menu Handler"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{387E725D-DC16-4D76-B310-2C93ED4752A0}" = "Groove XML Icon Handler"
-> {HKLM...CLSID} = "Groove XML Icon Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{16F3DD56-1AF5-4347-846D-7C10C4192619}" = "Groove Explorer Icon Overlay 3 (GFS Folder)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 3 (GFS Folder)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}" = "Groove Explorer Icon Overlay 2 (GFS Stub)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2 (GFS Stub)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}" = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{99FD978C-D287-4F50-827F-B2C658EDA8E7}" = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{920E6DB1-9907-4370-B3A0-BAFC03D81399}" = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS]
"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
-> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]
"{6EE51AA0-77A0-11D7-B4E1-000347126E46}" = "Window Washer Shredding Utility"
-> {HKLM...CLSID} = "Window Washer Shredding Utility"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\Webroot Shared\ShellWash.dll" ["Webroot Software"]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll" ["Advanced Micro Devices, Inc."]
"{8D2223A2-B3C6-4e32-B096-CDD11F628C60}" = "NBHShellExt extension"
-> {HKLM...CLSID} = "NBHShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\InCD\NBHShx.dll" ["Nero AG"]

#12
KYGuy731

    New Member

Pardon... here are the complete scan results.

"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpyZooka" = "C:\Program Files\SpyZooka\SpyZookaLdr.exe" ["BluePenguin Software Inc."]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe" ["Safer-Networking Ltd."]
"UnHackMe Monitor" = "C:\Program Files\UnHackMe0\hackmon.exe" ["Greatis Software"]
"Registry Cleaner Scheduler" = ""C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe" /startup" ["CleanMyPC Software"]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{18df081c-e8ad-4283-a596-fa578c2ebdc3}\(Default) = "AcroIEHelperStub"
-> {HKLM...CLSID} = "Adobe PDF Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy2\SDHelper.dll" ["Safer Networking Limited"]
{8b3868b4-eba8-48fa-a19b-e1dfb99066fa}\(Default) = "FCBHOBHO Class"
-> {HKLM...CLSID} = "BHO Class"
\InProcServer32\(Default) = "C:\Program Files\FlashCapture\FCBHO.dll" ["Dreamingsoft, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
-> {HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" = "Groove GFS Browser Helper"
-> {HKLM...CLSID} = "Groove GFS Browser Helper"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}" = "Groove GFS Explorer Bar"
-> {HKLM...CLSID} = "Groove Folder Synchronization"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{A449600E-1DC6-4232-B948-9BD794D62056}" = "Groove GFS Stub Icon Handler"
-> {HKLM...CLSID} = "Groove GFS Stub Icon Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{6C467336-8281-4E60-8204-430CED96822D}" = "Groove GFS Context Menu Handler"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{387E725D-DC16-4D76-B310-2C93ED4752A0}" = "Groove XML Icon Handler"
-> {HKLM...CLSID} = "Groove XML Icon Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{16F3DD56-1AF5-4347-846D-7C10C4192619}" = "Groove Explorer Icon Overlay 3 (GFS Folder)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 3 (GFS Folder)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}" = "Groove Explorer Icon Overlay 2 (GFS Stub)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2 (GFS Stub)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}" = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{99FD978C-D287-4F50-827F-B2C658EDA8E7}" = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{920E6DB1-9907-4370-B3A0-BAFC03D81399}" = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS]
"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
-> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]
"{6EE51AA0-77A0-11D7-B4E1-000347126E46}" = "Window Washer Shredding Utility"
-> {HKLM...CLSID} = "Window Washer Shredding Utility"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\Webroot Shared\ShellWash.dll" ["Webroot Software"]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll" ["Advanced Micro Devices, Inc."]
"{8D2223A2-B3C6-4e32-B096-CDD11F628C60}" = "NBHShellExt extension"
-> {HKLM...CLSID} = "NBHShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\InCD\NBHShx.dll" ["Nero AG"]
"{09bffb91-ecda-4149-bcfd-d87a345c219e}" = "InCDShellExt extension"
-> {HKLM...CLSID} = "InCDShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\InCD\InCDshx.dll" ["Nero AG"]
"{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons"
-> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class"
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
"{692eb3b0-d034-403e-b742-2407bd43bf9b}" = "InCDUdfPerm extension"
-> {HKLM...CLSID} = "InCDUdfPerm Class"
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\InCD\InCDUP.dll" ["Nero AG"]
"{8932AEFE-9DB6-4f43-AFB2-5682F55E773A}" = "VPCHostCopyHook"
-> {HKLM...CLSID} = "VPCHostCopyHook"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Virtual PC\VPCShExH.DLL" [MS]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "C:\PROGRA~1\Alcohol Soft\Alcohol 120\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{BD88A479-9623-4897-8546-BC62B9628F44}" = "SPTHandler"
-> {HKLM...CLSID} = "SPTHandler"
\InProcServer32\(Default) = "C:\Program Files\Spyware Terminator\sptcontmenu.dll" ["Crawler.com"]
"{11016101-E366-4D22-BC06-4ADA335C892B}" = "IE History and Feeds Shell Data Source for Windows Search"
-> {HKLM...CLSID} = "IE History and Feeds Shell Data Source for Windows Search"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{D468BCE5-D18E-49A4-8EA7-34BD583659D5}" = "SpyZooka Service Hook"
-> {HKLM...CLSID} = "SpyZooka Service Hook"
\InProcServer32\(Default) = "C:\PROGRA~1\SpyZooka\spyguard.dll" ["BluePenguin Software Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Aedebug\
<<!>> "Debugger" = "Drwtsn32 -p %ld -e %ld" [MS]

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"aswBoot.exe /A:"*" /L:"English" /KBD:2" [file not found]|"Partizan" ["Greatis Software"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> avgrsstarter\DLLName = "avgrsstx.dll" [file not found]
<<!>> gotoassist\DLLName = "C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll" ["Citrix Online, a division of Citrix Systems, Inc."]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{f9db5320-233e-11d1-9f84-707f02c10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
cover designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}"
-> {HKLM...CLSID} = "NeroCoverEdContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
nbhshellext\(Default) = "{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"
-> {HKLM...CLSID} = "NBHShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\InCD\NBHShx.dll" ["Nero AG"]
sptcontmenu\(Default) = "{BD88A479-9623-4897-8546-BC62B9628F44}"
-> {HKLM...CLSID} = "SPTHandler"
\InProcServer32\(Default) = "C:\Program Files\Spyware Terminator\sptcontmenu.dll" ["Crawler.com"]
Washer\(Default) = "{6EE51AA0-77A0-11D7-B4E1-000347126E46}"
-> {HKLM...CLSID} = "Window Washer Shredding Utility"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\Webroot Shared\ShellWash.dll" ["Webroot Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
nbhshellext\(Default) = "{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"
-> {HKLM...CLSID} = "NBHShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\InCD\NBHShx.dll" ["Nero AG"]
Washer\(Default) = "{6EE51AA0-77A0-11D7-B4E1-000347126E46}"
-> {HKLM...CLSID} = "Window Washer Shredding Utility"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\Webroot Shared\ShellWash.dll" ["Webroot Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
nbhshellext\(Default) = "{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"
-> {HKLM...CLSID} = "NBHShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\InCD\NBHShx.dll" ["Nero AG"]
sptcontmenu\(Default) = "{BD88A479-9623-4897-8546-BC62B9628F44}"
-> {HKLM...CLSID} = "SPTHandler"
\InProcServer32\(Default) = "C:\Program Files\Spyware Terminator\sptcontmenu.dll" ["Crawler.com"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
sptcontmenu\(Default) = "{BD88A479-9623-4897-8546-BC62B9628F44}"
-> {HKLM...CLSID} = "SPTHandler"
\InProcServer32\(Default) = "C:\Program Files\Spyware Terminator\sptcontmenu.dll" ["Crawler.com"]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]


Default executables:
--------------------

<<!>> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoLowDiskSpaceChecks" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"HonorAutoRunSetting" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Policies\Microsoft\Windows\System\

"DisableCMD" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|
Disable the command prompt}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Anthony\My Documents\My Pictures\Desktop Wallpaper\Tiled_bg_planet.bmp"


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

alcoholautoplayv2.burndisc\
"Provider" = "Alcohol 120%"
"InvokeProgID" = "AlcoholAutoPlayV2"
"InvokeVerb" = "BurnDisc"
HKLM\SOFTWARE\Classes\AlcoholAutoPlayV2\shell\BurnDisc\command\(Default) = ""C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe" %1" ["Alcohol Soft Development Team"]

alcoholautoplayv2.readdisc\
"Provider" = "Alcohol 120%"
"InvokeProgID" = "AlcoholAutoPlayV2"
"InvokeVerb" = "ReadDisc"
HKLM\SOFTWARE\Classes\AlcoholAutoPlayV2\shell\ReadDisc\command\(Default) = ""C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe" %1" ["Alcohol Soft Development Team"]

dmfmadfolder\
"Provider" = "Ulead DVD MovieFactory 5"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 5 Plus\Ulead DVD MovieFactory 5\DVDMF.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

neroautoplay8audiotonerodigital\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "AudioToNeroDigital_PlayCDAudioOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\AudioToNeroDigital_PlayCDAudioOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:SaveTracks %L" ["Nero AG"]

neroautoplay8cdaudio\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "CDAudio_HandleCDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\CDAudio_HandleCDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:AudioCD" ["Nero AG"]

neroautoplay8copycd\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "CopyCD_PlayMusicFilesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\CopyCD_PlayMusicFilesOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:DiscCopy %L" ["Nero AG"]

neroautoplay8datadisc_cd\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "DataDisc_CD_HandleCDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\DataDisc_CD_HandleCDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:ISODisc /Media:CD %L" ["Nero AG"]

neroautoplay8datadisc_dvd\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "DataDisc_DVD_HandleDVDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\DataDisc_DVD_HandleDVDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:ISODisc /Media:DVD %L" ["Nero AG"]

neroautoplay8launchnerostartsmart\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "LaunchNeroStartSmart_HandleDVDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\LaunchNeroStartSmart_HandleDVDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero StartSmart\NeroStartSmart.exe /AutoPlay" ["Nero AG"]

neroautoplay8ripcd\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "RipCD_PlayCDAudioOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\RipCD_PlayCDAudioOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:SaveTracks %L" ["Nero AG"]

neroautoplay8transcodevideo\
"Provider" = "Nero Recode"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "TranscodeVideo_PlayDVDMovieOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\TranscodeVideo_PlayDVDMovieOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Recode\Recode.exe /New:CopyDVDVideo" ["Nero AG"]

neroautoplay8videocapture\
"Provider" = "Nero Vision"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Program Files\Nero\Nero8\Nero Vision\NeroVision.exe" /New:VideoCapture"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

neroautoplay8viewphotos\
"Provider" = "Nero PhotoSnap Viewer"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "ViewPhotos_ShowPicturesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\ViewPhotos_ShowPicturesOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero PhotoSnap\PhotoSnapViewer.exe /" ["Nero AG"]

WinampMTPHandler\
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Program Files\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

WinampPlayMediaOnArrival\
"Provider" = "Winamp"
"InvokeProgID" = "Winamp.File"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""C:\Program Files\Winamp\winamp.exe" "%1"" ["Nullsoft"]
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\droptarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"
-> {HKLM...CLSID} = (no title provided)
\LocalServer32\(Default) = ""C:\Program Files\Winamp\winamp.exe"" ["Nullsoft"]


Enabled Scheduled Tasks:
------------------------

"Ad-Aware Update (Daily)" -> launches: "C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe update all silent" [file not found]
"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
"Malwarebytes' Scheduled Update for Anthony" -> launches: "C:\Program Files\Malwarebytes' Anti-Malware3\mbam.exe /runupdate" [file not found]
"RegCure Program Check" -> launches: "C:\Program Files\RegCure\RegCure.exe ShowReminders" [null data]
"RegCure" -> launches: "C:\Program Files\RegCure\RegCure.exe -t" [null data]
"SpyHunter Scanner" -> launches: "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe -scan" [file not found]
"Uniblue DiskRescue 2009" -> launches: "C:\Program Files\Uniblue\DiskRescue\UBDiskRescue.exe -schedule C" ["Uniblue"]
"Uniblue SpeedUpMyPC Nag" -> launches: "C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s" [file not found]
"Uniblue SpeedUpMyPC" -> launches: "C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s" [file not found]
"Uniblue SpyEraser" -> launches: "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe -s" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\(Default) = "Groove Folder Synchronization"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{43CF38F3-5AEC-45A3-AD31-04EB06E9C6CA}\
"ButtonText" = "Flash"
"CLSIDExtension" = "{F81D52BF-F2F1-4F49-BF5F-05664E803039}"
-> {HKLM...CLSID} = "IEButton Class"
\InProcServer32\(Default) = "C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll" ["UnH Solutions"]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{09EA1F80-F40A-11D1-B792-444553540001}\
"ButtonText" = "Flash Saver"
"MenuText" = "Flash Saver"
"Script" = "C:\PROGRA~1\FLASHS~1.0\save.htm" [null data]

{2670000A-7350-4F3C-8081-5663EE0C6C49}\
"ButtonText" = "Send to OneNote"
"MenuText" = "S&end to OneNote"
"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"
-> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll" [MS]

{753BBC4B-CC73-4FB8-A5B5-CA09C804C1DD}\
"ButtonText" = "FlashCapture"
"Script" = "res://C:\Program Files\FlashCapture\FCIEXT.dll/FCIEXT.htm" ["Dreamingsoft, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search && Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy2\SDHelper.dll" ["Safer Networking Limited"]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
[Strings]: MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"

Missing lines (compared with English-language version):
[Strings]: 2 lines

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> "InPrivate" = "res://ieframe.dll/inprivate.htm" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Java Quick Starter, JavaQuickStarterService, ""C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"" ["Sun Microsystems, Inc."]
Machine Debug Manager, mdm, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Nero BackItUp Scheduler 3, nero backitup scheduler 3, "C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe" ["Nero AG"]
Nero Registry InCD Service, neroregincdsrv, "C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe" ["Nero AG"]
PLFlash DeviceIoControl Service, plflash deviceiocontrol service, "C:\WINDOWS\system32\IoctlSvc.exe" ["Prolific Technology Inc."]
Spyware Terminator Realtime Shield Service, sp_rssrv, ""C:\Program Files\Spyware Terminator\sp_rsser.exe"" ["Crawler.com"]
Ulead Burning Helper, uleadburninghelper, "C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe" ["Ulead Systems, Inc."]
Uniblue DiskRescue, Uniblue DiskRescue, ""C:\Program Files\Uniblue\DiskRescue\UBDiskRescueSrv.exe" " ["Uniblue"]
Window Washer Engine, wwEngineSvc, "C:\Program Files\Webroot\Washer\WasherSvc.exe" ["Webroot Software, Inc."]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Dell 922 Port\Driver = "dlbtlmpm.DLL" [" "]
Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]


---------- (launch time: 2009-08-17 11:15:41)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 73 seconds.
---------- (total run time: 102 seconds)

#13
LonnyRJ

    True Member

  • Experts
  • PipPipPipPip
  • 353 posts
  • Gender:Male
  • Location:pugent sound
Run that special version of combofix while the PC is in safe mode.
When/IF the PC reboots, go back into safe mode.
When it's finished, reboot back to normal mode and post the c:\combofix.txt

#14
KYGuy731

    New Member

  • Members
  • Pip
  • 24 posts
  • Gender:Male
Same problem again... ran scan. Didn't show anything other than going to stage 50. Changed to restarting.... and stayed that way for over 2hrs... I gave up and restarted the system.

Got any ideas, because I don't. This is without a doubt the oddest PC ...virus?? or adware??? I have ever had.

#15
KYGuy731

    New Member

  • Members
  • Pip
  • 24 posts
  • Gender:Male
Also of note: I don't have a combofix log.. but I do now have a duplicate PC on my system labeled as combofix under the C: folder

#16
KYGuy731

    New Member

  • Members
  • Pip
  • 24 posts
  • Gender:Male
Also, I did a search for combofix.... it found the folder that looks like a PC [the duplicate of my system I mentioned] and the combofix.exe under [documents and settings\administrator].

It found both... then kept re-finding both ...over and over. The scan continues.. and atm I have over 50 of both... and it just keeps finding it again.

#17
LonnyRJ

    True Member

  • Experts
  • PipPipPipPip
  • 353 posts
  • Gender:Male
  • Location:pugent sound
Please download The Avenger2 by SwanDog46. http://swandog46.gee...com/avenger.zip
Unzip avenger.exe to your desktop.
Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy" (don't include the word code)
Files to move:
c:\WINDOWS\system32\dllcache\scecli.dll | C:\WINDOWS\system32\scecli.dll
Now start The Avenger2 by double clicking avenger.exe on your desktop.
Read the prompt that appears, and press OK.
Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
(what you pasted in must be at the very top) Press the "Execute" button.
You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
Note: It is possible that Avenger will reboot your system TWICE.
Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open.
Please paste that log here in your next post.


Edit for typo
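The Avenger step above restores scecli.dll from the %SystemRoot%\system32\dllcache backup over the active copy in system32, which only makes sense if the active copy has been altered. The following Python script is an added example (not part of this thread and not Avenger's or Malwarebytes' code) of the pre-check a defender would run first: hash both copies of each named DLL, report mismatches and missing files, and render the "Files to move:" script in the same "source | destination" form used in this thread for the mismatched ones only. The WINDOWS tree it scans is constructed in a temporary directory with stand-in bytes; the function names and DLL list are assumptions for the demo. Paths are built with os.path.join, so on Windows they render with backslashes as in the posted script.

```python
import hashlib
import os
import tempfile

# Constructed stand-ins for DLL contents; these are NOT real scecli.dll bytes.
GOOD_DLL = b"MZ\x90\x00 constructed clean scecli.dll stand-in"
PATCHED_DLL = b"MZ\x90\x00 constructed patched scecli.dll stand-in"


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large DLLs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_copies(system_root, names):
    """For each DLL name, hash system32\\<name> and system32\\dllcache\\<name>.

    Returns name -> {'active': hash|None, 'cache': hash|None, 'mismatch': bool}.
    A missing file is reported as None instead of raising, which is the same
    condition the Avenger log reported as STATUS_OBJECT_PATH_NOT_FOUND when the
    source path was mistyped. A mismatch is evidence, not proof: on a compromised
    box the dllcache copy may have been modified too, so matching hashes do not
    by themselves establish that a file is clean.
    """
    results = {}
    for name in names:
        active = os.path.join(system_root, "system32", name)
        cache = os.path.join(system_root, "system32", "dllcache", name)
        a = sha256_of(active) if os.path.isfile(active) else None
        c = sha256_of(cache) if os.path.isfile(cache) else None
        results[name] = {
            "active": a,
            "cache": c,
            "mismatch": a is not None and c is not None and a != c,
        }
    return results


def avenger_restore_script(system_root, names):
    """Render the 'Files to move:' script in the form posted in this thread,
    one 'source | destination' line per DLL, dllcache copy over active copy."""
    lines = ["Files to move:"]
    for name in names:
        src = os.path.join(system_root, "system32", "dllcache", name)
        dst = os.path.join(system_root, "system32", name)
        lines.append(f"{src} | {dst}")
    return "\n".join(lines)


def build_demo_root():
    """Constructed WINDOWS tree: scecli.dll differs between the two locations,
    kernel32.dll matches, and ntdll.dll has no dllcache copy at all."""
    root = tempfile.mkdtemp(prefix="winroot_")
    os.makedirs(os.path.join(root, "system32", "dllcache"))

    def put(rel, data):
        with open(os.path.join(root, *rel), "wb") as f:
            f.write(data)

    put(("system32", "scecli.dll"), PATCHED_DLL)
    put(("system32", "dllcache", "scecli.dll"), GOOD_DLL)
    put(("system32", "kernel32.dll"), GOOD_DLL)
    put(("system32", "dllcache", "kernel32.dll"), GOOD_DLL)
    put(("system32", "ntdll.dll"), GOOD_DLL)
    return root


def demo():
    """Run the comparison over the constructed tree; returns (report, suspects, script)."""
    root = build_demo_root()
    report = compare_copies(root, ["scecli.dll", "kernel32.dll", "ntdll.dll"])
    suspects = [n for n, r in report.items() if r["mismatch"]]
    return report, suspects, avenger_restore_script(root, suspects)


if __name__ == "__main__":
    report, suspects, script = demo()
    for name, r in report.items():
        if r["mismatch"]:
            status = "MISMATCH (active copy differs from dllcache)"
        elif r["active"] is None or r["cache"] is None:
            status = "one copy missing"
        else:
            status = "match"
        print(f"{name}: {status}")
    print(script)
```

On a real machine, point `compare_copies` at `C:\WINDOWS` and run it before executing any move script, so the script only touches files for which there is actual evidence of change, and keep the printed hashes with the Avenger log for the record.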

#18
KYGuy731

    New Member

  • Members
  • Pip
  • 24 posts
  • Gender:Male
Here is what came up upon reboot...

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not open file "c:\WINDOWS\system32\dllcahe\scecli.dll" for move operation
File move operation "c:\WINDOWS\system32\dllcahe\scecli.dll|C:\WINDOWS\system32\scecli.dll" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Completed script processing.

*******************

Finished! Terminate.


Also... I have a [Windows - No Disk] window popped up. Not sure if it's supposed to do that using this program or not.
Which says...

Windows - No Disk
Exception Processing Message c0000013 Parameters 75b6bf7c 4 75b6bf7c 75b6bf7c
[Cancel] [Try Again] [Continue]

#19
LonnyRJ

    True Member

  • Experts
  • PipPipPipPip
  • 353 posts
  • Gender:Male
  • Location:pugent sound
KYGuy731

That Windows - No Disk error should go away

Try this once more, there was a misspelling
Files to move:
c:\WINDOWS\system32\dllcache\scecli.dll | C:\WINDOWS\system32\scecli.dll


#20
KYGuy731

    New Member

  • Members
  • Pip
  • 24 posts
  • Gender:Male
It came back with this attempt also. After a few clicks of Continue it disappeared.

Here is the log from the latest scan...


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "c:\WINDOWS\system32\dllcache\scecli.dll|C:\WINDOWS\system32\scecli.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.




