Desktop replaced by ad wallpaper



#1 Alim (Member, 22 posts)
Hi. I am really sorry for maybe giving too much info, but I am getting really desperate after spending the last week trying to solve this on my own, and I really hope I will get help here.
I have exactly the same problem as somebody named "Kyossed" in this topic http://www.geekstogo...it-t208785.html except that in my case it got a little more complicated. I will not repeat everything Kyossed mentioned in his topic. At first I tried to solve it on my own:
1. I installed "AVG 8", "Ad-Aware" and "HijackThis".
2. Did a complete scan with AVG and Ad-Aware and fixed something called "phc52fj04.." with HijackThis.
It solved the problem with the Desktop ad. Or at least I was able to see my Desktop tab again and change it in Display Properties.

But when I opened IE (Firefox) to look at Kyossed's post again I was unable to, due to a "The page cannot be displayed" window. The strange thing is that it opens some sites like msn.com and google.com, but it does not open some other sites like the AVG site, or Ad-Aware, or Geekstogo.com (the sites are not down; I was able to access them on my laptop). I am 100% sure that the internet is working and it's not a "Work Offline" glitch. I was able to access all these sites before the Desktop spyware crisis. Trying to solve the problem I did the following:
1. Turned off all firewalls (didn't help)
2. Disabled AVG (didn't help)
3. Restarted my Wi-Fi adapter and PC several times (didn't help)
Then I decided to uninstall AVG completely. During the uninstall AVG got completely stuck, so I had to terminate the process and manually delete the AVG folder in Program Files. Then I used "Revo Uninstaller" to delete AVG, and it showed this message:
"Local machine: installation failed
Installation:
Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key...
Error 0x80070005"
So I decided to leave AVG alone for a while. Since the problem with opening some websites and not others started immediately after my Desktop problems, I decided to look for more information on this Desktop problem in Kyossed's topic (because I think they are related). When I opened Kyossed's post on my laptop I found out that staff member "andrewuk" had started offering another solution.
He suggested fixing this by installing ComboFix.exe. I did that, but when I activated ComboFix.exe by dragging the icon of WindowsXP-KB310994-SP2-Pro_BootDisk-ENU.exe over the icon of ComboFix.exe, I got the following message: "ComboFix encountered a Rootkit and needs to restart the computer". After a successful restart nothing happens. I did it a couple of times and got the same result: Rootkit message -----> restart, and nothing happens after that, just the normal Windows login.
So now that I have described everything, my questions are:
1. Why can't I access half of the (working) sites that I enter in IE (same with Firefox, Opera)?
2. If this is connected with the Desktop problem (as in http://www.geekstogo...t-t208785.html) that I had previously, how can I solve this Rootkit problem with ComboFix?
3. Will the partial/manual uninstall of AVG affect any of this?
THANK YOU FOR TAKING THE TIME TO READ ALL OF THIS. =)

This is my HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:20:55, on 23.08.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\AOL\1135840234\ee\AOLSoftware.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\PrintDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\NETGEAR\WG111T\wlan111t.exe
C:\Documents and Settings\Alim\Start Menu\Programs\Startup\prkiller.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yandex.ru/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: VirtualNetwork module - {6C517674-DE1C-4493-977C-34A1BFAB35BA} - C:\Program Files\VirtualNetwork\VirtualNetwork.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135840234\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [PrintDisp] C:\WINDOWS\system32\PrintDisp.exe
O4 - HKCU\..\Run: [Download Master] C:\Program Files\Download Master\dmaster.exe -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6\ICQ.exe" silent
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: prkiller.CFG
O4 - Startup: prkiller.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgemc.exe (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgfws8.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

--
End of file - 5004 bytes


BTW, I noticed this in the log from the supposedly uninstalled AVG; I thought I had deleted AVG with Revo Uninstaller...

O23 - Service: AVG8 E-mail Scanner (avg8emc) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgemc.exe (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgfws8.exe (file missing)

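The HijackThis log above is a flat text format, and the first pass an analyst makes over it is mechanical: which services still point at binaries that no longer exist (the AVG leftovers the poster noticed), what starts from a Startup folder rather than a Run key, what runs under the SYSTEM account's profile, and which browser helper objects come from publishers nobody recognises. The script below is an added example written for this thread, not part of HijackThis and not from anyone in the thread. Its sample input is an excerpt of the log posted above; the "known publisher" and "known system32 autorun" lists are illustrative assumptions, not a verified whitelist, and a flagged entry means "verify the file's publisher and hash", not "this is malware".

```python
"""Triage of a HijackThis (HJT) log.

Added example for this thread, not code from HijackThis or from the poster.
It parses the O2 (BHO), O4 (autorun) and O23 (service) lines and lists the
entries an analyst would check first. The vendor/known-file lists below are
illustrative assumptions, not a verified whitelist.
"""
import re
from collections import defaultdict

# Excerpt of the HijackThis log posted above (lines copied from the post;
# the R0 line is there to show that unhandled sections are skipped).
HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yandex.ru/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: VirtualNetwork module - {6C517674-DE1C-4493-977C-34A1BFAB35BA} - C:\Program Files\VirtualNetwork\VirtualNetwork.dll
O4 - HKLM\..\Run: [PrintDisp] C:\WINDOWS\system32\PrintDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - Startup: prkiller.CFG
O4 - Startup: prkiller.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgemc.exe (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<where>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?)(?: \((?P<short>[^()]+)\))? - (?P<vendor>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
EXE_RE = re.compile(r'"?(?P<exe>[^"]+?\.exe)', re.IGNORECASE)

# Illustrative assumptions: publishers whose BHO paths we accept without review,
# and system32 binaries we recognise as legitimate autoruns.
KNOWN_BHO_PATH_HINTS = ("\\adobe\\", "\\microsoft\\", "\\google\\")
KNOWN_SYSTEM32_AUTORUNS = {"ctfmon.exe"}


def parse_hjt(text):
    """Return one dict per recognised O2/O4/O23 line; other sections are ignored."""
    entries = []
    for line in text.splitlines():
        if m := O2_RE.match(line):
            entries.append({"kind": "O2", "name": m["name"], "clsid": m["clsid"], "path": m["path"]})
        elif m := O4_RE.match(line):
            exe = EXE_RE.match(m["cmd"])
            entries.append({"kind": "O4", "where": m["where"], "name": m["name"],
                            "cmd": m["cmd"], "exe": exe["exe"] if exe else None})
        elif m := O23_RE.match(line):
            entries.append({"kind": "O23", "name": m["name"], "short": m["short"],
                            "vendor": m["vendor"], "path": m["path"],
                            "missing": m["missing"] is not None})
    return entries


def triage(entries):
    """Group the entries worth a second look, keyed by why they were flagged."""
    findings = defaultdict(list)
    for e in entries:
        if e["kind"] == "O23":
            if e["missing"]:
                # Service still registered but its binary is gone: typical leftover of an
                # interrupted uninstall, and a service that fails at every boot until removed.
                findings["service_binary_missing"].append(e["name"])
            elif e["vendor"] == "Unknown owner":
                findings["service_unverified_owner"].append(e["name"])
        elif e["kind"] == "O4" and e["exe"]:
            base = e["exe"].rsplit("\\", 1)[-1].lower()
            if e["where"] in ("Startup", "Global Startup"):
                # Anything in a Startup folder runs at logon with no registry entry at all.
                findings["startup_folder_autorun"].append(base)
            elif e["where"].startswith("HKUS\\S-1-5-18"):
                # Run key in the SYSTEM account's profile, not the logged-on user's.
                findings["autorun_in_system_hive"].append(base)
            elif "\\system32\\" in e["exe"].lower() and base not in KNOWN_SYSTEM32_AUTORUNS:
                findings["system32_autorun_unrecognised"].append(base)
        elif e["kind"] == "O2":
            if not any(h in e["path"].lower() for h in KNOWN_BHO_PATH_HINTS):
                findings["bho_unrecognised"].append(e["name"])
    return dict(findings)


if __name__ == "__main__":
    for reason, items in triage(parse_hjt(HJT_LOG)).items():
        print(f"{reason}: {', '.join(items)}")
```

On the excerpt this reports the two orphaned services (the AVG e-mail scanner and the iPod service, both "file missing"), prkiller.exe starting from the user's Startup folder, the Picasa detector registered under the SYSTEM hive, PrintDisp.exe in system32 outside the illustrative known list, and the VirtualNetwork BHO. Each is a question to answer with the file's publisher and hash, which is exactly the information the log itself does not carry.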


#2 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hello Alim

Welcome to G2Go.
===============
Download GMER from here:
http://www.gmer.net/files.php

Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for Show All.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.
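A GMER rootkit scan reports three things that matter here: which kernel driver owns each hooked SSDT entry, which loaded drivers GMER could not open on disk ("The system cannot find the file specified"), and the bytes that were patched inside ntdll.dll in every process. The reader below is an added example written for this thread, not GMER's code and not from anyone posting here; its sample is an excerpt of the log posted in reply #3. Two assumptions are built in and marked in the code: GMER prints only the bytes that differ from the module on disk (which is why byte +3 of each stub is absent), and on Windows XP SP2 an ntdll Nt* stub begins with `mov eax, <service number>` followed by `mov edx, 7FFE0300h`; the three service numbers in the table are XP SP2 values supplied from memory, used only to fill in the bytes GMER left out. Decoding shows each patch is an `FF 25` absolute-indirect jump through a pointer in the 0x5F000000 range. The log does not say which module placed them; the SSDT lines name their driver, and the one driver with no vendor string and no file on disk (spas.sys) is the entry to investigate first.

```python
"""Reading a GMER rootkit-scan log.

Added example for this thread, not GMER's code or the poster's. The sample is
an excerpt of the log posted in reply #3. Assumptions: GMER prints only the
bytes that differ from the module on disk, and on XP SP2 every ntdll Nt* stub
starts with `mov eax, <service number>` then `mov edx, 7FFE0300h`, so the
unpatched prologue is B8 xx xx xx xx BA.
"""
import re
from collections import defaultdict

# Excerpt of the GMER log from reply #3 (lines copied from the post).
GMER_LOG = r"""
---- System - GMER 1.0.14 ----

SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateKey [0xEBB077A6]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwTerminateProcess [0xEBB03D0A]
SSDT spas.sys ZwEnumerateKey [0xF8676CA2]
SSDT spas.sys ZwQueryValueKey [0xF8676F88]

---- Kernel code sections - GMER 1.0.14 ----

? dyzophla.sys The system cannot find the file specified. !
? spas.sys The system cannot find the file specified. !
? System32\Drivers\avgtdix.sys The system cannot find the file specified. !
.text ntdll.dll!NtClose 7C90D586 3 Bytes [ FF, 25, 1E ]
.text ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [ 2C, 5F ]
.text ntdll.dll!NtCreateFile 7C90D682 1 Byte [ FF ]
.text ntdll.dll!NtCreateFile + 2 7C90D684 1 Byte [ 1E ]
.text ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [ 17, 5F ]
.text ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 26, 5F ]
"""

SSDT_RE = re.compile(r"^SSDT (?P<module>\S+)(?: \((?P<desc>[^)]*)\))? (?P<func>Zw\w+) \[0x(?P<addr>[0-9A-F]+)\]$", re.M)
MISSING_RE = re.compile(r"^\? (?P<path>\S+) The system cannot find the file specified\. !$", re.M)
NTDLL_RE = re.compile(r"^\.text ntdll\.dll!(?P<func>Nt\w+)(?: \+ (?P<off>[0-9A-F]+))? [0-9A-F]{8} \d+ Bytes? \[ (?P<bytes>[^\]]+) \]$", re.M)

# XP SP2 system service numbers for the stubs in the excerpt (assumption, from
# memory; only needed to fill in bytes GMER omitted because they were unchanged).
XP_SP2_SERVICE = {"NtClose": 0x19, "NtCreateFile": 0x25, "NtTerminateProcess": 0x101}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def missing_modules(text):
    """Drivers GMER saw loaded but could not open on disk, in log order."""
    return [basename(m["path"]) for m in MISSING_RE.finditer(text)]


def summarise_ssdt(text):
    """Group SSDT hooks by owning driver and note whether GMER found the file and a vendor."""
    missing = set(missing_modules(text))
    drivers = {}
    for m in SSDT_RE.finditer(text):
        name = basename(m["module"])
        d = drivers.setdefault(name, {"vendor": m["desc"], "hooks": [], "file_found": name not in missing})
        d["hooks"].append(m["func"])
    return drivers


def decode_ntdll_hooks(text):
    """Rebuild the first 6 bytes of each patched ntdll stub and name the instruction."""
    patched = defaultdict(dict)  # func -> {offset: byte}
    for m in NTDLL_RE.finditer(text):
        base = int(m["off"] or "0", 16)
        for i, b in enumerate(m["bytes"].split(", ")):
            patched[m["func"]][base + i] = int(b, 16)
    decoded = {}
    for func, bytes_at in patched.items():
        svc = XP_SP2_SERVICE.get(func)
        if svc is None:
            decoded[func] = "service number unknown; cannot fill unchanged bytes"
            continue
        stub = bytearray(b"\xb8" + svc.to_bytes(4, "little") + b"\xba")  # unpatched prologue
        for off, b in bytes_at.items():
            if off < len(stub):
                stub[off] = b
        if stub[:2] == b"\xff\x25":
            # FF 25 imm32 = jmp dword ptr [imm32]: the stub now exits through a pointer
            target = int.from_bytes(stub[2:6], "little")
            decoded[func] = f"jmp dword ptr [0x{target:08X}]"
        else:
            decoded[func] = "patched, not a jmp: " + stub.hex(" ")
    return decoded


if __name__ == "__main__":
    for drv, info in summarise_ssdt(GMER_LOG).items():
        print(f"{drv}: {len(info['hooks'])} SSDT hooks, vendor={info['vendor']}, file_found={info['file_found']}")
    print("missing on disk:", missing_modules(GMER_LOG))
    for func, what in decode_ntdll_hooks(GMER_LOG).items():
        print(f"ntdll!{func}: {what}")
```

The per-process lines in the "User code sections" part of the log repeat the same byte patterns, so the same decoder applies there; the point of running it is to turn a page of hex fragments into three questions: which driver owns the kernel hooks, which drivers have no file behind them, and where the user-mode jumps land.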

#3 Alim (Topic Starter, Member, 22 posts)
OK, here is the log

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-08-24 15:42:16
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateKey [0xEBB077A6]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcess [0xEBB04794]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcessEx [0xEBB04F1E]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwDeleteKey [0xEBB081F0]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwDeleteValueKey [0xEBB0842A]
SSDT spas.sys ZwEnumerateKey [0xF8676CA2]
SSDT spas.sys ZwEnumerateValueKey [0xF8677030]
SSDT spas.sys ZwOpenKey [0xF86590C0]
SSDT spas.sys ZwQueryKey [0xF8677108]
SSDT spas.sys ZwQueryValueKey [0xF8676F88]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwRenameKey [0xEBB0912A]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwSetValueKey [0xEBB0883C]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwTerminateProcess [0xEBB03D0A]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwWriteVirtualMemory [0xEBB03384]

INT 0x01 \SystemRoot\system32\DRIVERS\ati2mtag.sys (ATI Radeon WindowsNT Miniport Driver/ATI Technologies Inc.) F7876541
INT 0x03 \SystemRoot\system32\DRIVERS\ati2mtag.sys (ATI Radeon WindowsNT Miniport Driver/ATI Technologies Inc.) F78765E7
INT 0x39 ? 83373BF8
INT 0x39 ? 82E15E90
INT 0x39 ? 82E15E90
INT 0x39 ? 82E15E90
INT 0x39 ? 82E15E90
INT 0x39 ? 82E15E90
INT 0x3E ? 833DEBF8
INT 0x3F ? 833DEBF8

---- Kernel code sections - GMER 1.0.14 ----

? dyzophla.sys The system cannot find the file specified. !
? spas.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F765A62C 5 Bytes JMP 82E15470
.text asprkh2g.SYS F755C384 1 Byte [ 20 ]
.text asprkh2g.SYS F755C386 35 Bytes [ 00, 68, 00, 00, 00, 00, 00, ... ]
.text asprkh2g.SYS F755C3AA 24 Bytes [ 00, 00, 20, 00, 00, E0, 00, ... ]
.text asprkh2g.SYS F755C3C4 3 Bytes [ 00, 00, 00 ]
.text asprkh2g.SYS F755C3C9 1 Byte [ 00 ]
.text ...
? system32\DRIVERS\avgfwdx.sys The system cannot find the file specified. !
? System32\Drivers\avgmfx86.sys The system cannot find the file specified. !
? System32\Drivers\avgldx86.sys The system cannot find the file specified. !
? System32\Drivers\avgtdix.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !
.text ntdll.dll!NtClose 7C90D586 3 Bytes [ FF, 25, 1E ]
.text ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [ 2C, 5F ]
.text ntdll.dll!NtCreateFile 7C90D682 1 Byte [ FF ]
.text ntdll.dll!NtCreateFile + 2 7C90D684 1 Byte [ 1E ]
.text ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [ 17, 5F ]
.text ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [ FF, 25, 1E ]
.text ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [ 05, 5F ]
.text ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 23, 5F ]
.text ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [ FF, 25, 1E ]
.text ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [ 0B, 5F ]
.text ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 11, 5F ]
.text ntdll.dll!NtRenameKey 7C90E339 3 Bytes [ FF, 25, 1E ]
.text ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [ 14, 5F ]
.text ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [ FF, 25, 1E ]
.text ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [ 20, 5F ]
.text ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 0E, 5F ]
.text ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 26, 5F ]
.text ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1A, 5F ]
.text ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [ FF, 25, 1E ]
.text ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [ 1D, 5F ]
.text ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 29, 5F ]

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[332] ntdll.dll!NtClose 7C90D586 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[332] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [ 2C, 5F ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[332] ntdll.dll!NtCreateFile 7C90D682 1 Byte [ FF ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[332] ntdll.dll!NtCreateFile + 2 7C90D684 1 Byte [ 1E ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[332] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [ 17, 5F ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[332] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[332] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [ 05, 5F ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[332] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[332] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 23, 5F ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[332] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[332] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[332] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[332] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 11, 5F ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[332] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[332] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [ 14, 5F ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[332] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[332] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [ 20, 5F ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[332] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[332] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[332] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[332] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 26, 5F ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[332] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[332] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1A, 5F ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[332] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[332] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [ 1D, 5F ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[332] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[332] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 29, 5F ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[332] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, F1, 83 ]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[332] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[332] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[500] ntdll.dll!NtClose 7C90D586 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[500] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [ 2C, 5F ]
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[500] ntdll.dll!NtCreateFile 7C90D682 1 Byte [ FF ]
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[500] ntdll.dll!NtCreateFile + 2 7C90D684 1 Byte [ 1E ]
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[500] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [ 17, 5F ]
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[500] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[500] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [ 05, 5F ]
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[500] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[500] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 23, 5F ]
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[500] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[500] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [ 0B, 5F ]
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[500] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[500] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 11, 5F ]
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[500] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[500] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [ 14, 5F ]
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[500] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[500] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [ 20, 5F ]
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[500] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[500] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[500] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[500] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 26, 5F ]
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[500] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[500] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1A, 5F ]
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[500] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[500] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [ 1D, 5F ]
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[500] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[500] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 29, 5F ]
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[500] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, B8, 87 ]
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[500] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe[500] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\svchost.exe[764] ntdll.dll!NtClose 7C90D586 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[764] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [ 2C, 5F ]
.text C:\WINDOWS\system32\svchost.exe[764] ntdll.dll!NtCreateFile 7C90D682 1 Byte [ FF ]
.text C:\WINDOWS\system32\svchost.exe[764] ntdll.dll!NtCreateFile + 2 7C90D684 1 Byte [ 1E ]
.text C:\WINDOWS\system32\svchost.exe[764] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [ 17, 5F ]
.text C:\WINDOWS\system32\svchost.exe[764] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[764] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\svchost.exe[764] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[764] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 23, 5F ]
.text C:\WINDOWS\system32\svchost.exe[764] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[764] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\svchost.exe[764] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[764] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\svchost.exe[764] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[764] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\svchost.exe[764] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[764] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [ 20, 5F ]
.text C:\WINDOWS\system32\svchost.exe[764] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[764] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\svchost.exe[764] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[764] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 26, 5F ]
.text C:\WINDOWS\system32\svchost.exe[764] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[764] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1A, 5F ]
.text C:\WINDOWS\system32\svchost.exe[764] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[764] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [ 1D, 5F ]
.text C:\WINDOWS\system32\svchost.exe[764] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[764] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 29, 5F ]
.text C:\WINDOWS\system32\svchost.exe[764] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, ED, 83 ]
.text C:\WINDOWS\system32\svchost.exe[764] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\svchost.exe[764] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\msiexec.exe[848] ntdll.dll!NtClose 7C90D586 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\msiexec.exe[848] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [ 2C, 5F ]
.text C:\WINDOWS\system32\msiexec.exe[848] ntdll.dll!NtCreateFile 7C90D682 1 Byte [ FF ]
.text C:\WINDOWS\system32\msiexec.exe[848] ntdll.dll!NtCreateFile + 2 7C90D684 1 Byte [ 1E ]
.text C:\WINDOWS\system32\msiexec.exe[848] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [ 17, 5F ]
.text C:\WINDOWS\system32\msiexec.exe[848] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\msiexec.exe[848] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\msiexec.exe[848] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\msiexec.exe[848] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 23, 5F ]
.text C:\WINDOWS\system32\msiexec.exe[848] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\msiexec.exe[848] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\msiexec.exe[848] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\msiexec.exe[848] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\msiexec.exe[848] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\msiexec.exe[848] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\msiexec.exe[848] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\msiexec.exe[848] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [ 20, 5F ]
.text C:\WINDOWS\system32\msiexec.exe[848] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\msiexec.exe[848] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\msiexec.exe[848] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\msiexec.exe[848] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 26, 5F ]
.text C:\WINDOWS\system32\msiexec.exe[848] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\msiexec.exe[848] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1A, 5F ]
.text C:\WINDOWS\system32\msiexec.exe[848] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\msiexec.exe[848] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [ 1D, 5F ]
.text C:\WINDOWS\system32\msiexec.exe[848] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\msiexec.exe[848] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 29, 5F ]
.text C:\WINDOWS\system32\msiexec.exe[848] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 04, 84 ]
.text C:\WINDOWS\system32\msiexec.exe[848] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\WINDOWS\system32\msiexec.exe[848] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\msiexec.exe[848] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\Explorer.EXE[960] ntdll.dll!NtClose 7C90D586 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\Explorer.EXE[960] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [ 2C, 5F ]
.text C:\WINDOWS\Explorer.EXE[960] ntdll.dll!NtCreateFile 7C90D682 1 Byte [ FF ]
.text C:\WINDOWS\Explorer.EXE[960] ntdll.dll!NtCreateFile + 2 7C90D684 1 Byte [ 1E ]
.text C:\WINDOWS\Explorer.EXE[960] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [ 17, 5F ]
.text C:\WINDOWS\Explorer.EXE[960] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\Explorer.EXE[960] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\Explorer.EXE[960] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\Explorer.EXE[960] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 23, 5F ]
.text C:\WINDOWS\Explorer.EXE[960] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\Explorer.EXE[960] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\Explorer.EXE[960] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\Explorer.EXE[960] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\Explorer.EXE[960] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\Explorer.EXE[960] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\Explorer.EXE[960] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\Explorer.EXE[960] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [ 20, 5F ]
.text C:\WINDOWS\Explorer.EXE[960] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\Explorer.EXE[960] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\Explorer.EXE[960] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\Explorer.EXE[960] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 26, 5F ]
.text C:\WINDOWS\Explorer.EXE[960] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\Explorer.EXE[960] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1A, 5F ]
.text C:\WINDOWS\Explorer.EXE[960] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\Explorer.EXE[960] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [ 1D, 5F ]
.text C:\WINDOWS\Explorer.EXE[960] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\Explorer.EXE[960] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 29, 5F ]
.text C:\WINDOWS\Explorer.EXE[960] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, A2, 85 ]
.text C:\WINDOWS\Explorer.EXE[960] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\Explorer.EXE[960] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\Documents and Settings\Alim\Desktop\gmer\gmer.exe[1056] ntdll.dll!NtClose 7C90D586 3 Bytes [ FF, 25, 1E ]
.text C:\Documents and Settings\Alim\Desktop\gmer\gmer.exe[1056] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [ 2C, 5F ]
.text C:\Documents and Settings\Alim\Desktop\gmer\gmer.exe[1056] ntdll.dll!NtCreateFile 7C90D682 1 Byte [ FF ]
.text C:\Documents and Settings\Alim\Desktop\gmer\gmer.exe[1056] ntdll.dll!NtCreateFile + 2 7C90D684 1 Byte [ 1E ]
.text C:\Documents and Settings\Alim\Desktop\gmer\gmer.exe[1056] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [ 17, 5F ]
.text C:\Documents and Settings\Alim\Desktop\gmer\gmer.exe[1056] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [ FF, 25, 1E ]
.text C:\Documents and Settings\Alim\Desktop\gmer\gmer.exe[1056] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [ 05, 5F ]
.text C:\Documents and Settings\Alim\Desktop\gmer\gmer.exe[1056] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\Documents and Settings\Alim\Desktop\gmer\gmer.exe[1056] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 23, 5F ]
.text C:\Documents and Settings\Alim\Desktop\gmer\gmer.exe[1056] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [ FF, 25, 1E ]
.text C:\Documents and Settings\Alim\Desktop\gmer\gmer.exe[1056] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [ 0B, 5F ]
.text C:\Documents and Settings\Alim\Desktop\gmer\gmer.exe[1056] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\Documents and Settings\Alim\Desktop\gmer\gmer.exe[1056] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 11, 5F ]
.text C:\Documents and Settings\Alim\Desktop\gmer\gmer.exe[1056] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [ FF, 25, 1E ]
.text C:\Documents and Settings\Alim\Desktop\gmer\gmer.exe[1056] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [ 14, 5F ]
.text C:\Documents and Settings\Alim\Desktop\gmer\gmer.exe[1056] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [ FF, 25, 1E ]
.text C:\Documents and Settings\Alim\Desktop\gmer\gmer.exe[1056] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [ 20, 5F ]
.text C:\Documents and Settings\Alim\Desktop\gmer\gmer.exe[1056] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\Documents and Settings\Alim\Desktop\gmer\gmer.exe[1056] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 0E, 5F ]
.text C:\Documents and Settings\Alim\Desktop\gmer\gmer.exe[1056] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Documents and Settings\Alim\Desktop\gmer\gmer.exe[1056] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 26, 5F ]
.text C:\Documents and Settings\Alim\Desktop\gmer\gmer.exe[1056] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\Documents and Settings\Alim\Desktop\gmer\gmer.exe[1056] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1A, 5F ]
.text C:\Documents and Settings\Alim\Desktop\gmer\gmer.exe[1056] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [ FF, 25, 1E ]
.text C:\Documents and Settings\Alim\Desktop\gmer\gmer.exe[1056] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [ 1D, 5F ]
.text C:\Documents and Settings\Alim\Desktop\gmer\gmer.exe[1056] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\Documents and Settings\Alim\Desktop\gmer\gmer.exe[1056] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 29, 5F ]
.text C:\Documents and Settings\Alim\Desktop\gmer\gmer.exe[1056] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, BA, 83 ]
.text C:\Documents and Settings\Alim\Desktop\gmer\gmer.exe[1056] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\Documents and Settings\Alim\Desktop\gmer\gmer.exe[1056] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\Documents and Settings\Alim\Desktop\gmer\gmer.exe[1056] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\spoolsv.exe[1076] ntdll.dll!NtClose 7C90D586 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\spoolsv.exe[1076] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [ 2C, 5F ]
.text C:\WINDOWS\system32\spoolsv.exe[1076] ntdll.dll!NtCreateFile 7C90D682 1 Byte [ FF ]
.text C:\WINDOWS\system32\spoolsv.exe[1076] ntdll.dll!NtCreateFile + 2 7C90D684 1 Byte [ 1E ]
.text C:\WINDOWS\system32\spoolsv.exe[1076] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [ 17, 5F ]
.text C:\WINDOWS\system32\spoolsv.exe[1076] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\spoolsv.exe[1076] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\spoolsv.exe[1076] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\spoolsv.exe[1076] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 23, 5F ]
.text C:\WINDOWS\system32\spoolsv.exe[1076] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\spoolsv.exe[1076] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\spoolsv.exe[1076] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\spoolsv.exe[1076] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\spoolsv.exe[1076] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\spoolsv.exe[1076] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\spoolsv.exe[1076] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\spoolsv.exe[1076] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [ 20, 5F ]
.text C:\WINDOWS\system32\spoolsv.exe[1076] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\spoolsv.exe[1076] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\spoolsv.exe[1076] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\spoolsv.exe[1076] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 26, 5F ]
.text C:\WINDOWS\system32\spoolsv.exe[1076] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\spoolsv.exe[1076] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1A, 5F ]
.text C:\WINDOWS\system32\spoolsv.exe[1076] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\spoolsv.exe[1076] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [ 1D, 5F ]
.text C:\WINDOWS\system32\spoolsv.exe[1076] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\spoolsv.exe[1076] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 29, 5F ]
.text C:\WINDOWS\system32\spoolsv.exe[1076] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 7E, 84 ]
.text C:\WINDOWS\system32\spoolsv.exe[1076] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\spoolsv.exe[1076] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\csrss.exe[1128] ntdll.dll!NtClose 7C90D586 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\csrss.exe[1128] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [ 2C, 5F ]
.text C:\WINDOWS\system32\csrss.exe[1128] ntdll.dll!NtCreateFile 7C90D682 1 Byte [ FF ]
.text C:\WINDOWS\system32\csrss.exe[1128] ntdll.dll!NtCreateFile + 2 7C90D684 1 Byte [ 1E ]
.text C:\WINDOWS\system32\csrss.exe[1128] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [ 17, 5F ]
.text C:\WINDOWS\system32\csrss.exe[1128] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\csrss.exe[1128] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\csrss.exe[1128] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\csrss.exe[1128] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 23, 5F ]
.text C:\WINDOWS\system32\csrss.exe[1128] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\csrss.exe[1128] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\csrss.exe[1128] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\csrss.exe[1128] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\csrss.exe[1128] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\csrss.exe[1128] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\csrss.exe[1128] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\csrss.exe[1128] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [ 20, 5F ]
.text C:\WINDOWS\system32\csrss.exe[1128] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\csrss.exe[1128] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\csrss.exe[1128] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\csrss.exe[1128] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 26, 5F ]
.text C:\WINDOWS\system32\csrss.exe[1128] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\csrss.exe[1128] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1A, 5F ]
.text C:\WINDOWS\system32\csrss.exe[1128] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\csrss.exe[1128] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [ 1D, 5F ]
.text C:\WINDOWS\system32\csrss.exe[1128] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\csrss.exe[1128] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 29, 5F ]
.text C:\WINDOWS\system32\csrss.exe[1128] KERNEL32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, D5, 84 ]
.text C:\WINDOWS\system32\csrss.exe[1128] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\csrss.exe[1128] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\winlogon.exe[1164] ntdll.dll!NtClose 7C90D586 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\winlogon.exe[1164] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [ 2C, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[1164] ntdll.dll!NtCreateFile 7C90D682 1 Byte [ FF ]
.text C:\WINDOWS\system32\winlogon.exe[1164] ntdll.dll!NtCreateFile + 2 7C90D684 1 Byte [ 1E ]
.text C:\WINDOWS\system32\winlogon.exe[1164] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [ 17, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[1164] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\winlogon.exe[1164] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[1164] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\winlogon.exe[1164] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 23, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[1164] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\winlogon.exe[1164] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[1164] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\winlogon.exe[1164] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[1164] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\winlogon.exe[1164] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[1164] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\winlogon.exe[1164] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [ 20, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[1164] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\winlogon.exe[1164] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[1164] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\winlogon.exe[1164] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 26, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[1164] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\winlogon.exe[1164] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1A, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[1164] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\winlogon.exe[1164] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [ 1D, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[1164] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\winlogon.exe[1164] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 29, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[1164] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, D7, 84 ]
.text C:\WINDOWS\system32\winlogon.exe[1164] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\winlogon.exe[1164] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\services.exe[1212] ntdll.dll!NtClose 7C90D586 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\services.exe[1212] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [ 2C, 5F ]
.text C:\WINDOWS\system32\services.exe[1212] ntdll.dll!NtCreateFile 7C90D682 1 Byte [ FF ]
.text C:\WINDOWS\system32\services.exe[1212] ntdll.dll!NtCreateFile + 2 7C90D684 1 Byte [ 1E ]
.text C:\WINDOWS\system32\services.exe[1212] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [ 17, 5F ]
.text C:\WINDOWS\system32\services.exe[1212] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\services.exe[1212] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\services.exe[1212] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\services.exe[1212] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [ 23, 5F ]
.text C:\WINDOWS\system32\services.exe[1212] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\services.exe[1212] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [ 0B, 5F ]
.text C:\WINDOWS\system32\services.exe[1212] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\services.exe[1212] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [ 11, 5F ]
.text C:\WINDOWS\system32\services.exe[1212] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\services.exe[1212] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [ 14, 5F ]
.text C:\WINDOWS\system32\services.exe[1212] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\services.exe[1212] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [ 20, 5F ]
.text C:\WINDOWS\system32\services.exe[1212] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\services.exe[1212] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\services.exe[1212] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\services.exe[1212] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 26, 5F ]
.text C:\WINDOWS\system32\services.exe[1212] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\services.exe[1212] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1A, 5F ]
.text C:\WINDOWS\system32\services.exe[1212] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\services.exe[1212] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [ 1D, 5F ]
.text C:\WINDOWS\system32\services.exe[1212] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\services.exe[1212] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [ 29, 5F ]
.text C:\WINDOWS\system32\services.exe[1212] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, FB, 83 ]
.text C:\WINDOWS\system32\services.exe[1212] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\services.exe[1212] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\lsass.exe[1224] ntdll.dll!NtClose 7C90D586 3 Bytes [ FF, 25, 1E ]
.text C:\WIND
#4
Alim

    Member

  • Topic Starter
  • 22 posts
I tried installing Kaspersky 2009 Internet Security today, but it wouldn't let me do it, saying that AVG8 is still present on my computer.
I could not find anything connected with AVG through Windows search or Revo Uninstaller. The only AVG files I found are in the Hijackthis log:

O23 - Service: AVG8 E-mail Scanner (avg8emc) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgemc.exe (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: AVG8 Firewall (avgfws8) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgfws8.exe (file missing)

I tried fixing them but they reappear on the next scan.
#5
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Thanks for your donation.
Those reappear because they are services set to start up with your computer.

I will need to see if anything else is present before we can proceed.
Please send me an e-mail with this next log file as an attachment so I can read it all. Thanks.
=======================================
Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
    • Rootkit Search - Yes
    • Drivers - Non Microsoft
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and copy/paste the information back here. I will review it when it comes in. Make sure that the first line is code with brackets around it [] and that the last line is /code with brackets around it [].

If, after posting, the last line is not <End of Report> then the log is too big to fit into a single post and you will need to split it into multiple posts or attach it as a file.
#6
Alim

    Member

  • Topic Starter
  • 22 posts
OK, I think it's complete.
[code]OTScanIt logfile created on: 24.08.2008 16:33:29
OTScanIt by OldTimer - Version 1.0.16.2 Folder = C:\Documents and Settings\Alim\Desktop\OTScanIt
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000419 | Country: Russia | Language: RUS | Date Format: dd.MM.yyyy

511,47 Mb Total Physical Memory | 167,87 Mb Available Physical Memory | 32,82% Memory free
3,40 Gb Paging File | 2,79 Gb Available in Paging File | 82,24% Paging File free
Paging file location(s): C:\pagefile.sys 3000 4000;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74,52 Gb Total Space | 8,36 Gb Free Space | 11,22% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 7,91 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: CDFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME-C1AD84D1C5
Current User Name: Alim
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user

[Processes - Non-Microsoft Only]
ati2evxx.exe -> %SystemRoot%\system32\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4180 | Size = 495616 bytes | Modified Date = 01.11.2007 23:59:21 | Attr = ]
ati2evxx.exe -> %SystemRoot%\system32\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4180 | Size = 495616 bytes | Modified Date = 01.11.2007 23:59:21 | Attr = ]
aawservice.exe -> %ProgramFiles%\Lavasoft\Ad-Aware\aawservice.exe -> Lavasoft [Ver = 7,1,0,3 | Size = 611664 bytes | Modified Date = 12.05.2008 12:38:28 | Attr = ]
wlan111t.exe -> %ProgramFiles%\NETGEAR\WG111T\wlan111t.exe -> NETGEAR [Ver = 1, 3, 0, 1 | Size = 884840 bytes | Modified Date = 25.01.2006 15:49:02 | Attr = ]
prkiller.exe -> %UserProfile%\Start Menu\Programs\Startup\prkiller.exe -> [Ver = 1.4.1 | Size = 29184 bytes | Modified Date = 30.07.2003 0:04:32 | Attr = ]
pctsauxs.exe -> %ProgramFiles%\Spyware Doctor\pctsAuxs.exe -> PC Tools [Ver = 6, 0, 0, 3 | Size = 356920 bytes | Modified Date = 13.06.2008 15:29:14 | Attr = ]
pctssvc.exe -> %ProgramFiles%\Spyware Doctor\pctsSvc.exe -> PC Tools [Ver = 6.0.0.16 | Size = 1073544 bytes | Modified Date = 07.08.2008 12:12:38 | Attr = ]
pctstray.exe -> %ProgramFiles%\Spyware Doctor\pctsTray.exe -> PC Tools [Ver = 6.0.0.10 | Size = 1166216 bytes | Modified Date = 16.07.2008 9:16:20 | Attr = ]
otscanit.exe -> %UserProfile%\Desktop\OTScanIt\OTScanIt.exe -> OldTimer Tools [Ver = 1.0.16.2 | Size = 397312 bytes | Modified Date = 12.07.2008 9:29:54 | Attr = ]

[Win32 Services - Non-Microsoft Only]
(aawservice) Lavasoft Ad-Aware Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Lavasoft\Ad-Aware\aawservice.exe -> Lavasoft [Ver = 7,1,0,3 | Size = 611664 bytes | Modified Date = 12.05.2008 12:38:28 | Attr = ]
(Ati HotKey Poller) Ati HotKey Poller [Win32_Own | Auto | Running] -> %SystemRoot%\system32\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4180 | Size = 495616 bytes | Modified Date = 01.11.2007 23:59:21 | Attr = ]
(ATI Smart) ATI Smart [Win32_Own | Auto | Stopped] -> %SystemRoot%\system32\ati2sgag.exe -> [Ver = 5.13.0027 | Size = 593920 bytes | Modified Date = 01.11.2007 21:05:00 | Attr = ]
(avg8emc) AVG8 E-mail Scanner [Win32_Own | Auto | Stopped] -> %SystemDrive%\PROGRA~1\AVG\AVG8\avgemc.exe -> File not found
(avg8wd) AVG8 WatchDog [Win32_Own | Auto | Stopped] -> %SystemDrive%\PROGRA~1\AVG\AVG8\avgwdsvc.exe -> File not found
(avgfws8) AVG8 Firewall [Win32_Own | Auto | Stopped] -> %SystemDrive%\PROGRA~1\AVG\AVG8\avgfws8.exe -> File not found
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %SystemRoot%\system32\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 04.08.2004 0:56:50 | Attr = ]
(IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\InstallShield\Driver\11\Intel 32\IDriverT.exe -> Macrovision Corporation [Ver = 11.00.28844 | Size = 69632 bytes | Modified Date = 04.04.2005 1:41:10 | Attr = ]
(iPod Service) iPod Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\iPod\bin\iPodService.exe -> File not found
(sdAuxService) PC Tools Auxiliary Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Spyware Doctor\pctsAuxs.exe -> PC Tools [Ver = 6, 0, 0, 3 | Size = 356920 bytes | Modified Date = 13.06.2008 15:29:14 | Attr = ]
(sdCoreService) PC Tools Security Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Spyware Doctor\pctsSvc.exe -> PC Tools [Ver = 6.0.0.16 | Size = 1073544 bytes | Modified Date = 07.08.2008 12:12:38 | Attr = ]

[Driver Services - Non-Microsoft Only]
(AegisP) AEGIS Protocol (IEEE 802.1x) v3.2.0.3 [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\AegisP.sys -> Meetinghouse Data Communications [Ver = 3.2.0.3 | Size = 17801 bytes | Modified Date = 10.06.2008 20:40:45 | Attr = ]
(amdagp) AMD AGP Bus Filter Driver [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\AMDAGP.SYS -> Advanced Micro Devices, Inc. [Ver = 5.00 (xpsp_sp2_rtm.040803-2158) | Size = 43008 bytes | Modified Date = 03.08.2004 19:07:44 | Attr = ]
(AN983) ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\an983.sys -> ADMtek Incorporated. [Ver = 2.17.1025.2001 built by: WinDDK | Size = 36224 bytes | Modified Date = 03.08.2004 18:31:20 | Attr = ]
(AR5523) NETGEAR WG111T USB2.0 Wireless Card Service [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\WG11TND5.sys -> NETGEAR, Inc. [Ver = 1.5.0.2102 | Size = 362944 bytes | Modified Date = 05.09.2005 11:21:06 | Attr = ]
(ati2mtag) ati2mtag [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ati2mtag.sys -> ATI Technologies Inc. [Ver = 6.14.10.6734 | Size = 2644480 bytes | Modified Date = 02.11.2007 1:52:04 | Attr = ]
(atksgt) atksgt [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\atksgt.sys -> [Ver = | Size = 278728 bytes | Modified Date = 26.02.2008 0:11:18 | Attr = ]
(Avgfwdx) Avgfwdx [Kernel | On_Demand | Running] -> %SystemRoot%\System32\DRIVERS\avgfwdx.sys -> File not found
(Avgfwfd) AVG network filter service [Kernel | On_Demand | Stopped] -> %SystemRoot%\System32\DRIVERS\avgfwdx.sys -> File not found
(AvgLdx86) AVG AVI Loader Driver x86 [Kernel | System | Running] -> %SystemRoot%\System32\Drivers\avgldx86.sys -> File not found
(AvgMfx86) AVG On-access Scanner Minifilter Driver x86 [File_System | System | Running] -> %SystemRoot%\System32\Drivers\avgmfx86.sys -> File not found
(AvgRkx86) avgrkx86.sys [File_System | Boot | Stopped] -> %SystemRoot%\System32\Drivers\avgrkx86.sys -> File not found
(AvgTdiX) AVG8 Network Redirector [Kernel | Auto | Running] -> %SystemRoot%\System32\Drivers\avgtdix.sys -> File not found
(cmpci) C-Media PCI Audio Driver (WDM) [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\cmaudio.sys -> C-Media Inc [Ver = 5.12.01.0638 | Size = 379150 bytes | Modified Date = 12.06.2002 19:28:50 | Attr = R ]
(dmboot) dmboot [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\dmboot.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 799744 bytes | Modified Date = 03.08.2004 23:07:18 | Attr = ]
(dmio) Logical Disk Manager Driver [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\dmio.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 153344 bytes | Modified Date = 03.08.2004 23:07:18 | Attr = ]
(dmload) dmload [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\dmload.sys -> Microsoft Corp., Veritas Software. [Ver = 2600.0.503.0 | Size = 5888 bytes | Modified Date = 23.08.2001 8:00:00 | Attr = ]
(DNINDIS5) DNINDIS5 NDIS Protocol Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\DNINDIS5.sys -> Printing Communications Assoc., Inc. (PCAUSA) [Ver = 5.03.16.55 | Size = 17149 bytes | Modified Date = 24.07.2003 12:10:34 | Attr = ]
(EUSBMSD) eUSB SmartMedia Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\EUSBMSD.SYS -> SCM Microsystems Inc. [Ver = 2.17 | Size = 51072 bytes | Modified Date = 03.10.2001 2:47:28 | Attr = ]
(lirsgt) lirsgt [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\lirsgt.sys -> [Ver = | Size = 25416 bytes | Modified Date = 26.02.2008 0:11:17 | Attr = ]
(nv) nv [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\nv4_mini.sys -> NVIDIA Corporation [Ver = 6.14.10.5673 | Size = 1897408 bytes | Modified Date = 03.08.2004 18:29:56 | Attr = ]
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ptilink.sys -> Parallel Technologies, Inc. [Ver = 1.10 (XPClient.010817-1148) | Size = 17792 bytes | Modified Date = 23.08.2001 8:00:00 | Attr = ]
(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\pxhelp20.sys -> Sonic Solutions [Ver = 3.00.56a | Size = 43528 bytes | Modified Date = 07.03.2007 19:51:00 | Attr = ]
(Secdrv) Secdrv [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\secdrv.sys -> Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K. [Ver = 4.03.086 | Size = 20480 bytes | Modified Date = 13.11.2007 6:25:53 | Attr = ]
(sptd) sptd [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\sptd.sys -> [Ver = | Size = 716272 bytes | Modified Date = 26.02.2008 1:09:45 | Attr = ]
(IKFileSec) File Security Driver [File_System | Boot | Running] -> %SystemRoot%\system32\drivers\ikfilesec.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1042 built by: WinDDK | Size = 42376 bytes | Modified Date = 02.06.2008 15:19:12 | Attr = ]
(IKSysFlt) System Filter Driver [Kernel | System | Running] -> %SystemRoot%\system32\drivers\iksysflt.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1029 | Size = 66952 bytes | Modified Date = 02.06.2008 15:19:16 | Attr = ]
(IKSysSec) System Security Driver [Kernel | System | Running] -> %SystemRoot%\system32\drivers\iksyssec.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1033 | Size = 81288 bytes | Modified Date = 10.06.2008 21:22:52 | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
Adobe Reader Speed Launcher -> %ProgramFiles%\Adobe\Reader 8.0\Reader\reader_sl.exe ["C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"] -> Adobe Systems Incorporated [Ver = 8.0.0.0 | Size = 40048 bytes | Modified Date = 11.05.2007 3:06:32 | Attr = ]
C-Media Mixer -> %SystemRoot%\mixer.exe [Mixer.exe /startup] -> C-Media Electronic Inc. (www.cmedia.com.tw) [Ver = 1.53 | Size = 1495040 bytes | Modified Date = 13.06.2002 0:23:54 | Attr = R ]
HostManager -> %CommonProgramFiles%\AOL\1135840234\ee\aolsoftware.exe [C:\Program Files\Common Files\AOL\1135840234\ee\AOLSoftware.exe] -> America Online, Inc. [Ver = 1.5.3.1 | Size = 50760 bytes | Modified Date = 09.05.2006 20:24:16 | Attr = ]
ISTray -> %ProgramFiles%\Spyware Doctor\pctsTray.exe ["C:\Program Files\Spyware Doctor\pctsTray.exe"] -> PC Tools [Ver = 6.0.0.10 | Size = 1166216 bytes | Modified Date = 16.07.2008 9:16:20 | Attr = ]
ISUSPM -> %CommonProgramFiles%\InstallShield\UpdateService\ISUSPM.exe ["C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler] -> File not found
PrintDisp -> %SystemRoot%\system32\PrintDisp.exe [C:\WINDOWS\system32\PrintDisp.exe] -> [Ver = | Size = 385024 bytes | Modified Date = 02.09.2007 22:29:24 | Attr = ]
QuickTime Task -> %ProgramFiles%\QuickTime\QTTask.exe ["C:\Program Files\QuickTime\qttask.exe" -atboottime] -> Apple Inc. [Ver = 7.3 | Size = 286720 bytes | Modified Date = 19.10.2007 21:16:26 | Attr = ]
RemoteControl -> %ProgramFiles%\CyberLink\PowerDVD\PDVDServ.exe ["C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"] -> Cyberlink Corp. [Ver = 6.00.1027 | Size = 32768 bytes | Modified Date = 02.11.2004 21:24:46 | Attr = ]
StartCCC -> %ProgramFiles%\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe ["C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"] -> [Ver = | Size = 90112 bytes | Modified Date = 10.11.2006 13:35:24 | Attr = ]
< OptionalComponents [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL-> Installed = 1 ->
MAPI-> Installed = 1 ->
MSFS-> Installed = 1 ->
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
BitTorrent -> %ProgramFiles%\BitTorrent\bittorrent.exe ["C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized] -> File not found
DAEMON Tools Lite -> %ProgramFiles%\DAEMON Tools Lite\daemon.exe ["C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun] -> DT Soft Ltd [Ver = 4.12.1.0 | Size = 486856 bytes | Modified Date = 13.02.2008 19:09:40 | Attr = ]
Download Master -> %ProgramFiles%\Download Master\dmaster.exe [C:\Program Files\Download Master\dmaster.exe -autorun] -> File not found
ICQ -> %ProgramFiles%\ICQ6\ICQ.exe ["C:\Program Files\ICQ6\ICQ.exe" silent] -> ICQ, Inc. [Ver = 6.0.0.6039 | Size = 172280 bytes | Modified Date = 20.11.2007 20:47:27 | Attr = ]
< Alim Startup Folder > -> C:\Documents and Settings\Alim\Start Menu\Programs\Startup ->
  • 0

#7
Alim

    Member

  • Topic Starter
  • Member
  • 22 posts
Let me try that again.
  • 0

#8
Alim

    Member

  • Topic Starter
  • Member
  • 22 posts
OK, I attached the log file this time.

Attached Files


  • 0

#9
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hi, please e-mail it to me, as the code is messed up when it is attached.
My e-mail address is kahdah at aol.com replacing at with @
  • 0

#10
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
You indeed have a rootkit; I will also remove those AVG services once the rootkit is gone.
First, please delete your version of ComboFix.

1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to delete:
tdssserv

Files to delete:
C:\Windows\system32\drivers\tdssserv.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of The Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.
=============
Then:

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


#11
Alim
    Member
  • Topic Starter
  • 22 posts
Good morning. I'm afraid Avenger did something wrong to the Internet adapter or something.
After Avenger restarted the computer my Internet stopped working completely. When I checked the Wireless Network Connection properties there were only 2 tabs, General and Advanced, but the tab with the order of preferred networks was completely gone. Also the Details tab in the Wireless Network Status window is completely blank (no IP, DNS etc.), even though it says that the network is connected. I restarted twice, did a repair and plugged the WiFi adapter out and back in. Nothing helped. When I ran ipconfig /all in cmd the only thing it showed was this sentence: "Windows IP Configuration". So right now I have no Internet at all (I had to type this letter from the computer lab).
I decided not to install the Repair Console since obviously something went wrong with the previous step.

This is the Avenger log:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "tdssserv" deleted successfully.

Error: file "C:\Windows\system32\drivers\tdssserv.sys" not found!
Deletion of file "C:\Windows\system32\drivers\tdssserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

#12
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
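An added example, not part of the thread and not the helper's or The Avenger's own code: a small Python parser that reads an Avenger log like the one posted above and reports each scripted action's outcome, then flags the case seen here, where the "tdssserv" driver entry was deleted but the file deletion for the matching .sys failed with STATUS_OBJECT_NAME_NOT_FOUND. The sample log is copied from the post (banner lines trimmed). The "Driver ... deleted successfully." and "Deletion of file ... failed!" line formats are taken from the posted log; the File-success and Driver-failure variants the regexes also accept are assumptions made by analogy.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the Avenger log posted in this thread, with the
# banner lines trimmed. Only the lines the parser recognises matter here.
SAMPLE_LOG = """\
Logfile of The Avenger Version 2.0
Platform: Windows XP

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\\Avenger

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "tdssserv" deleted successfully.

Error: file "C:\\Windows\\system32\\drivers\\tdssserv.sys" not found!
Deletion of file "C:\\Windows\\system32\\drivers\\tdssserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Completed script processing.
Finished! Terminate.
"""

# Line formats. "Driver ... deleted successfully." and "Deletion of file ... failed!"
# appear verbatim in the posted log; the File-success and Driver-failure variants
# are assumptions made by analogy, not formats confirmed from an Avenger log.
_PLATFORM = re.compile(r"^Platform:\s*(.+?)\s*$")
_SUCCESS = re.compile(r'^(Driver|File) "(.+)" deleted successfully\.$')
_FAILED = re.compile(r'^Deletion of (driver|file) "(.+)" failed!$')
_STATUS = re.compile(r"^Status:\s*(0x[0-9A-Fa-f]+)\s*\((\w+)\)")


@dataclass
class Action:
    kind: str                     # "driver" (service entry) or "file"
    target: str                   # service name or full path
    ok: bool
    status: Optional[str] = None  # NTSTATUS code and name when the action failed


def _service_name_from_path(path: str) -> str:
    """'C:\\...\\drivers\\tdssserv.sys' -> 'tdssserv' (Windows paths, case kept)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name[:-4] if name.lower().endswith(".sys") else name


@dataclass
class AvengerReport:
    platform: Optional[str] = None
    rootkits_found: Optional[bool] = None  # None if the scan result line was absent
    actions: List[Action] = field(default_factory=list)

    def failures(self) -> List[Action]:
        return [a for a in self.actions if not a.ok]

    def driver_deleted_but_file_missing(self) -> List[str]:
        """Services whose entry was removed while the .sys named after them was
        reported absent at the listed path (the situation in the posted log)."""
        deleted = {a.target.lower() for a in self.actions if a.kind == "driver" and a.ok}
        missing = {
            _service_name_from_path(a.target).lower()
            for a in self.actions
            if a.kind == "file" and not a.ok and a.status
            and "STATUS_OBJECT_NAME_NOT_FOUND" in a.status
        }
        return sorted(deleted & missing)


def parse_avenger_log(text: str) -> AvengerReport:
    """One pass over the log; a Status: line is attached to the preceding failure."""
    report = AvengerReport()
    for raw in text.splitlines():
        line = raw.strip()
        if (m := _PLATFORM.match(line)):
            report.platform = m.group(1)
        elif line == "No rootkits found!":
            report.rootkits_found = False
        elif (m := _SUCCESS.match(line)):
            report.actions.append(Action(m.group(1).lower(), m.group(2), True))
        elif (m := _FAILED.match(line)):
            report.actions.append(Action(m.group(1).lower(), m.group(2), False))
        elif (m := _STATUS.match(line)) and report.actions and not report.actions[-1].ok:
            report.actions[-1].status = f"{m.group(1)} ({m.group(2)})"
    return report


if __name__ == "__main__":
    r = parse_avenger_log(SAMPLE_LOG)
    for a in r.actions:
        print(f"{a.kind:6} {a.target!r}: {'ok' if a.ok else 'FAILED ' + str(a.status)}")
    print("service entry removed, file absent:", r.driver_deleted_but_file_missing())
```

Pointing the parser at C:\avenger.txt instead of the embedded sample gives the same kind of summary for a real run. The "service entry removed, file absent" check separates the two things the script asked for: the driver entry was deleted, the file at the listed path was not there to delete, which is also what the helper's reply below says the log shows.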
Hi. Avenger only does what you tell it to do; it would not have done that. It seems that you have more issues at hand.
The only thing it did was to delete a rootkit service, which it did successfully, as you can see from the log.

Are you able to download other things to a flash drive or a CD?

#13
Alim
    Member
  • Topic Starter
  • 22 posts
Yes, I will be able to download files from a PC in the computer lab and use a flash drive to transfer them to my desktop.
I understand that Avenger is performing the script for fixing the rootkit, but why did the changes that I described happen immediately after Avenger deleted these "files" and did the restart?
Maybe it is possible to revert the changes made by Avenger somehow?

#14
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
It didn't delete any files; it only deleted a service, which has no effect on your network adapters.
Try to do a System Restore to a date before you tried to manually remove AVG.
I would like to see the shape of the system before all of the changes were made.
This will also put the rootkit back on your system, so be aware of that.

Let me know when you have accomplished this, please.
If you are unsure of how to do a System Restore, then let me know.

#15
Alim
    Member
  • Topic Starter
  • 22 posts
I would appreciate it if you could tell me how to do a System Restore, since I have never done it before.