Virtumonde infection, please help



meatwad
2007-08-25, 09:45
I've been trying to get this fixed for a couple of days now. I really need some help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:43:38 AM, on 8/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\pipmon.exe
C:\WINDOWS\system32\pipmon.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [pipmon] pipmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Cwap] "C:\WINDOWS\system32\TSKS~1\logonui.exe" -vt yazb (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Govqdqvj] C:\WINDOWS\system32\s?stem\??rvices.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Cwap] "C:\WINDOWS\system32\TSKS~1\logonui.exe" -vt yazb (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\Poker.exe (HKCU)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144701120484
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA5B8AC9-DE74-44B0-9FBE-7950B95D2704}: NameServer = 4.2.2.1,4.2.2.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: vHdaxqUCGS - {CCCC9172-6666-3BD8-53BE-3384AFFC4B8B} - C:\WINDOWS\system32\oimp.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe

--
End of file - 5464 bytes

Angelfire777
2007-08-25, 13:53
Hi, welcome to Safer Networking Forums!

I noticed that you are not running any AntiVirus application. You could get infected immediately after we clean you up. Please download and install ONE of these:

» Avast! (http://www.asw.cz/eng/avast_4_home.html)
» AVG AntiVirus (http://free.grisoft.com/doc/5390/lng/us/tpl/v5#avg-anti-virus-free)
» AntiVir (http://www.free-av.com/)
___

*Look in your Control Panel's Add/Remove Programs for any of these and uninstall them:

Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
or anything similar with Oin or Outerinfo in it.
Zolero
Tizzletalk
MediaTickets
Cowabanga

*Download and run this uninstaller:
http://www.outerinfo.com/OiUninstaller.exe

Tutorial for the uninstaller if needed (http://www.outerinfo.com/howto.html)

Reboot when done.
____

Download combofix.exe (http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe)

1. Save it to your desktop.
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
____

HJT Uninstall list
Open HijackThis > Click "Misc Tools Section"
Click "Open Uninstall Manager".
Click "Save List".
Save it to your Desktop.
Copy the contents of the file to your next reply.
_____

I would like you to scan a file for me. This is surely an infection but I want to know what it is.

Please go HERE (http://virusscan.jotti.org/). Copy and paste the following file path in to the box.

C:\WINDOWS\system32\oimp.dll

Then click submit.

Please post the results to your next reply.

If Jotti is too busy, you can go HERE (www.virustotal.com) and do the same as above.
_____

On your next reply, please include a
Fresh HijackThis log.
HJT uninstall list.
combofix log.
jotti results
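As an added example (mine, not the thread's or HijackThis's own code), the following Python script parses lines in the HijackThis log format posted above and flags the kinds of entries the helper is homing in on: autoruns under the SYSTEM hive that use undisplayable characters or an 8.3 short-name folder inside system32, unnamed BHOs loading from system32, and non-default Winlogon Notify and SSODL entries. The sample lines are constructed from entries in this thread; the rules are review heuristics for prioritising a log, not a verdict on any file.

```python
import re

# Constructed sample in HijackThis 2.0.2 line format, modelled on entries that
# appear in the logs posted in this thread (not a full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKUS\S-1-5-18\..\Run: [Cwap] "C:\WINDOWS\system32\TSKS~1\logonui.exe" -vt yazb (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Govqdqvj] C:\WINDOWS\system32\s?stem\??rvices.exe (User 'SYSTEM')
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9B060433-B8A2-B658-D8D2-E0ABAF77009C} - C:\WINDOWS\system32\kuk.dll
O20 - Winlogon Notify: hgghfcb - C:\WINDOWS\SYSTEM32\hgghfcb.dll
O21 - SSODL: vHdaxqUCGS - {CCCC9172-6666-3BD8-53BE-3384AFFC4B8B} - C:\WINDOWS\system32\oimp.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# "O4 - ..." / "R1 - ...": section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")
# First absolute path ending in .dll/.exe. '?' is allowed because HijackThis
# prints '?' for characters it cannot display (see the Govqdqvj entry).
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\s]+?\.(?:dll|exe))', re.IGNORECASE)
SYSTEM32_RE = re.compile(r"\\system32\\", re.IGNORECASE)
# An 8.3 short-name directory (XXXX~1) sitting directly under system32.
SHORT_SYS32_RE = re.compile(r"\\system32\\[^\\]*~\d+\\", re.IGNORECASE)


def parse_entry(line):
    """Split one HijackThis line into (section, body); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("sec"), m.group("body")) if m else None


def extract_path(body):
    """Return the first DLL/EXE path in an entry body, or None."""
    m = PATH_RE.search(body)
    return m.group(1) if m else None


def triage_entry(sec, body):
    """Return the reasons a human should review this entry (empty = nothing noted).
    These are heuristics for prioritising review, not a verdict."""
    reasons = []
    if sec == "O4":
        if "?" in body:
            reasons.append("undisplayable characters in autorun path")
        if SHORT_SYS32_RE.search(body):
            reasons.append("8.3 short-name subfolder directly under system32")
        if "HKUS\\S-1-5-18" in body or "HKUS\\.DEFAULT" in body:
            reasons.append("Run entry in the SYSTEM or Default user hive")
    elif sec == "O2" and "(no name)" in body and SYSTEM32_RE.search(body):
        reasons.append("unnamed BHO loading from system32")
    elif sec == "O20":
        reasons.append("non-default Winlogon Notify DLL")
    elif sec == "O21":
        reasons.append("non-default ShellServiceObjectDelayLoad entry")
    return reasons


def triage_log(text):
    """Return [(section, path, reasons)] for every entry with at least one
    reason, in log order."""
    findings = []
    for line in text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        sec, body = parsed
        reasons = triage_entry(sec, body)
        if reasons:
            findings.append((sec, extract_path(body), reasons))
    return findings


if __name__ == "__main__":
    for sec, path, reasons in triage_log(SAMPLE_LOG):
        print(f"{sec:4} {path}")
        for r in reasons:
            print(f"       - {r}")
```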

meatwad
2007-08-25, 23:37
I am not able to access the add/remove programs window. Nothing happens when I click on it. I did uninstall OIM with the uninstaller you provided though.

Also, when I hit control alt delete, the task manager does not start. I am also not able to start system restore through the msconfig window.

I have downloaded avast, and will scan with that. I have tried scanning that one file on both of the sites you mentioned and neither of them seems to respond. Also, when I run combofix, I get a "COMSPEC ERROR".

I hope I'm not past the point of being able to recover my system.

Here is a fresh HJT scan and uninstall log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:33:48 PM, on 8/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\pipmon.exe
C:\WINDOWS\system32\pipmon.exe
C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5821DB5D-527A-4953-A13B-2F8D14AC4300} - C:\Program Files\Common Files\hose455101.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {9B060433-B8A2-B658-D8D2-E0ABAF77009C} - C:\WINDOWS\system32\kuk.dll
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: (no name) - {eb89e365-71df-4d4f-8708-04a5b1b8f2d2} - C:\WINDOWS\system32\iseltjy.dll
O2 - BHO: (no name) - {F4002052-AB29-4B33-8C8D-0E99084564EC} - C:\WINDOWS\system32\hgghfcb.dll
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [pipmon] pipmon.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA9926] command /c del "C:\WINDOWS\system32\hgghfcb.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6145] cmd /c del "C:\WINDOWS\system32\hgghfcb.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6950] command /c del "C:\WINDOWS\system32\geeda.dll_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8939] cmd /c del "C:\WINDOWS\system32\geeda.dll_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\RunOnce: [SpybotDeletingB265] command /c del "C:\WINDOWS\system32\hgghfcb.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9446] cmd /c del "C:\WINDOWS\system32\hgghfcb.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4194] command /c del "C:\WINDOWS\system32\geeda.dll_tobedeleted_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4774] cmd /c del "C:\WINDOWS\system32\geeda.dll_tobedeleted_old"
O4 - HKUS\S-1-5-18\..\Run: [Cwap] "C:\WINDOWS\system32\TSKS~1\logonui.exe" -vt yazb (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Govqdqvj] C:\WINDOWS\system32\s?stem\??rvices.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Cwap] "C:\WINDOWS\system32\TSKS~1\logonui.exe" -vt yazb (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\Poker.exe (HKCU)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144701120484
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA5B8AC9-DE74-44B0-9FBE-7950B95D2704}: NameServer = 4.2.2.1,4.2.2.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: hgghfcb - C:\WINDOWS\SYSTEM32\hgghfcb.dll
O20 - Winlogon Notify: winlbi32 - C:\WINDOWS\SYSTEM32\winlbi32.dll
O21 - SSODL: vHdaxqUCGS - {CCCC9172-6666-3BD8-53BE-3384AFFC4B8B} - C:\WINDOWS\system32\oimp.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe

--
End of file - 8003 bytes



Adobe Bridge 1.0
Adobe Common File Installer
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8.1.0
Adobe Shockwave Player
Adobe Stock Photos 1.0
Adobe® Photoshop® Album Starter Edition 3.0
AOL Instant Messenger
Apple Mobile Device Support
Apple Software Update
ASIO4ALL
Ask Toolbar
Audacity 1.2.6
AutoIt v3.2.0.1
avast! Antivirus
Azureus
Bookworm Adventures (remove only)
Bullet Reader
BulletProof FTP Server (remove only)
Cablenut 4.08
CDDRV_Installer
Collab
Comcast High-Speed Internet Install Wizard
Disc2Phone
Far Manager v1.70
FL Studio 7
FlashFXP v3
Full Tilt Poker
Gadu-Gadu 7.6
Google Earth
HDD Unlock Wizard v3.0
HHD Software Hex Editor 3.12
HijackThis 2.0.2
Holdem Bot vNEURAL 1.3
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB926239)
hp photosmart printer series (Remove only)
IL Download Manager
Intel(R) PRO Network Adapters and Drivers
iTunes
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
Japanese Language Support
Jasc Animation Shop 3
Java(TM) SE Runtime Environment 6
Java(TM) SE Runtime Environment 6 Update 1
KhalSetup
Kid Pix Deluxe 3
K-Lite Codec Pack 2.85 Full
LimeWire PRO 4.14.8
Logitech SetPoint
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Professional 2007
Microsoft Office Professional Edition 2003
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Plus! Digital Media Edition
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Application Compatibility Database
mIRC
Mozilla Firefox (2.0.0.6)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Nero 7 Ultra Edition
neroxml
NVIDIA Drivers
OpenOffice.org 2.2
Paradise Poker
PartyPoker
PokerStars
PowerISO
QuickTime
Realtek AC'97 Audio
SATARaid
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Excel 2007 (KB936509)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Office 2007 (KB934062)
Security Update for Office 2007 (KB936514)
Security Update for Publisher 2007 (KB936646)
Security Update for the 2007 Microsoft Office System (KB936960)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Skype 3.0
Skype Plugin Manager
SNMPcfg Admin 1.4
Sony Ericsson PC Suite
Sound Blaster Audigy LS
Spybot - Search & Destroy 1.4
Total Video Converter 3.02
Update for Office 2007 (KB932080)
Update for Office 2007 (KB934391)
Update for Office 2007 (KB934393)
Update for Outlook 2007 (KB937608)
Update for Outlook 2007 Junk Email Filter (kb936644)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB910437)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Word 2007 (KB934173)
Viewpoint Media Player
Virtual Hottie 2
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
WinXMedia CD MP3/WAV/WMA Converter 1.0.91c
Yahoo! Toolbar

Angelfire777
2007-08-26, 04:19
Hi,


I hope I'm not past the point of being able to recover my system

Don't worry, that isn't all we've got. Those things will never succeed. What you're describing are policies that have been set by infections on your machine.

It seems that something has also modified the ComSpec variable on your machine, which will produce such an error.

Go to Start Menu > Right click My Computer > click Properties > click Advanced.
Click Environment Variables and under "System variables" look for "ComSpec". Make sure it points to C:\windows\system32\cmd.exe. If not, highlight "ComSpec" then click Edit. Copy and paste this in the "Variable value" box: %SystemRoot%\system32\cmd.exe and click OK, then OK.

After that, try running combofix again.

meatwad
2007-08-26, 07:50
I go to start on taskbar, right click my computer, and click on properties, but nothing happens.

By "start menu" you mean the start button on the taskbar right?

I also went to C:\Documents and Settings\Mike\Start Menu and tried accessing it through the navigation pane on the left but still no luck.

Looks like we got quite a challenge on our hands, huh?

Angelfire777
2007-08-26, 09:42
Hi,


By "start menu" you mean the start button on the taskbar right?

Yes.


Looks like we got quite a challenge on our hands, huh?

You're right but as I have told you, we will never let this thing win.
______

Backup Your Registry with ERUNT
Please use the following link and scroll down to ERUNT and download it.
http://aumha.org/freeware/freeware.php
For version with the Installer:
Use the setup program to install ERUNT on your computer
For the zipped version:
Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe


Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type fix.reg in the File name and save it to your desktop.


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
"ComSpec"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,\
00,6d,00,64,00,2e,00,65,00,78,00,65,00,00,00




Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Close notepad. Make sure that all windows are closed.

Find the fix.reg file on your desktop.
Double click it.
It will then ask if you want the file merged to your registry.
Answer Yes.

Reboot then try to run combofix again.
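Before merging a .reg file like the one above, it is worth confirming what it actually writes. This added Python example (mine, not the helper's and not part of ERUNT or any tool in the thread) parses the posted text, folds the backslash-continued lines, decodes the hex(2) bytes as the UTF-16LE REG_EXPAND_SZ string they encode, and checks that ComSpec ends up pointing at cmd.exe under system32. It accepts both the "Windows Registry Editor Version 5.00" header used above and the older REGEDIT4 header; the posted registry text is embedded as constructed input so the check runs offline.

```python
import re

# The fix.reg text posted above, embedded here as constructed input.
FIX_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
"ComSpec"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,\
00,6d,00,64,00,2e,00,65,00,78,00,65,00,00,00

'''

ENV_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment"
# Registry type ids as they appear in hex(N): values.
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')
HEX_RE = re.compile(r"^hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<bytes>[0-9a-fA-F,]*)$")


def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from a minimal .reg file.
    Only quoted REG_SZ and hex(...) values are understood; a trailing backslash
    continues the value on the next line, as in the posted fix."""
    joined = re.sub(r"\\\r?\n\s*", "", text)   # fold continuation lines
    keys, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue                           # blank or header line (5.00 or legacy)
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data")
    return keys


def decode_value(data):
    """Decode the right-hand side of a .reg value into (type_name, value)."""
    if data.startswith('"') and data.endswith('"'):
        # REG_SZ literal: .reg escapes quotes and backslashes with a backslash.
        return "REG_SZ", data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    m = HEX_RE.match(data)
    if not m:
        raise ValueError("unsupported value syntax: " + data)
    type_id = int(m.group("type") or "3", 16)
    raw = bytes(int(b, 16) for b in m.group("bytes").split(",") if b)
    if type_id in (1, 2):
        # String types are stored as UTF-16LE with a terminating NUL.
        return REG_TYPES[type_id], raw.decode("utf-16-le").rstrip("\x00")
    return REG_TYPES.get(type_id, "hex(%x)" % type_id), raw


def check_comspec_fix(reg_text):
    """Return (ok, detail): ok is True only if the file sets ComSpec under the
    Environment key to a REG_EXPAND_SZ naming cmd.exe in the system directory."""
    values = parse_reg(reg_text).get(ENV_KEY, {})
    if "ComSpec" not in values:
        return False, "ComSpec is not set under " + ENV_KEY
    reg_type, value = decode_value(values["ComSpec"])
    if reg_type != "REG_EXPAND_SZ":
        return False, "ComSpec should be REG_EXPAND_SZ (hex(2)) so %SystemRoot% expands, got " + reg_type
    # Accept the expandable form and the literal default path the helper mentions.
    expected = (r"%systemroot%\system32\cmd.exe", r"c:\windows\system32\cmd.exe")
    if value.lower() not in expected:
        return False, "ComSpec does not point at system32\\cmd.exe: " + value
    return True, value


if __name__ == "__main__":
    print(check_comspec_fix(FIX_REG))
```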

meatwad
2007-08-26, 10:56
I cannot open notepad. I try to open it but it does nothing.

However, WordPad does work. I copied the code as you said, with one blank line at the end; however, I could not find "REGEDIT4" anywhere in the code. I saved the file and merged it with the registry. I restarted and tried running ComboFix again. The blue window comes up for a second and then disappears. Nothing else happens.

I should mention that in my attempt to remove this malware, I have messed with the "services" options in the control panel. I have turned some on and turned some off. However, I know for a fact that task manager and system restore and add/remove program all did not work before I started messing with those options.

Angelfire777
2007-08-26, 11:16
Hi,


I should mention that in my attempt to remove this malware, I have messed with the "services" options in the control panel. I have turned some on and turned some off. However, I know for a fact that task manager and system restore and add/remove program all did not work before I started messing with those options.

Do you remember what you have turned on or off? You should turn them back to the way they were. It'll be harder to clean a system that has been tampered with.


However, wordpad does work. I copied the code as you said with one blank line at the end however I could not find "REGEDIT4" anywhere in the code. I saved the file and merged it with the registry. I restarted and tried running combo fix again. The blue window comes up for a second and then disappears. Nothing else happens.

Not sure how the regfix worked in wordpad but it looks like ComSpec was fixed. Looks like a path variable problem now.

Download FIXPATH2.ZIP by Bill Stewart to your Desktop.
http://internet.cybermesa.com/~bstewart/files/fixpath2.zip
Extract the files to a folder in C:\ - like C:\FIXPATH2 (make a folder like that to extract the files to).
Open a command prompt window by going to Start > Run type: cmd and click Ok.
At the command prompt, type: cd C:\ and press Enter, so you should get C:\>.
Then type: cd FIXPATH2 and press Enter, so you should get: C:\>fixpath2.
Then type: FIXPATH.EXE and press Enter.
It will display some preliminary information, and ask if it should continue and check for errors. Click Yes.
If it successfully updates the Path value in the registry, you will need to reboot for the change to take effect. !! This is really important !!

See if you can run combofix.

meatwad
2007-08-26, 19:14
I ran fixpath but I think it did not do anything. It simply said that everything was correct.

I restarted and tried combofix again, but it does the same thing.

I went back to services and turned everything back to the way they were. (I wrote down which ones I had switched).

Angelfire777
2007-08-27, 03:10
Let's try to clean the machine another way.

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your Desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
________

After that, I want to see what else is messed up in your machine, so:

Download Deckard's System Scanner (http://www.techsupportforum.com/sectools/Deckard/dss.exe) to your Desktop.

Note: You must be logged onto an account with administrator privileges.

1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, a text file will open - main.txt <<this one will be maximized, and extra.txt <<this one will be minimized.
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply.
5. Please copy and paste the contents of main.txt and extra.txt to your post.

meatwad
2007-08-27, 07:19
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:59 PM, on 8/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: (no name) - {eb89e365-71df-4d4f-8708-04a5b1b8f2d2} - C:\WINDOWS\system32\iseltjy.dll
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [pipmon] pipmon.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [xem] C:\WINDOWS\ServicePackFiles\winlogon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ShareSearcher] c:\jnkk.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKCU\..\Run: [Xbfspkmh] "C:\Documents and Settings\Mike\My Documents\?ymantec\d?xplore.exe"
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.2\webbuying.exe
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-18\..\Run: [Cwap] "C:\WINDOWS\system32\TSKS~1\logonui.exe" -vt yazb (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Govqdqvj] C:\WINDOWS\system32\s?stem\??rvices.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Cwap] "C:\WINDOWS\system32\TSKS~1\logonui.exe" -vt yazb (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: SATARaid.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\Poker.exe (HKCU)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144701120484
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA5B8AC9-DE74-44B0-9FBE-7950B95D2704}: NameServer = 4.2.2.1,4.2.2.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: hgghfcb - hgghfcb.dll (file missing)
O20 - Winlogon Notify: winlbi32 - winlbi32.dll (file missing)
O21 - SSODL: vHdaxqUCGS - {CCCC9172-6666-3BD8-53BE-3384AFFC4B8B} - C:\WINDOWS\system32\oimp.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe

--
End of file - 8009 bytes

meatwad
2007-08-27, 07:20
Deckard's System Scanner v20070826.66
Run by Mike on 2007-08-26 23:11:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 3 Restore Point(s) --
3: 2007-08-27 04:11:19 UTC - RP3 - Deckard's System Scanner Restore Point
2: 2007-08-26 23:35:06 UTC - RP2 - System Checkpoint
1: 2007-08-25 23:10:10 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-08-26 23:14:08
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Mike\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: (no name) - {eb89e365-71df-4d4f-8708-04a5b1b8f2d2} - C:\WINDOWS\system32\iseltjy.dll
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKEY_LOCAL_MACHINE\..\Run: [nwiz] nwiz.exe /install
O4 - HKEY_LOCAL_MACHINE\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKEY_LOCAL_MACHINE\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [pipmon] pipmon.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [xem] C:\WINDOWS\ServicePackFiles\winlogon.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [ShareSearcher] c:\jnkk.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [runner1] C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKEY_LOCAL_MACHINE\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKEY_LOCAL_MACHINE\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKEY_LOCAL_MACHINE\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKCU\..\Run: [Xbfspkmh] "C:\Documents and Settings\Mike\My Documents\?ymantec\d?xplore.exe"
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.2\webbuying.exe
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: SATARaid.lnk = C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra 'Tools' menuitem: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra 'Tools' menuitem: (no name) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144701120484
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{BA5B8AC9-DE74-44B0-9FBE-7950B95D2704}: NameServer = 4.2.2.1,4.2.2.2
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: hgghfcb - C:\WINDOWS\system32\hgghfcb.dll (file missing)
O20 - Winlogon Notify: winlbi32 - C:\WINDOWS\system32\winlbi32.dll (file missing)
O21 - SSODL: vHdaxqUCGS - {CCCC9172-6666-3BD8-53BE-3384AFFC4B8B} - C:\WINDOWS\system32\oimp.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"
O23 - Service: Apple Mobile Device - Apple, Inc. - "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Microsoft Corp., Veritas Software - C:\WINDOWS\System32\dmadmin.exe /com
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\hphipm09.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

S1 InCDPass - c:\windows\system32\drivers\incdpass.sys (file missing)
S1 InCDRm (InCD Reader) - c:\windows\system32\drivers\incdrm.sys (file missing)
S2 HidCom (USB-HID -> COM Driver Service) - c:\windows\system32\drivers\hidcom.sys <Not Verified; Cypress Semiconductor; Cypress Semiconductor HidCom>
S3 ggsemc (Sony Ericsson USB Flash Driver) - c:\windows\system32\drivers\ggsemc.sys <Not Verified; Sony Ericsson Mobile Communications; Gordon's Gate>
S3 LHidUsbK (Logitech SetPoint USB Receiver Device Driver) - c:\windows\system32\drivers\lhidusbk.sys <Not Verified; Logitech, Inc.; Logitech SetPoint(TM)>
S3 LUsbKbd (Logitech SetPoint USB Keyboard Filter) - c:\windows\system32\drivers\lusbkbd.sys <Not Verified; Logitech, Inc.; Logitech SetPoint(TM)>
S4 InCDFs (InCD File System) - c:\windows\system32\drivers\incdfs.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
S3 Pml Driver - c:\windows\system32\hphipm09.exe <Not Verified; HP; HP PML>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-08-17 15:04:04 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-07-26 and 2007-08-26 -----------------------------

2007-08-26 23:04:32 0 d-------- C:\VundoFix Backups
2007-08-26 10:58:13 0 d-------- C:\fixpath2
2007-08-25 15:23:39 0 d-------- C:\Program Files\Alwil Software
2007-08-25 01:36:35 0 d-------- C:\Program Files\Trend Micro
2007-08-25 01:02:27 1628649 --ahs---- C:\WINDOWS\system32\adeeg.bak1
2007-08-25 00:43:56 0 d-------- C:\WINDOWS\ERUNT
2007-08-24 22:29:23 0 d-------- C:\WINDOWS\CSC
2007-08-23 10:43:54 245 --a------ C:\WINDOWS\tmp375203.bat
2007-08-23 10:43:34 35605 --a------ C:\WINDOWS\system32\ezhfjf32.dll
2007-08-23 10:41:39 0 d-------- C:\WINDOWS\system32\s?stem
2007-08-23 10:41:36 1174840 --a------ C:\Documents and Settings\LocalService\Application Data\Install.dat
2007-08-23 10:41:35 1174840 --a------ C:\Documents and Settings\NetworkService\Application Data\Install.dat
2007-08-23 10:41:27 0 d-------- C:\WINDOWS\ServicePackFiles
2007-08-23 10:41:22 224654 --a------ C:\WINDOWS\system32\Setup155.exe
2007-08-23 10:41:21 0 d-------- C:\Documents and Settings\LocalService\Application Data\??crosoft
2007-08-23 10:41:19 0 d-------- C:\Documents and Settings\NetworkService\Application Data\?ymbols
2007-08-23 10:41:14 0 d-------- C:\Documents and Settings\NetworkService\Start Menu
2007-08-23 10:41:13 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2007-08-23 10:41:10 0 d-------- C:\WINDOWS\system32\T?sks
2007-08-20 04:40:36 9699328 --a------ C:\Documents and Settings\Mike\ntuser.dat
2007-08-20 00:42:14 2 --a------ C:\-859008655
2007-08-20 00:42:05 0 d--hs---- C:\WINDOWS\TWlrZQ
2007-08-20 00:42:03 171520 --a------ C:\WINDOWS\system32\iseltjy.dll
2007-08-20 00:42:02 0 d-------- C:\WINDOWS\system32\tmps7
2007-08-20 00:42:02 0 d-------- C:\WINDOWS\system32\ICM23
2007-08-20 00:42:02 0 d-------- C:\WINDOWS\system32\dllsz
2007-08-20 00:42:02 0 d-------- C:\WINDOWS\system32\cofig1
2007-08-20 00:42:00 0 d-------- C:\WINDOWS\system32\f03WtR
2007-08-20 00:42:00 0 d-------- C:\Temp
2007-08-18 18:47:30 0 d-------- C:\Documents and Settings\Mike\.NationsPhoto
2007-08-18 18:47:27 0 d-------- C:\Documents and Settings\Mike\.roescache
2007-08-18 03:02:27 0 d-------- C:\Program Files\MSXML 4.0
2007-08-17 15:21:29 0 d-------- C:\Program Files\iPod
2007-08-17 15:21:24 0 d-------- C:\Program Files\iTunes
2007-08-17 15:03:55 0 d-------- C:\Program Files\Apple Software Update
2007-08-17 15:02:49 0 d-------- C:\Program Files\Common Files\Apple
2007-08-17 15:02:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-08-09 19:47:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-08-09 19:43:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2007-08-09 19:42:17 0 d-------- C:\Program Files\Yahoo! Games
2007-08-07 15:30:01 176128 --a------ C:\Program Files\TTX.exe


-- Find3M Report ---------------------------------------------------------------

2007-08-25 16:14:02 0 d-------- C:\Program Files\Common Files
2007-08-25 01:09:36 0 d-------- C:\Documents and Settings\Mike\Application Data\LimeWire
2007-08-23 10:43:31 17408 --a------ C:\WINDOWS\system32\svchost.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-08-22 20:59:13 0 d-------- C:\Program Files\Symantec
2007-08-22 20:59:13 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-22 20:58:48 0 d-------- C:\Program Files\Norton AntiVirus
2007-08-21 22:48:12 0 d-------- C:\Documents and Settings\Mike\Application Data\Azureus
2007-08-20 23:47:06 0 d-------- C:\Program Files\LimeWire
2007-08-20 00:31:32 0 d-------- C:\Program Files\Azureus
2007-08-15 18:38:50 0 d-------- C:\Documents and Settings\Mike\Application Data\Adobe
2007-08-09 23:06:29 0 d-------- C:\Program Files\FlashFXP
2007-08-09 19:47:50 0 dr-h----- C:\Documents and Settings\Mike\Application Data\yahoo!
2007-08-09 19:42:38 0 d-------- C:\Program Files\Yahoo!
2007-07-27 14:01:59 0 d-------- C:\Program Files\AIM
2007-07-18 16:40:10 0 d-------- C:\Program Files\mIRC
2007-07-06 14:40:24 204800 --a------ C:\WINDOWS\g4356cbvy63.exe <Not Verified; ; q432gf65>
2007-07-04 20:10:16 0 d-------- C:\Program Files\Google
2007-06-25 08:54:32 94208 --a------ C:\WINDOWS\uni_eh44.exe <Not Verified; ; uni_eh44.exe>
2007-06-25 08:53:26 65536 --a------ C:\WINDOWS\uninst1014.exe <Not Verified; ; uninst1016>
2007-06-13 05:23:07 1072640 --a------ C:\WINDOWS\explorer.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [10/22/2006 01:22 PM C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/22/2006 01:22 PM C:\WINDOWS\system32\nvcpl.dll]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM C:\WINDOWS\system32\NeroCheck.exe]
"pipmon"="pipmon.exe" []
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07/27/2007 05:03 PM C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe]
"xem"="C:\WINDOWS\ServicePackFiles\winlogon.exe" []
"SoundMan"="SOUNDMAN.EXE" [10/08/2003 04:41 AM C:\WINDOWS\SOUNDMAN.EXE]
"ShareSearcher"="c:\jnkk.exe" []
"runner1"="C:\WINDOWS\retadpu1000106.exe" []
"NWEReboot"="" []
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [01/23/2007 03:44 PM C:\WINDOWS\KHALMNPR.Exe]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"HPHmon03"="C:\WINDOWS\system32\hphmon03.exe" [01/13/2006 01:46 AM C:\WINDOWS\system32\hphmon03.exe]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [01/13/2006 01:46 AM C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Xbfspkmh"="C:\Documents and Settings\Mike\My Documents\?ymantec\d?xplore.exe" []
"WebBuying"="C:\Program Files\Web Buying\v1.8.2\webbuying.exe" []
"ttool"="C:\WINDOWS\9129837.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM C:\Program Files\Messenger\msmsgs.exe]
"AIM"="C:\Program Files\AIM\aim.exe" [08/05/2005 03:08 PM C:\Program Files\AIM\aim.exe]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Cwap"="C:\WINDOWS\system32\TSKS~1\logonui.exe" -vt yazb
"Govqdqvj"=C:\WINDOWS\system32\s?stem\??rvices.exe


-- End of Deckard's System Scanner: finished at 2007-08-26 23:14:55 ------------

meatwad
2007-08-27, 07:21
Deckard's System Scanner v20070826.66
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 3.40GHz
CPU 1: Intel(R) Pentium(R) 4 CPU 3.40GHz
Percentage of Memory in Use: 32%
Physical Memory (total/avail): 1023.48 MiB / 694.56 MiB
Pagefile Memory (total/avail): 2462.86 MiB / 2237.62 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1943.82 MiB

A: is Removable (Unformatted)
C: is Fixed (NTFS) - 186.31 GiB total, 53.58 GiB free.
D: is CDROM (No Media)
E: is CDROM (Unformatted)
F: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - WDC WD2000JD-00GBB0 - 186.31 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 186.31 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: Norton Internet Worm Protection v2005 (Symantec)
AV: Norton AntiVirus 2005 v2005 (Symantec Corporation) Outdated
AV: avast! antivirus 4.7.1029 [VPS 000768-5] v4.7.1029 (ALWIL Software)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Mike\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MIKE-783D3D2DC6
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFAULT_CA_NR=CA6
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Mike
LOGONSERVER=\\MIKE-783D3D2DC6
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Teleca Shared;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\K-Lite Codec Pack\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Mike\LOCALS~1\Temp
TMP=C:\DOCUME~1\Mike\LOCALS~1\Temp
USERDOMAIN=MIKE-783D3D2DC6
USERNAME=Mike
USERPROFILE=C:\Documents and Settings\Mike
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Mike (admin)
Monika
Poker


-- Add/Remove Programs ---------------------------------------------------------



-- Application Event Log -------------------------------------------------------

Event Record #/Type18504 / Error
Event Submitted/Written: 08/26/2007 11:09:20 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application aim.exe, version 5.9.3861.0, faulting module unknown, version 0.0.0.0, fault address 0x1221254f.
Processing media-specific event for [aim.exe!ws!]

Event Record #/Type18499 / Error
Event Submitted/Written: 08/26/2007 03:31:44 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application aim.exe, version 5.9.3861.0, faulting module unknown, version 0.0.0.0, fault address 0x1221254f.
Processing media-specific event for [aim.exe!ws!]

Event Record #/Type18495 / Error
Event Submitted/Written: 08/26/2007 11:03:00 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application aim.exe, version 5.9.3861.0, faulting module unknown, version 0.0.0.0, fault address 0x1221254f.
Processing media-specific event for [aim.exe!ws!]

Event Record #/Type18493 / Error
Event Submitted/Written: 08/26/2007 03:00:25 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application aim.exe, version 5.9.3861.0, faulting module unknown, version 0.0.0.0, fault address 0x1221254f.
Processing media-specific event for [aim.exe!ws!]

Event Record #/Type18492 / Error
Event Submitted/Written: 08/26/2007 03:00:10 AM
Event ID/Source: 1505 / Userenv
Event Description:
Windows cannot load the user's profile but has logged you on with the default profile for the system.


DETAIL - A required privilege is not held by the client.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2075 / Error
Event Submitted/Written: 08/26/2007 02:42:27 AM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.

Event Record #/Type2065 / Error
Event Submitted/Written: 08/26/2007 02:42:24 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Application Layer Gateway Service service failed to start due to the following error:
%%1053

Event Record #/Type2064 / Error
Event Submitted/Written: 08/26/2007 02:42:24 AM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.

Event Record #/Type2048 / Error
Event Submitted/Written: 08/26/2007 02:42:20 AM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
Null

Event Record #/Type2047 / Error
Event Submitted/Written: 08/26/2007 02:42:14 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Remote Registry service failed to start due to the following error:
%%1079



-- End of Deckard's System Scanner: finished at 2007-08-26 23:14:55 ------------

VundoFix V6.5.7

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 11:04:32 PM 8/26/2007

Listing files found while scanning....

C:\WINDOWS\system32\hgghfcb.dll

Beginning removal...

Performing Repairs to the registry.
Done!

Angelfire777
2007-08-27, 08:28
Hi,

Do you still use Norton AntiVirus 2005 on your PC?

This doesn't look good. DSS didn't show me what I expected it would. We may need to dig for them manually later.

You seem to have had a few additions to your malware collection. Most of them are even bot-related. I recommend that if you do online banking, you avoid it for now while we are in the process of cleaning your machine.

This may not work, as ComboFix won't, but let's give it a try and see what happens.

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log and a new HijackThis Uninstall list

meatwad
2007-08-27, 15:24
I do not have Norton anymore.

I tried running SDFix in Safe Mode but it does the same thing as ComboFix. The blue screen shows up for a second and then disappears. I tried running it through the command line too with no luck.

I also tried restoring the registry using ERUNT but it still does the same thing.

Angelfire777
2007-08-27, 15:28
Hi,

As suspected, SDFix won't work either.

There's an indication in your DSS log that you are lacking a certain privilege on your machine, and that may be SeDebug, which may cause the problems.

Let's try this:

Download VX2Finder by Option^Explicit
http://www.downloads.subratam.org/VX2Finder.exe
Save it to your Desktop.
Double click VX2Finder.exe to run it.
Click the Restore Policy button on the right hand side, and then OK in the Administrator Policy window that opens.
Close the program.

Then try to run combofix or SDFix..If you could run both, that would be better.

meatwad
2007-08-28, 05:21
Ran the program and had to restart after clicking ok.

Still the same thing. Neither of the programs will run.

Angelfire777
2007-08-28, 10:42
Hi. Andy Manchesta, creator of SDFix, suggested that we scan something that may be causing the script errors.

I know that the first time you tried Jotti it wouldn't respond; please try again, and if it fails, follow the instructions below the scan.

I would like you to scan a file for me.

Please go HERE (http://virusscan.jotti.org/). Copy and paste the following file path in to the box.

C:\WINDOWS\system32\drivers\null.sys

Then click submit.

Please post the results to your next reply.

If Jotti is too busy, you can go HERE (www.virustotal.com) and do the same as above.
_________

If Jotti didn't work, do this:

Please download the Suspicious file Packer (http://www.safer-networking.org/files/sfp.zip) from Safer-Networking.Org and unzip it to your desktop.

Run SFP.exe.

Please copy the following lines into the Step 1: Paste Text window:

C:\WINDOWS\system32\drivers\null.sys

then click "Continue".

This will create a .cab file on your desktop named requested-files[Date/Time].cab

Next, please visit TheSpyKillers forum HERE (http://www.thespykiller.co.uk/index.php?board=1.0)

Read the first topic for instructions on uploading files then start a new Topic, name it null.sys for Andy. Post a link to this thread and upload the requested files.cab archive from your desktop.

Post back here and tell me how it went..Post the results if you have them.

meatwad
2007-08-28, 23:23
when i upload to virustotal.com, it comes up as "0 bytes received".

http://www.thespykiller.co.uk/index.php?topic=4818.0

Angelfire777
2007-08-29, 13:02
Hold on, I'll get the files to be analyzed.

Angelfire777
2007-08-30, 12:34
Hello.

As of now, we've got a lot of problems, and tools won't even work, so we'll give it a go manually.

I need you to do this first.

Download Gmer (http://www.majorgeeks.com/downloadget.php?id=5198&file=15&evp=3f18075291813a665b2a25536a70b307)
Disconnect from internet and close running programs.
There is a small chance this application may crash your computer, so save any work you have open.
Double click gmer.exe
Let the gmer.sys driver load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run a scan, say OK.
If no warning....
Click "Rootkit" tab and click "Scan"
Once done, click "Copy"
Open Notepad and hit "ctrl+v" to paste the log.
Reconnect to the internet and post the log back to this thread please.

meatwad
2007-08-31, 01:40
It keeps restarting with the blue screen of death at a certain point in the scan. The error message is

0X0000000000000BE

or something like that.

I stopped the scan as close to the point of restart as possible. This is what I got so far:


GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-08-30 17:39:04
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.13 ----

SSDT \??\C:\WINDOWS\system32\xpdx.sys ZwCreateKey
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT \??\C:\WINDOWS\system32\xpdx.sys ZwOpenKey
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT sptd.sys ZwSetValueKey
SSDT \??\C:\WINDOWS\system32\xpdx.sys ZwTerminateProcess

---- Kernel code sections - GMER 1.0.13 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? C:\WINDOWS\System32\Drivers\SPTD3037.SYS The process cannot access the file because it is being used by another process.
? C:\WINDOWS\System32\Drivers\dtscsi.sys The process cannot access the file because it is being used by another process.
? C:\WINDOWS\system32\xpdx.sys The system cannot find the file specified.

---- User code sections - GMER 1.0.13 ----

.text C:\WINDOWS\Explorer.EXE[368] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA27E1
.text C:\WINDOWS\Explorer.EXE[368] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA2835
.text C:\WINDOWS\Explorer.EXE[368] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA2842
.text C:\WINDOWS\Explorer.EXE[368] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA282E
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[520] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA27E1
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[520] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA2835
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[520] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA2842
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[520] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA282E
.text C:\WINDOWS\system32\hphmon03.exe[576] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA27E1
.text C:\WINDOWS\system32\hphmon03.exe[576] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA2835
.text C:\WINDOWS\system32\hphmon03.exe[576] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA2842
.text C:\WINDOWS\system32\hphmon03.exe[576] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA282E
.text C:\Program Files\Messenger\msmsgs.exe[616] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA27E1
.text C:\Program Files\Messenger\msmsgs.exe[616] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA2835
.text C:\Program Files\Messenger\msmsgs.exe[616] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA2842
.text C:\Program Files\Messenger\msmsgs.exe[616] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA282E
.text C:\Program Files\AIM\aim.exe[624] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA27E1
.text C:\Program Files\AIM\aim.exe[624] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA2835
.text C:\Program Files\AIM\aim.exe[624] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA2842
.text C:\Program Files\AIM\aim.exe[624] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA282E
.text C:\WINDOWS\system32\winlogon.exe[816] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF927E1
.text C:\WINDOWS\system32\winlogon.exe[816] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FF92835
.text C:\WINDOWS\system32\winlogon.exe[816] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FF92842
.text C:\WINDOWS\system32\winlogon.exe[816] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FF9282E
.text C:\WINDOWS\system32\services.exe[864] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF927E1
.text C:\WINDOWS\system32\services.exe[864] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FF92835
.text C:\WINDOWS\system32\services.exe[864] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FF92842
.text C:\WINDOWS\system32\services.exe[864] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FF9282E
.text C:\WINDOWS\system32\lsass.exe[904] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF927E1
.text C:\WINDOWS\system32\lsass.exe[904] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FF92835
.text C:\WINDOWS\system32\lsass.exe[904] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FF92842
.text C:\WINDOWS\system32\lsass.exe[904] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FF9282E
.text C:\WINDOWS\system32\svchost.exe[1052] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA27E1
.text C:\WINDOWS\system32\svchost.exe[1052] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA2835
.text C:\WINDOWS\system32\svchost.exe[1052] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA2842
.text C:\WINDOWS\system32\svchost.exe[1052] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA282E
.text C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA27E1
.text C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA2835
.text C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA2842
.text C:\WINDOWS\system32\svchost.exe[1100] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA282E
.text C:\WINDOWS\system32\dwwin.exe[1148] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA27E1
.text C:\WINDOWS\system32\dwwin.exe[1148] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA2835
.text C:\WINDOWS\system32\dwwin.exe[1148] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA2842
.text C:\WINDOWS\system32\dwwin.exe[1148] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA282E
.text C:\WINDOWS\System32\svchost.exe[1204] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF927E1
.text C:\WINDOWS\System32\svchost.exe[1204] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FF92835
.text C:\WINDOWS\System32\svchost.exe[1204] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FF92842
.text C:\WINDOWS\System32\svchost.exe[1204] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FF9282E
.text C:\Documents and Settings\Mike\Desktop\gmer\gmer.exe[1252] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA27E1
.text C:\Documents and Settings\Mike\Desktop\gmer\gmer.exe[1252] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA282E
.text C:\WINDOWS\system32\svchost.exe[1280] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA27E1
.text C:\WINDOWS\system32\svchost.exe[1280] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA2835
.text C:\WINDOWS\system32\svchost.exe[1280] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA2842
.text C:\WINDOWS\system32\svchost.exe[1280] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA282E
.text C:\WINDOWS\system32\svchost.exe[1372] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA27E1
.text C:\WINDOWS\system32\svchost.exe[1372] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA2835
.text C:\WINDOWS\system32\svchost.exe[1372] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA2842
.text C:\WINDOWS\system32\svchost.exe[1372] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA282E
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1588] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF927E1
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1588] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FF92835
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1588] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FF92842
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1588] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FF9282E

---- Kernel IAT/EAT - GMER 1.0.13 ----

IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F750BDB2] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F752171E] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IoGetAttachedDeviceReference] [F750C3B2] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IoGetDeviceObjectPointer] [F750C2B6] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IofCallDriver] [F750C482] sptd.sys
IAT dmio.sys[ntoskrnl.exe!IofCallDriver] [F750C482] sptd.sys
IAT dmio.sys[ntoskrnl.exe!IoGetAttachedDeviceReference] [F750C3B2] sptd.sys
IAT dmio.sys[ntoskrnl.exe!IoGetDeviceObjectPointer] [F750C2B6] sptd.sys
IAT PartMgr.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7521032] sptd.sys
IAT PartMgr.sys[ntoskrnl.exe!IoDetachDevice] [F750BF6E] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IofCompleteRequest] [F7520C76] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F750BE06] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74FEA32] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74FEB6E] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74FEAF6] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74FF6CC] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74FF5A2] sptd.sys
IAT disk.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7521864] sptd.sys
IAT \WINDOWS\system32\DRIVERS\CLASSPNP.SYS[ntoskrnl.exe!IoDetachDevice] [F7510F78] sptd.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!IofCompleteRequest] [F7520C76] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7520C82] sptd.sys
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7521864] sptd.sys
IAT \SystemRoot\system32\DRIVERS\rdbss.sys[ntoskrnl.exe!IofCallDriver] [F74FE020] sptd.sys
IAT \SystemRoot\system32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!IofCallDriver] [F74FE020] sptd.sys

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F78110B7] xpdx.sys
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 87396EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 87396EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 87396EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 87396EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 87396EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 87396EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 87396EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 87396EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 87396EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 87396EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 87396EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 87396EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 87396EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN
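Added example, not part of the thread and not GMER's own code: a Python triage script for the kind of GMER output posted above. It parses the SSDT, "Kernel code sections", ".text" user-mode inline-hook, IAT and Device lines, attributes each kernel hook to the module GMER names, and flags every hooking module that is not on a small allowlist. The allowlist is an assumption for this particular machine: sptd.sys (the Daemon Tools / Alcohol SCSI pass-through driver, consistent with the dtscsi.sys entry above) and aswTdi.SYS (the avast! network filter) hook the kernel legitimately. The sample log is constructed from lines copied out of the posted scan. The check worth automating is the combination GMER reports for xpdx.sys: it owns SSDT entries (ZwCreateKey, ZwOpenKey, ZwTerminateProcess) and the NTFS IRP_MJ_CREATE dispatch entry, yet "The system cannot find the file specified" for its path, i.e. a driver that is loaded in memory but whose file cannot be opened on disk. The script also lists which processes carry the 5-byte CALL patches on ntdll; in the posted log that is every listed process, winlogon.exe and lsass.exe included.

```python
"""Triage a GMER rootkit-scan log: attribute every kernel hook to a module, flag
modules outside an allowlist, and note any hooking driver GMER cannot find on disk."""
import re
from collections import defaultdict

# Assumed allowlist (not part of GMER): drivers known to hook the kernel legitimately
# and installed on the machine in this thread: sptd.sys (Daemon Tools / Alcohol SCSI
# pass-through) and aswTdi.SYS (avast! TDI network filter).
KNOWN_BENIGN = {"sptd.sys", "aswtdi.sys"}

# Constructed sample: lines copied from the GMER output posted in this thread.
SAMPLE_LOG = r"""
---- System - GMER 1.0.13 ----
SSDT \??\C:\WINDOWS\system32\xpdx.sys ZwCreateKey
SSDT sptd.sys ZwEnumerateKey
SSDT \??\C:\WINDOWS\system32\xpdx.sys ZwOpenKey
SSDT \??\C:\WINDOWS\system32\xpdx.sys ZwTerminateProcess

---- Kernel code sections - GMER 1.0.13 ----
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? C:\WINDOWS\system32\xpdx.sys The system cannot find the file specified.

---- User code sections - GMER 1.0.13 ----
.text C:\WINDOWS\Explorer.EXE[368] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA27E1
.text C:\WINDOWS\system32\winlogon.exe[816] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF927E1
.text C:\WINDOWS\system32\lsass.exe[904] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FF9282E

---- Kernel IAT/EAT - GMER 1.0.13 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74FEA32] sptd.sys

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F78110B7] xpdx.sys
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 87396EB0
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F781E8E6] aswTdi.SYS
"""

SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)$")
MISSING_RE = re.compile(r"^\?\s+(\S+)\s+(.*)$")
USER_RE = re.compile(r"^\.text\s+(.+?)\[(\d+)\]\s+(\S+)!(\w+)\s+([0-9A-F]+)\s+(\d+)\s+Bytes\s+(JMP|CALL)\s+([0-9A-F]+)")
IAT_RE = re.compile(r"^IAT\s+(\S+)\[(\S+)!(\w+)\]\s+\[([0-9A-F]+)\]\s+(\S+)")
DEVICE_RE = re.compile(r"^(Device|AttachedDevice)\s+(\S+)\s+(\S+)\s+(IRP_MJ_\w+)\s+(?:\[([0-9A-F]+)\]\s+(\S+)|([0-9A-F]+))$")

def module_name(path):
    """Reduce an NT or DOS path (or a bare driver name) to a lower-case file name."""
    return path.rsplit("\\", 1)[-1].lower()

def parse_gmer(text):
    """Split a GMER log into the hook categories the triage needs."""
    parsed = {"ssdt": [], "missing": set(), "user_hooks": [], "iat": [], "device": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            parsed["ssdt"].append((module_name(m[1]), m[2]))
        elif m := MISSING_RE.match(line):
            # GMER could not open the file behind a hook: deleted, or hidden by the rootkit.
            if "cannot find the file" in m[2]:
                parsed["missing"].add(module_name(m[1]))
        elif m := USER_RE.match(line):
            proc = m[1].rsplit("\\", 1)[-1]
            parsed["user_hooks"].append({"process": f"{proc}[{m[2]}]", "func": m[4],
                                         "patched_bytes": int(m[6]), "target": m[8]})
        elif m := IAT_RE.match(line):
            parsed["iat"].append({"victim": m[1], "import": f"{m[2]}!{m[3]}",
                                  "hooker": module_name(m[5])})
        elif m := DEVICE_RE.match(line):
            parsed["device"].append({"kind": m[1], "device": m[3], "irp": m[4],
                                     "module": module_name(m[6]) if m[6] else None})
    return parsed

def suspicious_modules(parsed, benign=KNOWN_BENIGN):
    """Hooks per module for every hooking module not on the allowlist, plus whether
    GMER reported that module's file as missing on disk (loaded but hidden)."""
    evidence = defaultdict(list)
    for mod, func in parsed["ssdt"]:
        evidence[mod].append(f"SSDT {func}")
    for entry in parsed["iat"]:
        evidence[entry["hooker"]].append(f"IAT {entry['victim']} {entry['import']}")
    for entry in parsed["device"]:
        if entry["module"]:  # unattributed addresses stay out of the per-module tally
            evidence[entry["module"]].append(f"{entry['kind']} {entry['device']} {entry['irp']}")
    return {mod: {"hooks": hooks, "missing_on_disk": mod in parsed["missing"]}
            for mod, hooks in evidence.items() if mod not in benign}

def hooked_processes(parsed):
    """Map each process to the ntdll functions GMER found inline-patched (5-byte CALL/JMP)."""
    per_proc = defaultdict(set)
    for hook in parsed["user_hooks"]:
        per_proc[hook["process"]].add(hook["func"])
    return {proc: sorted(funcs) for proc, funcs in per_proc.items()}

if __name__ == "__main__":
    parsed = parse_gmer(SAMPLE_LOG)
    for mod, info in suspicious_modules(parsed).items():
        state = "LOADED BUT NOT FOUND ON DISK" if info["missing_on_disk"] else "file present"
        print(f"[!] {mod}: {len(info['hooks'])} kernel hooks, {state}")
        for item in info["hooks"]:
            print("     ", item)
    for proc, funcs in hooked_processes(parsed).items():
        print(f"[i] {proc} inline-hooked: {', '.join(funcs)}")
```

Run it against a saved GMER log by replacing SAMPLE_LOG with the file contents. On the sample it reports xpdx.sys with four kernel hooks and the file missing on disk, leaves sptd.sys and aswTdi.SYS out of the suspicious list, and shows the same ntdll entry points patched in Explorer, winlogon and lsass. An allowlist only suppresses noise from drivers you have already identified; anything unfamiliar that owns SSDT or IRP dispatch entries still needs to be looked at.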

meatwad
2007-08-31, 01:41
IRP_MJ_CLOSE F79CFCFE
Device \Driver\Aspi32 \Device\MbMmDp32 IRP_MJ_DEVICE_CONTROL F79D0732
Device \Driver\Aspi32 \Device\MbMmDp32 IRP_MJ_CLEANUP F79CFCCC
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE 86F49448
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLOSE 86F49448
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_READ 86F49448
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_WRITE 86F49448
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FLUSH_BUFFERS 86F49448
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CONTROL 86F49448
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_INTERNAL_DEVICE_CONTROL 86F49448
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SHUTDOWN 86F49448
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_POWER 86F49448
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SYSTEM_CONTROL 86F49448
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_PNP 86F49448
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 86BAEEB0
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLOSE 86BAEEB0
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_DEVICE_CONTROL 86BAEEB0
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_INTERNAL_DEVICE_CONTROL 86BAEEB0
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLEANUP 86BAEEB0
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_PNP 86BAEEB0
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 86BAEEB0
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLOSE 86BAEEB0
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_DEVICE_CONTROL 86BAEEB0
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_INTERNAL_DEVICE_CONTROL 86BAEEB0
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLEANUP 86BAEEB0
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_PNP 86BAEEB0
Device \Driver\00000101 \Device\0000004d IRP_MJ_POWER [F7509EA8] sptd.sys
Device \Driver\00000101 \Device\0000004d IRP_MJ_SYSTEM_CONTROL [F751DA70] sptd.sys
Device \Driver\00000101 \Device\0000004d IRP_MJ_PNP [F7516728] sptd.sys
Device \Driver\NetBT \Device\NetBT_Tcpip_{3BBB868C-80C9-4DFC-B619-3D8E9E601850} IRP_MJ_CREATE 86BAEEB0
Device \Driver\NetBT \Device\NetBT_Tcpip_{3BBB868C-80C9-4DFC-B619-3D8E9E601850} IRP_MJ_CLOSE 86BAEEB0
Device \Driver\NetBT \Device\NetBT_Tcpip_{3BBB868C-80C9-4DFC-B619-3D8E9E601850} IRP_MJ_DEVICE_CONTROL 86BAEEB0
Device \Driver\NetBT \Device\NetBT_Tcpip_{3BBB868C-80C9-4DFC-B619-3D8E9E601850} IRP_MJ_INTERNAL_DEVICE_CONTROL 86BAEEB0
Device \Driver\NetBT \Device\NetBT_Tcpip_{3BBB868C-80C9-4DFC-B619-3D8E9E601850} IRP_MJ_CLEANUP 86BAEEB0
Device \Driver\NetBT \Device\NetBT_Tcpip_{3BBB868C-80C9-4DFC-B619-3D8E9E601850} IRP_MJ_PNP 86BAEEB0
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_CREATE B9558447
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_CREATE_NAMED_PIPE B9558447
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_CLOSE B9558447
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_READ B9558447
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_WRITE B9558447
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_QUERY_INFORMATION B9558447
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_SET_INFORMATION B9558447
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_QUERY_EA B9558447
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_SET_EA B9558447
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_FLUSH_BUFFERS B9558447
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_QUERY_VOLUME_INFORMATION B9558447
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_SET_VOLUME_INFORMATION B9558447
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_DIRECTORY_CONTROL B9558447
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_FILE_SYSTEM_CONTROL B9558447
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_DEVICE_CONTROL B9558447
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_INTERNAL_DEVICE_CONTROL B9558447
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_SHUTDOWN B9558447
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_LOCK_CONTROL B9558447
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_CLEANUP B9558447
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_CREATE_MAILSLOT B9558447
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_QUERY_SECURITY B9558447
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_SET_SECURITY B9558447
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_POWER B9558447
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_SYSTEM_CONTROL B9558447
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_DEVICE_CHANGE B9558447
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_QUERY_QUOTA B9558447
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_SET_QUOTA B9558447
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_PNP B9558447

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_READ [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F781E2C0] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp

meatwad
2007-08-31, 01:42
IRP_MJ_CLEANUP [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_POWER [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [F781E8E6] aswTdi.SYS

Device \Driver\NetBT \Device\NetBT_Tcpip_{BA5B8AC9-DE74-44B0-9FBE-7950B95D2704} IRP_MJ_CREATE 86BAEEB0
Device \Driver\NetBT \Device\NetBT_Tcpip_{BA5B8AC9-DE74-44B0-9FBE-7950B95D2704} IRP_MJ_CLOSE 86BAEEB0
Device \Driver\NetBT \Device\NetBT_Tcpip_{BA5B8AC9-DE74-44B0-9FBE-7950B95D2704} IRP_MJ_DEVICE_CONTROL 86BAEEB0
Device \Driver\NetBT \Device\NetBT_Tcpip_{BA5B8AC9-DE74-44B0-9FBE-7950B95D2704} IRP_MJ_INTERNAL_DEVICE_CONTROL 86BAEEB0
Device \Driver\NetBT \Device\NetBT_Tcpip_{BA5B8AC9-DE74-44B0-9FBE-7950B95D2704} IRP_MJ_CLEANUP 86BAEEB0
Device \Driver\NetBT \Device\NetBT_Tcpip_{BA5B8AC9-DE74-44B0-9FBE-7950B95D2704} IRP_MJ_PNP 86BAEEB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CREATE 873960E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CLOSE 873960E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_READ 873960E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_WRITE 873960E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_FLUSH_BUFFERS 873960E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_DEVICE_CONTROL 873960E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_INTERNAL_DEVICE_CONTROL 873960E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_SHUTDOWN 873960E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_POWER 873960E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_SYSTEM_CONTROL 873960E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_PNP 873960E8

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_READ [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F781E2C0] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [F781E8E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [F781E8E6] aswTdi.SYS

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSE 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSE 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 86D5FA40
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 86D5FA40
Device \Driver\symlcbrd \Device\SymantecBiosReader IRP_MJ_CREATE F79DF048
Device \Driver\symlcbrd \Device\SymantecBiosReader IRP_MJ_CLOSE F79DF048
Device \Driver\symlcbrd \Device\SymantecBiosReader IRP_MJ_DEVICE_CONTROL F79DF068
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE 86BE5A70
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE_NAMED_PIPE 86BE5A70
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CLOSE 86BE5A70
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_READ 86BE5A70
Device \FileSystem\Npfs \Device\NamedPipe

meatwad
2007-08-31, 01:43
IRP_MJ_WRITE 86BE5A70
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_INFORMATION 86BE5A70
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_SET_INFORMATION 86BE5A70
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_FLUSH_BUFFERS 86BE5A70
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_VOLUME_INFORMATION 86BE5A70
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_DIRECTORY_CONTROL 86BE5A70
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_FILE_SYSTEM_CONTROL 86BE5A70
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CLEANUP 86BE5A70
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_SECURITY 86BE5A70
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_SET_SECURITY 86BE5A70
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 87397C78
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_READ 87397C78
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_WRITE 87397C78
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_FLUSH_BUFFERS 87397C78
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_DEVICE_CONTROL 87397C78
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_INTERNAL_DEVICE_CONTROL 87397C78
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SHUTDOWN 87397C78
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CLEANUP 87397C78
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_POWER 87397C78
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SYSTEM_CONTROL 87397C78
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_PNP 87397C78
Device \Driver\aswRdr \Device\ASWRDR IRP_MJ_CREATE B936F314
Device \Driver\aswRdr \Device\ASWRDR IRP_MJ_CREATE_NAMED_PIPE B936F314
Device \Driver\aswRdr \Device\ASWRDR IRP_MJ_CLOSE B936F314
Device \Driver\aswRdr \Device\ASWRDR IRP_MJ_READ B936F314
Device \Driver\aswRdr \Device\ASWRDR IRP_MJ_WRITE B936F314
Device \Driver\aswRdr \Device\ASWRDR IRP_MJ_QUERY_INFORMATION B936F314
Device \Driver\aswRdr \Device\ASWRDR IRP_MJ_SET_INFORMATION B936F314
Device \Driver\aswRdr \Device\ASWRDR IRP_MJ_QUERY_EA B936F314
Device \Driver\aswRdr \Device\ASWRDR IRP_MJ_SET_EA B936F314
Device \Driver\aswRdr \Device\ASWRDR IRP_MJ_FLUSH_BUFFERS B936F314
Device \Driver\aswRdr \Device\ASWRDR IRP_MJ_QUERY_VOLUME_INFORMATION B936F314
Device \Driver\aswRdr \Device\ASWRDR IRP_MJ_SET_VOLUME_INFORMATION B936F314
Device \Driver\aswRdr \Device\ASWRDR IRP_MJ_DIRECTORY_CONTROL B936F314
Device \Driver\aswRdr \Device\ASWRDR IRP_MJ_FILE_SYSTEM_CONTROL B936F314
Device \Driver\aswRdr \Device\ASWRDR IRP_MJ_DEVICE_CONTROL B936F314
Device \Driver\aswRdr \Device\ASWRDR IRP_MJ_INTERNAL_DEVICE_CONTROL B936F2C0
Device \Driver\aswRdr \Device\ASWRDR IRP_MJ_SHUTDOWN B936F314
Device \Driver\aswRdr \Device\ASWRDR IRP_MJ_LOCK_CONTROL B936F314
Device \Driver\aswRdr \Device\ASWRDR IRP_MJ_CLEANUP B936F314
Device \Driver\aswRdr \Device\ASWRDR IRP_MJ_CREATE_MAILSLOT B936F314
Device \Driver\aswRdr \Device\ASWRDR IRP_MJ_QUERY_SECURITY B936F314
Device \Driver\aswRdr \Device\ASWRDR IRP_MJ_SET_SECURITY B936F314
Device \Driver\aswRdr \Device\ASWRDR IRP_MJ_POWER B936F314
Device \Driver\aswRdr \Device\ASWRDR IRP_MJ_SYSTEM_CONTROL B936F314
Device \Driver\aswRdr \Device\ASWRDR IRP_MJ_DEVICE_CHANGE B936F314
Device \Driver\aswRdr \Device\ASWRDR IRP_MJ_QUERY_QUOTA B936F314
Device \Driver\aswRdr \Device\ASWRDR IRP_MJ_SET_QUOTA B936F314
Device \Driver\aswRdr \Device\ASWRDR IRP_MJ_PNP B936F314
Device \Driver\aswRdr \Device\AswRdrTcpFilter IRP_MJ_CREATE B936F314
Device \Driver\aswRdr \Device\AswRdrTcpFilter IRP_MJ_CREATE_NAMED_PIPE B936F314
Device \Driver\aswRdr \Device\AswRdrTcpFilter IRP_MJ_CLOSE B936F314
Device \Driver\aswRdr \Device\AswRdrTcpFilter IRP_MJ_READ B936F314
Device \Driver\aswRdr \Device\AswRdrTcpFilter IRP_MJ_WRITE B936F314
Device \Driver\aswRdr \Device\AswRdrTcpFilter IRP_MJ_QUERY_INFORMATION B936F314
Device \Driver\aswRdr \Device\AswRdrTcpFilter IRP_MJ_SET_INFORMATION B936F314
Device \Driver\aswRdr \Device\AswRdrTcpFilter IRP_MJ_QUERY_EA B936F314
Device \Driver\aswRdr \Device\AswRdrTcpFilter IRP_MJ_SET_EA B936F314
Device \Driver\aswRdr \Device\AswRdrTcpFilter IRP_MJ_FLUSH_BUFFERS B936F314
Device \Driver\aswRdr \Device\AswRdrTcpFilter IRP_MJ_QUERY_VOLUME_INFORMATION B936F314
Device \Driver\aswRdr \Device\AswRdrTcpFilter IRP_MJ_SET_VOLUME_INFORMATION B936F314
Device \Driver\aswRdr \Device\AswRdrTcpFilter IRP_MJ_DIRECTORY_CONTROL B936F314
Device \Driver\aswRdr \Device\AswRdrTcpFilter IRP_MJ_FILE_SYSTEM_CONTROL B936F314
Device \Driver\aswRdr \Device\AswRdrTcpFilter IRP_MJ_DEVICE_CONTROL B936F314
Device \Driver\aswRdr \Device\AswRdrTcpFilter IRP_MJ_INTERNAL_DEVICE_CONTROL B936F2C0
Device \Driver\aswRdr \Device\AswRdrTcpFilter IRP_MJ_SHUTDOWN B936F314
Device \Driver\aswRdr \Device\AswRdrTcpFilter IRP_MJ_LOCK_CONTROL B936F314
Device \Driver\aswRdr \Device\AswRdrTcpFilter IRP_MJ_CLEANUP B936F314
Device \Driver\aswRdr \Device\AswRdrTcpFilter IRP_MJ_CREATE_MAILSLOT B936F314
Device \Driver\aswRdr \Device\AswRdrTcpFilter IRP_MJ_QUERY_SECURITY B936F314
Device \Driver\aswRdr \Device\AswRdrTcpFilter IRP_MJ_SET_SECURITY B936F314
Device \Driver\aswRdr \Device\AswRdrTcpFilter IRP_MJ_POWER B936F314
Device \Driver\aswRdr \Device\AswRdrTcpFilter IRP_MJ_SYSTEM_CONTROL B936F314
Device \Driver\aswRdr \Device\AswRdrTcpFilter IRP_MJ_DEVICE_CHANGE B936F314
Device \Driver\aswRdr \Device\AswRdrTcpFilter IRP_MJ_QUERY_QUOTA B936F314
Device \Driver\aswRdr \Device\AswRdrTcpFilter IRP_MJ_SET_QUOTA B936F314
Device \Driver\aswRdr \Device\AswRdrTcpFilter IRP_MJ_PNP B936F314
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CREATE 86CFC0E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CLOSE 86CFC0E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_READ 86CFC0E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_WRITE 86CFC0E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_QUERY_INFORMATION 86CFC0E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_SET_INFORMATION 86CFC0E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_QUERY_VOLUME_INFORMATION 86CFC0E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_DIRECTORY_CONTROL 86CFC0E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_FILE_SYSTEM_CONTROL 86CFC0E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CLEANUP 86CFC0E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CREATE_MAILSLOT 86CFC0E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_QUERY_SECURITY 86CFC0E8
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_SET_SECURITY 86CFC0E8
Device \Driver\SI3114r \Device\Scsi\SI3114r1 IRP_MJ_CREATE 873974D0
Device \Driver\SI3114r \Device\Scsi\SI3114r1 IRP_MJ_CLOSE 873974D0
Device \Driver\SI3114r \Device\Scsi\SI3114r1 IRP_MJ_DEVICE_CONTROL 873974D0
Device \Driver\SI3114r \Device\Scsi\SI3114r1 IRP_MJ_INTERNAL_DEVICE_CONTROL 873974D0
Device \Driver\SI3114r \Device\Scsi\SI3114r1 IRP_MJ_POWER 873974D0
Device \Driver\SI3114r \Device\Scsi\SI3114r1 IRP_MJ_SYSTEM_CONTROL 873974D0
Device \Driver\SI3114r \Device\Scsi\SI3114r1 IRP_MJ_PNP 873974D0
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_CREATE 86CEAEB0
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_CLOSE 86CEAEB0
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_DEVICE_CONTROL 86CEAEB0
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_INTERNAL_DEVICE_CONTROL 86CEAEB0
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_POWER 86CEAEB0
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_SYSTEM_CONTROL 86CEAEB0
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_PNP 86CEAEB0
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port3Path0Target0Lun0 IRP_MJ_CREATE 86CEAEB0
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port3Path0Target0Lun0 IRP_MJ_CLOSE 86CEAEB0
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port3Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 86CEAEB0
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port3Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 86CEAEB0
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port3Path0Target0Lun0 IRP_MJ_POWER 86CEAEB0
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port3Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL 86CEAEB0
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port3Path0Target0Lun0 IRP_MJ_PNP 86CEAEB0
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 86ED6928
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE 86ED6928
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 86ED6928
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION 86ED6928
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION 86ED6928
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION 86ED6928
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL 86ED6928
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL 86ED6928
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL 86ED6928
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN 86ED6928
Device \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL 86ED6928
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP 86ED6928
Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP 86ED6928

---- EOF - GMER 1.0.13 ----


I will try to scan in safe mode when I get back from class.

meatwad
2007-08-31, 04:29
tried in safe mode and exact same thing.

I also tried locating the value in registry that the system seems to restart on (0Controls). but I could not find that value anywhere in the registry.

Angelfire777
2007-09-01, 11:43
Hi,


I also tried locating the value in registry that the system seems to restart on (0Controls). but I could not find that value anywhere in the registry.

I suggest that you don't go into the registry on your own. One little mistake and your computer will be busted.

Having said that, before all this started, have you been tampering with your registry?

Also, is your Avast! updated?
==========

You may want to print these instructions or save them in notepad for reference.


You have remnants of Norton AntiVirus in your system. Please run the tool HERE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/pfdocs/2005033108162039) to clean all the leftovers of your Norton AntiVirus.

*Uninstall the items in bold if found:

J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
Java(TM) SE Runtime Environment 6
Java(TM) SE Runtime Environment 6 Update 1
Trymedia

*A few optionals that I would recommend be uninstalled.

Azureus
LimeWire PRO 4.14.8
These programs are very likely the reason your system is infested with malware. Even when programs like these are not infected themselves, they will still bring malware into your system, because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. I recommend that you remove these programs from your system.

Viewpoint Media Player
Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". In 2006, this may change, read Viewpoint to Plunge Into Adware (http://www.clickz.com/showPage.html?page=3561546).

Full Tilt Poker
Paradise Poker
PartyPoker
Holdem Bot vNEURAL 1.3
Web Buying
I recommend that if you do not use these poker related programs, you uninstall them because these programs serve as vectors for malware to enter your system. You do have pokerstars installed and it is the safest alternative if you want to play poker.

Virtual Hottie 2
Do you use this program or did you install it intentionally? If so, you can leave it there.

*Click Start > Control Panel > Add or Remove Programs and uninstall the items I listed in bold if found.

*Reboot
________

Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main,Search Page =
O2 - BHO: (no name) - {eb89e365-71df-4d4f-8708-04a5b1b8f2d2} - C:\WINDOWS\system32\iseltjy.dll
O4 - HKLM\..\Run: [pipmon] pipmon.exe
O4 - HKLM\..\Run: [xem] C:\WINDOWS\ServicePackFiles\winlogon.exe
O4 - HKLM\..\Run: [ShareSearcher] c:\jnkk.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Xbfspkmh] "C:\Documents and Settings\Mike\My Documents\?ymantec\d?xplore.exe"
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.2\webbuying.exe
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O4 - HKUS\S-1-5-18\..\Run: [Cwap] "C:\WINDOWS\system32\TSKS~1\logonui.exe" -vt yazb (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Govqdqvj] C:\WINDOWS\system32\s?stem\??rvices.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Cwap] "C:\WINDOWS\system32\TSKS~1\logonui.exe" -vt yazb (User 'Default user')
O20 - Winlogon Notify: hgghfcb - hgghfcb.dll (file missing)
O20 - Winlogon Notify: winlbi32 - winlbi32.dll (file missing)
O21 - SSODL: vHdaxqUCGS - {CCCC9172-6666-3BD8-53BE-3384AFFC4B8B} - C:\WINDOWS\system32\oimp.dll (file missing)

Did you use spybot to set this policy? If so, do not fix it:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Fix the following if you uninstalled party poker:

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)

Fix the following if you uninstalled poker.com

O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\Poker.exe (HKCU)

Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.


Download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) by OldTimer to your Desktop.

Double click OTMoveIt.exe to launch it.
Copy/Paste the contents of the box below into the left hand pane of OTMoveIt.


C:\WINDOWS\system32\oimp.dll
C:\WINDOWS\system32\hgghfcb.dll
C:\WINDOWS\system32\winlbi32.dll
C:\WINDOWS\9129837.exe
C:\Program Files\Web Buying
C:\WINDOWS\retadpu1000106.exe
c:\jnkk.exe
C:\WINDOWS\ServicePackFiles\winlogon.exe
C:\WINDOWS\system32\pipmon.exe
C:\WINDOWS\system32\iseltjy.dll
C:\VundoFix Backups
C:\WINDOWS\system32\adeeg.bak1
C:\WINDOWS\tmp375203.bat
C:\WINDOWS\system32\ezhfjf32.dll
C:\WINDOWS\system32\Setup155.exe
C:\WINDOWS\TWlrZQ
C:\WINDOWS\system32\tmps7
C:\WINDOWS\system32\ICM23
C:\WINDOWS\system32\dllsz
C:\WINDOWS\system32\cofig1
C:\WINDOWS\system32\f03WtR
C:\Temp
C:\Documents and Settings\All Users\Application Data\Trymedia
C:\WINDOWS\g4356cbvy63.exe
C:\WINDOWS\uni_eh44.exe
C:\WINDOWS\uninst1014.exe
C:\WINDOWS\system32\xpdx.sys
C:\Program Files\Norton AntiVirus
C:\Program Files\Common Files\Symantec Shared
C:\Program Files\Symantec


Click the Move It button.
The list will be processed and the results will appear in the right hand pane.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
When finished click Exit to exit the program.
A log C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log will be created (where mmddyyyy_hhmmss are numbers giving date and time the log was created).
Post the log back here please.
_____

Reboot into Safe Mode.

To enter Safe Mode..

Click Start > Turn Off Computer > Restart > Tap F8 key just before Windows starts to load, > This will bring up a Menu > Use your keyboard to scroll to Safe Mode> Hit enter.

Configure your machine to view hidden files:

Windows XP
Click Start.
Open My Computer..
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the "Hidden files and folders" heading select Show hidden files and folders.
Uncheck the Hide Protected Operating System Files Option.
Click Yes to confirm.
Click OK.



*Using Windows explorer, delete the following folders:

C:\WINDOWS\system32\s?stem
C:\Documents and Settings\Mike\My Documents\?ymantec
C:\Documents and Settings\LocalService\Application Data\??crosoft
C:\Documents and Settings\NetworkService\Application Data\?ymbols
C:\WINDOWS\system32\T?sks
C:\Documents and Settings\NetworkService\Application Data\?ymbols

*Note: The ? in the folder paths means that they can be any alphanumeric character. Most of the time, those subfolders are in the end of the list of each parent folder.

C:\WINDOWS\system32\TSKS~1 <<This folder's name starts with TSK
______

*Delete the following folders if you uninstalled their corresponding programs.

C:\Program Files\Poker.com
C:\Program Files\PartyGaming.Net
C:\Program Files\Holdem Bot
C:\Program Files\Virtual Hottie 2
C:\Program Files\Paradise Poker
C:\Program Files\Full Tilt Poker
C:\Program Files\Viewpoint
C:\Program Files\Limewire
C:\Documents and Settings\Mike\Application Data\LimeWire
C:\Program Files\Azureus
C:\Documents and Settings\Mike\Application Data\Azureus

*Do you know what this folder is:

C:\-859008655

If not, double click the folder and see if there's a file inside. If there are any, right click on the file/s > properties and see if you can get any info on their vendors. If the folder appears to be empty, you can safely delete it.

Empty your recycle bin.

Reboot to normal mode.
_______

Download Superantispyware (http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE)
Load Superantispyware and click the check for updates button.
Once the update is finished click the scan your computer button.
Check Perform Complete Scan and then next.
Superantispyware will now scan your computer and when its finished it will list all the infections it has found.
Make sure that they all have a check next to them and press next.
Click finish and you will be taken back to the main interface.
Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
Copy and paste the log onto the forum.
______

Your Java is out of date....
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components.
Click Start > Control Panel
Click Add/Remove Programs
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove button.
Repeat as many times as necessary to remove all versions of Java.
Reboot your computer once all Java components are removed.
Then download Java Runtime Environment 6u2 (http://java.sun.com/javase/downloads/index.jsp), and install it to your computer.
_______

As your system has been infected with bots and we can't use SDFix to see what damage it has done to your registry, we need to dig them up manually.

Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type revealbot.bat in the File name and save it to your desktop.


@echo off
rem Export the registry areas bots commonly tamper with (LSA, OLE, firewall,
rem Security Center, System Restore, policies, remote-access services) into a
rem scratch folder, then join them into one file for posting. Nothing here
rem changes the registry; every line below only reads from it.
cd %systemdrive%\
If not exist lsafiles MkDir lsafiles
regedit /e lsafiles\1.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
regedit /e lsafiles\2.txt HKEY_CURRENT_USER\Software\Microsoft\OLE
regedit /e lsafiles\3.txt HKEY_CURRENT_USER\System\CurrentControlSet\Control\Lsa
regedit /e lsafiles\4.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
regedit /e lsafiles\5.txt HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
regedit /a lsafiles\6.txt HKEY_USERS\.DEFAULT\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA
regedit /e lsafiles\7.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
regedit /e lsafiles\8.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr"
Regedit /e lsafiles\9.txt HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
Regedit /e lsafiles\10.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
Regedit /e lsafiles\11.txt HKEY_LOCAL_MACHINE\SOFTWARE\Policies\WindowsFirewall
Regedit /e lsafiles\12.txt HKEY_CURRENT_USER\SOFTWARE\Policies\WindowsFirewall
regedit /e lsafiles\13.txt HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
regedit /e lsafiles\14.txt HKEY_LOCAL_MACHINE\SYSTEM\Services\SharedAccess
regedit /e lsafiles\15.txt HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
regedit /e lsafiles\16.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
regedit /e lsafiles\17.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center"
regedit /e lsafiles\18.txt "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore"
regedit /e lsafiles\19.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\systemrestore"
regedit /e lsafiles\20.txt HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wscsvc
regedit /e lsafiles\21.txt HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TlntSvr
regedit /e lsafiles\22.txt HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
regedit /e lsafiles\23.txt HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
regedit /e lsafiles\24.txt HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
regedit /e lsafiles\26.txt "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter"
regedit /e lsafiles\27.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting\ExclusionList"
rem The shutdown timeout is read with reg query, since it is a single value rather than a key.
reg query "hklm\SYSTEM\CurrentControlSet\Control" /v "WaitToKillServiceTimeout" > %systemdrive%\lsafiles\25.txt


rem Join all the exports into lsa.txt, remove the scratch folder and open the result.
Copy lsafiles\*.txt = %systemdrive%\lsa.txt
rmdir /s /q lsafiles
Notepad %systemdrive%\lsa.txt
exit


Locate revealbot.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here.
______

Download RegSearch Tool (http://www.xs4all.nl/~fstaal01/regsearch-us.html) by Bobbi Flekman

Unzip it to your desktop

In the search box, enter the keyword below & click "Ok".

xpdx

Notepad will open with some text in it (the file will also be saved in the program's folder as well).
Post this text in your next reply along with a fresh HijackThis log.
____

On your next reply, please include a
Fresh HijackThis log.
Superantispyware log.
revealbot.bat results
OTmoveit log.
regsearch results.
a new gmer log. (Don't worry about it BSOD'ing..It looks like it finished scanning anyway)

meatwad
2007-09-03, 07:28
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop]
"NoChangingWallpaper"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoCDBurning"=dword:00000000
"NoSetActiveDesktop"=dword:00000001
"NoActiveDesktopChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{17492023-C23A-453E-A040-C7C580BBF700}"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000002
"DependOnGroup"=hex(7):00,00
"DependOnService"=hex(7):4e,00,65,00,74,00,6d,00,61,00,6e,00,00,00,57,00,69,00,\
6e,00,4d,00,67,00,6d,00,74,00,00,00,00,00
"Description"="Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network."
"DisplayName"="Windows Firewall/Internet Connection Sharing (ICS)"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"ObjectName"="LocalSystem"
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum]
"0"="Root\\LEGACY_SHAREDACCESS\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch]
"Epoch"=dword:00000dcb

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
69,00,70,00,6e,00,61,00,74,00,68,00,6c,00,70,00,2e,00,64,00,6c,00,6c,00,00,\
00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
"DoNotAllowExceptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Disabled:iTunes"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup]
"ServiceUpgrade"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate]
"All"=dword:00000001

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=dword:00000001
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center]
"FirstRun"=dword:00000001

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wscsvc]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"DisplayName"="Security Center"
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,77,00,69,00,6e,00,\
6d,00,67,00,6d,00,74,00,00,00,00,00
"ObjectName"="LocalSystem"
"Description"="Monitors system security settings and configurations."

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wscsvc\Enum]
"0"="Root\\LEGACY_WSCSVC\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wscsvc\Parameters]
"ServiceDll"=hex(2):25,00,53,00,59,00,53,00,54,00,45,00,4d,00,52,00,4f,00,4f,\
00,54,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
77,00,73,00,63,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wscsvc\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TlntSvr]
"Type"=dword:00000010
"Start"=dword:00000004
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,\
5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,74,00,6c,00,6e,\
00,74,00,73,00,76,00,72,00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="Telnet"
"DependOnService"=hex(7):52,00,50,00,43,00,53,00,53,00,00,00,54,00,43,00,50,00,\
49,00,50,00,00,00,4e,00,54,00,4c,00,4d,00,53,00,53,00,50,00,00,00,00,00
"DependOnGroup"=hex(7):00,00
"ObjectName"="LocalSystem"
"Description"=hex(2):45,00,6e,00,61,00,62,00,6c,00,65,00,73,00,20,00,61,00,20,\
00,72,00,65,00,6d,00,6f,00,74,00,65,00,20,00,75,00,73,00,65,00,72,00,20,00,\
74,00,6f,00,20,00,6c,00,6f,00,67,00,20,00,6f,00,6e,00,20,00,74,00,6f,00,20,\
00,74,00,68,00,69,00,73,00,20,00,63,00,6f,00,6d,00,70,00,75,00,74,00,65,00,\
72,00,20,00,61,00,6e,00,64,00,20,00,72,00,75,00,6e,00,20,00,70,00,72,00,6f,\
00,67,00,72,00,61,00,6d,00,73,00,2c,00,20,00,61,00,6e,00,64,00,20,00,73,00,\
75,00,70,00,70,00,6f,00,72,00,74,00,73,00,20,00,76,00,61,00,72,00,69,00,6f,\
00,75,00,73,00,20,00,54,00,43,00,50,00,2f,00,49,00,50,00,20,00,54,00,65,00,\
6c,00,6e,00,65,00,74,00,20,00,63,00,6c,00,69,00,65,00,6e,00,74,00,73,00,2c,\
00,20,00,69,00,6e,00,63,00,6c,00,75,00,64,00,69,00,6e,00,67,00,20,00,55,00,\
4e,00,49,00,58,00,2d,00,62,00,61,00,73,00,65,00,64,00,20,00,61,00,6e,00,64,\
00,20,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,2d,00,62,00,61,00,73,00,\
65,00,64,00,20,00,63,00,6f,00,6d,00,70,00,75,00,74,00,65,00,72,00,73,00,2e,\
00,20,00,49,00,66,00,20,00,74,00,68,00,69,00,73,00,20,00,73,00,65,00,72,00,\
76,00,69,00,63,00,65,00,20,00,69,00,73,00,20,00,73,00,74,00,6f,00,70,00,70,\
00,65,00,64,00,2c,00,20,00,72,00,65,00,6d,00,6f,00,74,00,65,00,20,00,75,00,\
73,00,65,00,72,00,20,00,61,00,63,00,63,00,65,00,73,00,73,00,20,00,74,00,6f,\
00,20,00,70,00,72,00,6f,00,67,00,72,00,61,00,6d,00,73,00,20,00,6d,00,69,00,\
67,00,68,00,74,00,20,00,62,00,65,00,20,00,75,00,6e,00,61,00,76,00,61,00,69,\
00,6c,00,61,00,62,00,6c,00,65,00,2e,00,20,00,49,00,66,00,20,00,74,00,68,00,\
69,00,73,00,20,00,73,00,65,00,72,00,76,00,69,00,63,00,65,00,20,00,69,00,73,\
00,20,00,64,00,69,00,73,00,61,00,62,00,6c,00,65,00,64,00,2c,00,20,00,61,00,\
6e,00,79,00,20,00,73,00,65,00,72,00,76,00,69,00,63,00,65,00,73,00,20,00,74,\
00,68,00,61,00,74,00,20,00,65,00,78,00,70,00,6c,00,69,00,63,00,69,00,74,00,\
6c,00,79,00,20,00,64,00,65,00,70,00,65,00,6e,00,64,00,20,00,6f,00,6e,00,20,\
00,69,00,74,00,20,00,77,00,69,00,6c,00,6c,00,20,00,66,00,61,00,69,00,6c,00,\
20,00,74,00,6f,00,20,00,73,00,74,00,61,00,72,00,74,00,2e,00,00,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TlntSvr\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Description"="Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start."
"DependOnService"=hex(7):52,00,50,00,43,00,53,00,53,00,00,00,00,00
"DisplayName"="Remote Registry"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,00,72,00,76,00,69,00,63,\
00,65,00,00,00
"ObjectName"="LocalSystem"
"Group"=""
"Start"=dword:00000002
"Type"=dword:00000020
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,e0,ad,08,\
00,01,00,00,00,e8,03,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
72,00,65,00,67,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,\
23,02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Enum]
"0"="Root\\LEGACY_REMOTEREGISTRY\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

meatwad
2007-09-03, 07:28
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"autodisconnect"=dword:0000000f
"enableforcedlogoff"=dword:00000001
"enablesecuritysignature"=dword:00000000
"requiresecuritysignature"=dword:00000000
"NullSessionPipes"=hex(7):43,00,4f,00,4d,00,4e,00,41,00,50,00,00,00,43,00,4f,\
00,4d,00,4e,00,4f,00,44,00,45,00,00,00,53,00,51,00,4c,00,5c,00,51,00,55,00,\
45,00,52,00,59,00,00,00,53,00,50,00,4f,00,4f,00,4c,00,53,00,53,00,00,00,4c,\
00,4c,00,53,00,52,00,50,00,43,00,00,00,62,00,72,00,6f,00,77,00,73,00,65,00,\
72,00,00,00,00,00
"NullSessionShares"=hex(7):43,00,4f,00,4d,00,43,00,46,00,47,00,00,00,44,00,46,\
00,53,00,24,00,00,00,00,00
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
73,00,72,00,76,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00
"Lmannounce"=dword:00000000
"Size"=dword:00000001
"Guid"=hex:fb,34,80,a8,cb,1d,a6,4d,89,08,5c,fa,df,0f,8d,27
"AdjustedNullSessionPipes"=dword:00000001
"CachedOpenLimit"=dword:00000000
"srvcomment"="MAIN"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enableplaintextpassword"=dword:00000000
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
77,00,6b,00,73,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00
"OtherDomains"=hex(7):00,00

meatwad
2007-09-03, 07:30
REG SEARCH LOG

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 9/2/2007 11:26:11 PM for strings:
; 'xpdx'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\xpdx]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\xpdx]
; Contents of value:
; \??\C:\WINDOWS\system32\xpdx.sys

meatwad
2007-09-03, 07:31
MOVE IT LOG

File/Folder C:\WINDOWS\system32\oimp.dll not found.
File/Folder C:\WINDOWS\system32\hgghfcb.dll not found.
File/Folder C:\WINDOWS\system32\winlbi32.dll not found.
File/Folder C:\WINDOWS\9129837.exe not found.
File/Folder C:\Program Files\Web Buying not found.
File/Folder C:\WINDOWS\retadpu1000106.exe not found.
File/Folder c:\jnkk.exe not found.
File/Folder C:\WINDOWS\ServicePackFiles\winlogon.exe not found.
File/Folder C:\WINDOWS\system32\pipmon.exe not found.
C:\WINDOWS\system32\iseltjy.dll unregistered successfully.
C:\WINDOWS\system32\iseltjy.dll moved successfully.
C:\VundoFix Backups moved successfully.
C:\WINDOWS\system32\adeeg.bak1 moved successfully.
C:\WINDOWS\tmp375203.bat moved successfully.
File/Folder C:\WINDOWS\system32\ezhfjf32.dll not found.
File/Folder C:\WINDOWS\system32\Setup155.exe not found.
C:\WINDOWS\TWlrZQ moved successfully.
C:\WINDOWS\system32\tmps7 moved successfully.
C:\WINDOWS\system32\ICM23 moved successfully.
C:\WINDOWS\system32\dllsz moved successfully.
C:\WINDOWS\system32\cofig1 moved successfully.
C:\WINDOWS\system32\f03WtR moved successfully.
C:\Temp\1cb moved successfully.
C:\Temp moved successfully.
C:\Documents and Settings\All Users\Application Data\Trymedia\licenses moved successfully.
C:\Documents and Settings\All Users\Application Data\Trymedia moved successfully.
C:\WINDOWS\g4356cbvy63.exe moved successfully.
C:\WINDOWS\uni_eh44.exe moved successfully.
C:\WINDOWS\uninst1014.exe moved successfully.
File move failed. C:\WINDOWS\system32\xpdx.sys scheduled to be moved on reboot.
File/Folder C:\Program Files\Norton AntiVirus not found.
C:\Program Files\Common Files\Symantec Shared\CCPD-LC moved successfully.
C:\Program Files\Common Files\Symantec Shared moved successfully.
File/Folder C:\Program Files\Symantec not found.

Created on 09/02/2007 23:02:40

meatwad
2007-09-03, 07:32
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:30:59 PM, on 9/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\hphmon03.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: 3.exe~
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: SATARaid.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\Poker.exe (HKCU)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144701120484
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA5B8AC9-DE74-44B0-9FBE-7950B95D2704}: NameServer = 4.2.2.1,4.2.2.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: vHdaxqUCGS - {CCCC9172-6666-3BD8-53BE-3384AFFC4B8B} - C:\WINDOWS\system32\oimp.dll (file missing)
O21 - SSODL: MSN Messenger - {280A7B65-8F00-438F-3E5A-1F039433FE60} - C:\WINDOWS\system32\dssdll32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe

--
End of file - 6853 bytes

meatwad
2007-09-03, 07:35
GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-09-02 23:34:36
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.13 ----

SSDT sptd.sys ZwCreateKey
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT sptd.sys ZwOpenKey
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT sptd.sys ZwSetValueKey

---- Kernel code sections - GMER 1.0.13 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? C:\WINDOWS\System32\Drivers\SPTD3037.SYS The process cannot access the file because it is being used by another process.
? C:\WINDOWS\System32\Drivers\dtscsi.sys The process cannot access the file because it is being used by another process.

---- User code sections - GMER 1.0.13 ----

.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA27E1
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA2835
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA2842
.text C:\WINDOWS\Explorer.EXE[360] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA282E
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[540] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA27E1
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[540] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA2835
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[540] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA2842
.text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[540] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA282E
.text C:\WINDOWS\system32\hphmon03.exe[616] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA27E1
.text C:\WINDOWS\system32\hphmon03.exe[616] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA2835
.text C:\WINDOWS\system32\hphmon03.exe[616] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA2842
.text C:\WINDOWS\system32\hphmon03.exe[616] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA282E
.text C:\WINDOWS\system32\winlogon.exe[816] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA27E1
.text C:\WINDOWS\system32\winlogon.exe[816] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA2835
.text C:\WINDOWS\system32\winlogon.exe[816] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA2842
.text C:\WINDOWS\system32\winlogon.exe[816] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA282E
.text C:\WINDOWS\system32\services.exe[864] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF927E1
.text C:\WINDOWS\system32\services.exe[864] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FF92835
.text C:\WINDOWS\system32\services.exe[864] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FF92842
.text C:\WINDOWS\system32\services.exe[864] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FF9282E
.text C:\WINDOWS\system32\lsass.exe[876] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF927E1
.text C:\WINDOWS\system32\lsass.exe[876] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FF92835
.text C:\WINDOWS\system32\lsass.exe[876] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FF92842
.text C:\WINDOWS\system32\lsass.exe[876] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FF9282E
.text C:\WINDOWS\system32\nvsvc32.exe[1008] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA27E1
.text C:\WINDOWS\system32\nvsvc32.exe[1008] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA2835
.text C:\WINDOWS\system32\nvsvc32.exe[1008] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA2842
.text C:\WINDOWS\system32\nvsvc32.exe[1008] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA282E
.text C:\WINDOWS\system32\svchost.exe[1060] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA27E1
.text C:\WINDOWS\system32\svchost.exe[1060] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA2835
.text C:\WINDOWS\system32\svchost.exe[1060] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA2842
.text C:\WINDOWS\system32\svchost.exe[1060] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA282E
.text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA27E1
.text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA2835
.text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA2842
.text C:\WINDOWS\system32\svchost.exe[1104] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA282E
.text C:\WINDOWS\System32\svchost.exe[1272] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF927E1
.text C:\WINDOWS\System32\svchost.exe[1272] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FF92835
.text C:\WINDOWS\System32\svchost.exe[1272] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FF92842
.text C:\WINDOWS\System32\svchost.exe[1272] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FF9282E
.text C:\WINDOWS\system32\svchost.exe[1384] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA27E1
.text C:\WINDOWS\system32\svchost.exe[1384] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA2835
.text C:\WINDOWS\system32\svchost.exe[1384] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA2842
.text C:\WINDOWS\system32\svchost.exe[1384] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA282E
.text C:\WINDOWS\system32\svchost.exe[1488] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA27E1
.text C:\WINDOWS\system32\svchost.exe[1488] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA2835
.text C:\WINDOWS\system32\svchost.exe[1488] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA2842
.text C:\WINDOWS\system32\svchost.exe[1488] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA282E
.text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1560] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA27E1
.text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1560] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA2835
.text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1560] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA2842
.text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1560] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA282E
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1632] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF927E1
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1632] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FF92835
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1632] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FF92842
.text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1632] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FF9282E
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1936] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA27E1
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1936] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA2835
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1936] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA2842
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[1936] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA282E
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[2012] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA27E1
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[2012] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA2835
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[2012] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA2842
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[2012] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA282E
.text C:\Documents and Settings\Mike\Desktop\gmer\gmer.exe[2072] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA27E1
.text C:\Documents and Settings\Mike\Desktop\gmer\gmer.exe[2072] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA282E
.text C:\Program Files\Mozilla Firefox\firefox.exe[2552] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA27E1
.text C:\Program Files\Mozilla Firefox\firefox.exe[2552] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA2835
.text C:\Program Files\Mozilla Firefox\firefox.exe[2552] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA2842
.text C:\Program Files\Mozilla Firefox\firefox.exe[2552] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA282E
.text C:\WINDOWS\System32\svchost.exe[2600] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA27E1
.text C:\WINDOWS\System32\svchost.exe[2600] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA2835
.text C:\WINDOWS\System32\svchost.exe[2600] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA2842
.text C:\WINDOWS\System32\svchost.exe[2600] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA282E
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3116] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA27E1
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3116] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA2835
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3116] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA2842
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3116] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA282E

---- Kernel IAT/EAT - GMER 1.0.13 ----

IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F750BDB2] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F752171E] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IoGetAttachedDeviceReference] [F750C3B2] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IoGetDeviceObjectPointer] [F750C2B6] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IofCallDriver] [F750C482] sptd.sys
IAT dmio.sys[ntoskrnl.exe!IofCallDriver] [F750C482] sptd.sys
IAT dmio.sys[ntoskrnl.exe!IoGetAttachedDeviceReference] [F750C3B2] sptd.sys
IAT dmio.sys[ntoskrnl.exe!IoGetDeviceObjectPointer] [F750C2B6] sptd.sys
IAT PartMgr.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7521032] sptd.sys
IAT PartMgr.sys[ntoskrnl.exe!IoDetachDevice] [F750BF6E] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IofCompleteRequest] [F7520C76] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F750BE06] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74FEA32] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74FEB6E] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74FEAF6] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74FF6CC] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74FF5A2] sptd.sys
IAT disk.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7521864] sptd.sys
IAT \WINDOWS\system32\DRIVERS\CLASSPNP.SYS[ntoskrnl.exe!IoDetachDevice] [F7510F78] sptd.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!IofCompleteRequest] [F7520C76] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7520C82] sptd.sys
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7521864] sptd.sys
IAT \SystemRoot\system32\DRIVERS\rdbss.sys[ntoskrnl.exe!IofCallDriver] [F74FE020] sptd.sys
IAT \SystemRoot\system32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!IofCallDriver] [F74FE020] sptd.sys

---- Devices - GMER 1.0.13 ----

meatwad
2007-09-03, 07:36
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 873D4EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 873D4EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 873D4EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 873D4EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 873D4EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 873D4EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 873D4EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 873D4EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 873D4EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 873D4EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 873D4EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 873D4EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 873D4EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 873D4EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 873D4EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 873D4EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 873D4EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 873D4EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 873D4EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 873D4EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 873D4EB0
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 873D4EB0

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F7A029F2] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F7A02306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F7A02306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F7A028B4] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F7A02306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F7A02306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F7A02306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F7A02306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F7A02306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F7A02306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F7A02306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F7A02306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F7A02306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F7A02D04] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F7A02306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F7A02306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F7A02306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F7A02306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F7A02306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F7A02306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F7A02306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F7A02306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F7A02306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F7A02306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F7A02306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F7A02306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F7A02306] SiWinAcc.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [BA392812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [BA392812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [BA392812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [BA392812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [BA392812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [BA392812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [BA392812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [BA392812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [BA392812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [BA392812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [BA392812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [BA392812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [BA392812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [BA393F76] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [BA392812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [BA392812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [BA392812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [BA392812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [BA392812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [BA392812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [BA392812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [BA392812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [BA392812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [BA392812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [BA392812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [BA392812] aswMon2.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [BA392812] aswMon2.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_READ [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F6BB52C0] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_POWER [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [F6BB58E6] aswTdi.SYS

Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CREATE 87387A40
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CLOSE 87387A40
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_READ 87387A40
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_WRITE 87387A40
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_FLUSH_BUFFERS 87387A40
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_DEVICE_CONTROL 87387A40
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_INTERNAL_DEVICE_CONTROL 87387A40
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SHUTDOWN 87387A40
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_POWER 87387A40
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SYSTEM_CONTROL 87387A40
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_PNP 87387A40
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CREATE 87387A40
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CLOSE 87387A40
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_READ 87387A40
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_WRITE 87387A40
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_FLUSH_BUFFERS 87387A40
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_DEVICE_CONTROL 87387A40
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_INTERNAL_DEVICE_CONTROL 87387A40
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SHUTDOWN 87387A40
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_POWER 87387A40
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SYSTEM_CONTROL 87387A40
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_PNP 87387A40
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CREATE 87387A40
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CLOSE 87387A40
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_READ 87387A40
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_WRITE 87387A40
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_FLUSH_BUFFERS 87387A40
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_DEVICE_CONTROL 87387A40
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_INTERNAL_DEVICE_CONTROL 87387A40
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SHUTDOWN 87387A40
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_POWER 87387A40
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SYSTEM_CONTROL 87387A40
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_PNP 87387A40
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CREATE 87387A40
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CLOSE 87387A40
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_READ 87387A40
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_WRITE 87387A40
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_FLUSH_BUFFERS 87387A40

meatwad
2007-09-03, 07:37
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_DEVICE_CONTROL 87387A40
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_INTERNAL_DEVICE_CONTROL 87387A40
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SHUTDOWN 87387A40
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_POWER 87387A40
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SYSTEM_CONTROL 87387A40
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_PNP 87387A40
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_READ [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F6BB52C0] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [F6BB58E6] aswTdi.SYS

Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 87387C78
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 87387C78
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE 87387C78
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS 87387C78
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL 87387C78
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL 87387C78
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN 87387C78
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP 87387C78
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER 87387C78
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL 87387C78
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_PNP 87387C78
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 86D79418
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 86D79418
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 86D79418
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 86D79418
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 86D79418
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 86D79418
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 86D79418
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 86D79418
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 86D79418
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 86D79418
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 86D79418
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE 86EA7EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_NAMED_PIPE 86EA7EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLOSE 86EA7EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 86EA7EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_WRITE 86EA7EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_INFORMATION 86EA7EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_INFORMATION 86EA7EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_EA 86EA7EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_EA 86EA7EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FLUSH_BUFFERS 86EA7EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_VOLUME_INFORMATION 86EA7EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_VOLUME_INFORMATION 86EA7EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DIRECTORY_CONTROL 86EA7EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FILE_SYSTEM_CONTROL 86EA7EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CONTROL 86EA7EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_INTERNAL_DEVICE_CONTROL 86EA7EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SHUTDOWN 86EA7EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_LOCK_CONTROL 86EA7EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLEANUP 86EA7EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_MAILSLOT 86EA7EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_SECURITY 86EA7EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_SECURITY 86EA7EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_POWER 86EA7EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SYSTEM_CONTROL 86EA7EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CHANGE 86EA7EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_QUOTA 86EA7EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_QUOTA 86EA7EB0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 86D79418
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 86D79418
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 86D79418
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 86D79418
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 86D79418
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 86D79418
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 86D79418
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 86D79418
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 86D79418
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 86D79418
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 86D79418
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE 86D79418
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLOSE 86D79418
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_READ 86D79418
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_WRITE 86D79418
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FLUSH_BUFFERS 86D79418
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CONTROL 86D79418
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_INTERNAL_DEVICE_CONTROL 86D79418
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SHUTDOWN 86D79418
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_POWER 86D79418
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SYSTEM_CONTROL 86D79418
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_PNP 86D79418
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 86E697A0
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLOSE 86E697A0
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_DEVICE_CONTROL 86E697A0
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_INTERNAL_DEVICE_CONTROL 86E697A0
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLEANUP 86E697A0
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_PNP 86E697A0
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 86E697A0
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLOSE 86E697A0
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_DEVICE_CONTROL 86E697A0
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_INTERNAL_DEVICE_CONTROL 86E697A0
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLEANUP 86E697A0
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_PNP 86E697A0
Device \Driver\00000100 \Device\0000004d IRP_MJ_POWER [F7509EA8] sptd.sys
Device \Driver\00000100 \Device\0000004d IRP_MJ_SYSTEM_CONTROL [F751DA70] sptd.sys
Device \Driver\00000100 \Device\0000004d IRP_MJ_PNP [F7516728] sptd.sys
Device \Driver\NetBT \Device\NetBT_Tcpip_{3BBB868C-80C9-4DFC-B619-3D8E9E601850} IRP_MJ_CREATE 86E697A0
Device \Driver\NetBT \Device\NetBT_Tcpip_{3BBB868C-80C9-4DFC-B619-3D8E9E601850} IRP_MJ_CLOSE 86E697A0
Device \Driver\NetBT \Device\NetBT_Tcpip_{3BBB868C-80C9-4DFC-B619-3D8E9E601850} IRP_MJ_DEVICE_CONTROL 86E697A0
Device \Driver\NetBT \Device\NetBT_Tcpip_{3BBB868C-80C9-4DFC-B619-3D8E9E601850} IRP_MJ_INTERNAL_DEVICE_CONTROL 86E697A0
Device \Driver\NetBT \Device\NetBT_Tcpip_{3BBB868C-80C9-4DFC-B619-3D8E9E601850} IRP_MJ_CLEANUP 86E697A0
Device \Driver\NetBT \Device\NetBT_Tcpip_{3BBB868C-80C9-4DFC-B619-3D8E9E601850} IRP_MJ_PNP 86E697A0

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_READ [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [F6BB58E6] aswTdi.SYS

meatwad
2007-09-03, 07:38
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F6BB52C0] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_POWER [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [F6BB58E6] aswTdi.SYS

Device \Driver\NetBT \Device\NetBT_Tcpip_{BA5B8AC9-DE74-44B0-9FBE-7950B95D2704} IRP_MJ_CREATE 86E697A0
Device \Driver\NetBT \Device\NetBT_Tcpip_{BA5B8AC9-DE74-44B0-9FBE-7950B95D2704} IRP_MJ_CLOSE 86E697A0
Device \Driver\NetBT \Device\NetBT_Tcpip_{BA5B8AC9-DE74-44B0-9FBE-7950B95D2704} IRP_MJ_DEVICE_CONTROL 86E697A0
Device \Driver\NetBT \Device\NetBT_Tcpip_{BA5B8AC9-DE74-44B0-9FBE-7950B95D2704} IRP_MJ_INTERNAL_DEVICE_CONTROL 86E697A0
Device \Driver\NetBT \Device\NetBT_Tcpip_{BA5B8AC9-DE74-44B0-9FBE-7950B95D2704} IRP_MJ_CLEANUP 86E697A0
Device \Driver\NetBT \Device\NetBT_Tcpip_{BA5B8AC9-DE74-44B0-9FBE-7950B95D2704} IRP_MJ_PNP 86E697A0

AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_READ [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F6BB52C0] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [F6BB58E6] aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [F6BB58E6] aswTdi.SYS

Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CREATE 873D40E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CLOSE 873D40E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_READ 873D40E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_WRITE 873D40E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_FLUSH_BUFFERS 873D40E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_DEVICE_CONTROL 873D40E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_INTERNAL_DEVICE_CONTROL 873D40E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_SHUTDOWN 873D40E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_POWER 873D40E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_SYSTEM_CONTROL 873D40E8
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_PNP 873D40E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSE 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSE 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 86D7A710

meatwad
2007-09-03, 07:39
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 86D7A710
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE 86D747E0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE_NAMED_PIPE 86D747E0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CLOSE 86D747E0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_READ 86D747E0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_WRITE 86D747E0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_INFORMATION 86D747E0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_SET_INFORMATION 86D747E0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_FLUSH_BUFFERS 86D747E0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_VOLUME_INFORMATION 86D747E0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_DIRECTORY_CONTROL 86D747E0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_FILE_SYSTEM_CONTROL 86D747E0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CLEANUP 86D747E0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_SECURITY 86D747E0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_SET_SECURITY 86D747E0
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 87387C78
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_READ 87387C78
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_WRITE 87387C78
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_FLUSH_BUFFERS 87387C78
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_DEVICE_CONTROL 87387C78
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_INTERNAL_DEVICE_CONTROL 87387C78
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SHUTDOWN 87387C78
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CLEANUP 87387C78
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_POWER 87387C78
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SYSTEM_CONTROL 87387C78
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_PNP 87387C78
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CREATE 86E29AF0
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CLOSE 86E29AF0
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_READ 86E29AF0
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_WRITE 86E29AF0
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_QUERY_INFORMATION 86E29AF0
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_SET_INFORMATION 86E29AF0
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_QUERY_VOLUME_INFORMATION 86E29AF0
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_DIRECTORY_CONTROL 86E29AF0
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_FILE_SYSTEM_CONTROL 86E29AF0
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CLEANUP 86E29AF0
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CREATE_MAILSLOT 86E29AF0
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_QUERY_SECURITY 86E29AF0
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_SET_SECURITY 86E29AF0
Device \Driver\SI3114r \Device\Scsi\SI3114r1 IRP_MJ_CREATE 873874D0
Device \Driver\SI3114r \Device\Scsi\SI3114r1 IRP_MJ_CLOSE 873874D0
Device \Driver\SI3114r \Device\Scsi\SI3114r1 IRP_MJ_DEVICE_CONTROL 873874D0
Device \Driver\SI3114r \Device\Scsi\SI3114r1 IRP_MJ_INTERNAL_DEVICE_CONTROL 873874D0
Device \Driver\SI3114r \Device\Scsi\SI3114r1 IRP_MJ_POWER 873874D0
Device \Driver\SI3114r \Device\Scsi\SI3114r1 IRP_MJ_SYSTEM_CONTROL 873874D0
Device \Driver\SI3114r \Device\Scsi\SI3114r1 IRP_MJ_PNP 873874D0
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_CREATE 86E4BD18
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_CLOSE 86E4BD18
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_DEVICE_CONTROL 86E4BD18
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_INTERNAL_DEVICE_CONTROL 86E4BD18
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_POWER 86E4BD18
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_SYSTEM_CONTROL 86E4BD18
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_PNP 86E4BD18
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port3Path0Target0Lun0 IRP_MJ_CREATE 86E4BD18
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port3Path0Target0Lun0 IRP_MJ_CLOSE 86E4BD18
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port3Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 86E4BD18
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port3Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 86E4BD18
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port3Path0Target0Lun0 IRP_MJ_POWER 86E4BD18
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port3Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL 86E4BD18
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port3Path0Target0Lun0 IRP_MJ_PNP 86E4BD18
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 8639F370
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE 8639F370
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 8639F370
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION 8639F370
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION 8639F370
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION 8639F370
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL 8639F370
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL 8639F370
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL 8639F370
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN 8639F370
Device \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL 8639F370
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP 8639F370
Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP 8639F370

---- EOF - GMER 1.0.13 ----

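A GMER "Device" table like the one above runs to hundreds of near-identical lines, one per IRP major function, which is hard to read by eye. The following is an added Python example (not part of the thread and not GMER's own code) that condenses those lines into one row per device object, lists the distinct handler addresses per device, and reports any device whose IRP entries resolve to more than one address or any address shared by several devices. The sample input is constructed: a few lines copied from the log above plus one constructed line with the address F1F1F1F1, which does not occur in the log, so the mixed-address check has something to show.

```python
import re
from collections import defaultdict

# Constructed sample: a few "Device" lines copied from the GMER log in the
# thread, plus one constructed line (address F1F1F1F1, which is not in the
# log) so that the mixed-address check below has something to report.
SAMPLE_LOG = r"""
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 86D7A710
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 86D7A710
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE 86D747E0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_READ 86D747E0
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 8639F370
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ F1F1F1F1

---- EOF - GMER 1.0.13 ----
"""

# One GMER "Device" line: driver object, device object, IRP major function
# and the 32-bit handler address GMER found in the dispatch table.
DEVICE_RE = re.compile(
    r"^Device\s+(\S+)\s+(\S+)\s+(IRP_MJ_[A-Z_]+)\s+([0-9A-Fa-f]{8})\s*$"
)


def parse_device_lines(text):
    """Return (driver, device, irp, addr) tuples; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = DEVICE_RE.match(line.strip())
        if m:
            driver, device, irp, addr = m.groups()
            entries.append((driver, device, irp, addr.upper()))
    return entries


def summarize_by_device(entries):
    """Map (driver, device) -> {addr: [irp, ...]} so each device is one row."""
    summary = defaultdict(lambda: defaultdict(list))
    for driver, device, irp, addr in entries:
        summary[(driver, device)][addr].append(irp)
    return {key: dict(addrs) for key, addrs in summary.items()}


def mixed_address_devices(summary):
    """Devices whose IRP entries resolve to more than one handler address."""
    return [
        (driver, device, sorted(addrs))
        for (driver, device), addrs in summary.items()
        if len(addrs) > 1
    ]


def addresses_shared_across_devices(summary):
    """Handler addresses that appear under more than one device object."""
    seen = defaultdict(set)
    for (driver, device), addrs in summary.items():
        for addr in addrs:
            seen[addr].add((driver, device))
    return {addr: devs for addr, devs in seen.items() if len(devs) > 1}


if __name__ == "__main__":
    summary = summarize_by_device(parse_device_lines(SAMPLE_LOG))
    for (driver, device), addrs in summary.items():
        print(f"{driver} {device}")
        for addr, irps in addrs.items():
            print(f"    {addr}: {len(irps)} IRP entries")
    for driver, device, addrs in mixed_address_devices(summary):
        print(f"MIXED handlers on {driver} {device}: {', '.join(addrs)}")
    for addr, devs in addresses_shared_across_devices(summary).items():
        print(f"address {addr} shared by {len(devs)} devices")
```

The script only tallies what GMER printed; deciding whether a given handler address belongs to the driver that owns the device, or to something layered on top of it, is still the helper's judgement, and the summary exists to make that judgement faster.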
meatwad
2007-09-03, 07:42
I did not mess with the registry before this happened.

A couple problems.

I cannot open up the add/remove dialog. It does nothing when I click on it.

Some of the files you said to delete did not exist (I did turn on the option to see hidden and system files).

I could not install superantispyware. When I try running the program it gives 2 failed to initialize dialogs. If I extract to folder using winrar and try running msiexec it comes up with "incorrect command line paramaters"

Angelfire777
2007-09-03, 09:39
Hi,


Some of the files you said to delete did not exist (I did turn on the option to see hidden and system files).

That's ok.


I could not install superantispyware. When I try running the program it gives 2 failed to initialize dialogs. If I extract to folder using winrar and try running msiexec it comes up with "incorrect command line paramaters"

That's weird. I'll let you try an alternative.

We're getting there. After we get you cleaned up, we'll fix your other issues.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://free.grisoft.com/doc/5390/us/frt/0?prd=asf
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update AVG Antispyware.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update. Do not use it yet!

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune

Do not use it yet.
_____

Open HijackThis > Open Misc tools > Open uninstall manager > Look for all the old java entries there then highlight each one by one > At the right pane, there's an "Uninstall Command" box and there's some text in it > Copy and paste the contents of that box for each old java version.

After you do that, click back > scan > Check these entries in bold:

O4 - HKLM\..\Run: %systemroot%\system32\dumprep 0 -u
O4 - Global Startup: 3.exe~
O21 - SSODL: vHdaxqUCGS - {CCCC9172-6666-3BD8-53BE-3384AFFC4B8B} - C:\WINDOWS\system32\oimp.dll (file missing)
O21 - SSODL: MSN Messenger - {280A7B65-8F00-438F-3E5A-1F039433FE60} - C:\WINDOWS\system32\dssdll32.dll

Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
_____

You may want to print these instructions here or save them in notepad since you'll work offline.

Reboot into Safe Mode.

To enter Safe Mode:

Click Start > Turn Off Computer > Restart > Tap F8 key just before Windows starts to load > This will bring up a Menu > Use your keyboard to scroll to Safe Mode > Hit enter.

*Click start > run > copy and paste these one at a time then press enter for each of them:

sc stop xpdx

Enter.

sc delete xpdx

Enter.
_____

*Using Windows Explorer, find and delete these files:

C:\WINDOWS\system32\dssdll32.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\3.exe~

Empty your recycle bin.
_____

Important: Make sure all your browsers are closed before running ATF Cleaner.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Please run AVG AntiSpyware, and run a full scan as follows:

IMPORTANT: Do not open any other windows or programs while AVG AntiSpyware is scanning, it may interfere with the scanning process.

Launch AVG AntiSpyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
AVG AntiSpyware will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will be prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save Report As" button in the lower left hand of the screen and save it to a text file on your system. (Make sure to remember where you saved that file, this is important).
Close AVG AntiSpyware.
Reboot to normal mode.
_____

Please perform an online scan using Internet Explorer at this website - http://www.bitdefender.com/scan8/ie.html


http://img.photobucket.com/albums/v666/sUBs/BitDefenderA.gif
http://img.photobucket.com/albums/v666/sUBs/BitDefenderB.gif


Under SCANNING OPTIONS, use the following Settings:
Action options - Report only
Second option - Report only

Once finished, click on the Details button to view the results.
To the upper right of the results you will see an option saying "Click here to export the scan results". Post the log of the scan results in your next reply.
______

On your next reply, please include:

- A fresh HijackThis log.
- The uninstall commands for Java.
- Bitdefender results.
- AVG Antispyware log.
- A detailed description of how your machine is running.

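The helper's instructions above single out four HijackThis entries (two O4 startup items and two O21 SSODL shell-service objects) for removal. As an added example, not from the thread and not HijackThis's own code, the Python below parses O4 and O21 lines into records and attaches the two objective flags a reader can check from the log text alone: an entry whose file HijackThis reports as missing, and a startup item whose file name ends in an extension Windows does not normally execute (the trailing "~" on "3.exe~" is the case on this page). The sample input is the four lines from the reply above, constructed into a string; the extension allow-list and the first-token path extraction are simplifications chosen for this example.

```python
import ntpath
import re

# Constructed sample: the four entries the helper asked to be fixed, copied
# from the reply above. Nothing is read from a live registry or file system.
SAMPLE_ENTRIES = r"""
O4 - HKLM\..\Run: %systemroot%\system32\dumprep 0 -u
O4 - Global Startup: 3.exe~
O21 - SSODL: vHdaxqUCGS - {CCCC9172-6666-3BD8-53BE-3384AFFC4B8B} - C:\WINDOWS\system32\oimp.dll (file missing)
O21 - SSODL: MSN Messenger - {280A7B65-8F00-438F-3E5A-1F039433FE60} - C:\WINDOWS\system32\dssdll32.dll
"""

# O4: "<location>: [optional name] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<location>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<command>.+)$"
)
# O21: "SSODL: <display name> - {CLSID} - <dll path> [(file missing)]"
O21_RE = re.compile(
    r"^O21 - SSODL: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Extensions we expect on a startup executable or shell-service DLL. An
# assumption for this example, not a HijackThis rule; an empty extension is
# left alone because Run values often omit ".exe" (dumprep above is one).
EXPECTED_EXTENSIONS = {".exe", ".dll", ".com", ".scr", ".bat", ".cmd", ".lnk"}


def executable_from_command(command):
    """First token of a command line (quoted path or up to the first space)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def flag_record(rec):
    """Objective flags derivable from the log line itself."""
    flags = []
    if rec.get("missing"):
        flags.append("file missing")
    ext = ntpath.splitext(rec["file"])[1].lower()
    if ext and ext not in EXPECTED_EXTENSIONS:
        flags.append(f"unusual extension '{ext}'")
    return flags


def parse_hjt_line(line):
    """Turn one O4 or O21 line into a dict, or return None for other lines."""
    m = O4_RE.match(line)
    if m:
        rec = {
            "type": "O4",
            "location": m.group("location"),
            "name": m.group("name"),
            "file": executable_from_command(m.group("command")),
            "missing": False,
        }
        rec["flags"] = flag_record(rec)
        return rec
    m = O21_RE.match(line)
    if m:
        rec = {
            "type": "O21",
            "name": m.group("name"),
            "clsid": m.group("clsid"),
            "file": m.group("path"),
            "missing": m.group("missing") is not None,
        }
        rec["flags"] = flag_record(rec)
        return rec
    return None


def triage(text):
    """Parse every O4/O21 line in a HijackThis log excerpt."""
    records = []
    for line in text.splitlines():
        rec = parse_hjt_line(line.strip())
        if rec:
            records.append(rec)
    return records


if __name__ == "__main__":
    for rec in triage(SAMPLE_ENTRIES):
        marker = " <-- " + "; ".join(rec["flags"]) if rec["flags"] else ""
        print(f"{rec['type']} {rec['file']}{marker}")
```

Entries with no flag are not thereby clean: the second O21 entry above carries neither flag yet is still on the helper's removal list, because the judgement that a display name like "MSN Messenger" does not belong to a DLL named dssdll32.dll is one the script cannot make. The flags only order the list for the person reading it.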
Angelfire777
2007-09-04, 17:20
Hi meatwad, I'll be leaving tomorrow and I'll be back on Saturday. I have asked another helper to help you through this.

wng_z3r0
2007-09-05, 06:58
Hi meatwad,

I'll help you until Angelfire gets back.
Please run the previous steps that Angelfire requested.

Are you still unable to open regedit, notepad etc?

wng

wng_z3r0
2007-09-07, 23:00
Meatwad, Angelfire has returned and will continue to assist you with your computer.

wng

Angelfire777
2007-09-09, 14:34
meatwad, you still there?

Angelfire777
2007-09-13, 17:08
Due to inactivity this thread is now closed.

If you wish to reopen this thread, please send me or a moderator a private message (pm). Please include a link to this topic.

This only applies to the original topic starter. Everyone, please start a new topic.