Welcome to MalwareRemoval.com

Infection help

Post by mhgy17 » September 7th, 2009, 11:21 am

Hi, all. First, thank you for everything you do. I've come to this site a couple of times in the past and your advice has been incredibly helpful. I really appreciate it.

Basically, I am having trouble with many malware/virus problems, ranging from Google redirects to my Internet Explorer running on its own and going to websites while hidden, causing more viruses to appear, as well as advertisement sounds that I'm guessing are on the malicious web pages. This occurs even while offline: I get spammed constantly with notifications that an unknown program is calling xxxxxxx.com and asking me which internet connection to connect to. The problem, however, is that after reviewing and attempting the suggestions in the Forum Guidelines over and over, I have no way to get any logs to post here for help.
It seems to not only be limited to HJT, GMER and DDS either. I have noticed that many anti-virus programs I tried before coming here, such as Malwarebytes, SuperAntispyware and TrendMicro, will not run either. This has also affected all Microsoft programs, since I can no longer install Windows updates either. There are about 15 Windows updates that I downloaded (including SP3), and upon installation they simply disappear and nothing happens. Safe Mode also no longer works: I thought it might work if I tried these programs while in Safe Mode, but when I try to boot up it immediately reboots my computer and notifies me that it has shut down unexpectedly.

I am desperately attempting to get some logs up so I may get some help, but no matter what I do I can't seem to get anything to work. Please don't lock my thread because I have no log; I don't know what else to do, since I have now read everything but I still can't produce any logs for the thread.

Thanks
mhgy17
Active Member
 
Posts: 13
Joined: September 7th, 2009, 10:59 am

Re: Infection help

Post by km2357 » September 10th, 2009, 2:29 pm

Hello and welcome to Malware Removal.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying, the forum is very busy.

Do you still need help? Are you able to run HJT, DDS, or GMER? If you can, please run these programs and post their logs in your next post/reply.
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Infection help

Post by mhgy17 » September 13th, 2009, 12:43 pm

Thanks for the reply. I read your post and tried to use HJT, DDS, and GMER from this working computer via memory stick, but my infected computer will not recognize any drives. All my drives are listed, but they will not run when prompted. I tried this with normal logon, and with all different combinations of safe mode. So I can't supply you with any logs at this time.
When the computer boots and loads in normal mode, my desktop has an "Active Desktop Recovery" notice superimposed on my wallpaper.
Also, many error messages pop up. They are:
c\docume~1\robert~\locals~1\temp\winlogon.exe
c:\windows\system32\braviax.exe
c:\windows\system32\dumprep.exe
c:\windows\system32\nurofuyi.dll
c:\system32\rundll32.exe
c:\windows\system32\popiwoba.dll
c:\windows\pchealth\helpctr\binaries\msconfig.exe

Sometimes I can click "OK" and they go away, but most times the computer freezes, and nothing responds.

I can click on the "start" button when the error messages are visible, but once I click on a drive or program, the hour glass appears for few seconds, then nothing responds and I have to reboot. Sometimes when I click on a program or drive, I get an error message relating to whatever it was I clicked on.

These error messages don't appear in safe mode, but when safe mode loads, the computer hangs and nothing happens.

I noticed two new programs listed in the "all programs" folder: Windows Police Pro, AntivirusPro_2010

I tried regedit in Safe Mode with command prompt, but the "registry editing has been disabled by your administrator" message comes up.

The infected computer does not currently have internet access, although last week when this started, it did. At that time, I was able to access the internet, but any sort of download attempt would freeze the computer.
mhgy17
Active Member
 
Posts: 13
Joined: September 7th, 2009, 10:59 am

Re: Infection help

Post by km2357 » September 13th, 2009, 4:08 pm

If your internet connection is still down, you'll need to download the following file from a clean computer and transfer it to your infected computer's Desktop, if possible.

Step # 1 Download and Run exeHelper

  • Please download exeHelper to your desktop.
  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up; press any key to close once the fix is completed.
  • Post the contents of log.txt (it will be created in the directory where you ran exeHelper.com).
  • Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log, and post the two logs together (they will both be in the one file).

Try running DDS and GMER after exeHelper has run.

Post the exeHelper log, DDS and GMER Logs (if you get them) in your next post/reply
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Infection help

Post by mhgy17 » September 13th, 2009, 4:49 pm

OK. I got exeHelper to run, but GMER and DDS would not. Both of those programs have been extracted/saved to the desktop, but nothing happens when asked.
I have two options with GMER: OPEN or Run as... When I click OPEN, nothing happens. When I click Run as..., I get a window with "Which user account do you want to use to run this program?" The bullet box "Current User" is checked. Another bullet box is checked: "Protect my computer and data from unauthorized program activity".
I click OK, but nothing happens either.
When I click OPEN for the DDS program, the computer freezes.
The exeHelper log follows:

exeHelper by Raktor - 09
Build 20090911
Run at 16:25:42 on 09/13/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Killed process desote.exe
Killed process desote.exe
Killed process desote.exe
Killed process desote.exe
Killed process desote.exe
Checking for bad files...
Found file C:\WINDOWS\system32\desote.exe
Deleted file C:\WINDOWS\system32\desote.exe
Found file C:\WINDOWS\svchasts.exe
Deleted file C:\WINDOWS\svchasts.exe
Found file C:\Program Files\Windows Police Pro\Windows Police Pro.exe
Deleted file C:\Program Files\Windows Police Pro\Windows Police Pro.exe
Found file C:\WINDOWS\system32\dddesot.dll
Deleted file C:\WINDOWS\system32\dddesot.dll
Found file C:\WINDOWS\system32\braviax.exe
Deleted file C:\WINDOWS\system32\braviax.exe
Found file C:\WINDOWS\braviax.exe
Deleted file C:\WINDOWS\braviax.exe
Found file C:\WINDOWS\ppp3.dat
Deleted file C:\WINDOWS\ppp3.dat
Found file C:\WINDOWS\ppp4.dat
Deleted file C:\WINDOWS\ppp4.dat
Found file C:\WINDOWS\system32\cru629.dat
Deleted file C:\WINDOWS\system32\cru629.dat
Found file C:\WINDOWS\cru629.dat
Deleted file C:\WINDOWS\cru629.dat
Found file C:\Program Files\protection system\psystem.exe
Deleted file C:\Program Files\protection system\psystem.exe
Resetting filetype association for .exe
Resetting filetype association for .com
Finished.
exeHelper by Raktor - 09
Build 20090911
Run at 16:32:01 on 09/13/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Found file C:\WINDOWS\system32\cru629.dat
Deleted file C:\WINDOWS\system32\cru629.dat
Resetting filetype association for .exe
Resetting filetype association for .com
Finished.
mhgy17
Active Member
 
Posts: 13
Joined: September 7th, 2009, 10:59 am

Re: Infection help

Post by km2357 » September 14th, 2009, 1:25 am

You mention in your first post about downloading SP3 and it failing to install. What level of Service Pack do you currently have installed on your computer?

It looks like exeHelper cleared out a lot of bad stuff. :)

Let's try different scanners than DDS and GMER and see if they run.

Step # 1 Download and Run RSIT

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Step # 2 Download and run RootRepeal

We need to check for rootkits with RootRepeal.
  1. Download RootRepeal from the following location and save it to your desktop.
  2. Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  3. Open RootRepeal.exe on your desktop.
  4. Click the [image] tab.
  5. Click the [image] button.
  6. Check all seven boxes: [image]
  7. Push Ok.
  8. Check the box for your main system drive (usually C:), and press Ok.
  9. Allow RootRepeal to run a scan of your system. This may take some time.
  10. Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

In your next post/reply, I need to see the following:

1. The two RSIT Logs (log and info.txt)
2. The RootRepeal Log
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California
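To triage a RootRepeal report of the kind asked for above on a clean machine, here is an added Python example; it is not part of the thread, of RootRepeal, or of the forum's own tools. It parses the report layout that appears later in this thread (a banner per scan, a section title above a dashed rule, then blank-line-separated records of "Key: value" pairs) and pulls out what a helper looks at first: files invisible to the Windows API, hidden modules under Stealth Objects, core system binary names such as winlogon.exe running outside system32 or from a Temp folder, SSDT entries that are hooked, and driver images loaded from an alternate data stream. The embedded sample report is constructed for the example with invented UACexample* and example.sys names; SAMPLE_REPORT, parse_report and triage are the example's own names, not RootRepeal's.

```python
"""Triage a RootRepeal report: added example, not RootRepeal's or the forum's own code."""
import re

BANNER = "ROOTREPEAL (c) AD, 2007-2009"
KEYS = sorted(["Function Name", "File Visible", "Image Path", "Process", "Address", "Object",
               "Status", "Signed", "Name", "Path", "Size", "PID", "#"], key=len, reverse=True)
KEY_ALT = "|".join(re.escape(k) for k in KEYS)  # longest first: "Function Name" before "Name"
# "Key: value" pairs: a key glued to a word, "(" or "[" is part of a value, and a value
# runs to the next " Key: " or end of line, so "C:\..." and "(PID: 928)" stay whole.
PAIR_RE = re.compile(rf"(?<![\w(\[])({KEY_ALT}): (.*?)(?=\s(?:{KEY_ALT}): |$)")

EXPECTED_LOCKED = {"hiberfil.sys", "pagefile.sys"}  # Windows always holds these open
SYSTEM_NAMES = {"winlogon.exe", "smss.exe", "csrss.exe", "services.exe", "lsass.exe"}
SYSTEM32 = "c:\\windows\\system32\\"  # the only legitimate home of SYSTEM_NAMES

# Constructed sample in the thread's report layout (scan metadata lines omitted);
# UACexample*/example.sys are invented, the win32k.sys:1 entry mirrors the thread.
SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2009
Drivers
-------------------
Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1

ROOTREPEAL (c) AD, 2007-2009
Hidden/Locked Files
-------------------
Path: C:\pagefile.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\UACexample1.dll
Status: Invisible to the Windows API!

ROOTREPEAL (c) AD, 2007-2009
Stealth Objects
-------------------
Object: Hidden Module [Name: UACexample2.dll]
Process: svchost.exe (PID: 928) Address: 0x00750000 Size: 65536

ROOTREPEAL (c) AD, 2007-2009
Processes
-------------------
Path: C:\DOCUME~1\USER~1\LOCALS~1\Temp\winlogon.exe
PID: 372 Status: -

ROOTREPEAL (c) AD, 2007-2009
SSDT
-------------------
#: 000 Function Name: NtAcceptConnectPort
Status: Not hooked

#: 041 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\drivers\example.sys" at address 0x12345678
"""

def parse_report(text):
    """Return [(section_title, [record_dict, ...]), ...], one entry per scan section."""
    sections = []
    for chunk in text.split(BANNER)[1:]:
        lines = chunk.splitlines()
        rule = next((i for i, l in enumerate(lines) if l.startswith("-----")), 0)
        if rule == 0:
            continue
        records, current = [], {}
        for line in lines[rule + 1:] + [""]:  # trailing "" flushes the last record
            line = line.strip()
            if line:
                current.update(PAIR_RE.findall(line))
            elif current:
                records.append(current)
                current = {}
        sections.append((lines[rule - 1].strip(), records))
    return sections

def triage(text):
    """Return (severity, kind, detail) findings that deserve a human look."""
    findings = []
    for title, records in parse_report(text):
        for rec in records:
            status, path = rec.get("Status", ""), rec.get("Path", "")
            base = path.rsplit("\\", 1)[-1].lower()
            if title == "Drivers" and rec.get("Image Path", "").count(":") > 1:
                # a second colon ("file.sys:1") means an alternate data stream
                findings.append(("REVIEW", "driver image in an alternate data stream", rec["Image Path"]))
            elif title == "Hidden/Locked Files" and status.startswith("Invisible"):
                findings.append(("HIGH", "file hidden from the Windows API", path))
            elif title == "Hidden/Locked Files" and status.startswith("Locked") and base not in EXPECTED_LOCKED:
                findings.append(("INFO", "locked file", path))
            elif title == "Stealth Objects":
                findings.append(("HIGH", "stealth object", f"{rec.get('Object')} in {rec.get('Process')}"))
            elif title == "Processes" and base in SYSTEM_NAMES and not path.lower().startswith(SYSTEM32):
                findings.append(("HIGH", "system binary name outside system32", path))
            elif title == "Processes" and "\\temp\\" in path.lower():
                findings.append(("HIGH", "process running from a Temp folder", path))
            elif title == "SSDT" and status != "Not hooked":
                findings.append(("REVIEW", "SSDT hook: confirm your security software owns it", f"{rec.get('Function Name')}: {status}"))
    return findings

if __name__ == "__main__":
    print(*(f"[{s}] {k}: {d}" for s, k, d in triage(SAMPLE_REPORT)), sep="\n")
```

Two caveats are built into the code rather than left to the reader: hiberfil.sys and pagefile.sys are always held open by Windows, so "Locked to the Windows API!" on them is expected and is not reported, while any other locked file is listed as INFO; and an SSDT hook is reported as REVIEW rather than HIGH, because security software also hooks those entries, so the owning driver has to be identified before drawing a conclusion. To run it on a real report, read the saved RootRepeal.txt into a string and pass it to triage() in place of SAMPLE_REPORT.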

Re: Infection help

Post by mhgy17 » September 14th, 2009, 9:28 am

I am running Windows XP Professional with SP3.

I could not get RSIT to run. I downloaded to memory stick, then transferred to infected computer. I tried to run RSIT from the memory stick and from the infected computer desktop. Both times I got the message "RSIT.exe is not a valid Win32 application".

I did the same thing with RootRepeal. When I tried to run from the memory stick, I got the message "Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access the item".
I was able to run it from the desktop. At first the scan would run for a few seconds, then freeze the computer. I then scanned each box separately and realized the program froze during the Files scan. I stopped the Files scan near the point of the hold-up, so the Files scan is incomplete.

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/14 08:18
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xB9F79000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -

Name: ADIHdAud.sys
Image Path: C:\WINDOWS\system32\drivers\ADIHdAud.sys
Address: 0xA8CC9000 Size: 356352 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xA8AA6000 Size: 138496 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xB9F0B000 Size: 96512 File Visible: - Signed: -
Status: -

Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xBA775000 Size: 3072 File Visible: - Signed: -
Status: -

Name: avgio.sys
Image Path: C:\Program Files\Avira\AntiVir Desktop\avgio.sys
Address: 0xBA5D4000 Size: 6144 File Visible: - Signed: -
Status: -

Name: avgntflt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\avgntflt.sys
Address: 0xA885E000 Size: 81920 File Visible: - Signed: -
Status: -

Name: avipbb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\avipbb.sys
Address: 0xA89CA000 Size: 114688 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xBA2C8000 Size: 45056 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xBA4B8000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xBA318000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xBA208000 Size: 62976 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xBA0E8000 Size: 53248 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xBA0D8000 Size: 36352 File Visible: - Signed: -
Status: -

Name: dmio.sys
Image Path: dmio.sys
Address: 0xB9F23000 Size: 153344 File Visible: - Signed: -
Status: -

Name: dmload.sys
Image Path: dmload.sys
Address: 0xBA5AC000 Size: 5888 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xBA298000 Size: 61440 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA898A000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5D8000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xB9D9C000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF000000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xBA716000 Size: 4096 File Visible: - Signed: -
Status: -

Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xA7E2C000 Size: 143744 File Visible: - Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xBA2E8000 Size: 44544 File Visible: - Signed: -
Status: -

Name: fltMgr.sys
Image Path: fltMgr.sys
Address: 0xB9EEB000 Size: 129792 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xBA5C4000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xB9F49000 Size: 125056 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806E4000 Size: 134528 File Visible: - Signed: -
Status: -

Name: HDAudBus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Address: 0xB9789000 Size: 163840 File Visible: - Signed: -
Status: -

Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xBA308000 Size: 36864 File Visible: - Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xBA420000 Size: 28672 File Visible: - Signed: -
Status: -

Name: hidusb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xA8CC5000 Size: 10368 File Visible: - Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xA7F68000 Size: 264832 File Visible: - Signed: -
Status: -

Name: i2omgmt.SYS
Image Path: C:\WINDOWS\System32\Drivers\i2omgmt.SYS
Address: 0xBA54C000 Size: 8576 File Visible: - Signed: -
Status: -

Name: igxpdv32.DLL
Image Path: C:\WINDOWS\System32\igxpdv32.DLL
Address: 0xBF04F000 Size: 2146304 File Visible: - Signed: -
Status: -

Name: igxpdx32.DLL
Image Path: C:\WINDOWS\System32\igxpdx32.DLL
Address: 0xBF25B000 Size: 3174400 File Visible: - Signed: -
Status: -

Name: igxpgd32.dll
Image Path: C:\WINDOWS\System32\igxpgd32.dll
Address: 0xBF024000 Size: 176128 File Visible: - Signed: -
Status: -

Name: igxpmp32.sys
Image Path: C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
Address: 0xB97C5000 Size: 6021184 File Visible: - Signed: -
Status: -

Name: igxprd32.dll
Image Path: C:\WINDOWS\System32\igxprd32.dll
Address: 0xBF012000 Size: 73728 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xBA1F8000 Size: 42112 File Visible: - Signed: -
Status: -

Name: intelppm.sys
Image Path: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Address: 0xBA1D8000 Size: 36352 File Visible: - Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xA8AC8000 Size: 152832 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xA8B97000 Size: 75264 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xBA0A8000 Size: 37248 File Visible: - Signed: -
Status: -

Name: k57xp32.sys
Image Path: C:\WINDOWS\system32\DRIVERS\k57xp32.sys
Address: 0xB975A000 Size: 192512 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xBA3C8000 Size: 24576 File Visible: - Signed: -
Status: -

Name: kbdhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Address: 0xA8CB9000 Size: 14592 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xBA5A8000 Size: 8192 File Visible: - Signed: -
Status: -

Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xA7C1E000 Size: 172416 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xB96FF000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xB9EB1000 Size: 92928 File Visible: - Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xBA5C8000 Size: 4224 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xBA3D0000 Size: 23040 File Visible: - Signed: -
Status: -

Name: mouhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Address: 0xA8CB1000 Size: 12160 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xBA0B8000 Size: 42368 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xA89E6000 Size: 455296 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xBA438000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xBA258000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xBA588000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xB9DDD000 Size: 105344 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xB9DF7000 Size: 182656 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xBA564000 Size: 10112 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xB96E8000 Size: 91520 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xBA288000 Size: 40576 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xBA2D8000 Size: 34688 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xA8AEE000 Size: 162816 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xBA448000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xB9E24000 Size: 574976 File Visible: - Signed: -
Status: -

Name: ntkrnlpa.exe
Image Path: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xBA7CC000 Size: 2944 File Visible: - Signed: -
Status: -

Name: parport.sys
Image Path: C:\WINDOWS\system32\DRIVERS\parport.sys
Address: 0xB9722000 Size: 80128 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xBA330000 Size: 19712 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xB9F68000 Size: 68224 File Visible: - Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xBA670000 Size: 3328 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xBA328000 Size: 28672 File Visible: - Signed: -
Status: -

Name: PCTCore.sys
Image Path: PCTCore.sys
Address: 0xB9EC8000 Size: 143360 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xA8C7D000 Size: 147456 File Visible: - Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xB96D7000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xBA3A8000 Size: 17792 File Visible: - Signed: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xBA0F8000 Size: 36320 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xBA560000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xBA228000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xBA238000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xBA248000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xBA3B8000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xA8A56000 Size: 175744 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xBA5CC000 Size: 4224 File Visible: - Signed: -
Status: -

Name: rdpdr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Address: 0xB96A7000 Size: 196224 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xBA218000 Size: 57600 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA7E60000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SASDIFSV.SYS
Image Path: C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
Address: 0xBA468000 Size: 24576 File Visible: - Signed: -
Status: -

Name: SASKUTIL.sys
Image Path: C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
Address: 0xA8A81000 Size: 151552 File Visible: - Signed: -
Status: -

Name: serenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serenum.sys
Address: 0xBA554000 Size: 15744 File Visible: - Signed: -
Status: -

Name: serial.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys
Address: 0xBA1E8000 Size: 64512 File Visible: - Signed: -
Status: -

Name: sfaudio.sys
Image Path: sfaudio.sys
Address: 0xBA108000 Size: 45056 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xA80E9000 Size: 333952 File Visible: - Signed: -
Status: -

Name: ssmdrv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
Address: 0xBA460000 Size: 23040 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xBA5B8000 Size: 4352 File Visible: - Signed: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xA8696000 Size: 60800 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xA8B3E000 Size: 361600 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xBA398000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xBA268000 Size: 40704 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xB9621000 Size: 384768 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xBA5C0000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xBA370000 Size: 30208 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xBA2B8000 Size: 59520 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xB9736000 Size: 147456 File Visible: - Signed: -
Status: -

Name: USBSTOR.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Address: 0xBA340000 Size: 26368 File Visible: - Signed: -
Status: -

Name: usbuhci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Address: 0xBA368000 Size: 20608 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xBA428000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xB97B1000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xBA0C8000 Size: 52352 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xBA128000 Size: 34560 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xBA4A0000 Size: 20480 File Visible: - Signed: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xA8551000 Size: 83072 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1851392 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1851392 File Visible: - Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xBA470000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xA8BDD000 Size: 61440 File Visible: No Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xBA5AA000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/14 08:30
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\pagefile.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\eventlog.dll
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACovmrvyvmei.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACpdxcdqloyl.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACvbfamdxnpy.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACvoybnejkcb.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACyxtlgwwyed.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uac3a54.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC679e.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uac6a1e.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC7a50.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uac86fd.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC8a4e.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uac8ac5.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC8b86.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uac8e11.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC9153.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uac962f.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC9867.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uac9ab4.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\Perflib_Perfdata_6c0.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\WINDOWS\Temp\UACa6fe.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACb14e.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACb37c.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACbb80.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACbc1c.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACbc5a.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uaccc85.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uacce3b.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uacd148.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uacd2a9.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uacd455.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACd512.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uacd7b0.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACed8c.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACf8c6.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uacfdc.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC9e62.tmp
Status: Invisible to the Windows API!

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/14 08:23
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Stealth Objects
-------------------
Object: Hidden Module [Name: UACvoybnejkcb.dll]
Process: svchost.exe (PID: 928) Address: 0x00750000 Size: 65536

Object: Hidden Module [Name: UACyxtlgwwyed.dll]
Process: svchost.exe (PID: 928) Address: 0x10000000 Size: 217088

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/14 08:21
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Processes
-------------------
Path: System
PID: 4 Status: -

Path: C:\WINDOWS\system32\braviax.exe
PID: 332 Status: -

Path: C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\winlogon.exe
PID: 372 Status: -

Path: C:\WINDOWS\system32\smss.exe
PID: 408 Status: -

Path: C:\WINDOWS\system32\csrss.exe
PID: 640 Status: -

Path: C:\WINDOWS\system32\winlogon.exe
PID: 664 Status: -

Path: C:\WINDOWS\system32\services.exe
PID: 708 Status: -

Path: C:\WINDOWS\system32\lsass.exe
PID: 720 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 928 Status: -

Path: C:\WINDOWS\system32\rundll32.exe
PID: 976 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1040 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1116 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1136 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1196 Status: -

Path: C:\WINDOWS\system32\spoolsv.exe
PID: 1256 Status: -

Path: C:\Program Files\Avira\AntiVir Desktop\sched.exe
PID: 1320 Status: -

Path: C:\WINDOWS\explorer.exe
PID: 1580 Status: -

Path: C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PID: 1628 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1660 Status: -

Path: C:\Program Files\Java\jre6\bin\jqs.exe
PID: 1700 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1748 Status: -

Path: C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
PID: 1768 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1804 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1840 Status: -

Path: E:\RootRepeal.exe
PID: 3828 Status: -

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/14 08:22
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

SSDT
-------------------
#: 000 Function Name: NtAcceptConnectPort
Status: Not hooked

#: 001 Function Name: NtAccessCheck
Status: Not hooked

#: 002 Function Name: NtAccessCheckAndAuditAlarm
Status: Not hooked

#: 003 Function Name: NtAccessCheckByType
Status: Not hooked

#: 004 Function Name: NtAccessCheckByTypeAndAuditAlarm
Status: Not hooked

#: 005 Function Name: NtAccessCheckByTypeResultList
Status: Not hooked

#: 006 Function Name: NtAccessCheckByTypeResultListAndAuditAlarm
Status: Not hooked

#: 007 Function Name: NtAccessCheckByTypeResultListAndAuditAlarmByHandle
Status: Not hooked

#: 008 Function Name: NtAddAtom
Status: Not hooked

#: 009 Function Name: NtAddBootEntry
Status: Not hooked

#: 010 Function Name: NtAdjustGroupsToken
Status: Not hooked

#: 011 Function Name: NtAdjustPrivilegesToken
Status: Not hooked

#: 012 Function Name: NtAlertResumeThread
Status: Not hooked

#: 013 Function Name: NtAlertThread
Status: Not hooked

#: 014 Function Name: NtAllocateLocallyUniqueId
Status: Not hooked

#: 015 Function Name: NtAllocateUserPhysicalPages
Status: Not hooked

#: 016 Function Name: NtAllocateUuids
Status: Not hooked

#: 017 Function Name: NtAllocateVirtualMemory
Status: Not hooked

#: 018 Function Name: NtAreMappedFilesTheSame
Status: Not hooked

#: 019 Function Name: NtAssignProcessToJobObject
Status: Not hooked

#: 020 Function Name: NtCallbackReturn
Status: Not hooked

#: 021 Function Name: NtCancelDeviceWakeupRequest
Status: Not hooked

#: 022 Function Name: NtCancelIoFile
Status: Not hooked

#: 023 Function Name: NtCancelTimer
Status: Not hooked

#: 024 Function Name: NtClearEvent
Status: Not hooked

#: 025 Function Name: NtClose
Status: Not hooked

#: 026 Function Name: NtCloseObjectAuditAlarm
Status: Not hooked

#: 027 Function Name: NtCompactKeys
Status: Not hooked

#: 028 Function Name: NtCompareTokens
Status: Not hooked

#: 029 Function Name: NtCompleteConnectPort
Status: Not hooked

#: 030 Function Name: NtCompressKey
Status: Not hooked

#: 031 Function Name: NtConnectPort
Status: Not hooked

#: 032 Function Name: NtContinue
Status: Not hooked

#: 033 Function Name: NtCreateDebugObject
Status: Not hooked

#: 034 Function Name: NtCreateDirectoryObject
Status: Not hooked

#: 035 Function Name: NtCreateEvent
Status: Not hooked

#: 036 Function Name: NtCreateEventPair
Status: Not hooked

#: 037 Function Name: NtCreateFile
Status: Not hooked

#: 038 Function Name: NtCreateIoCompletion
Status: Not hooked

#: 039 Function Name: NtCreateJobObject
Status: Not hooked

#: 040 Function Name: NtCreateJobSet
Status: Not hooked

#: 041 Function Name: NtCreateKey
Status: Not hooked

#: 042 Function Name: NtCreateMailslotFile
Status: Not hooked

#: 043 Function Name: NtCreateMutant
Status: Not hooked

#: 044 Function Name: NtCreateNamedPipeFile
Status: Not hooked

#: 045 Function Name: NtCreatePagingFile
Status: Not hooked

#: 046 Function Name: NtCreatePort
Status: Not hooked

#: 047 Function Name: NtCreateProcess
Status: Not hooked

#: 048 Function Name: NtCreateProcessEx
Status: Not hooked

#: 049 Function Name: NtCreateProfile
Status: Not hooked

#: 050 Function Name: NtCreateSection
Status: Not hooked

#: 051 Function Name: NtCreateSemaphore
Status: Not hooked

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Not hooked

#: 053 Function Name: NtCreateThread
Status: Not hooked

#: 054 Function Name: NtCreateTimer
Status: Not hooked

#: 055 Function Name: NtCreateToken
Status: Not hooked

#: 056 Function Name: NtCreateWaitablePort
Status: Not hooked

#: 057 Function Name: NtDebugActiveProcess
Status: Not hooked

#: 058 Function Name: NtDebugContinue
Status: Not hooked

#: 059 Function Name: NtDelayExecution
Status: Not hooked

#: 060 Function Name: NtDeleteAtom
Status: Not hooked

#: 061 Function Name: NtDeleteBootEntry
Status: Not hooked

#: 062 Function Name: NtDeleteFile
Status: Not hooked

#: 063 Function Name: NtDeleteKey
Status: Not hooked

#: 064 Function Name: NtDeleteObjectAuditAlarm
Status: Not hooked

#: 065 Function Name: NtDeleteValueKey
Status: Not hooked

#: 066 Function Name: NtDeviceIoControlFile
Status: Not hooked

#: 067 Function Name: NtDisplayString
Status: Not hooked

#: 068 Function Name: NtDuplicateObject
Status: Not hooked

#: 069 Function Name: NtDuplicateToken
Status: Not hooked

#: 070 Function Name: NtEnumerateBootEntries
Status: Not hooked

#: 071 Function Name: NtEnumerateKey
Status: Not hooked

#: 072 Function Name: NtEnumerateSystemEnvironmentValuesEx
Status: Not hooked

#: 073 Function Name: NtEnumerateValueKey
Status: Not hooked

#: 074 Function Name: NtExtendSection
Status: Not hooked

#: 075 Function Name: NtFilterToken
Status: Not hooked

#: 076 Function Name: NtFindAtom
Status: Not hooked

#: 077 Function Name: NtFlushBuffersFile
Status: Not hooked

#: 078 Function Name: NtFlushInstructionCache
Status: Not hooked

#: 079 Function Name: NtFlushKey
Status: Not hooked

#: 080 Function Name: NtFlushVirtualMemory
Status: Not hooked

#: 081 Function Name: NtFlushWriteBuffer
Status: Not hooked

#: 082 Function Name: NtFreeUserPhysicalPages
Status: Not hooked

#: 083 Function Name: NtFreeVirtualMemory
Status: Not hooked

#: 084 Function Name: NtFsControlFile
Status: Not hooked

#: 085 Function Name: NtGetContextThread
Status: Not hooked

#: 086 Function Name: NtGetDevicePowerState
Status: Not hooked

#: 087 Function Name: NtGetPlugPlayEvent
Status: Not hooked

#: 088 Function Name: NtGetWriteWatch
Status: Not hooked

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Not hooked

#: 090 Function Name: NtImpersonateClientOfPort
Status: Not hooked

#: 091 Function Name: NtImpersonateThread
Status: Not hooked

#: 092 Function Name: NtInitializeRegistry
Status: Not hooked

#: 093 Function Name: NtInitiatePowerAction
Status: Not hooked

#: 094 Function Name: NtIsProcessInJob
Status: Not hooked

#: 095 Function Name: NtIsSystemResumeAutomatic
Status: Not hooked

#: 096 Function Name: NtListenPort
Status: Not hooked

#: 097 Function Name: NtLoadDriver
Status: Not hooked

#: 098 Function Name: NtLoadKey
Status: Not hooked

#: 099 Function Name: NtLoadKey2
Status: Not hooked

#: 100 Function Name: NtLockFile
Status: Not hooked

#: 101 Function Name: NtLockProductActivationKeys
Status: Not hooked

#: 102 Function Name: NtLockRegistryKey
Status: Not hooked

#: 103 Function Name: NtLockVirtualMemory
Status: Not hooked

#: 104 Function Name: NtMakePermanentObject
Status: Not hooked

#: 105 Function Name: NtMakeTemporaryObject
Status: Not hooked

#: 106 Function Name: NtMapUserPhysicalPages
Status: Not hooked

#: 107 Function Name: NtMapUserPhysicalPagesScatter
Status: Not hooked

#: 108 Function Name: NtMapViewOfSection
Status: Not hooked

#: 109 Function Name: NtModifyBootEntry
Status: Not hooked

#: 110 Function Name: NtNotifyChangeDirectoryFile
Status: Not hooked

#: 111 Function Name: NtNotifyChangeKey
Status: Not hooked

#: 112 Function Name: NtNotifyChangeMultipleKeys
Status: Not hooked

#: 113 Function Name: NtOpenDirectoryObject
Status: Not hooked

#: 114 Function Name: NtOpenEvent
Status: Not hooked

#: 115 Function Name: NtOpenEventPair
Status: Not hooked

#: 116 Function Name: NtOpenFile
Status: Not hooked

#: 117 Function Name: NtOpenIoCompletion
Status: Not hooked

#: 118 Function Name: NtOpenJobObject
Status: Not hooked

#: 119 Function Name: NtOpenKey
Status: Not hooked

#: 120 Function Name: NtOpenMutant
Status: Not hooked

#: 121 Function Name: NtOpenObjectAuditAlarm
Status: Not hooked

#: 122 Function Name: NtOpenProcess
Status: Not hooked

#: 123 Function Name: NtOpenProcessToken
Status: Not hooked

#: 124 Function Name: NtOpenProcessTokenEx
Status: Not hooked

#: 125 Function Name: NtOpenSection
Status: Not hooked

#: 126 Function Name: NtOpenSemaphore
Status: Not hooked

#: 127 Function Name: NtOpenSymbolicLinkObject
Status: Not hooked

#: 128 Function Name: NtOpenThread
Status: Not hooked

#: 129 Function Name: NtOpenThreadToken
Status: Not hooked

#: 130 Function Name: NtOpenThreadTokenEx
Status: Not hooked

#: 131 Function Name: NtOpenTimer
Status: Not hooked

#: 132 Function Name: NtPlugPlayControl
Status: Not hooked

#: 133 Function Name: NtPowerInformation
Status: Not hooked

#: 134 Function Name: NtPrivilegeCheck
Status: Not hooked

#: 135 Function Name: NtPrivilegeObjectAuditAlarm
Status: Not hooked

#: 136 Function Name: NtPrivilegedServiceAuditAlarm
Status: Not hooked

#: 137 Function Name: NtProtectVirtualMemory
Status: Not hooked

#: 138 Function Name: NtPulseEvent
Status: Not hooked

#: 139 Function Name: NtQueryAttributesFile
Status: Not hooked

#: 140 Function Name: NtQueryBootEntryOrder
Status: Not hooked

#: 141 Function Name: NtQueryBootOptions
Status: Not hooked

#: 142 Function Name: NtQueryDebugFilterState
Status: Not hooked

#: 143 Function Name: NtQueryDefaultLocale
Status: Not hooked

#: 144 Function Name: NtQueryDefaultUILanguage
Status: Not hooked

#: 145 Function Name: NtQueryDirectoryFile
Status: Not hooked

#: 146 Function Name: NtQueryDirectoryObject
Status: Not hooked

#: 147 Function Name: NtQueryEaFile
Status: Not hooked

#: 148 Function Name: NtQueryEvent
Status: Not hooked

#: 149 Function Name: NtQueryFullAttributesFile
Status: Not hooked

#: 150 Function Name: NtQueryInformationAtom
Status: Not hooked

#: 151 Function Name: NtQueryInformationFile
Status: Not hooked

#: 152 Function Name: NtQueryInformationJobObject
Status: Not hooked

#: 153 Function Name: NtQueryInformationPort
Status: Not hooked

#: 154 Function Name: NtQueryInformationProcess
Status: Not hooked

#: 155 Function Name: NtQueryInformationThread
Status: Not hooked

#: 156 Function Name: NtQueryInformationToken
Status: Not hooked

#: 157 Function Name: NtQueryInstallUILanguage
Status: Not hooked

#: 158 Function Name: NtQueryIntervalProfile
Status: Not hooked

#: 159 Function Name: NtQueryIoCompletion
Status: Not hooked

#: 160 Function Name: NtQueryKey
Status: Not hooked

#: 161 Function Name: NtQueryMultipleValueKey
Status: Not hooked

#: 162 Function Name: NtQueryMutant
Status: Not hooked

#: 163 Function Name: NtQueryObject
Status: Not hooked

#: 164 Function Name: NtQueryOpenSubKeys
Status: Not hooked

#: 165 Function Name: NtQueryPerformanceCounter
Status: Not hooked

#: 166 Function Name: NtQueryQuotaInformationFile
Status: Not hooked

#: 167 Function Name: NtQuerySection
Status: Not hooked

#: 168 Function Name: NtQuerySecurityObject
Status: Not hooked

#: 169 Function Name: NtQuerySemaphore
Status: Not hooked

#: 170 Function Name: NtQuerySymbolicLinkObject
Status: Not hooked

#: 171 Function Name: NtQuerySystemEnvironmentValue
Status: Not hooked

#: 172 Function Name: NtQuerySystemEnvironmentValueEx
Status: Not hooked

#: 173 Function Name: NtQuerySystemInformation
Status: Not hooked

#: 174 Function Name: NtQuerySystemTime
Status: Not hooked

#: 175 Function Name: NtQueryTimer
Status: Not hooked

#: 176 Function Name: NtQueryTimerResolution
Status: Not hooked

#: 177 Function Name: NtQueryValueKey
Status: Not hooked

#: 178 Function Name: NtQueryVirtualMemory
Status: Not hooked

#: 179 Function Name: NtQueryVolumeInformationFile
Status: Not hooked

#: 180 Function Name: NtQueueApcThread
Status: Not hooked

#: 181 Function Name: NtRaiseException
Status: Not hooked

#: 182 Function Name: NtRaiseHardError
Status: Not hooked

#: 183 Function Name: NtReadFile
Status: Not hooked

#: 184 Function Name: NtReadFileScatter
Status: Not hooked

#: 185 Function Name: NtReadRequestData
Status: Not hooked

#: 186 Function Name: NtReadVirtualMemory
Status: Not hooked

#: 187 Function Name: NtRegisterThreadTerminatePort
Status: Not hooked

#: 188 Function Name: NtReleaseMutant
Status: Not hooked

#: 189 Function Name: NtReleaseSemaphore
Status: Not hooked

#: 190 Function Name: NtRemoveIoCompletion
Status: Not hooked

#: 191 Function Name: NtRemoveProcessDebug
Status: Not hooked

#: 192 Function Name: NtRenameKey
Status: Not hooked

#: 193 Function Name: NtReplaceKey
Status: Not hooked

#: 194 Function Name: NtReplyPort
Status: Not hooked

#: 195 Function Name: NtReplyWaitReceivePort
Status: Not hooked

#: 196 Function Name: NtReplyWaitReceivePortEx
Status: Not hooked

#: 197 Function Name: NtReplyWaitReplyPort
Status: Not hooked

#: 198 Function Name: NtRequestDeviceWakeup
Status: Not hooked

#: 199 Function Name: NtRequestPort
Status: Not hooked

#: 200 Function Name: NtRequestWaitReplyPort
Status: Not hooked

#: 201 Function Name: NtRequestWakeupLatency
Status: Not hooked

#: 202 Function Name: NtResetEvent
Status: Not hooked

#: 203 Function Name: NtResetWriteWatch
Status: Not hooked

#: 204 Function Name: NtRestoreKey
Status: Not hooked

#: 205 Function Name: NtResumeProcess
Status: Not hooked

#: 206 Function Name: NtResumeThread
Status: Not hooked

#: 207 Function Name: NtSaveKey
Status: Not hooked

#: 208 Function Name: NtSaveKeyEx
Status: Not hooked

#: 209 Function Name: NtSaveMergedKeys
Status: Not hooked

#: 210 Function Name: NtSecureConnectPort
Status: Not hooked

#: 211 Function Name: NtSetBootEntryOrder
Status: Not hooked

#: 212 Function Name: NtSetBootOptions
Status: Not hooked

#: 213 Function Name: NtSetContextThread
Status: Not hooked

#: 214 Function Name: NtSetDebugFilterState
Status: Not hooked

#: 215 Function Name: NtSetDefaultHardErrorPort
Status: Not hooked

#: 216 Function Name: NtSetDefaultLocale
Status: Not hooked

#: 217 Function Name: NtSetDefaultUILanguage
Status: Not hooked

#: 218 Function Name: NtSetEaFile
Status: Not hooked

#: 219 Function Name: NtSetEvent
Status: Not hooked

#: 220 Function Name: NtSetEventBoostPriority
Status: Not hooked

#: 221 Function Name: NtSetHighEventPair
Status: Not hooked

#: 222 Function Name: NtSetHighWaitLowEventPair
Status: Not hooked

#: 223 Function Name: NtSetInformationDebugObject
Status: Not hooked

#: 224 Function Name: NtSetInformationFile
Status: Not hooked

#: 225 Function Name: NtSetInformationJobObject
Status: Not hooked

#: 226 Function Name: NtSetInformationKey
Status: Not hooked

#: 227 Function Name: NtSetInformationObject
Status: Not hooked

#: 228 Function Name: NtSetInformationProcess
Status: Not hooked

#: 229 Function Name: NtSetInformationThread
Status: Not hooked

#: 230 Function Name: NtSetInformationToken
Status: Not hooked

#: 231 Function Name: NtSetIntervalProfile
Status: Not hooked

#: 232 Function Name: NtSetIoCompletion
Status: Not hooked

#: 233 Function Name: NtSetLdtEntries
Status: Not hooked

#: 234 Function Name: NtSetLowEventPair
Status: Not hooked

#: 235 Function Name: NtSetLowWaitHighEventPair
Status: Not hooked

#: 236 Function Name: NtSetQuotaInformationFile
Status: Not hooked

#: 237 Function Name: NtSetSecurityObject
Status: Not hooked

#: 238 Function Name: NtSetSystemEnvironmentValue
Status: Not hooked

#: 239 Function Name: NtSetSystemEnvironmentValueEx
Status: Not hooked

#: 240 Function Name: NtSetSystemInformation
Status: Not hooked

#: 241 Function Name: NtSetSystemPowerState
Status: Not hooked

#: 242 Function Name: NtSetSystemTime
Status: Not hooked

#: 243 Function Name: NtSetThreadExecutionState
Status: Not hooked

#: 244 Function Name: NtSetTimer
Status: Not hooked

#: 245 Function Name: NtSetTimerResolution
Status: Not hooked

#: 246 Function Name: NtSetUuidSeed
Status: Not hooked

#: 247 Function Name: NtSetValueKey
Status: Not hooked

#: 248 Function Name: NtSetVolumeInformationFile
Status: Not hooked

#: 249 Function Name: NtShutdownSystem
Status: Not hooked

#: 250 Function Name: NtSignalAndWaitForSingleObject
Status: Not hooked

#: 251 Function Name: NtStartProfile
Status: Not hooked

#: 252 Function Name: NtStopProfile
Status: Not hooked

#: 253 Function Name: NtSuspendProcess
Status: Not hooked

#: 254 Function Name: NtSuspendThread
Status: Not hooked

#: 255 Function Name: NtSystemDebugControl
Status: Not hooked

#: 256 Function Name: NtTerminateJobObject
Status: Not hooked

#: 257 Function Name: NtTerminateProcess
Status: Not hooked

#: 258 Function Name: NtTerminateThread
Status: Not hooked

#: 259 Function Name: NtTestAlert
Status: Not hooked

#: 260 Function Name: NtTraceEvent
Status: Not hooked

#: 261 Function Name: NtTranslateFilePath
Status: Not hooked

#: 262 Function Name: NtUnloadDriver
Status: Not hooked

#: 263 Function Name: NtUnloadKey
Status: Not hooked

#: 264 Function Name: NtUnloadKeyEx
Status: Not hooked

#: 265 Function Name: NtUnlockFile
Status: Not hooked

#: 266 Function Name: NtUnlockVirtualMemory
Status: Not hooked

#: 267 Function Name: NtUnmapViewOfSection
Status: Not hooked

#: 268 Function Name: NtVdmControl
Status: Not hooked

#: 269 Function Name: NtWaitForDebugEvent
Status: Not hooked

#: 270 Function Name: NtWaitForMultipleObjects
Status: Not hooked

#: 271 Function Name: NtWaitForSingleObject
Status: Not hooked

#: 272 Function Name: NtWaitHighEventPair
Status: Not hooked

#: 273 Function Name: NtWaitLowEventPair
Status: Not hooked

#: 274 Function Name: NtWriteFile
Status: Not hooked

#: 275 Function Name: NtWriteFileGather
Status: Not hooked

#: 276 Function Name: NtWriteRequestData
Status: Not hooked

#: 277 Function Name: NtWriteVirtualMemory
Status: Not hooked

#: 278 Function Name: NtYieldExecution
Status: Not hooked

#: 279 Function Name: NtCreateKeyedEvent
Status: Not hooked

#: 280 Function Name: NtOpenKeyedEvent
Status: Not hooked

#: 281 Function Name: NtReleaseKeyedEvent
Status: Not hooked

#: 282 Function Name: NtWaitForKeyedEvent
Status: Not hooked

#: 283 Function Name: NtQueryPortInformationProcess
Status: Not hooked

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/14 08:23
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Shadow SSDT
-------------------
#: 000 Function Name: NtGdiAbortDoc
Status: Not hooked

#: 001 Function Name: NtGdiAbortPath
Status: Not hooked

#: 002 Function Name: NtGdiAddFontResourceW
Status: Not hooked

#: 003 Function Name: NtGdiAddRemoteFontToDC
Status: Not hooked

#: 004 Function Name: NtGdiAddFontMemResourceEx
Status: Not hooked

#: 005 Function Name: NtGdiRemoveMergeFont
Status: Not hooked

#: 006 Function Name: NtGdiAddRemoteMMInstanceToDC
Status: Not hooked

#: 007 Function Name: NtGdiAlphaBlend
Status: Not hooked

#: 008 Function Name: NtGdiAngleArc
Status: Not hooked

#: 009 Function Name: NtGdiAnyLinkedFonts
Status: Not hooked

#: 010 Function Name: NtGdiFontIsLinked
Status: Not hooked

#: 011 Function Name: NtGdiArcInternal
Status: Not hooked

#: 012 Function Name: NtGdiBeginPath
Status: Not hooked

#: 013 Function Name: NtGdiBitBlt
Status: Not hooked

#: 014 Function Name: NtGdiCancelDC
Status: Not hooked

#: 015 Function Name: NtGdiCheckBitmapBits
Status: Not hooked

#: 016 Function Name: NtGdiCloseFigure
Status: Not hooked

#: 017 Function Name: NtGdiClearBitmapAttributes
Status: Not hooked

#: 018 Function Name: NtGdiClearBrushAttributes
Status: Not hooked

#: 019 Function Name: NtGdiColorCorrectPalette
Status: Not hooked

#: 020 Function Name: NtGdiCombineRgn
Status: Not hooked

#: 021 Function Name: NtGdiCombineTransform
Status: Not hooked

#: 022 Function Name: NtGdiComputeXformCoefficients
Status: Not hooked

#: 023 Function Name: NtGdiConsoleTextOut
Status: Not hooked

#: 024 Function Name: NtGdiConvertMetafileRect
Status: Not hooked

#: 025 Function Name: NtGdiCreateBitmap
Status: Not hooked

#: 026 Function Name: NtGdiCreateClientObj
Status: Not hooked

#: 027 Function Name: NtGdiCreateColorSpace
Status: Not hooked

#: 028 Function Name: NtGdiCreateColorTransform
Status: Not hooked

#: 029 Function Name: NtGdiCreateCompatibleBitmap
Status: Not hooked

#: 030 Function Name: NtGdiCreateCompatibleDC
Status: Not hooked

#: 031 Function Name: NtGdiCreateDIBBrush
Status: Not hooked

#: 032 Function Name: NtGdiCreateDIBitmapInternal
Status: Not hooked

#: 033 Function Name: NtGdiCreateDIBSection
Status: Not hooked

#: 034 Function Name: NtGdiCreateEllipticRgn
Status: Not hooked

#: 035 Function Name: NtGdiCreateHalftonePalette
Status: Not hooked

#: 036 Function Name: NtGdiCreateHatchBrushInternal
Status: Not hooked

#: 037 Function Name: NtGdiCreateMetafileDC
Status: Not hooked

#: 038 Function Name: NtGdiCreatePaletteInternal
Status: Not hooked

#: 039 Function Name: NtGdiCreatePatternBrushInternal
Status: Not hooked

#: 040 Function Name: NtGdiCreatePen
Status: Not hooked

#: 041 Function Name: NtGdiCreateRectRgn
Status: Not hooked

#: 042 Function Name: NtGdiCreateRoundRectRgn
Status: Not hooked

#: 043 Function Name: NtGdiCreateServerMetaFile
Status: Not hooked

#: 044 Function Name: NtGdiCreateSolidBrush
Status: Not hooked

#: 045 Function Name: NtGdiD3dContextCreate
Status: Not hooked

#: 046 Function Name: NtGdiD3dContextDestroy
Status: Not hooked

#: 047 Function Name: NtGdiD3dContextDestroyAll
Status: Not hooked

#: 048 Function Name: NtGdiD3dValidateTextureStageState
Status: Not hooked

#: 049 Function Name: NtGdiD3dDrawPrimitives2
Status: Not hooked

#: 050 Function Name: NtGdiDdGetDriverState
Status: Not hooked

#: 051 Function Name: NtGdiDdAddAttachedSurface
Status: Not hooked

#: 052 Function Name: NtGdiDdAlphaBlt
Status: Not hooked

#: 053 Function Name: NtGdiDdAttachSurface
Status: Not hooked

#: 054 Function Name: NtGdiDdBeginMoCompFrame
Status: Not hooked

#: 055 Function Name: NtGdiDdBlt
Status: Not hooked

#: 056 Function Name: NtGdiDdCanCreateSurface
Status: Not hooked

#: 057 Function Name: NtGdiDdCanCreateD3DBuffer
Status: Not hooked

#: 058 Function Name: NtGdiDdColorControl
Status: Not hooked

#: 059 Function Name: NtGdiDdCreateDirectDrawObject
Status: Not hooked

#: 060 Function Name: NtGdiDdCreateSurface
Status: Not hooked

#: 061 Function Name: NtGdiDdCreateD3DBuffer
Status: Not hooked

#: 062 Function Name: NtGdiDdCreateMoComp
Status: Not hooked

#: 063 Function Name: NtGdiDdCreateSurfaceObject
Status: Not hooked

#: 064 Function Name: NtGdiDdDeleteDirectDrawObject
Status: Not hooked

#: 065 Function Name: NtGdiDdDeleteSurfaceObject
Status: Not hooked

#: 066 Function Name: NtGdiDdDestroyMoComp
Status: Not hooked

#: 067 Function Name: NtGdiDdDestroySurface
Status: Not hooked

#: 068 Function Name: NtGdiDdDestroyD3DBuffer
Status: Not hooked

#: 069 Function Name: NtGdiDdEndMoCompFrame
Status: Not hooked

#: 070 Function Name: NtGdiDdFlip
Status: Not hooked

#: 071 Function Name: NtGdiDdFlipToGDISurface
Status: Not hooked

#: 072 Function Name: NtGdiDdGetAvailDriverMemory
Status: Not hooked

#: 073 Function Name: NtGdiDdGetBltStatus
Status: Not hooked

#: 074 Function Name: NtGdiDdGetDC
Status: Not hooked

#: 075 Function Name: NtGdiDdGetDriverInfo
Status: Not hooked

#: 076 Function Name: NtGdiDdGetDxHandle
Status: Not hooked

#: 077 Function Name: NtGdiDdGetFlipStatus
Status: Not hooked

#: 078 Function Name: NtGdiDdGetInternalMoCompInfo
Status: Not hooked

#: 079 Function Name: NtGdiDdGetMoCompBuffInfo
Status: Not hooked

#: 080 Function Name: NtGdiDdGetMoCompGuids
Status: Not hooked

#: 081 Function Name: NtGdiDdGetMoCompFormats
Status: Not hooked

#: 082 Function Name: NtGdiDdGetScanLine
Status: Not hooked

#: 083 Function Name: NtGdiDdLock
Status: Not hooked

#: 084 Function Name: NtGdiDdLockD3D
Status: Not hooked

#: 085 Function Name: NtGdiDdQueryDirectDrawObject
Status: Not hooked

#: 086 Function Name: NtGdiDdQueryMoCompStatus
Status: Not hooked

#: 087 Function Name: NtGdiDdReenableDirectDrawObject
Status: Not hooked

#: 088 Function Name: NtGdiDdReleaseDC
Status: Not hooked

#: 089 Function Name: NtGdiDdRenderMoComp
Status: Not hooked

#: 090 Function Name: NtGdiDdResetVisrgn
Status: Not hooked

#: 091 Function Name: NtGdiDdSetColorKey
Status: Not hooked

#: 092 Function Name: NtGdiDdSetExclusiveMode
Status: Not hooked

#: 093 Function Name: NtGdiDdSetGammaRamp
Status: Not hooked

#: 094 Function Name: NtGdiDdCreateSurfaceEx
Status: Not hooked

#: 095 Function Name: NtGdiDdSetOverlayPosition
Status: Not hooked

#: 096 Function Name: NtGdiDdUnattachSurface
Status: Not hooked

#: 097 Function Name: NtGdiDdUnlock
Status: Not hooked

#: 098 Function Name: NtGdiDdUnlockD3D
Status: Not hooked

#: 099 Function Name: NtGdiDdUpdateOverlay
Status: Not hooked

#: 100 Function Name: NtGdiDdWaitForVerticalBlank
Status: Not hooked

#: 101 Function Name: NtGdiDvpCanCreateVideoPort
Status: Not hooked

#: 102 Function Name: NtGdiDvpColorControl
Status: Not hooked

#: 103 Function Name: NtGdiDvpCreateVideoPort
Status: Not hooked

#: 104 Function Name: NtGdiDvpDestroyVideoPort
Status: Not hooked

#: 105 Function Name: NtGdiDvpFlipVideoPort
Status: Not hooked

#: 106 Function Name: NtGdiDvpGetVideoPortBandwidth
Status: Not hooked

#: 107 Function Name: NtGdiDvpGetVideoPortField
Status: Not hooked

#: 108 Function Name: NtGdiDvpGetVideoPortFlipStatus
Status: Not hooked

#: 109 Function Name: NtGdiDvpGetVideoPortInputFormats
Status: Not hooked

#: 110 Function Name: NtGdiDvpGetVideoPortLine
Status: Not hooked

#: 111 Function Name: NtGdiDvpGetVideoPortOutputFormats
Status: Not hooked

#: 112 Function Name: NtGdiDvpGetVideoPortConnectInfo
Status: Not hooked

#: 113 Function Name: NtGdiDvpGetVideoSignalStatus
Status: Not hooked

#: 114 Function Name: NtGdiDvpUpdateVideoPort
Status: Not hooked

#: 115 Function Name: NtGdiDvpWaitForVideoPortSync
Status: Not hooked

#: 116 Function Name: NtGdiDvpAcquireNotification
Status: Not hooked

#: 117 Function Name: NtGdiDvpReleaseNotification
Status: Not hooked

#: 118 Function Name: NtGdiDxgGenericThunk
Status: Not hooked

#: 119 Function Name: NtGdiDeleteClientObj
Status: Not hooked

#: 120 Function Name: NtGdiDeleteColorSpace
Status: Not hooked

#: 121 Function Name: NtGdiDeleteColorTransform
Status: Not hooked

#: 122 Function Name: NtGdiDeleteObjectApp
Status: Not hooked

#: 123 Function Name: NtGdiDescribePixelFormat
Status: Not hooked

#: 124 Function Name: NtGdiGetPerBandInfo
Status: Not hooked

#: 125 Function Name: NtGdiDoBanding
Status: Not hooked

#: 126 Function Name: NtGdiDoPalette
Status: Not hooked

#: 127 Function Name: NtGdiDrawEscape
Status: Not hooked

#: 128 Function Name: NtGdiEllipse
Status: Not hooked

#: 129 Function Name: NtGdiEnableEudc
Status: Not hooked

#: 130 Function Name: NtGdiEndDoc
Status: Not hooked

#: 131 Function Name: NtGdiEndPage
Status: Not hooked

#: 132 Function Name: NtGdiEndPath
Status: Not hooked

#: 133 Function Name: NtGdiEnumFontChunk
Status: Not hooked

#: 134 Function Name: NtGdiEnumFontClose
Status: Not hooked

#: 135 Function Name: NtGdiEnumFontOpen
Status: Not hooked

#: 136 Function Name: NtGdiEnumObjects
Status: Not hooked

#: 137 Function Name: NtGdiEqualRgn
Status: Not hooked

#: 138 Function Name: NtGdiEudcLoadUnloadLink
Status: Not hooked

#: 139 Function Name: NtGdiExcludeClipRect
Status: Not hooked

#: 140 Function Name: NtGdiExtCreatePen
Status: Not hooked

#: 141 Function Name: NtGdiExtCreateRegion
Status: Not hooked

#: 142 Function Name: NtGdiExtEscape
Status: Not hooked

#: 143 Function Name: NtGdiExtFloodFill
Status: Not hooked

#: 144 Function Name: NtGdiExtGetObjectW
Status: Not hooked

#: 145 Function Name: NtGdiExtSelectClipRgn
Status: Not hooked

#: 146 Function Name: NtGdiExtTextOutW
Status: Not hooked

#: 147 Function Name: NtGdiFillPath
Status: Not hooked

#: 148 Function Name: NtGdiFillRgn
Status: Not hooked

#: 149 Function Name: NtGdiFlattenPath
Status: Not hooked

#: 150 Function Name: NtGdiFlushUserBatch
Status: Not hooked

#: 151 Function Name: NtGdiFlush
Status: Not hooked

#: 152 Function Name: NtGdiForceUFIMapping
Status: Not hooked

#: 153 Function Name: NtGdiFrameRgn
Status: Not hooked

#: 154 Function Name: NtGdiFullscreenControl
Status: Not hooked

#: 155 Function Name: NtGdiGetAndSetDCDword
Status: Not hooked

#: 156 Function Name: NtGdiGetAppClipBox
Status: Not hooked

#: 157 Function Name: NtGdiGetBitmapBits
Status: Not hooked

#: 158 Function Name: NtGdiGetBitmapDimension
Status: Not hooked

#: 159 Function Name: NtGdiGetBoundsRect
Status: Not hooked

#: 160 Function Name: NtGdiGetCharABCWidthsW
Status: Not hooked

#: 161 Function Name: NtGdiGetCharacterPlacementW
Status: Not hooked

#: 162 Function Name: NtGdiGetCharSet
Status: Not hooked

#: 163 Function Name: NtGdiGetCharWidthW
Status: Not hooked

#: 164 Function Name: NtGdiGetCharWidthInfo
Status: Not hooked

#: 165 Function Name: NtGdiGetColorAdjustment
Status: Not hooked

#: 166 Function Name: NtGdiGetColorSpaceforBitmap
Status: Not hooked

#: 167 Function Name: NtGdiGetDCDword
Status: Not hooked

#: 168 Function Name: NtGdiGetDCforBitmap
Status: Not hooked

#: 169 Function Name: NtGdiGetDCObject
Status: Not hooked

#: 170 Function Name: NtGdiGetDCPoint
Status: Not hooked

#: 171 Function Name: NtGdiGetDeviceCaps
Status: Not hooked

#: 172 Function Name: NtGdiGetDeviceGammaRamp
Status: Not hooked

#: 173 Function Name: NtGdiGetDeviceCapsAll
Status: Not hooked

#: 174 Function Name: NtGdiGetDIBitsInternal
Status: Not hooked

#: 175 Function Name: NtGdiGetETM
Status: Not hooked

#: 176 Function Name: NtGdiGetEudcTimeStampEx
Status: Not hooked

#: 177 Function Name: NtGdiGetFontData
Status: Not hooked

#: 178 Function Name: NtGdiGetFontResourceInfoInternalW
Status: Not hooked

#: 179 Function Name: NtGdiGetGlyphIndicesW
Status: Not hooked

#: 180 Function Name: NtGdiGetGlyphIndicesWInternal
Status: Not hooked

#: 181 Function Name: NtGdiGetGlyphOutline
Status: Not hooked

#: 182 Function Name: NtGdiGetKerningPairs
Status: Not hooked

#: 183 Function Name: NtGdiGetLinkedUFIs
Status: Not hooked

#: 184 Function Name: NtGdiGetMiterLimit
Status: Not hooked

#: 185 Function Name: NtGdiGetMonitorID
Status: Not hooked

#: 186 Function Name: NtGdiGetNearestColor
Status: Not hooked

#: 187 Function Name: NtGdiGetNearestPaletteIndex
Status: Not hooked

#: 188 Function Name: NtGdiGetObjectBitmapHandle
Status: Not hooked

#: 189 Function Name: NtGdiGetOutlineTextMetricsInternalW
Status: Not hooked

#: 190 Function Name: NtGdiGetPath
Status: Not hooked

#: 191 Function Name: NtGdiGetPixel
Status: Not hooked

#: 192 Function Name: NtGdiGetRandomRgn
Status: Not hooked

#: 193 Function Name: NtGdiGetRasterizerCaps
Status: Not hooked

#: 194 Function Name: NtGdiGetRealizationInfo
Status: Not hooked

#: 195 Function Name: NtGdiGetRegionData
Status: Not hooked

#: 196 Function Name: NtGdiGetRgnBox
Status: Not hooked

#: 197 Function Name: NtGdiGetServerMetaFileBits
Status: Not hooked

#: 198 Function Name: NtGdiGetSpoolMessage
Status: Not hooked

#: 199 Function Name: NtGdiGetStats
Status: Not hooked

#: 200 Function Name: NtGdiGetStockObject
Status: Not hooked

#: 201 Function Name: NtGdiGetStringBitmapW
Status: Not hooked

#: 202 Function Name: NtGdiGetSystemPaletteUse
Status: Not hooked

#: 203 Function Name: NtGdiGetTextCharsetInfo
Status: Not hooked

#: 204 Function Name: NtGdiGetTextExtent
Status: Not hooked

#: 205 Function Name: NtGdiGetTextExtentExW
Status: Not hooked

#: 206 Function Name: NtGdiGetTextFaceW
Status: Not hooked

#: 207 Function Name: NtGdiGetTextMetricsW
Status: Not hooked

#: 208 Function Name: NtGdiGetTransform
Status: Not hooked

#: 209 Function Name: NtGdiGetUFI
Status: Not hooked

#: 210 Function Name: NtGdiGetEmbUFI
Status: Not hooked

#: 211 Function Name: NtGdiGetUFIPathname
Status: Not hooked

#: 212 Function Name: NtGdiGetEmbedFonts
Status: Not hooked

#: 213 Function Name: NtGdiChangeGhostFont
Status: Not hooked

#: 214 Function Name: NtGdiAddEmbFontToDC
Status: Not hooked

#: 215 Function Name: NtGdiGetFontUnicodeRanges
Status: Not hooked

#: 216 Function Name: NtGdiGetWidthTable
Status: Not hooked

#: 217 Function Name: NtGdiGradientFill
Status: Not hooked

#: 218 Function Name: NtGdiHfontCreate
Status: Not hooked

#: 219 Function Name: NtGdiIcmBrushInfo
Status: Not hooked

#: 220 Function Name: NtGdiInit
Status: Not hooked

#: 221 Function Name: NtGdiInitSpool
Status: Not hooked

#: 222 Function Name: NtGdiIntersectClipRect
Status: Not hooked

#: 223 Function Name: NtGdiInvertRgn
Status: Not hooked

#: 224 Function Name: NtGdiLineTo
Status: Not hooked

#: 225 Function Name: NtGdiMakeFontDir
Status: Not hooked

#: 226 Function Name: NtGdiMakeInfoDC
Status: Not hooked

#: 227 Function Name: NtGdiMaskBlt
Status: Not hooked

#: 228 Function Name: NtGdiModifyWorldTransform
Status: Not hooked

#: 229 Function Name: NtGdiMonoBitmap
Status: Not hooked

#: 230 Function Name: NtGdiMoveTo
Status: Not hooked

#: 231 Function Name: NtGdiOffsetClipRgn
Status: Not hooked

#: 232 Function Name: NtGdiOffsetRgn
Status: Not hooked

#: 233 Function Name: NtGdiOpenDCW
Status: Not hooked

#: 234 Function Name: NtGdiPatBlt
Status: Not hooked

#: 235 Function Name: NtGdiPolyPatBlt
Status: Not hooked

#: 236 Function Name: NtGdiPathToRegion
Status: Not hooked

#: 237 Function Name: NtGdiPlgBlt
Status: Not hooked

#: 238 Function Name: NtGdiPolyDraw
Status: Not hooked

#: 239 Function Name: NtGdiPolyPolyDraw
Status: Not hooked

#: 240 Function Name: NtGdiPolyTextOutW
Status: Not hooked

#: 241 Function Name: NtGdiPtInRegion
Status: Not hooked

#: 242 Function Name: NtGdiPtVisible
Status: Not hooked

#: 243 Function Name: NtGdiQueryFonts
Status: Not hooked

#: 244 Function Name: NtGdiQueryFontAssocInfo
Status: Not hooked

#: 245 Function Name: NtGdiRectangle
Status: Not hooked

#: 246 Function Name: NtGdiRectInRegion
Status: Not hooked

#: 247 Function Name: NtGdiRectVisible
Status: Not hooked

#: 248 Function Name: NtGdiRemoveFontResourceW
Status: Not hooked

#: 249 Function Name: NtGdiRemoveFontMemResourceEx
Status: Not hooked

#: 250 Function Name: NtGdiResetDC
Status: Not hooked

#: 251 Function Name: NtGdiResizePalette
Status: Not hooked

#: 252 Function Name: NtGdiRestoreDC
Status: Not hooked

#: 253 Function Name: NtGdiRoundRect
Status: Not hooked

#: 254 Function Name: NtGdiSaveDC
Status: Not hooked

#: 255 Function Name: NtGdiScaleViewportExtEx
Status: Not hooked

#: 256 Function Name: NtGdiScaleWindowExtEx
Status: Not hooked

#: 257 Function Name: NtGdiSelectBitmap
Status: Not hooked

#: 258 Function Name: NtGdiSelectBrush
Status: Not hooked

#: 259 Function Name: NtGdiSelectClipPath
Status: Not hooked

#: 260 Function Name: NtGdiSelectFont
Status: Not hooked

#: 261 Function Name: NtGdiSelectPen
Status: Not hooked

#: 262 Function Name: NtGdiSetBitmapAttributes
Status: Not hooked

#: 263 Function Name: NtGdiSetBitmapBits
Status: Not hooked

#: 264 Function Name: NtGdiSetBitmapDimension
Status: Not hooked

#: 265 Function Name: NtGdiSetBoundsRect
Status: Not hooked

#: 266 Function Name: NtGdiSetBrushAttributes
Status: Not hooked

#: 267 Function Name: NtGdiSetBrushOrg
Status: Not hooked

#: 268 Function Name: NtGdiSetColorAdjustment
Status: Not hooked

#: 269 Function Name: NtGdiSetColorSpace
Status: Not hooked

#: 270 Function Name: NtGdiSetDeviceGammaRamp
Status: Not hooked

#: 271 Function Name: NtGdiSetDIBitsToDeviceInternal
Status: Not hooked

#: 272 Function Name: NtGdiSetFontEnumeration
Status: Not hooked

#: 273 Function Name: NtGdiSetFontXform
Status: Not hooked

#: 274 Function Name: NtGdiSetIcmMode
Status: Not hooked

#: 275 Function Name: NtGdiSetLinkedUFIs
Status: Not hooked

#: 276 Function Name: NtGdiSetMagicColors
Status: Not hooked

#: 277 Function Name: NtGdiSetMetaRgn
Status: Not hooked

#: 278 Function Name: NtGdiSetMiterLimit
Status: Not hooked

#: 279 Function Name: NtGdiGetDeviceWidth
Status: Not hooked

#: 280 Function Name: NtGdiMirrorWindowOrg
Status: Not hooked

#: 281 Function Name: NtGdiSetLayout
Status: Not hooked

#: 282 Function Name: NtGdiSetPixel
Status: Not hooked

#: 283 Function Name: NtGdiSetPixelFormat
Status: Not hooked

#: 284 Function Name: NtGdiSetRectRgn
Status: Not hooked

#: 285 Function Name: NtGdiSetSystemPaletteUse
Status: Not hooked

#: 286 Function Name: NtGdiSetTextJustification
Status: Not hooked

#: 287 Function Name: NtGdiSetupPublicCFONT
Status: Not hooked

#: 288 Function Name: NtGdiSetVirtualResolution
Status: Not hooked

#: 289 Function Name: NtGdiSetSizeDevice
Status: Not hooked

#: 290 Function Name: NtGdiStartDoc
Status: Not hooked

#: 291 Function Name: NtGdiStartPage
Status: Not hooked

#: 292 Function Name: NtGdiStretchBlt
Status: Not hooked

#: 293 Function Name: NtGdiStretchDIBitsInternal
Status: Not hooked

#: 294 Function Name: NtGdiStrokeAndFillPath
Status: Not hooked

#: 295 Function Name: NtGdiStrokePath
Status: Not hooked

#: 296 Function Name: NtGdiSwapBuffers
Status: Not hooked

#: 297 Function Name: NtGdiTransformPoints
Status: Not hooked

#: 298 Function Name: NtGdiTransparentBlt
Status: Not hooked

#: 299 Function Name: NtGdiUnloadPrinterDriver
Status: Not hooked

#: 300 Function Name: NtGdiUnmapMemFont
Status: Not hooked

#: 301 Function Name: NtGdiUnrealizeObject
Status: Not hooked

#: 302 Function Name: NtGdiUpdateColors
Status: Not hooked

#: 303 Function Name: NtGdiWidenPath
Status: Not hooked

#: 304 Function Name: NtUserActivateKeyboardLayout
Status: Not hooked

#: 305 Function Name: NtUserAlterWindowStyle
Status: Not hooked

#: 306 Function Name: NtUserAssociateInputContext
Status: Not hooked

#: 307 Function Name: NtUserAttachThreadInput
Status: Not hooked

#: 308 Function Name: NtUserBeginPaint
Status: Not hooked

#: 309 Function Name: NtUserBitBltSysBmp
Status: Not hooked

#: 310 Function Name: NtUserBlockInput
Status: Not hooked

#: 311 Function Name: NtUserBuildHimcList
Status: Not hooked

#: 312 Function Name: NtUserBuildHwndList
Status: Not hooked

#: 313 Function Name: NtUserBuildNameList
Status: Not hooked

#: 314 Function Name: NtUserBuildPropList
Status: Not hooked

#: 315 Function Name: NtUserCallHwnd
Status: Not hooked

#: 316 Function Name: NtUserCallHwndLock
Status: Not hooked

#: 317 Function Name: NtUserCallHwndOpt
Status: Not hooked

#: 318 Function Name: NtUserCallHwndParam
Status: Not hooked

#: 319 Function Name: NtUserCallHwndParamLock
Status: Not hooked

#: 320 Function Name: NtUserCallMsgFilter
Status: Not hooked

#: 321 Function Name: NtUserCallNextHookEx
Status: Not hooked

#: 322 Function Name: NtUserCallNoParam
Status: Not hooked

#: 323 Function Name: NtUserCallOneParam
Status: Not hooked

#: 324 Function Name: NtUserCallTwoParam
Status: Not hooked

#: 325 Function Name: NtUserChangeClipboardChain
Status: Not hooked

#: 326 Function Name: NtUserChangeDisplaySettings
Status: Not hooked

#: 327 Function Name: NtUserCheckImeHotKey
Status: Not hooked

#: 328 Function Name: NtUserCheckMenuItem
Status: Not hooked

#: 329 Function Name: NtUserChildWindowFromPointEx
Status: Not hooked

#: 330 Function Name: NtUserClipCursor
Status: Not hooked

#: 331 Function Name: NtUserCloseClipboard
Status: Not hooked

#: 332 Function Name: NtUserCloseDesktop
Status: Not hooked

#: 333 Function Name: NtUserCloseWindowStation
Status: Not hooked

#: 334 Function Name: NtUserConsoleControl
Status: Not hooked

#: 335 Function Name: NtUserConvertMemHandle
Status: Not hooked

#: 336 Function Name: NtUserCopyAcceleratorTable
Status: Not hooked

#: 337 Function Name: NtUserCountClipboardFormats
Status: Not hooked

#: 338 Function Name: NtUserCreateAcceleratorTable
Status: Not hooked

#: 339 Function Name: NtUserCreateCaret
Status: Not hooked

#: 340 Function Name: NtUserCreateDesktop
Status: Not hooked

#: 341 Function Name: NtUserCreateInputContext
Status: Not hooked

#: 342 Function Name: NtUserCreateLocalMemHandle
Status: Not hooked

#: 343 Function Name: NtUserCreateWindowEx
Status: Not hooked

#: 344 Function Name: NtUserCreateWindowStation
Status: Not hooked

#: 345 Function Name: NtUserDdeGetQualityOfService
Status: Not hooked

#: 346 Function Name: NtUserDdeInitialize
Status: Not hooked

#: 347 Function Name: NtUserDdeSetQualityOfService
Status: Not hooked

#: 348 Function Name: NtUserDeferWindowPos
Status: Not hooked

#: 349 Function Name: NtUserDefSetText
Status: Not hooked

#: 350 Function Name: NtUserDeleteMenu
Status: Not hooked

#: 351 Function Name: NtUserDestroyAcceleratorTable
Status: Not hooked

#: 352 Function Name: NtUserDestroyCursor
Status: Not hooked

#: 353 Function Name: NtUserDestroyInputContext
Status: Not hooked

#: 354 Function Name: NtUserDestroyMenu
Status: Not hooked

#: 355 Function Name: NtUserDestroyWindow
Status: Not hooked

#: 356 Function Name: NtUserDisableThreadIme
Status: Not hooked

#: 357 Function Name: NtUserDispatchMessage
Status: Not hooked

#: 358 Function Name: NtUserDragDetect
Status: Not hooked

#: 359 Function Name: NtUserDragObject
Status: Not hooked

#: 360 Function Name: NtUserDrawAnimatedRects
Status: Not hooked

#: 361 Function Name: NtUserDrawCaption
Status: Not hooked

#: 362 Function Name: NtUserDrawCaptionTemp
Status: Not hooked

#: 363 Function Name: NtUserDrawIconEx
Status: Not hooked

#: 364 Function Name: NtUserDrawMenuBarTemp
Status: Not hooked

#: 365 Function Name: NtUserEmptyClipboard
Status: Not hooked

#: 366 Function Name: NtUserEnableMenuItem
Status: Not hooked

#: 367 Function Name: NtUserEnableScrollBar
Status: Not hooked

#: 368 Function Name: NtUserEndDeferWindowPosEx
Status: Not hooked

#: 369 Function Name: NtUserEndMenu
Status: Not hooked

#: 370 Function Name: NtUserEndPaint
Status: Not hooked

#: 371 Function Name: NtUserEnumDisplayDevices
Status: Not hooked

#: 372 Function Name: NtUserEnumDisplayMonitors
Status: Not hooked

#: 373 Function Name: NtUserEnumDisplaySettings
Status: Not hooked

#: 374 Function Name: NtUserEvent
Status: Not hooked

#: 375 Function Name: NtUserExcludeUpdateRgn
Status: Not hooked

#: 376 Function Name: NtUserFillWindow
Status: Not hooked

#: 377 Function Name: NtUserFindExistingCursorIcon
Status: Not hooked

#: 378 Function Name: NtUserFindWindowEx
Status: Not hooked

#: 379 Function Name: NtUserFlashWindowEx
Status: Not hooked

#: 380 Function Name: NtUserGetAltTabInfo
Status: Not hooked

#: 381 Function Name: NtUserGetAncestor
Status: Not hooked

#: 382 Function Name: NtUserGetAppImeLevel
Status: Not hooked

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Not hooked

#: 384 Function Name: NtUserGetAtomName
Status: Not hooked

#: 385 Function Name: NtUserGetCaretBlinkTime
Status: Not hooked

#: 386 Function Name: NtUserGetCaretPos
Status: Not hooked

#: 387 Function Name: NtUserGetClassInfo
Status: Not hooked

#: 388 Function Name: NtUserGetClassName
Status: Not hooked

#: 389 Function Name: NtUserGetClipboardData
Status: Not hooked

#: 390 Function Name: NtUserGetClipboardFormatName
Status: Not hooked

#: 391 Function Name: NtUserGetClipboardOwner
Status: Not hooked

#: 392 Function Name: NtUserGetClipboardSequenceNumber
Status: Not hooked

#: 393 Function Name: NtUserGetClipboardViewer
Status: Not hooked

#: 394 Function Name: NtUserGetClipCursor
Status: Not hooked

#: 395 Function Name: NtUserGetComboBoxInfo
Status: Not hooked

#: 396 Function Name: NtUserGetControlBrush
Status: Not hooked

#: 397 Function Name: NtUserGetControlColor
Status: Not hooked

#: 398 Function Name: NtUserGetCPD
Status: Not hooked

#: 399 Function Name: NtUserGetCursorFrameInfo
Status: Not hooked

#: 400 Function Name: NtUserGetCursorInfo
Status: Not hooked

#: 401 Function Name: NtUserGetDC
Status: Not hooked

#: 402 Function Name: NtUserGetDCEx
Status: Not hooked

#: 403 Function Name: NtUserGetDoubleClickTime
Status: Not hooked

#: 404 Function Name: NtUserGetForegroundWindow
Status: Not hooked

#: 405 Function Name: NtUserGetGuiResources
Status: Not hooked

#: 406 Function Name: NtUserGetGUIThreadInfo
Status: Not hooked

#: 407 Function Name: NtUserGetIconInfo
Status: Not hooked

#: 408 Function Name: NtUserGetIconSize
Status: Not hooked

#: 409 Function Name: NtUserGetImeHotKey
Status: Not hooked

#: 410 Function Name: NtUserGetImeInfoEx
Status: Not hooked

#: 411 Function Name: NtUserGetInternalWindowPos
Status: Not hooked

#: 412 Function Name: NtUserGetKeyboardLayoutList
Status: Not hooked

#: 413 Function Name: NtUserGetKeyboardLayoutName
Status: Not hooked

#: 414 Function Name: NtUserGetKeyboardState
Status: Not hooked

#: 415 Function Name: NtUserGetKeyNameText
Status: Not hooked

#: 416 Function Name: NtUserGetKeyState
Status: Not hooked

#: 417 Function Name: NtUserGetListBoxInfo
Status: Not hooked

#: 418 Function Name: NtUserGetMenuBarInfo
Status: Not hooked

#: 419 Function Name: NtUserGetMenuIndex
Status: Not hooked

#: 420 Function Name: NtUserGetMenuItemRect
Status: Not hooked

#: 421 Function Name: NtUserGetMessage
Status: Not hooked

#: 422 Function Name: NtUserGetMouseMovePointsEx
Status: Not hooked

#: 423 Function Name: NtUserGetObjectInformation
Status: Not hooked

#: 424 Function Name: NtUserGetOpenClipboardWindow
Status: Not hooked

#: 425 Function Name: NtUserGetPriorityClipboardFormat
Status: Not hooked

#: 426 Function Name: NtUserGetProcessWindowStation
Status: Not hooked

#: 427 Function Name: NtUserGetRawInputBuffer
Status: Not hooked

#: 428 Function Name: NtUserGetRawInputData
Status: Not hooked

#: 429 Function Name: NtUserGetRawInputDeviceInfo
Status: Not hooked

#: 430 Function Name: NtUserGetRawInputDeviceList
Status: Not hooked

#: 431 Function Name: NtUserGetRegisteredRawInputDevices
Status: Not hooked

#: 432 Function Name: NtUserGetScrollBarInfo
Status: Not hooked

#: 433 Function Name: NtUserGetSystemMenu
Status: Not hooked

#: 434 Function Name: NtUserGetThreadDesktop
Status: Not hooked

#: 435 Function Name: NtUserGetThreadState
Status: Not hooked

#: 436 Function Name: NtUserGetTitleBarInfo
Status: Not hooked

#: 437 Function Name: NtUserGetUpdateRect
Status: Not hooked

#: 438 Function Name: NtUserGetUpdateRgn
Status: Not hooked

#: 439 Function Name: NtUserGetWindowDC
Status: Not hooked

#: 440 Function Name: NtUserGetWindowPlacement
Status: Not hooked

#: 441 Function Name: NtUserGetWOWClass
Status: Not hooked

#: 442 Function Name: NtUserHardErrorControl
Status: Not hooked

#: 443 Function Name: NtUserHideCaret
Status: Not hooked

#: 444 Function Name: NtUserHiliteMenuItem
Status: Not hooked

#: 445 Function Name: NtUserImpersonateDdeClientWindow
Status: Not hooked

#: 446 Function Name: NtUserInitialize
Status: Not hooked

#: 447 Function Name: NtUserInitializeClientPfnArrays
Status: Not hooked

#: 448 Function Name: NtUserInitTask
Status: Not hooked

#: 449 Function Name: NtUserInternalGetWindowText
Status: Not hooked

#: 450 Function Name: NtUserInvalidateRect
Status: Not hooked

#: 451 Function Name: NtUserInvalidateRgn
Status: Not hooked

#: 452 Function Name: NtUserIsClipboardFormatAvailable
Status: Not hooked

#: 453 Function Name: NtUserKillTimer
Status: Not hooked

#: 454 Function Name: NtUserLoadKeyboardLayoutEx
Status: Not hooked

#: 455 Function Name: NtUserLockWindowStation
Status: Not hooked

#: 456 Function Name: NtUserLockWindowUpdate
Status: Not hooked

#: 457 Function Name: NtUserLockWorkStation
Status: Not hooked

#: 458 Function Name: NtUserMapVirtualKeyEx
Status: Not hooked

#: 459 Function Name: NtUserMenuItemFromPoint
Status: Not hooked

#: 460 Function Name: NtUserMessageCall
Status: Not hooked

#: 461 Function Name: NtUserMinMaximize
Status: Not hooked

#: 462 Function Name: NtUserMNDragLeave
Status: Not hooked

#: 463 Function Name: NtUserMNDragOver
Status: Not hooked

#: 464 Function Name: NtUserModifyUserStartupInfoFlags
Status: Not hooked

#: 465 Function Name: NtUserMoveWindow
Status: Not hooked

#: 466 Function Name: NtUserNotifyIMEStatus
Status: Not hooked

#: 467 Function Name: NtUserNotifyProcessCreate
Status: Not hooked

#: 468 Function Name: NtUserNotifyWinEvent
Status: Not hooked

#: 469 Function Name: NtUserOpenClipboard
Status: Not hooked

#: 470 Function Name: NtUserOpenDesktop
Status: Not hooked

#: 471 Function Name: NtUserOpenInputDesktop
Status: Not hooked

#: 472 Function Name: NtUserOpenWindowStation
Status: Not hooked

#: 473 Function Name: NtUserPaintDesktop
Status: Not hooked

#: 474 Function Name: NtUserPeekMessage
Status: Not hooked

#: 475 Function Name: NtUserPostMessage
Status: Not hooked

#: 476 Function Name: NtUserPostThreadMessage
Status: Not hooked

#: 477 Function Name: NtUserPrintWindow
Status: Not hooked

#: 478 Function Name: NtUserProcessConnect
Status: Not hooked

#: 479 Function Name: NtUserQueryInformationThread
Status: Not hooked

#: 480 Function Name: NtUserQueryInputContext
Status: Not hooked

#: 481 Function Name: NtUserQuerySendMessage
Status: Not hooked

#: 482 Function Name: NtUserQueryUserCounters
Status: Not hooked

#: 483 Function Name: NtUserQueryWindow
Status: Not hooked

#: 484 Function Name: NtUserRealChildWindowFromPoint
Status: Not hooked

#: 485 Function Name: NtUserRealInternalGetMessage
Status: Not hooked

#: 486 Function Name: NtUserRealWaitMessageEx
Status: Not hooked

#: 487 Function Name: NtUserRedrawWindow
Status: Not hooked

#: 488 Function Name: NtUserRegisterClassExWOW
Status: Not hooked

#: 489 Function Name: NtUserRegisterUserApiHook
Status: Not hooked

#: 490 Function Name: NtUserRegisterHotKey
Status: Not hooked

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Not hooked

#: 492 Function Name: NtUserRegisterTasklist
Status: Not hooked

#: 493 Function Name: NtUserRegisterWindowMessage
Status: Not hooked

#: 494 Function Name: NtUserRemoveMenu
Status: Not hooked

#: 495 Function Name: NtUserRemoveProp
Status: Not hooked

#: 496 Function Name: NtUserResolveDesktop
Status: Not hooked

#: 497 Function Name: NtUserResolveDesktopForWOW
Status: Not hooked

#: 498 Function Name: NtUserSBGetParms
Status: Not hooked

#: 499 Function Name: NtUserScrollDC
Status: Not hooked

#: 500 Function Name: NtUserScrollWindowEx
Status: Not hooked

#: 501 Function Name: NtUserSelectPalette
Status: Not hooked

#: 502 Function Name: NtUserSendInput
Status: Not hooked

#: 503 Function Name: NtUserSetActiveWindow
Status: Not hooked

#: 504 Function Name: NtUserSetAppImeLevel
Status: Not hooked

#: 505 Function Name: NtUserSetCapture
Status: Not hooked

#: 506 Function Name: NtUserSetClassLong
Status: Not hooked

#: 507 Function Name: NtUserSetClassWord
Status: Not hooked

#: 508 Function Name: NtUserSetClipboardData
Status: Not hooked

#: 509 Function Name: NtUserSetClipboardViewer
Status: Not hooked

#: 510 Function Name: NtUserSetConsoleReserveKeys
Status: Not hooked

#: 511 Function Name: NtUserSetCursor
Status: Not hooked

#: 512 Function Name: NtUserSetCursorContents
Status: Not hooked

#: 513 Function Name: NtUserSetCursorIconData
Status: Not hooked

#: 514 Function Name: NtUserSetDbgTag
Status: Not hooked

#: 515 Function Name: NtUserSetFocus
Status: Not hooked

#: 516 Function Name: NtUserSetImeHotKey
Status: Not hooked

#: 517 Function Name: NtUserSetImeInfoEx
Status: Not hooked

#: 518 Function Name: NtUserSetImeOwnerWindow
Status: Not hooked

#: 519 Function Name: NtUserSetInformationProcess
Status: Not hooked

#: 520 Function Name: NtUserSetInformationThread
Status: Not hooked

#: 521 Function Name: NtUserSetInternalWindowPos
Status: Not hooked

#: 522 Function Name: NtUserSetKeyboardState
Status: Not hooked

#: 523 Function Name: NtUserSetLogonNotifyWindow
Status: Not hooked

#: 524 Function Name: NtUserSetMenu
Status: Not hooked

#: 525 Function Name: NtUserSetMenuContextHelpId
Status: Not hooked

#: 526 Function Name: NtUserSetMenuDefaultItem
Status: Not hooked

#: 527 Function Name: NtUserSetMenuFlagRtoL
Status: Not hooked

#: 528 Function Name: NtUserSetObjectInformation
Status: Not hooked

#: 529 Function Name: NtUserSetParent
Status: Not hooked

#: 530 Function Name: NtUserSetProcessWindowStation
Status: Not hooked

#: 531 Function Name: NtUserSetProp
Status: Not hooked

#: 532 Function Name: NtUserSetRipFlags
Status: Not hooked

#: 533 Function Name: NtUserSetScrollInfo
Status: Not hooked

#: 534 Function Name: NtUserSetShellWindowEx
Status: Not hooked

#: 535 Function Name: NtUserSetSysColors
Status: Not hooked

#: 536 Function Name: NtUserSetSystemCursor
Status: Not hooked

#: 537 Function Name: NtUserSetSystemMenu
Status: Not hooked

#: 538 Function Name: NtUserSetSystemTimer
Status: Not hooked

#: 539 Function Name: NtUserSetThreadDesktop
Status: Not hooked

#: 540 Function Name: NtUserSetThreadLayoutHandles
Status: Not hooked

#: 541 Function Name: NtUserSetThreadState
Status: Not hooked

#: 542 Function Name: NtUserSetTimer
Status: Not hooked

#: 543 Function Name: NtUserSetWindowFNID
Status: Not hooked

#: 544 Function Name: NtUserSetWindowLong
Status: Not hooked

#: 545 Function Name: NtUserSetWindowPlacement
Status: Not hooked

#: 546 Function Name: NtUserSetWindowPos
Status: Not hooked

#: 547 Function Name: NtUserSetWindowRgn
Status: Not hooked

#: 548 Function Name: NtUserSetWindowsHookAW
Status: Not hooked

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Not hooked

#: 550 Function Name: NtUserSetWindowStationUser
Status: Not hooked

#: 551 Function Name: NtUserSetWindowWord
Status: Not hooked

#: 552 Function Name: NtUserSetWinEventHook
Status: Not hooked

#: 553 Function Name: NtUserShowCaret
Status: Not hooked

#: 554 Function Name: NtUserShowScrollBar
Status: Not hooked

#: 555 Function Name: NtUserShowWindow
Status: Not hooked

#: 556 Function Name: NtUserShowWindowAsync
Status: Not hooked

#: 557 Function Name: NtUserSoundSentry
Status: Not hooked

#: 558 Function Name: NtUserSwitchDesktop
Status: Not hooked

#: 559 Function Name: NtUserSystemParametersInfo
Status: Not hooked

#: 560 Function Name: NtUserTestForInteractiveUser
Status: Not hooked

#: 561 Function Name: NtUserThunkedMenuInfo
Status: Not hooked

#: 562 Function Name: NtUserThunkedMenuItemInfo
Status: Not hooked

#: 563 Function Name: NtUserToUnicodeEx
Status: Not hooked

#: 564 Function Name: NtUserTrackMouseEvent
Status: Not hooked

#: 565 Function Name: NtUserTrackPopupMenuEx
Status: Not hooked

#: 566 Function Name: NtUserCalcMenuBar
Status: Not hooked

#: 567 Function Name: NtUserPaintMenuBar
Status: Not hooked

#: 568 Function Name: NtUserTranslateAccelerator
Status: Not hooked

#: 569 Function Name: NtUserTranslateMessage
Status: Not hooked

#: 570 Function Name: NtUserUnhookWindowsHookEx
Status: Not hooked

#: 571 Function Name: NtUserUnhookWinEvent
Status: Not hooked

#: 572 Function Name: NtUserUnloadKeyboardLayout
Status: Not hooked

#: 573 Function Name: NtUserUnlockWindowStation
Status: Not hooked

#: 574 Function Name: NtUserUnregisterClass
Status: Not hooked

#: 575 Function Name: NtUserUnregisterUserApiHook
Status: Not hooked

#: 576 Function Name: NtUserUnregisterHotKey
Status: Not hooked

#: 577 Function Name: NtUserUpdateInputContext
Status: Not hooked

#: 578 Function Name: NtUserUpdateInstance
Status: Not hooked

#: 579 Function Name: NtUserUpdateLayeredWindow
Status: Not hooked

#: 580 Function Name: NtUserGetLayeredWindowAttributes
Status: Not hooked

#: 581 Function Name: NtUserSetLayeredWindowAttributes
Status: Not hooked

#: 582 Function Name: NtUserUpdatePerUserSystemParameters
Status: Not hooked

#: 583 Function Name: NtUserUserHandleGrantAccess
Status: Not hooked

#: 584 Function Name: NtUserValidateHandleSecure
Status: Not hooked

#: 585 Function Name: NtUserValidateRect
Status: Not hooked

#: 586 Function Name: NtUserValidateTimerCallback
Status: Not hooked

#: 587 Function Name: NtUserVkKeyScanEx
Status: Not hooked

#: 588 Function Name: NtUserWaitForInputIdle
Status: Not hooked

#: 589 Function Name: NtUserWaitForMsgAndEvent
Status: Not hooked

#: 590 Function Name: NtUserWaitMessage
Status: Not hooked

#: 591 Function Name: NtUserWin32PoolAllocationStats
Status: Not hooked

#: 592 Function Name: NtUserWindowFromPoint
Status: Not hooked

#: 593 Function Name: NtUserYieldTask
Status: Not hooked

#: 594 Function Name: NtUserRemoteConnect
Status: Not hooked

#: 595 Function Name: NtUserRemoteRedrawRectangle
Status: Not hooked

#: 596 Function Name: NtUserRemoteRedrawScreen
Status: Not hooked

#: 597 Function Name: NtUserRemoteStopScreenUpdates
Status: Not hooked

#: 598 Function Name: NtUserCtxDisplayIOCtl
Status: Not hooked

#: 599 Function Name: NtGdiEngAssociateSurface
Status: Not hooked

#: 600 Function Name: NtGdiEngCreateBitmap
Status: Not hooked

#: 601 Function Name: NtGdiEngCreateDeviceSurface
Status: Not hooked

#: 602 Function Name: NtGdiEngCreateDeviceBitmap
Status: Not hooked

#: 603 Function Name: NtGdiEngCreatePalette
Status: Not hooked

#: 604 Function Name: NtGdiEngComputeGlyphSet
Status: Not hooked

#: 605 Function Name: NtGdiEngCopyBits
Status: Not hooked

#: 606 Function Name: NtGdiEngDeletePalette
Status: Not hooked

#: 607 Function Name: NtGdiEngDeleteSurface
Status: Not hooked

#: 608 Function Name: NtGdiEngEraseSurface
Status: Not hooked

#: 609 Function Name: NtGdiEngUnlockSurface
Status: Not hooked

#: 610 Function Name: NtGdiEngLockSurface
Status: Not hooked

#: 611 Function Name: NtGdiEngBitBlt
Status: Not hooked

#: 612 Function Name: NtGdiEngStretchBlt
Status: Not hooked

#: 613 Function Name: NtGdiEngPlgBlt
Status: Not hooked

#: 614 Function Name: NtGdiEngMarkBandingSurface
Status: Not hooked

#: 615 Function Name: NtGdiEngStrokePath
Status: Not hooked

#: 616 Function Name: NtGdiEngFillPath
Status: Not hooked

#: 617 Function Name: NtGdiEngStrokeAndFillPath
Status: Not hooked

#: 618 Function Name: NtGdiEngPaint
Status: Not hooked

#: 619 Function Name: NtGdiEngLineTo
Status: Not hooked

#: 620 Function Name: NtGdiEngAlphaBlend
Status: Not hooked

#: 621 Function Name: NtGdiEngGradientFill
Status: Not hooked

#: 622 Function Name: NtGdiEngTransparentBlt
Status: Not hooked

#: 623 Function Name: NtGdiEngTextOut
Status: Not hooked

#: 624 Function Name: NtGdiEngStretchBltROP
Status: Not hooked

#: 625 Function Name: NtGdiXLATEOBJ_cGetPalette
Status: Not hooked

#: 626 Function Name: NtGdiXLATEOBJ_iXlate
Status: Not hooked

#: 627 Function Name: NtGdiXLATEOBJ_hGetColorTransform
Status: Not hooked

#: 628 Function Name: NtGdiCLIPOBJ_bEnum
Status: Not hooked

#: 629 Function Name: NtGdiCLIPOBJ_cEnumStart
Status: Not hooked

#: 630 Function Name: NtGdiCLIPOBJ_ppoGetPath
Status: Not hooked

#: 631 Function Name: NtGdiEngDeletePath
Status: Not hooked

#: 632 Function Name: NtGdiEngCreateClip
Status: Not hooked

#: 633 Function Name: NtGdiEngDeleteClip
Status: Not hooked

#: 634 Function Name: NtGdiBRUSHOBJ_ulGetBrushColor
Status: Not hooked

#: 635 Function Name: NtGdiBRUSHOBJ_pvAllocRbrush
Status: Not hooked

#: 636 Function Name: NtGdiBRUSHOBJ_pvGetRbrush
Status: Not hooked

#: 637 Function Name: NtGdiBRUSHOBJ_hGetColorTransform
Status: Not hooked

#: 638 Function Name: NtGdiXFORMOBJ_bApplyXform
Status: Not hooked

#: 639 Function Name: NtGdiXFORMOBJ_iGetXform
Status: Not hooked

#: 640 Function Name: NtGdiFONTOBJ_vGetInfo
Status: Not hooked

#: 641 Function Name: NtGdiFONTOBJ_pxoGetXform
Status: Not hooked

#: 642 Function Name: NtGdiFONTOBJ_cGetGlyphs
Status: Not hooked

#: 643 Function Name: NtGdiFONTOBJ_pifi
Status: Not hooked

#: 644 Function Name: NtGdiFONTOBJ_pfdg
Status: Not hooked

#: 645 Function Name: NtGdiFONTOBJ_pQueryGlyphAttrs
Status: Not hooked

#: 646 Function Name: NtGdiFONTOBJ_pvTrueTypeFontFile
Status: Not hooked

#: 647 Function Name: NtGdiFONTOBJ_cGetAllGlyphHandles
Status: Not hooked

#: 648 Function Name: NtGdiSTROBJ_bEnum
Status: Not hooked

#: 649 Function Name: NtGdiSTROBJ_bEnumPositionsOnly
Status: Not hooked

#: 650 Function Name: NtGdiSTROBJ_bGetAdvanceWidths
Status: Not hooked

#: 651 Function Name: NtGdiSTROBJ_vEnumStart
Status: Not hooked

#: 652 Function Name: NtGdiSTROBJ_dwGetCodePage
Status: Not hooked

#: 653 Function Name: NtGdiPATHOBJ_vGetBounds
Status: Not hooked

#: 654 Function Name: NtGdiPATHOBJ_bEnum
Status: Not hooked

#: 655 Function Name: NtGdiPATHOBJ_vEnumStart
Status: Not hooked

#: 656 Function Name: NtGdiPATHOBJ_vEnumStartClipLines
Status: Not hooked

#: 657 Function Name: NtGdiPATHOBJ_bEnumClipLines
Status: Not hooked

#: 658 Function Name: NtGdiGetDhpdev
Status: Not hooked

#: 659 Function Name: NtGdiEngCheckAbort
Status: Not hooked

#: 660 Function Name: NtGdiHT_Get8BPPFormatPalette
Status: Not hooked

#: 661 Function Name: NtGdiHT_Get8BPPMaskPalette
Status: Not hooked

#: 662 Function Name: NtGdiUpdateTransform
Status: Not hooked

#: 663 Function Name: NtGdiSetPUMPDOBJ
Status: Not hooked

#: 664 Function Name: NtGdiBRUSHOBJ_DeleteRbrush
Status: Not hooked

#: 665 Function Name: NtGdiUnmapMemFont
Status: Not hooked

#: 666 Function Name: NtGdiDrawStream
Status: Not hooked

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/14 08:23
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UAClyavymnadx.sys
mhgy17
Active Member
 
Posts: 13
Joined: September 7th, 2009, 10:59 am

Re: Infection help

Post by km2357 » September 14th, 2009, 2:40 pm

Step # 1: Download and Run ComboFix

Download ComboFix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
When finished, it will produce a report for you.
• Please include C:\ComboFix.txt in your next reply so we can continue cleaning the system.
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Infection help

Post by mhgy17 » September 14th, 2009, 10:20 pm

OK. ComboFix log attached.
The ComboFix scan asked me to connect to the internet because the machine does not have the Windows Recovery Console. But I don't have an internet connection, so I clicked "No".

ComboFix 09-09-14.02 - Robert Hoagland 09/14/2009 22:03.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3061.2684 [GMT -4:00]
Running from: E:\Rename.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ROBERT~1\LOCALS~1\Temp\csrss.exe
c:\docume~1\ROBERT~1\LOCALS~1\Temp\lsass.exe
c:\docume~1\ROBERT~1\LOCALS~1\Temp\svchost.exe
c:\docume~1\ROBERT~1\LOCALS~1\Temp\taskmgr.exe
c:\documents and settings\All Users\Application Data\cipymehyc.sys
c:\documents and settings\All Users\Application Data\oqyb.bin
c:\documents and settings\All Users\Application Data\owelodoti.lib
c:\documents and settings\All Users\Application Data\zabemibucu._sy
c:\documents and settings\All Users\Documents\fokyvigoqe.pif
c:\documents and settings\All Users\Documents\luda.pif
c:\documents and settings\All Users\Documents\ohebo.bat
c:\documents and settings\All Users\Documents\pilo.dll
c:\documents and settings\All Users\Documents\udozekibu.ban
c:\documents and settings\All Users\Documents\ugykepidi.dl
c:\documents and settings\All Users\Documents\yzek.vbs
c:\documents and settings\Robert Hoagland\Application Data\apufij.bat
c:\documents and settings\Robert Hoagland\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk
c:\documents and settings\Robert Hoagland\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\Robert Hoagland\Application Data\omyfojeba.sys
c:\documents and settings\Robert Hoagland\Application Data\vojazox._sy
c:\documents and settings\Robert Hoagland\Application Data\wyxufaculi.dl
c:\documents and settings\Robert Hoagland\Application Data\xinakexata.reg
c:\documents and settings\Robert Hoagland\Application Data\yzucazi.scr
c:\documents and settings\Robert Hoagland\Desktop\Advanced Virus Remover.lnk
c:\documents and settings\Robert Hoagland\Local Settings\Application Data\aburi.dl
c:\documents and settings\Robert Hoagland\Local Settings\Application Data\idyjevuz.inf
c:\documents and settings\Robert Hoagland\Local Settings\Application Data\zequ.bin
c:\documents and settings\Robert Hoagland\Local Settings\Temporary Internet Files\bycedy.bin
c:\documents and settings\Robert Hoagland\Local Settings\Temporary Internet Files\keho.bat
c:\documents and settings\Robert Hoagland\Local Settings\Temporary Internet Files\subyzu.ban
c:\documents and settings\Robert Hoagland\Local Settings\Temporary Internet Files\ujatily.lib
c:\documents and settings\Robert Hoagland\Start Menu\Advanced Virus Remover.lnk
c:\documents and settings\Robert Hoagland\Start Menu\Programs\AntivirusPro_2010
c:\documents and settings\Robert Hoagland\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
c:\documents and settings\Robert Hoagland\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
c:\program files\AdvancedVirusRemover
c:\program files\AntivirusPro_2010
c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe
c:\program files\AntivirusPro_2010\AVEngn.ocx
c:\program files\AntivirusPro_2010\htmlayout.ocx
c:\program files\AntivirusPro_2010\pthreadVC2.ocx
c:\program files\Common Files\anaco._dl
c:\program files\Common Files\bugelodot.exe
c:\program files\Common Files\fuladis.ban
c:\program files\Common Files\nepanoge._dl
c:\program files\Common Files\ubonunol.inf
c:\program files\Protection System
c:\program files\Protection System\blacklist.cga
c:\program files\Protection System\core.cga
c:\program files\Protection System\coreext.dll
c:\program files\Protection System\firewall.dll
c:\program files\Protection System\uninstall.exe
c:\program files\Windows Police Pro
c:\windows\amyby.bat
c:\windows\braviax.exe
c:\windows\dobydiruha.dl
c:\windows\gehijifot.exe
c:\windows\ihah.vbs
c:\windows\msa.exe
c:\windows\msb.exe
c:\windows\rinyjecuh.bat
c:\windows\system32\_scui.cpl
c:\windows\system32\~.exe
c:\windows\system32\bennuar.old
c:\windows\system32\braviax.exe
c:\windows\system32\drivers\UAClyavymnadx.sys
c:\windows\system32\fuwoduke.dll
c:\windows\system32\gusesuzy.reg
c:\windows\system32\hovolile.dll
c:\windows\system32\joyabihu.dll
c:\windows\system32\kypymu.reg
c:\windows\system32\nurofoyi.dll
c:\windows\system32\onhelp.htm
c:\windows\system32\parahuri.dll
c:\windows\system32\popiwoba.dll
c:\windows\system32\ryputufel._dl
c:\windows\system32\sokazoya.dll
c:\windows\system32\sysnet.dat
c:\windows\system32\tajf83ikdmf.dll
c:\windows\system32\tapi.nfo
c:\windows\system32\uacinit.dll
c:\windows\system32\UACovmrvyvmei.dat
c:\windows\system32\UACpdxcdqloyl.dll
c:\windows\system32\UACvbfamdxnpy.dll
c:\windows\system32\UACvoybnejkcb.dll
c:\windows\system32\UACyxtlgwwyed.dll
c:\windows\system32\vakumene.dll
c:\windows\system32\vorehuye.dll
c:\windows\system32\vuyugije.dll
c:\windows\system32\wafiguvu.dll
c:\windows\system32\wisdstr.exe
c:\windows\uxel.bin
c:\windows\xagat.inf
c:\windows\yjisamed.scr
c:\windows\yqota.bin

c:\windows\system32\drivers\beep.sys . . . is infected!!

c:\windows\system32\proquota.exe . . . is missing!!

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\logevent.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-08-15 to 2009-09-15 )))))))))))))))))))))))))))))))
.

2009-09-06 11:56 . 2009-09-06 11:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-09-06 07:10 . 2009-09-06 07:10 -------- d-----w- c:\documents and settings\All Users\Application Data\gra
2009-09-06 05:17 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-09-06 05:17 . 2009-04-03 14:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-09-06 05:17 . 2008-12-18 15:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-09-06 05:17 . 2009-09-06 05:18 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-06 05:17 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-09-06 05:17 . 2009-09-07 17:31 -------- d-----w- c:\program files\Spyware Doctor
2009-09-06 05:17 . 2009-09-06 05:17 -------- d-----w- c:\documents and settings\Robert Hoagland\Application Data\PC Tools
2009-09-06 05:17 . 2009-09-06 05:17 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-09-06 05:16 . 2009-09-14 02:19 -------- d-----w- c:\documents and settings\Robert Hoagland\Application Data\GetRightToGo
2009-09-06 05:13 . 2009-09-06 05:13 19638 ----a-w- c:\program files\Common Files\sonop.dat
2009-09-06 05:13 . 2009-09-06 05:13 12620 ----a-w- c:\windows\ydivyhoj.dat
2009-09-06 05:13 . 2009-09-06 05:13 12180 ----a-w- c:\windows\haxus.com
2009-09-05 20:27 . 2009-09-14 02:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-05 20:00 . 2009-09-05 20:00 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 17:25 . 2009-09-07 17:25 15191 ----a-w- c:\documents and settings\Robert Hoagland\Application Data\gago.dat
2009-09-07 17:25 . 2009-09-07 17:25 10826 ----a-w- c:\program files\Common Files\tosy.lib
2009-09-05 20:25 . 2009-06-08 13:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-05 20:17 . 2009-05-16 02:57 -------- d-----w- c:\program files\CleanUp!
2009-09-02 21:45 . 2009-04-29 21:04 -------- d-----w- c:\documents and settings\Robert Hoagland\Application Data\AdobeUM
2009-08-10 15:28 . 2009-08-10 15:01 -------- d-----w- c:\program files\gyifuw
2009-08-06 02:22 . 2009-04-23 18:43 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 09:01 . 2008-04-25 16:16 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 17:36 . 2009-06-08 13:02 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-06-08 13:02 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-01 11:54 . 2009-07-12 21:04 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-31 06:46 . 2009-07-31 06:36 -------- d-----w- c:\program files\Computer Alarm Clock
2009-07-31 06:40 . 2009-07-31 06:40 -------- d-----w- c:\program files\Alarm Clock
2009-07-31 06:30 . 2009-07-31 06:30 -------- d-----w- c:\documents and settings\Robert Hoagland\Application Data\BACS.exe
2009-07-26 16:05 . 2009-07-26 16:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-26 15:45 . 2009-07-26 15:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-07-26 15:35 . 2009-07-26 15:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2009-07-26 03:11 . 2009-07-25 22:17 -------- d-----w- c:\program files\bmcyhe
2009-07-23 11:10 . 2009-04-29 21:03 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-17 19:01 . 2008-04-25 16:16 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 16:21 . 2008-04-25 16:16 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2008-04-25 16:16 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2008-04-25 16:16 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2008-04-25 16:16 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2008-04-25 16:16 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2008-04-25 16:16 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2008-04-25 16:16 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2008-04-25 16:16 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2008-04-25 16:16 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-04-29 18:28 . 2009-04-29 18:26 2172080 ----a-w- c:\program files\ptreplicator-setup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\windows\system32\onhelp.htm
FriendlyName= tets

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [9/6/2009 1:17 AM 130936]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [4/16/2009 12:58 AM 24064]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [3/23/2009 2:07 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [3/23/2009 2:07 PM 72944]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 4:47 AM 98304]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/23/2009 2:43 PM 108289]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/4/2004 3:40 AM 118784]
R3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [4/16/2009 12:58 AM 176640]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [3/23/2009 2:07 PM 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [9/6/2009 1:17 AM 348752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
Trusted Zone: doccentral.com
Trusted Zone: fnismls.com
Trusted Zone: getmedianow.com
Trusted Zone: live.com
Trusted Zone: rdesk.com
Trusted Zone: rexplorer.net
Trusted Zone: showingtime.com
Trusted Zone: sitexdata.com
Trusted Zone: spellchecker.net
Trusted Zone: transactionpoint.com
Trusted Zone: trpoint.com
Trusted Zone: virtualearth.net
Trusted Zone: xmlsweb.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{568ff9cb-2d1d-41a9-9682-66761808c9d4} - c:\windows\system32\joyabihu.dll
HKLM-Run-wujayefana - c:\windows\system32\nurofoyi.dll
HKLM-Run-ribekafir - c:\windows\system32\popiwoba.dll
SharedTaskScheduler-{38988d00-4cc7-442f-a8ad-24da475bd0b9} - c:\windows\system32\popiwoba.dll
SSODL-gevitaheg-{38988d00-4cc7-442f-a8ad-24da475bd0b9} - c:\windows\system32\popiwoba.dll
AddRemove-Adobe Acrobat 4.0 - c:\windows\ISUNINST.EXE -fc:\program files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.isu
AddRemove-Win Police Pro - c:\program files\Windows Police Pro\AntiSpyware_Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-14 22:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3864)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2009-09-15 22:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-15 02:10

Pre-Run: 299,779,903,488 bytes free
Post-Run: 299,698,421,760 bytes free

313 --- E O F --- 2009-09-15 02:10
mhgy17
Active Member
 
Posts: 13
Joined: September 7th, 2009, 10:59 am
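The ComboFix log in the post above shows two indicator classes worth recognising in any such log: core Windows process names (csrss.exe, lsass.exe, svchost.exe, taskmgr.exe) deleted from a user's Temp folder, where the genuine binaries never live, and Security Center values ("AntiVirusOverride", "UpdatesDisableNotify") and the firewall ("EnableFirewall"= 0) switched off. The script below is an added example written for this page, not ComboFix's own code and not part of the thread: it scans ComboFix-style log lines offline and flags both classes. The ALLOWED_DIRS and WEAKENED_SETTINGS tables are my assumptions about Windows XP layout, and the sample log is constructed in ComboFix's format rather than taken from the thread.

```python
"""Triage helper for ComboFix-style log excerpts (added example, not ComboFix code).

Flags two indicator classes:
  1. a core Windows process name outside the directory it belongs in
     (e.g. csrss.exe or svchost.exe in a user's Temp folder);
  2. Security Center / firewall registry values that switch protection off.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed table: where a genuine copy of each core binary lives on Windows XP.
# Directories are compared lowercase and without a trailing backslash.
ALLOWED_DIRS: Dict[str, Set[str]] = {
    "csrss.exe":    {r"c:\windows\system32", r"c:\windows\system32\dllcache"},
    "lsass.exe":    {r"c:\windows\system32", r"c:\windows\system32\dllcache"},
    "svchost.exe":  {r"c:\windows\system32", r"c:\windows\system32\dllcache"},
    "taskmgr.exe":  {r"c:\windows\system32", r"c:\windows\system32\dllcache"},
    "winlogon.exe": {r"c:\windows\system32", r"c:\windows\system32\dllcache"},
    "explorer.exe": {r"c:\windows", r"c:\windows\system32\dllcache"},
}

# Assumed table: registry value names as ComboFix prints them, with the
# numeric setting that means "protection switched off".
WEAKENED_SETTINGS: Dict[str, int] = {
    "UpdatesDisableNotify": 1,
    "AntiVirusOverride": 1,
    "FirewallOverride": 1,
    "EnableFirewall": 0,
}

# A Windows path: drive letter, colon, backslash, then the rest of the line.
PATH_RE = re.compile(r"(?i)[a-z]:\\.*")
# A registry value line as ComboFix prints it:  "Name"=value
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+?)\s*$')


@dataclass
class Finding:
    kind: str    # "masquerade" or "weakened_setting"
    detail: str  # short human-readable reason
    line: str    # the log line that triggered it


def reg_value_as_int(raw: str) -> Optional[int]:
    """Normalise ComboFix's two numeric spellings: 'dword:00000001' and '1 (0x1)'."""
    m = re.fullmatch(r"dword:([0-9a-fA-F]{1,8})", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\b", raw)
    if m:
        return int(m.group(1))
    return None  # quoted strings such as "1" are not numeric values


def triage(log_text: str) -> List[Finding]:
    """Scan every line of a ComboFix-style log and return the indicators found."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        # Registry value lines are handled first so a path inside a quoted
        # value is not mistaken for a file listing.
        reg = REG_VALUE_RE.match(stripped)
        if reg:
            name = reg.group("name")
            if name in WEAKENED_SETTINGS:
                value = reg_value_as_int(reg.group("value"))
                if value == WEAKENED_SETTINGS[name]:
                    findings.append(Finding("weakened_setting", f"{name}={value}", stripped))
            continue
        # File listings: bare paths in "Other Deletions", or timestamp + attributes + path.
        m = PATH_RE.search(stripped)
        if not m:
            continue
        path = m.group(0).lower()
        directory, _, basename = path.rpartition("\\")
        allowed = ALLOWED_DIRS.get(basename)
        if allowed is not None and directory not in allowed:
            findings.append(Finding("masquerade", f"{basename} found in {directory}", stripped))
    return findings


def count_by_kind(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample in ComboFix's layout (not a real log): two masquerading
# copies in Temp, two legitimate copies, and three weakened settings.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\USER~1\LOCALS~1\Temp\csrss.exe
c:\docume~1\USER~1\LOCALS~1\Temp\svchost.exe
c:\windows\system32\drivers\beep.sys . . . is infected!!

((((((((((((((((((((((((( Files Created from 2009-08-15 to 2009-09-15 )))))))))))))))))))))))))))))))
.
2009-09-06 05:17 . 2008-04-14 00:12 14336 ----a-w- c:\windows\system32\svchost.exe
2009-09-06 05:17 . 2008-04-14 00:12 1033728 ----a-w- c:\windows\explorer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="c:\program files\Vendor\Tray.exe" [2008-09-19 1529856]
"""

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.kind}] {f.detail}")
    print(count_by_kind(hits))
```

Run it against a saved ComboFix.txt by reading the file into `triage()`; the directory check deliberately compares whole directories rather than prefixes, so a copy in `c:\windows\system32\drivers\` or any subfolder of Temp is still flagged, while the dllcache copy Windows File Protection keeps is not.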

Re: Infection help

Unread postby km2357 » September 15th, 2009, 1:45 am

Running from E:\Rename.exe


I'm guessing that the E drive is your Flash Drive? If that is so, you'll need to move the renamed ComboFix file to your Desktop as you'll need it on the Desktop for a couple of steps in this post.


The ComboFix scan asked me to connect to the internet because the machine does not have Windows Recovery Console. But I don't have an internet connection, so I clicked "No".


Ok, I'll have you install the Recovery Console another way in this post. What happens when you try to connect to the Internet? What error(s) do you get?

================================


Seems you're missing an important part of your operating system. Let's get it reinstalled in case you ever need it.
Nothing is going to change on your computer other than we are going to reinstall the Recovery Console.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

At that page, scroll down and click on the appropriate download for your version of Windows XP (Home or Professional) and the service pack level that you have installed. When you click on the link to download the file, make sure you save it directly to your desktop. If you are using Windows XP Service Pack 3 (SP3), then select the Service Pack 2 download. If you are using Windows XP Media Center, then you should select the Windows XP Pro Service Pack 2 download. If you are unsure what version of Windows you have and what Service Pack is installed, you can follow these instructions to gain that information.

Click on the Start button.

Click on the Run menu option.

In the Open: field type the following: sysdm.cpl and then click on the OK button.

A screen will appear showing information about your installation. Under the System: category you should see your Windows version and the installed Service Pack.

Now close all open windows and programs, including all anti-virus and anti-malware programs, so they do not interfere with the running of ComboFix.

  • Click and drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

  • At the next prompt, click 'No'.

    [screenshot]

  • When the tool is finished, it will produce a report for you.


Next from a clean computer that has XP SP3 installed, I need you to do the following:

1. Reconfigure Windows XP to show hidden files:
To enable the viewing of Hidden files follow these steps:


  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon.
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button and shutdown My Computer.
  • Now your computer is configured to show all hidden files.

Be sure to re-hide your files once you are finished cleaning your computer.

2. Once that is done, plug in your Flash Drive to the clean computer and copy the following file from the clean computer onto the Flash Drive:

c:\windows\system32\proquota.exe

3. Once the file has been copied, remove the Flash Drive and plug into your infected computer. Then copy the proquota.exe file on the Flash Drive to the following folder on the infected computer:

c:\windows\system32

4. Finally, once that is done you can remove the Flash Drive.


Step # 1 Download and run Win32kDiag

Please save this file to your desktop.

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r


Let's retry DDS to see if it works now. First, delete DDS.scr and then follow the directions below.

Step # 2 Download and run DDS

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.


Step # 3: Run CFScript

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    KILLALL::
    
    File::
    
    c:\windows\ydivyhoj.dat
    c:\windows\haxus.com
    c:\documents and settings\Robert Hoagland\Application Data\gago.dat
    c:\program files\Common Files\tosy.lib
    c:\windows\system32\onhelp.htm
    
    Folder::
    
    c:\program files\gyifuw
    c:\program files\bmcyhe
    
    Registry::
    
    [-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [screenshot]

    Note: This CFScript is for use on mhgy17's computer only! Do not use it on your computer.

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

In your next post/reply, I need to see the following:

1. Recovery Console Log
2. Win32kDiag Log
3. The two DDS Logs (DDS and Attach.txt), if available
4. The ComboFix Log that appears after Step 3 has been completed.

Use multiple posts if you can't fit everything into one post.
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Infection help

Unread postby mhgy17 » September 15th, 2009, 11:43 am

OK. Scans attached.

I now have internet access on the "infected" computer.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Running from: C:\Documents and Settings\Robert Hoagland\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Robert Hoagland\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...
Finished!

ComboFix 09-09-14.02 - Robert Hoagland 09/15/2009 11:31.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3061.2651 [GMT -4:00]
Running from: c:\documents and settings\Robert Hoagland\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Robert Hoagland\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\documents and settings\Robert Hoagland\Application Data\gago.dat"
"c:\program files\Common Files\tosy.lib"
"c:\windows\haxus.com"
"c:\windows\system32\onhelp.htm"
"c:\windows\ydivyhoj.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Robert Hoagland\Application Data\gago.dat
c:\program files\bmcyhe
c:\program files\Common Files\tosy.lib
c:\program files\gyifuw
c:\windows\haxus.com
c:\windows\ydivyhoj.dat

.
((((((((((((((((((((((((( Files Created from 2009-08-15 to 2009-09-15 )))))))))))))))))))))))))))))))
.

2009-09-15 15:21 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-09-15 15:21 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-15 15:03 . 2009-09-15 15:07 -------- d-----w- C:\Combo-Fix
2009-09-15 02:36 . 2009-09-15 15:31 -------- d-----w- c:\documents and settings\All Users\Application Data\ATTToolbar
2009-09-15 02:36 . 2009-09-15 02:38 -------- d-----w- c:\documents and settings\Robert Hoagland\Application Data\ATTToolbar
2009-09-15 02:36 . 2009-09-15 02:36 -------- d-----w- c:\program files\ATTToolbar
2009-09-15 02:35 . 2009-09-15 02:35 -------- d-----w- c:\program files\ATT-SST
2009-09-15 02:28 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-15 02:26 . 2009-09-15 02:35 -------- d-----w- c:\documents and settings\Robert Hoagland\Application Data\Motive
2009-09-15 02:26 . 2009-09-15 02:26 -------- d-----w- c:\program files\ATT-HSI
2009-09-15 02:25 . 2009-09-15 03:52 -------- d-----w- c:\program files\Common Files\Motive
2009-09-15 02:25 . 2009-09-15 02:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2009-09-06 11:56 . 2009-09-06 11:56 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-09-06 07:10 . 2009-09-06 07:10 -------- d-----w- c:\documents and settings\All Users\Application Data\gra
2009-09-06 05:17 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-09-06 05:17 . 2009-04-03 14:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-09-06 05:17 . 2008-12-18 15:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-09-06 05:17 . 2009-09-06 05:18 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-06 05:17 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-09-06 05:17 . 2009-09-07 17:31 -------- d-----w- c:\program files\Spyware Doctor
2009-09-06 05:17 . 2009-09-06 05:17 -------- d-----w- c:\documents and settings\Robert Hoagland\Application Data\PC Tools
2009-09-06 05:17 . 2009-09-06 05:17 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-09-06 05:16 . 2009-09-14 02:19 -------- d-----w- c:\documents and settings\Robert Hoagland\Application Data\GetRightToGo
2009-09-06 05:13 . 2009-09-06 05:13 19638 ----a-w- c:\program files\Common Files\sonop.dat
2009-09-05 20:27 . 2009-09-14 02:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-05 20:00 . 2009-09-05 20:00 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-05 20:25 . 2009-06-08 13:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-05 20:17 . 2009-05-16 02:57 -------- d-----w- c:\program files\CleanUp!
2009-09-02 21:45 . 2009-04-29 21:04 -------- d-----w- c:\documents and settings\Robert Hoagland\Application Data\AdobeUM
2009-08-06 02:22 . 2009-04-23 18:43 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 09:01 . 2008-04-25 16:16 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 17:36 . 2009-06-08 13:02 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-06-08 13:02 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-01 11:54 . 2009-07-12 21:04 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-31 06:46 . 2009-07-31 06:36 -------- d-----w- c:\program files\Computer Alarm Clock
2009-07-31 06:40 . 2009-07-31 06:40 -------- d-----w- c:\program files\Alarm Clock
2009-07-31 06:30 . 2009-07-31 06:30 -------- d-----w- c:\documents and settings\Robert Hoagland\Application Data\BACS.exe
2009-07-26 16:05 . 2009-07-26 16:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-26 15:45 . 2009-07-26 15:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-07-26 15:35 . 2009-07-26 15:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Search
2009-07-23 11:10 . 2009-04-29 21:03 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-17 19:01 . 2008-04-25 16:16 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 16:21 . 2008-04-25 16:16 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2008-04-25 16:16 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2008-04-25 16:16 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2008-04-25 16:16 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2008-04-25 16:16 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2008-04-25 16:16 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2008-04-25 16:16 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2008-04-25 16:16 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2008-04-25 16:16 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-04-29 18:28 . 2009-04-29 18:26 2172080 ----a-w- c:\program files\ptreplicator-setup.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-09-15_02.09.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-15 15:33 . 2009-09-15 15:33 16384 c:\windows\temp\Perflib_Perfdata_668.dat
+ 2005-09-23 11:29 . 2005-09-23 11:29 626688 c:\windows\system32\msvcr80.dll
+ 2008-04-25 16:16 . 2009-06-22 06:44 726528 c:\windows\system32\jscript.dll
- 2008-04-25 16:16 . 2009-03-08 08:33 726528 c:\windows\system32\jscript.dll
+ 2009-04-16 02:09 . 2009-06-22 06:44 726528 c:\windows\system32\dllcache\jscript.dll
- 2009-04-16 02:09 . 2009-03-08 08:33 726528 c:\windows\system32\dllcache\jscript.dll
+ 2009-09-15 03:12 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\spuninst\updspapi.dll
+ 2009-09-15 03:12 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst\spuninst.exe
+ 2009-09-15 03:12 . 2009-03-08 08:33 726528 c:\windows\ie8updates\KB971961-IE8\jscript.dll
+ 2008-04-25 16:16 . 2009-05-26 20:53 2174976 c:\windows\system32\WMVCore.dll
- 2008-04-25 16:16 . 2008-11-07 21:45 2174976 c:\windows\system32\WMVCore.dll
+ 2008-11-07 21:45 . 2009-05-26 20:53 2174976 c:\windows\system32\dllcache\WMVCore.dll
- 2008-11-07 21:45 . 2008-11-07 21:45 2174976 c:\windows\system32\dllcache\WMVCore.dll
+ 2009-09-15 03:12 . 2009-08-28 18:38 24689600 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-19 1529856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [9/6/2009 1:17 AM 130936]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [4/16/2009 12:58 AM 24064]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [3/23/2009 2:07 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [3/23/2009 2:07 PM 72944]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 4:47 AM 98304]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/23/2009 2:43 PM 108289]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/4/2004 3:40 AM 118784]
R3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [4/16/2009 12:58 AM 176640]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [3/23/2009 2:07 PM 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [9/6/2009 1:17 AM 348752]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net
mStart Page = hxxp://www.google.com
Trusted Zone: doccentral.com
Trusted Zone: fnismls.com
Trusted Zone: getmedianow.com
Trusted Zone: live.com
Trusted Zone: motive.com\patttbc.att
Trusted Zone: rdesk.com
Trusted Zone: rexplorer.net
Trusted Zone: showingtime.com
Trusted Zone: sitexdata.com
Trusted Zone: spellchecker.net
Trusted Zone: transactionpoint.com
Trusted Zone: trpoint.com
Trusted Zone: virtualearth.net
Trusted Zone: xmlsweb.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-15 11:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3404)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
.
**************************************************************************
.
Completion time: 2009-09-15 11:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-15 15:35
ComboFix2.txt 2009-09-15 02:10

Pre-Run: 299,512,922,112 bytes free
Post-Run: 299,515,834,368 bytes free

237 --- E O F --- 2009-09-15 12:34
mhgy17
Active Member
 
Posts: 13
Joined: September 7th, 2009, 10:59 am

Re: Infection help

Unread postby mhgy17 » September 15th, 2009, 11:45 am

Scans continued....



DDS (Ver_09-07-30.01) - NTFSx86
Run by Robert Hoagland at 11:25:26.56 on Tue 09/15/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3061.2616 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATT-SST\McciTrayApp.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
svchost.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ATTToolbar\FDServer.exe
C:\Documents and Settings\Robert Hoagland\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.att.net
mStart Page = hxxp://www.google.com
BHO: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
TB: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
mRun: [ATT-SST_McciTrayApp] "c:\program files\att-sst\McciTrayApp.exe"
dRunOnce: [RunNarrator] Narrator.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: doccentral.com
Trusted Zone: fnismls.com
Trusted Zone: getmedianow.com
Trusted Zone: live.com
Trusted Zone: motive.com\patttbc.att
Trusted Zone: rdesk.com
Trusted Zone: rexplorer.net
Trusted Zone: showingtime.com
Trusted Zone: sitexdata.com
Trusted Zone: spellchecker.net
Trusted Zone: transactionpoint.com
Trusted Zone: trpoint.com
Trusted Zone: virtualearth.net
Trusted Zone: xmlsweb.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {4E330863-6A11-11D0-BFD8-006097237877} - hxxp://support.rexplorer.net/iftw_install//iftwclix.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-9-6 130936]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2009-4-16 24064]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-4-23 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-4-23 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-4-23 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-4-23 55656]
R3 k57w2k;Broadcom NetLink (TM) Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [2009-4-16 176640]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-9-6 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-9-6 1097096]

=============== Created Last 30 ================

2009-09-15 11:21 50,176 ac------ c:\windows\system32\dllcache\proquota.exe
2009-09-15 11:21 50,176 a------- c:\windows\system32\proquota.exe
2009-09-15 11:03 <DIR> a-dshr-- C:\cmdcons
2009-09-15 11:03 <DIR> --ds---- C:\Combo-Fix
2009-09-14 22:36 <DIR> --d----- c:\program files\ATTToolbar
2009-09-14 22:36 <DIR> --d----- c:\docume~1\robert~1\applic~1\ATTToolbar
2009-09-14 22:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ATTToolbar
2009-09-14 22:35 <DIR> --d----- c:\program files\ATT-SST
2009-09-14 22:28 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-09-14 22:26 <DIR> --d----- c:\program files\ATT-HSI
2009-09-14 22:25 <DIR> --d----- c:\program files\common files\Motive
2009-09-14 21:53 229,888 a------- c:\windows\PEV.exe
2009-09-14 21:53 161,792 a------- c:\windows\SWREG.exe
2009-09-14 21:53 98,816 a------- c:\windows\sed.exe
2009-09-07 13:25 15,191 a------- c:\docume~1\robert~1\applic~1\gago.dat
2009-09-07 13:25 13,123 a------- c:\windows\fybig._sy
2009-09-06 03:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\gra
2009-09-06 01:17 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-09-06 01:17 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-09-06 01:17 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-09-06 01:17 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-09-06 01:17 <DIR> --d----- c:\program files\common files\PC Tools
2009-09-06 01:17 <DIR> --d----- c:\program files\Spyware Doctor
2009-09-06 01:17 <DIR> --d----- c:\docume~1\robert~1\applic~1\PC Tools
2009-09-06 01:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-09-06 01:16 <DIR> --d----- c:\docume~1\robert~1\applic~1\GetRightToGo
2009-09-06 01:13 19,638 a------- c:\program files\common files\sonop.dat
2009-09-06 01:13 12,620 a------- c:\windows\ydivyhoj.dat
2009-09-06 01:13 12,180 a------- c:\windows\haxus.com

==================== Find3M ====================

2009-09-07 13:25 10,826 a------- c:\program files\common files\tosy.lib
2009-08-05 22:22 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-12 12:21 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 13:09 915,456 -------- c:\windows\system32\wininet.dll
2009-06-25 04:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 04:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 04:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 04:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 04:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 04:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-04-29 14:28 2,172,080 a------- c:\program files\ptreplicator-setup.exe

============= FINISH: 11:25:36.23 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 4/23/2009 2:33:22 PM
System Uptime: 9/15/2009 10:18:13 AM (1 hours ago)

Motherboard: Dell Inc. | | 0T656F
Processor: Intel(R) Core(TM)2 Duo CPU E7300 @ 2.66GHz | CPU | 2659/1066mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 298 GiB total, 278.956 GiB free.
D: is CDROM ()
J: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 9/15/2009 10:51:32 AM - System Checkpoint

==== Installed Programs ======================

32 Bit HP CIO Components Installer
7500_7600_7700_Help
ACI Collection 32
ACI Desktop Additional Components
Adobe Flash Player 10 ActiveX
Adobe Photoshop Elements 3.0
Adobe Reader 6.0.1
Alarm Clock v1.0
AT&T Self Support Tool
AT&T Toolbar
Avira AntiVir Personal - Free Antivirus
BPD_HPSU
BPD_Scan
BPDfax
BPDSoftware
BPDSoftware_Ini
Broadcom Management Programs
BufferChm
Choice Guard
CleanUp!
Computer Alarm Clock
CP_CalendarTemplates1
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Panorama1Config
cp_PosterPrintConfig
CueTour
CustomerResearchQFolder
Destinations
DeviceManagementQFolder
DocProc
DocProcQFolder
DocumentViewer
DocumentViewerQFolder
eSupportQFolder
FullDPAppQFolder
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB953955)
Hotfix for Windows XP (KB954434)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB958347)
Hotfix for Windows XP (KB959252)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
HP Customer Participation Program 7.0
HP Document Viewer 7.0
HP Imaging Device Functions 7.0
HP Officejet Pro All-In-One Series
HP Photosmart Essential
HP Photosmart Premier Software 6.5
HP Product Assistant
HP Solution Center 7.0
HP Update
HPPhotoSmartExpress
HPProductAssistant
InstantShareDevices
InstantShareDevicesMFC
Intel(R) Graphics Media Accelerator Driver
Java(TM) 6 Update 11
Karen's Replicator
L7500
Malwarebytes' Anti-Malware
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Office 2000 SR-1 Disc 2
Microsoft Office 2000 SR-1 Small Business
Microsoft Silverlight
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
MPM
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB927977)
OCR Software by I.R.I.S 7.0
PanoStandAlone
PC Access for Windows
PhotoGallery
PowerDVD
ProductContext
RandMap
REXplorer Component Upgrade
Scan
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
SkinsHP1
SlideShow
SolutionCenter
Sonic CinePlayer Decoder Pack
Sonic_PrimoSDK
Spyware Doctor 6.1
Status
SUPERAntiSpyware Free Edition
Toolbox
TrayApp
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB898461)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 8
Windows Live Sync
Windows Live Upload Tool
Windows Presentation Foundation
Windows Search 4.0
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

9/9/2009 8:10:29 AM, error: Print [19] - Sharing printer failed + 1722, Printer Microsoft XPS Document Writer share name Printer.
9/14/2009 9:56:58 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
9/14/2009 9:56:40 PM, error: Service Control Manager [7001] - The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
9/14/2009 9:54:04 PM, error: Service Control Manager [7034] - The Photoshop Elements Device Connect service terminated unexpectedly. It has done this 1 time(s).
9/14/2009 9:54:04 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
9/14/2009 9:53:52 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the AntiVirSchedulerService service.
9/14/2009 9:53:52 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Adobe Active File Monitor service to connect.
9/14/2009 9:53:52 PM, error: Service Control Manager [7001] - The Windows Firewall/Internet Connection Sharing (ICS) service depends on the Windows Management Instrumentation service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
9/14/2009 9:53:52 PM, error: Service Control Manager [7001] - The Fax service depends on the Telephony service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
9/14/2009 9:53:52 PM, error: Service Control Manager [7000] - The Adobe Active File Monitor service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
9/14/2009 9:53:40 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
9/14/2009 9:46:40 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
9/14/2009 9:46:18 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/14/2009 9:46:12 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
9/14/2009 10:07:52 PM, error: PlugPlayManager [11] - The device Root\LEGACY_ROOTREPEAL\0000 disappeared from the system without first being prepared for removal.
9/14/2009 10:07:42 PM, information: Windows File Protection [64004] - The protected system file beep.sys could not be restored to its original, valid version. The file version of the bad file is unknown The specific error code is 0x00000000 [The operation completed successfully. ].
9/14/2009 10:07:42 PM, information: Windows File Protection [64003] - File replacement was attempted on the protected system file beep.sys. This file was restored to the original version to maintain system stability. The file version of the bad file is unknown.
9/14/2009 10:07:36 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file beep.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.0.
9/14/2009 10:05:06 PM, error: Service Control Manager [7034] - The Adobe Active File Monitor service terminated unexpectedly. It has done this 1 time(s).
9/14/2009 10:05:06 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
9/14/2009 10:03:20 PM, error: SRService [104] - The System Restore initialization process failed.
9/13/2009 11:50:03 AM, error: Dhcp [1002] - The IP address lease 192.168.0.4 for the Network Card with network address 0023AE84BA0C has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
9/13/2009 10:36:00 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
9/13/2009 10:36:00 AM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

==== End Of File ===========================
mhgy17
Active Member
 
Posts: 13
Joined: September 7th, 2009, 10:59 am

Re: Infection help

Unread postby km2357 » September 15th, 2009, 2:39 pm

Good to hear that you've got your Internet connection back. :)

Both the Recovery Console and Win32kdiag logs look good as well. :)


Step # 1 Update Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u16.
  • Click on the link to download Windows Offline Installation and save to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Remove the following old versions of Java:

  • Java(TM) 6 Update 11

  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • From your desktop double-click on the download to install the newest version.



Step # 2: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Step # 3: Deleting Files/Folders

I need you to delete the file I have marked in Red (if found):

c:\program files\Common Files\sonop.dat



Step # 4 Run Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware.
  • Before running a scan, click the Update tab, then click Check for Updates to download any updates, if available.
  • Next click the Scanner tab and select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • You can also access the log by doing the following:
  • Click on the Malwarebytes' Anti-Malware icon to launch the program.
  • Click on the Logs tab.
  • Click on the log at the bottom of those listed to highlight it.
  • Click Open.


Post the MalwareBytes' Log in your next post/reply.
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: Infection help

Unread postby mhgy17 » September 15th, 2009, 11:43 pm

OK. Scan attached. Thank you.

Malwarebytes' Anti-Malware 1.41
Database version: 2807
Windows 5.1.2600 Service Pack 3

9/15/2009 11:34:41 PM
mbam-log-2009-09-15 (23-34-41).txt

Scan type: Quick Scan
Objects scanned: 98877
Time elapsed: 2 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robert Hoagland\Start Menu\Programs\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\Protection System\Protection System Support.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection System\Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection System\Uninstall Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robert Hoagland\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
mhgy17
Active Member
 
Posts: 13
Joined: September 7th, 2009, 10:59 am
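A small parser for the Malwarebytes log format shown in the post above, as an added example (not code from the poster or from Malwarebytes): it cross-checks the summary counts against the entries actually listed and pulls out the Security Center notification values the rogue had switched off (the "Bad: (1) Good: (0)" items). SAMPLE_LOG is a constructed excerpt of that log, not the complete file.

```python
import re

# Constructed excerpt modelled on the log posted above (not the complete file).
SAMPLE_LOG = r"""
Registry Keys Infected: 1
Registry Data Items Infected: 2

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # "Files Infected: 4"
HEADER_RE = re.compile(r"^([A-Za-z ]+ Infected):$")          # "Files Infected:"
ITEM_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+)$")        # target (family) -> details
BADGOOD_RE = re.compile(r"Bad: \((\d+)\) Good: \((\d+)\)")

def parse_mbam_log(text):
    """Return (summary counts, detected items grouped by section)."""
    summary, items, section = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if (m := SUMMARY_RE.match(line)):
            summary[m.group(1)] = int(m.group(2))
        elif (m := HEADER_RE.match(line)):
            section = m.group(1)
            items.setdefault(section, [])
        elif section and (m := ITEM_RE.match(line)):
            # "(No malicious items detected)" never matches ITEM_RE and is skipped.
            parts = m.group(3).split(" -> ")   # e.g. ["Bad: (1) Good: (0)", "Quarantined ..."]
            items[section].append({"target": m.group(1), "family": m.group(2),
                                   "detail": " -> ".join(parts[:-1]), "action": parts[-1]})
    return summary, items

def count_mismatches(summary, items):
    """Sections whose summary count disagrees with the entries listed (a sign of an edited log)."""
    return {s: (n, len(items.get(s, []))) for s, n in summary.items()
            if n != len(items.get(s, []))}

def disabled_security_notifications(items):
    """Security Center notification values the malware had set to 1 (notification off)."""
    hits = []
    for it in items.get("Registry Data Items Infected", []):
        m = BADGOOD_RE.search(it["detail"])
        if m and "Security Center" in it["target"] and int(m.group(1)) == 1:
            hits.append(it["target"].rsplit("\\", 1)[-1])
    return hits
```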

Re: Infection help

Unread postby km2357 » September 16th, 2009, 12:19 am

Step # 1 Update Adobe Acrobat Reader

There is a newer version of Adobe Acrobat Reader available. (See Note below)

  • First, go to Add/Remove Programs and uninstall Adobe Reader 6.0.1.
  • Please go to this link Adobe Acrobat Reader Download Link
  • On the right Untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts

Note: Adobe 9.1.3 is a large program and if you prefer a smaller program you can get Foxit 3.1 instead from http://www.foxitsoftware.com/pdf/rd_intro.php

If you decide to install Foxit 3.1 instead of Adobe, do the following during Foxit's Setup/Installation process:

Uncheck the following boxes:

I accept the License Terms and want to install Foxit Toolbar

Make Ask.com my default search

Create desktop, quick launch and start menu icon to eBay



Step # 2: Run Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.


In your next post/reply, I need to see the following:

1. Kaspersky Log
2. A fresh DDS Log
3. How is your computer doing, any problems?
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California