Malware Removal Instructions

BankerFox.A popup and weird lgfldrotssd.exe application


Unread postby Towel » August 3rd, 2010, 3:26 am

Hi all,

My computer appears to be infected. I keep getting a pop-up saying that I have a BankerFox.A trojan virus. This pop-up tells me that I should download/buy some anti-virus software to fix it. I also found a suspicious program while running the MSCONFIG mode. I found out that my computer has the application "lgfldrotssd" starting up every time I turn on my computer.

Attached is my HJT and uninstall list below. Thanks in advance for helping me out!

=======================================
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:17:45 PM, on 8/2/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\HDAudPropShortcut.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HJT\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [D-Link Wireless G WUA-1340] C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [bkpayrbk] C:\Documents and Settings\Owner\Local Settings\Application Data\ukvmvpwfl\lgfldrotssd.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 7885475359
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9276 bytes
=======================================
Uninstall list:

Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.3
AIM 6
ANIO Service
ANIWZCS2 Service
ArcSoft Camera Suite
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Canon Camera Window for ZoomBrowser EX
Canon i560
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PhotoPrint Plus
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
CC_ccStart
ccCommon
eMachines Bay Reader
Google Talk Plugin
High Definition Audio Driver Package - KB835221
HiJackThis
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel(R) PRO Network Adapters and Drivers
Java 2 Runtime Environment, SE v1.4.2
Learn2 Player (Uninstall Only)
LiveReg (Symantec Corporation)
LiveUpdate 1.90 (Symantec Corporation)
Microsoft Choice Guard
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Picture It! Photo Premium 9
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 7.0
MSRedist
MSVCRT
Multimedia Keyboard Driver
MUSICMATCH® Jukebox
Nero BurnRights
Nero OEM
Norton AntiVirus 2004
Norton AntiVirus 2004 (Symantec Corporation)
Norton AntiVirus Parent MSI
Norton WMI Update
PowerDVD
QuickTime
RealPlayer Basic
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB980376)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB982135)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Segoe UI
SoftV92 Data Fax Modem with SmartCP
Symantec Script Blocking Installer
SymNet
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Outlook 2007 Junk Email Filter (kb2202131)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Media Player
Winamp
Windows Backup Utility
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format Runtime
Windows XP Service Pack 3
Wireless G WUA-1340
Yahoo! Messenger
Yahoo! Toolbar
Towel
Regular Member
 
Posts: 59
Joined: March 13th, 2005, 2:49 am

Re: BankerFox.A popup and weird lgfldrotssd.exe application

Unread postby MWR 3 day Mod » August 7th, 2010, 2:43 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: BankerFox.A popup and weird lgfldrotssd.exe application

Unread postby melboy » August 7th, 2010, 5:05 am

Hi and welcome back to the MR forums. :)

I'm melboy and I am going to try to help you with your problem. Please take note of the following:

  1. I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  2. The fixes are specific to your problem and should only be used for this issue on this machine.
  3. If you don't know or understand something, please don't hesitate to ask.
  4. Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc...)
  5. Please DO NOT run any other tools or scans whilst I am helping you.
  6. It is important that you reply to this thread. Do not start a new topic.
  7. DO NOT attach logs unless requested to. Please copy/paste all requested logs into your replies.
  8. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  9. Absence of symptoms does not mean that everything is clear.


NOTE: Please take time to read the Malware Removal Forum Guidelines and Rules where the conditions for receiving help at this forum are explained.


IMPORTANT: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.



No Reply Within 3 Days Will Result In Your Topic Being Closed!! If you need more time, please inform me.


======================================


Fix HijackThis entries
  • Run HijackThis
  • Click on the do a system scan only button
  • Put a check beside all of the items listed below (if present):

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
    O4 - HKCU\..\Run: [bkpayrbk] C:\Documents and Settings\Owner\Local Settings\Application Data\ukvmvpwfl\lgfldrotssd.exe

  • Close all open windows and browsers/email etc...
  • Click on the Fix Checked button
  • When completed close the application.

REBOOT



TFC

  • Please download TFC by Old Timer to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.



Rkill

Please download Rkill from one of the five following links and save to your Desktop:

One, Two, Three, eXplorer.exe (Renamed rKill), iExplore.exe (Renamed rKill).

  • Double click on Rkill.
  • A command window will open then disappear upon completion. This is normal, as is your desktop temporarily disappearing. Do not be alarmed.
  • Notepad will open, please post the contents in your next reply. (The log can also be found at C:\Rkill.txt)
  • Please leave Rkill on the Desktop until otherwise advised.

Note: If you receive a message that rkill is an infection, do not be concerned. This message is just a fake warning given by rogue malware when it terminates programs that may potentially remove it.
If you encounter infections that give a fake warning and close Rkill, a trick is to leave the fake warning on the screen and then run Rkill again. By not closing the fake warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the rogue processes.




Malwarebytes' Anti-Malware (MBAM)

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick scan, then click on Scan
  • When done, you will be prompted. Click OK. If Items are found, then click on Show Results
  • Check all items then click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply.


    The log can also be found here:
    1. C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    2. Or via the Logs tab when the application is started.

Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately.
Failure to reboot will prevent MBAM from removing all the malware.



random's system information tool (RSIT)

  • Download random's system information tool (RSIT) by random/random from HERE and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt (<<will be maximized)
    • info.txt (<<will be minimized)
  • Post both of these logs in your next reply (Sometimes you have to make several posts to get the logs posted.)




In your next reply:
  1. RSIT log.txt
  2. RSIT info.txt
  3. MBAM log
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK
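
The entries melboy lists for fixing (the ProxyServer value pointing at 127.0.0.1:6522, the BHO and toolbar entries marked "(no file)", and the HKCU Run value launching lgfldrotssd.exe from a random-named folder under Application Data) are the patterns a helper picks out of a HijackThis log by eye. The script below is an added example, not code from MalwareRemoval.com, HijackThis or melboy; it automates those three checks over lines copied from Towel's log. The vowel-ratio threshold used to call a name "random-looking" is an assumption chosen for illustration, not a published rule.

```python
"""HijackThis log triage, written for this thread as an added example.

This is not a tool from MalwareRemoval.com, HijackThis or melboy; it only
automates the three observations the reply above makes about Towel's log:
an IE ProxyServer aimed at the local machine, O2/O3 entries whose file is
gone, and an HKCU Run entry launching from a random-named folder under the
user profile's Application Data. Thresholds are assumptions, not standards.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample: seven lines copied from the log in this thread, the
# four that melboy flags plus three benign ones (NAV Helper, ctfmon,
# Google Update) so the filter has both kinds to work on.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [bkpayrbk] C:\Documents and Settings\Owner\Local Settings\Application Data\ukvmvpwfl\lgfldrotssd.exe
"""

PROXY_RE = re.compile(r"^R1 - HKCU\\.*ProxyServer = (?P<proxy>.+)$")
NOFILE_RE = re.compile(r"^O[23] - .* - \(no file\)$")
RUN_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
PROFILE_DATA_RE = re.compile(
    r"\\documents and settings\\[^\\]+\\(?:local settings\\)?application data\\", re.I)
VOWELS = set("aeiou")


def looks_random(token: str) -> bool:
    """Heuristic (assumed threshold): 7+ letters with under 25% vowels,
    like 'ukvmvpwfl'; product names and real words rarely look like this."""
    t = token.lower()
    if len(t) < 7 or not t.isalpha():
        return False
    return sum(c in VOWELS for c in t) / len(t) < 0.25


def exe_path(cmd: str) -> str:
    """Pull the executable path out of a Run value, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd


def triage_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a suspicious line, else None."""
    line = line.strip()
    m = PROXY_RE.match(line)
    if m:
        proxy = m.group("proxy")
        if re.search(r"127\.0\.0\.1|localhost", proxy, re.I):
            return ("high", f"IE proxy points at this machine ({proxy}); "
                            "rogue software commonly inserts itself this way")
        return "review", f"IE proxy configured: {proxy}"
    if NOFILE_RE.match(line):
        return "low", "BHO/toolbar still registered but its DLL is gone (orphan)"
    m = RUN_RE.match(line)
    if m and PROFILE_DATA_RE.search(exe_path(m.group("cmd"))):
        parts = exe_path(m.group("cmd")).split("\\")
        folder = parts[-2] if len(parts) > 1 else ""
        exe_stem = parts[-1].rsplit(".", 1)[0]
        if any(looks_random(t) for t in (m.group("name"), folder, exe_stem)):
            return "high", "per-user Run entry with random-looking names under Application Data"
        return "review", "per-user Run entry launches from the user profile's Application Data"
    return None


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Run triage_line over every line; keep (severity, reason, line) hits."""
    hits = []
    for raw in log_text.splitlines():
        verdict = triage_line(raw)
        if verdict:
            hits.append((verdict[0], verdict[1], raw.strip()))
    return hits


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Run as-is it prints five hits from the sample: the local proxy and the lgfldrotssd.exe Run entry as "high", the three orphaned entries as "low" and Google Update as "review" (it also launches from Application Data, but its names are readable, which is why the folder-name heuristic is only a hint and the helper's judgement still decides). Paste a full HijackThis log into `triage()` and it applies the same three checks to every line.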

Re: BankerFox.A popup and weird lgfldrotssd.exe application

Unread postby Towel » August 7th, 2010, 3:55 pm

Thanks for your help! My logs are below:

RSIT log.txt
Logfile of random's system information tool 1.08 (written by random/random)
Run by Owner at 2010-08-07 11:50:20
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 166 GB (87%) free of 191 GB
Total RAM: 511 MB (28% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:50:31 AM, on 8/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\HDAudPropShortcut.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\RSIT.exe
C:\Program Files\trend micro\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [D-Link Wireless G WUA-1340] C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 7885475359
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8859 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3477034509-3013108683-1553488708-1003Core.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3477034509-3013108683-1553488708-1003UA.job
C:\WINDOWS\tasks\Symantec NetDetect.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll [2008-07-28 882416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
CNavExtBho Class - C:\Program Files\Norton AntiVirus\NavShExt.dll [2003-12-04 103368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
SingleInstance Class - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll [2008-07-28 160496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Norton AntiVirus - C:\Program Files\Norton AntiVirus\NavShExt.dll [2003-12-04 103368]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll [2008-07-28 882416]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"CHotkey"=C:\WINDOWS\zHotkey.exe [2003-07-29 515584]
"ShowWnd"=C:\WINDOWS\ShowWnd.exe [2003-09-19 36864]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2003-10-31 32768]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2006-03-09 71328]
"High Definition Audio Property Page Shortcut"=C:\WINDOWS\system32\HDAudPropShortcut.exe [2004-03-17 61952]
"mmtask"=c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe [2004-01-26 53248]
"SunKistEM"=C:\Program Files\eMachines Bay Reader\shwiconem.exe [2004-03-11 135168]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2004-06-13 339968]
"Symantec NetDriver Monitor"=C:\PROGRA~1\SYMNET~1\SNDMon.exe [2008-04-10 95960]
"WinampAgent"=C:\Program Files\Winamp\winampa.exe []
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2008-10-25 31072]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2002-02-15 77824]
"D-Link Wireless G WUA-1340"=C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe [2007-08-27 1662976]
"ANIWZCS2Service"=C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe [2007-01-19 49152]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"Aim6"= []
"MsnMsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2009-07-26 3883856]
"Messenger (Yahoo!)"=C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [2008-11-05 4347120]
"Google Update"=C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-05 136176]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2004-06-06 344064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SYMTDI]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe"="C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

======List of files/folders created in the last 1 months======

2010-08-07 11:38:20 ----D---- C:\Program Files\trend micro
2010-08-07 11:38:19 ----D---- C:\rsit
2010-08-07 11:22:42 ----D---- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2010-08-07 11:22:34 ----A---- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010-08-07 11:22:31 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-08-07 11:22:31 ----A---- C:\WINDOWS\system32\drivers\mbam.sys
2010-08-07 11:22:30 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-08-02 21:44:53 ----D---- C:\Program Files\HJT
2010-08-02 21:40:37 ----ASH---- C:\hiberfil.sys
2010-08-02 21:32:58 ----D---- C:\WINDOWS\pss
2010-08-02 20:49:35 ----A---- C:\WINDOWS\ntbtlog.txt
2010-08-02 20:34:59 ----HDC---- C:\WINDOWS\$NtUninstallKB2286198$
2010-07-16 12:40:52 ----D---- C:\Documents and Settings\Owner\Application Data\Mozilla
2010-07-13 18:57:28 ----HDC---- C:\WINDOWS\$NtUninstallKB2229593$

======List of files/folders modified in the last 1 months======

2010-08-07 11:46:47 ----D---- C:\WINDOWS\Temp
2010-08-07 11:46:38 ----D---- C:\WINDOWS
2010-08-07 11:46:33 ----RD---- C:\Program Files
2010-08-07 11:46:33 ----D---- C:\Program Files\Common Files
2010-08-07 11:46:13 ----D---- C:\WINDOWS\system32\drivers
2010-08-07 11:45:37 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-08-07 11:18:34 ----D---- C:\WINDOWS\Prefetch
2010-08-07 11:10:51 ----D---- C:\WINDOWS\system32
2010-08-07 10:58:26 ----RASH---- C:\boot.ini
2010-08-07 10:58:26 ----A---- C:\WINDOWS\win.ini
2010-08-07 10:58:26 ----A---- C:\WINDOWS\system.ini
2010-08-02 21:45:17 ----SHD---- C:\WINDOWS\Installer
2010-08-02 20:52:44 ----D---- C:\Documents and Settings
2010-08-02 20:35:08 ----HD---- C:\WINDOWS\inf
2010-08-02 20:35:03 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-08-02 20:34:16 ----D---- C:\WINDOWS\system32\CatRoot2
2010-08-02 12:06:59 ----HD---- C:\WINDOWS\$hf_mig$
2010-07-26 22:30:35 ----A---- C:\WINDOWS\system32\shell32.dll
2010-07-25 19:07:31 ----D---- C:\WINDOWS\network diagnostic
2010-07-13 18:57:36 ----A---- C:\WINDOWS\imsins.BAK
2010-07-13 18:54:36 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 ohci1394;OHCI Compliant IEEE 1394 Host Controller; C:\WINDOWS\System32\DRIVERS\ohci1394.sys [2008-04-13 61696]
R0 PxHelp20;PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [2007-03-07 43528]
R0 sptd;sptd; C:\WINDOWS\System32\Drivers\sptd.sys [2008-04-10 717296]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 SAVRTPEL;SAVRTPEL; \??\C:\Program Files\Norton AntiVirus\SAVRTPEL.SYS []
R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2005-01-21 267384]
R2 ANIO;ANIO Service; \??\C:\WINDOWS\system32\ANIO.SYS []
R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2002-02-15 8552]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys [2004-01-16 12970]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2004-06-13 747520]
R3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2004-02-10 154112]
R3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\HdAudio.sys [2004-03-17 113664]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\System32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HSF_DP;HSF_DP; C:\WINDOWS\System32\DRIVERS\HSF_DP.sys [2003-11-13 1042816]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\System32\DRIVERS\HSFHWBS2.sys [2003-11-13 210304]
R3 MxlW2k;MxlW2k; C:\WINDOWS\system32\drivers\MxlW2k.sys [2002-02-15 28352]
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100707.002\NAVENG.Sys []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100707.002\NavEx15.Sys []
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 RT73;D-Link USB Wireless LAN Card Driver; C:\WINDOWS\System32\DRIVERS\Dr71WU.sys [2007-07-28 451456]
R3 SAVRT;SAVRT; \??\C:\Program Files\Norton AntiVirus\SAVRT.SYS []
R3 SunkFilt;Alcor Micro Corp - 9360; \??\C:\WINDOWS\System32\Drivers\sunkfilt.sys []
R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
R3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2005-01-21 26424]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys [2003-11-13 679808]
S3 arwyw1ul;arwyw1ul; C:\WINDOWS\system32\drivers\arwyw1ul.sys []
S3 Bridge;MAC Bridge; C:\WINDOWS\System32\DRIVERS\bridge.sys [2008-04-13 71552]
S3 BridgeMP;MAC Bridge Miniport; C:\WINDOWS\System32\DRIVERS\bridge.sys [2008-04-13 71552]
S3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2004-06-06 730653]
S3 SunkFilt39;Alcor Micro Corp - 3239; \??\C:\WINDOWS\System32\Drivers\sunkfilt39.sys []
S3 Sunkfiltp;HP && Alcor Micro Corp for Phison; \??\C:\WINDOWS\System32\Drivers\sunkfiltp.sys []
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\System32\DRIVERS\wanatw4.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\System32\Ati2evxx.exe [2004-06-13 376832]
R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2006-03-09 255648]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2006-03-09 235168]
R2 navapsvc;Norton AntiVirus Auto Protect Service; C:\Program Files\Norton AntiVirus\navapsvc.exe [2004-04-23 158848]
R2 SymWSC;SymWMI Service; C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe [2004-11-02 316544]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\System32\wdfmgr.exe [2005-01-28 38912]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R3 SAVScan;SAVScan; C:\Program Files\Norton AntiVirus\SAVScan.exe [2005-01-25 194272]
S2 ANIWZCSdService;ANIWZCSd Service; C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe [2007-01-19 49152]
S2 SBService;ScriptBlocking Service; C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe [2003-06-24 66784]
S3 ccPwdSvc;Symantec Password Validation; C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe [2006-03-09 87712]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2008-10-25 65888]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2005-01-21 206552]

-----------------EOF-----------------


RSIT info.txt
info.txt logfile of random's system information tool 1.08 2010-08-07 11:38:38

======Uninstall list======

-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {926CC8AE-8414-43DF-8EB4-CF26D9C3C663}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81300000003}
AIM 6-->C:\Program Files\AIM6\uninst.exe
ANIO Service-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}\Setup.exe"
ANIWZCS2 Service-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4C590030-7469-453E-8589-D15DA9D03F52}\Setup.exe"
ArcSoft Camera Suite-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AD708DF0-9F04-4CB3-821A-85804A833B4D}\setup.exe" -l0x9 -uninst
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver-->rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Canon Camera Window for ZoomBrowser EX-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{A29EA741-24F7-4C07-9B2C-06CB6491BE4A}
Canon i560-->C:\WINDOWS\System32\CNMCP58.exe "-PRINTERNAMECanon i560" "-HELPERDLLC:\BJPrinter\CNMWINDOWS\Canon i560 Installer\Inst2\cnmis.dll" "-RCDLLC:\BJPrinter\CNMWINDOWS\Canon i560 Installer\Inst2\cnmi0409.dll"
Canon PhotoRecord-->MsiExec.exe /X{BEF56F2D-56ED-4176-BF72-7B68D4A3B98D}
Canon RAW Image Task for ZoomBrowser EX-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{FAF0DAD8-1EA7-4FEF-80E5-8D8D6EBD5A23}
Canon RemoteCapture Task for ZoomBrowser EX-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{F0FC315A-7D1D-444F-BB96-A59B28179626}
Canon Utilities Easy-PhotoPrint Plus-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Canon\Easy-PhotoPrint Plus\Uninst.isu" -c"C:\Program Files\Canon\Easy-PhotoPrint Plus\EZUNINST.DLL"
Canon Utilities Easy-PhotoPrint-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Canon\Easy-PhotoPrint\Uninst.isu" -c"C:\Program Files\Canon\Easy-PhotoPrint\EZUNINST.DLL"
Canon Utilities PhotoStitch 3.1-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{C05E2D43-A05F-4835-A15C-CD0AD1576506}
Canon Utilities ZoomBrowser EX-->MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
CC_ccStart-->MsiExec.exe /I{D6414CC7-F215-467F-88B1-546ED863F35B}
ccCommon-->MsiExec.exe /I{DC367608-64A7-4BF7-92F4-8BAA25BA02DB}
eMachines Bay Reader-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{81EED1A1-AE78-4B11-BE47-C6AE9F5E87F1}
Google Talk Plugin-->MsiExec.exe /I{26B878A8-5704-3B64-BDBC-4F0EACA38121}
High Definition Audio Driver Package - KB835221-->C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HiJackThis-->MsiExec.exe /X{45A66726-69BC-466B-A7A4-12FCBA4883D7}
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB976098-v2)-->"C:\WINDOWS\$NtUninstallKB976098-v2$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB979306)-->"C:\WINDOWS\$NtUninstallKB979306$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB981793)-->"C:\WINDOWS\$NtUninstallKB981793$\spuninst\spuninst.exe"
Intel(R) PRO Network Adapters and Drivers-->Prounstl.exe
Java 2 Runtime Environment, SE v1.4.2-->MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142000}
Learn2 Player (Uninstall Only)-->C:\Program Files\Learn2.com\StRunner\stuninst.exe
LiveReg (Symantec Corporation)-->C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 1.90 (Symantec Corporation)-->C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Choice Guard-->MsiExec.exe /X{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft Money 2004 System Pack-->MsiExec.exe /I{8C64E145-54BA-11D6-91B1-00500462BE80}
Microsoft Money 2004-->MsiExec.exe /I{1D643CD7-4DD6-11D7-A4E0-000874180BB3}
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {ABDDE972-355B-4AF1-89A8-DA50B7B5C045}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {F580DDD5-8D37-4998-968E-EBB76BB86787}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {187308AB-5FA7-4F14-9AB9-D290383A10D9}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Picture It! Photo Premium 9-->c:\WINDOWS\System32\msiexec.exe /i {DBA8B9E1-C6FF-4624-9598-73D3B41A0903}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works 7.0-->MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
MSRedist-->MsiExec.exe /I{FC37ABD0-2108-4beb-B010-1254E0662B5A}
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
Multimedia Keyboard Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6E66ECBD-FCA7-4AE1-A8C5-1CA78BEEB057}\Setup.exe" -l0x9
MUSICMATCH® Jukebox-->C:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.exe
Nero BurnRights-->C:\WINDOWS\UNNeroBurnRights.exe /UNINSTALL
Nero OEM-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Norton AntiVirus 2004 (Symantec Corporation)-->C:\Program Files\Common Files\Symantec Shared\SymSetup\{C6F5B6CF-609C-428E-876F-CA83176C021B}.exe /X
Norton AntiVirus 2004-->MsiExec.exe /X{C6F5B6CF-609C-428E-876F-CA83176C021B}
Norton AntiVirus Parent MSI-->MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton WMI Update-->MsiExec.exe /X{1526D87C-A955-4FAB-BF18-697BA457E352}
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime-->C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
RealPlayer Basic-->C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Security Update for 2007 Microsoft Office System (KB969559)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {69F52148-9BF6-4CDC-BF76-103DEAF3DD08}
Security Update for 2007 Microsoft Office System (KB976321)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {7F207DCA-3399-40CB-A968-6E5991B1421A}
Security Update for 2007 Microsoft Office System (KB982312)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {B0EC5722-241F-4CDA-83B4-AA5846B6F9F4}
Security Update for 2007 Microsoft Office System (KB982331)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {E8766951-2B6C-4022-86E8-80D2D1762B76}
Security Update for Microsoft Office Access 2007 (KB979440)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {1142CCEC-ACA9-484B-BA90-C3A5CA1988C5}
Security Update for Microsoft Office Access 2007 (KB979440)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5A4E43D5-858F-49BD-BA72-8F30E1793060}
Security Update for Microsoft Office Excel 2007 (KB982308)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {C3F9A0DC-A5D1-4BB6-870E-2953E5A2487B}
Security Update for Microsoft Office InfoPath 2007 (KB979441)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {1109D0B3-EFA3-4553-AAED-4C3E9AD130E8}
Security Update for Microsoft Office InfoPath 2007 (KB979441)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {8CCB781A-CF6B-4FCB-B6D8-59C64DF5C6DB}
Security Update for Microsoft Office Outlook 2007 (KB980376)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {48113C06-9BA2-4D54-A731-D1D2C5B3144A}
Security Update for Microsoft Office PowerPoint 2007 (KB982158)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F5B70033-E79C-4569-90BF-BC9B4E4F3F46}
Security Update for Microsoft Office Publisher 2007 (KB982124)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {289FA8BC-6A8E-4341-B194-EB26B49E9F5D}
Security Update for Microsoft Office system 2007 (972581)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {3D019598-7B59-447A-80AE-815B703B84FF}
Security Update for Microsoft Office system 2007 (KB969613)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5ECEB317-CBE9-4E08-AB10-756CB6F0FB6C}
Security Update for Microsoft Office system 2007 (KB974234)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {FCD742B9-7A55-44BC-A776-F795F21FEDDC}
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {71127777-8B2C-4F97-AF7A-6CF8CAC8224D}
Security Update for Microsoft Office Word 2007 (KB982135)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {0112C750-A06F-4F92-9C40-E5C1EA9A70EB}
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB972260)-->"C:\WINDOWS\ie7updates\KB972260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB974455)-->"C:\WINDOWS\ie7updates\KB974455-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB974455)-->"C:\WINDOWS\ie8updates\KB974455-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB976325)-->"C:\WINDOWS\ie8updates\KB976325-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB978207)-->"C:\WINDOWS\ie8updates\KB978207-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB981332)-->"C:\WINDOWS\ie8updates\KB981332-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB982381)-->"C:\WINDOWS\ie8updates\KB982381-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB978695)-->"C:\WINDOWS\$NtUninstallKB978695_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB979402)-->"C:\WINDOWS\$NtUninstallKB979402_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2229593)-->"C:\WINDOWS\$NtUninstallKB2229593$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2286198)-->"C:\WINDOWS\$NtUninstallKB2286198$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371-v2)-->"C:\WINDOWS\$NtUninstallKB961371-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970430)-->"C:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971468)-->"C:\WINDOWS\$NtUninstallKB971468$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971961)-->"C:\WINDOWS\$NtUninstallKB971961$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972270)-->"C:\WINDOWS\$NtUninstallKB972270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975560)-->"C:\WINDOWS\$NtUninstallKB975560$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975561)-->"C:\WINDOWS\$NtUninstallKB975561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975562)-->"C:\WINDOWS\$NtUninstallKB975562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975713)-->"C:\WINDOWS\$NtUninstallKB975713$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977165)-->"C:\WINDOWS\$NtUninstallKB977165$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977816)-->"C:\WINDOWS\$NtUninstallKB977816$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977914)-->"C:\WINDOWS\$NtUninstallKB977914$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978037)-->"C:\WINDOWS\$NtUninstallKB978037$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978251)-->"C:\WINDOWS\$NtUninstallKB978251$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978262)-->"C:\WINDOWS\$NtUninstallKB978262$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978338)-->"C:\WINDOWS\$NtUninstallKB978338$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978542)-->"C:\WINDOWS\$NtUninstallKB978542$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978601)-->"C:\WINDOWS\$NtUninstallKB978601$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978706)-->"C:\WINDOWS\$NtUninstallKB978706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979309)-->"C:\WINDOWS\$NtUninstallKB979309$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979482)-->"C:\WINDOWS\$NtUninstallKB979482$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979559)-->"C:\WINDOWS\$NtUninstallKB979559$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979683)-->"C:\WINDOWS\$NtUninstallKB979683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB980195)-->"C:\WINDOWS\$NtUninstallKB980195$\spuninst\spuninst.exe"
Security Update for Windows XP (KB980218)-->"C:\WINDOWS\$NtUninstallKB980218$\spuninst\spuninst.exe"
Security Update for Windows XP (KB980232)-->"C:\WINDOWS\$NtUninstallKB980232$\spuninst\spuninst.exe"
Segoe UI-->MsiExec.exe /I{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}
SoftV92 Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1\HXFSETUP.EXE -U -IVEN_14F1&DEV_2F20&SUBSYS_200014F1
Symantec Script Blocking Installer-->MsiExec.exe /I{D327AFC9-7BAA-473A-8319-6EB7A0D40138}
SymNet-->MsiExec.exe /I{E47EE8FB-ACC0-4608-859C-4E2851B18A6A}
Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}
Update for Microsoft Office OneNote 2007 (KB980729)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {329050A9-EF80-40F9-B633-74508F54C1FF}
Update for Outlook 2007 Junk Email Filter (kb2202131)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A67392E8-282B-4BEF-8020-EF3DD664DE7B}
Update for Windows Internet Explorer 7 (KB976749)-->"C:\WINDOWS\ie7updates\KB976749-IE7\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB975364)-->"C:\WINDOWS\ie8updates\KB975364-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB976662)-->"C:\WINDOWS\ie8updates\KB976662-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB976749)-->"C:\WINDOWS\ie8updates\KB976749-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB980182)-->"C:\WINDOWS\ie8updates\KB980182-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955759)-->"C:\WINDOWS\$NtUninstallKB955759$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB961503)-->"C:\WINDOWS\$NtUninstallKB961503$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB971737)-->"C:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe"
Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Backup Utility-->MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}
Windows Live Messenger-->MsiExec.exe /X{A85FD55B-891B-4314-97A5-EA96C0BD80B5}
Windows Live Sign-in Assistant-->MsiExec.exe /I{45338B07-A236-4270-9A77-EBB4115517B5}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
Wireless G WUA-1340-->C:\Program Files\InstallShield Installation Information\{D895E3FB-45BA-4BBF-BE50-0DEED3CD3F7E}\setup.exe -runfromtemp -l0x0009 -removeonly
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE

======Security center information======

AV: Norton AntiVirus (outdated)

======System event log======

Computer Name: STEVEN
Event Code: 8021
Message: The browser was unable to retrieve a list of servers from the browser master \\KEVIN on the network \Device\NetBT_Tcpip_{B375869A-89B7-45CE-A133-0DC3F355351C}.
The data is the error code.

Record Number: 69689
Source Name: BROWSER
Time Written: 20100714105143.000000-480
Event Type: warning
User:

Computer Name: STEVEN
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001CF0D3A0EC. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 69688
Source Name: Dhcp
Time Written: 20100714105122.000000-480
Event Type: warning
User:

Computer Name: STEVEN
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001CF0D3A0EC. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 69634
Source Name: Dhcp
Time Written: 20100714003909.000000-480
Event Type: warning
User:

Computer Name: STEVEN
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001CF0D3A0EC. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 69599
Source Name: Dhcp
Time Written: 20100714003010.000000-480
Event Type: warning
User:

Computer Name: STEVEN
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001CF0D3A0EC. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 69574
Source Name: Dhcp
Time Written: 20100714001631.000000-480
Event Type: warning
User:

=====Application event log=====

Computer Name: STEVEN
Event Code: 1524
Message: Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



Record Number: 7365
Source Name: Userenv
Time Written: 20100110095112.000000-480
Event Type: warning
User: STEVEN\Owner

Computer Name: STEVEN
Event Code: 1000
Message: Faulting application ANIWZCSdS.exe, version 1.0.3.7034, faulting module user32.dll, version 5.1.2600.5512, fault address 0x00014acd.

Record Number: 7335
Source Name: Application Error
Time Written: 20100108010223.000000-480
Event Type: error
User:

Computer Name: STEVEN
Event Code: 1000
Message: Faulting application ANIWZCSdS.exe, version 1.0.3.7034, faulting module user32.dll, version 5.1.2600.5512, fault address 0x00014acd.

Record Number: 7208
Source Name: Application Error
Time Written: 20091229143314.000000-480
Event Type: error
User:

Computer Name: STEVEN
Event Code: 1000
Message: Faulting application ANIWZCSdS.exe, version 1.0.3.7034, faulting module user32.dll, version 5.1.2600.5512, fault address 0x00014acd.

Record Number: 7200
Source Name: Application Error
Time Written: 20091229082217.000000-480
Event Type: error
User:

Computer Name: STEVEN
Event Code: 1000
Message: Faulting application ANIWZCSdS.exe, version 1.0.3.7034, faulting module user32.dll, version 5.1.2600.5512, fault address 0x00014aac.

Record Number: 7185
Source Name: Application Error
Time Written: 20091228081113.000000-480
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 3 Stepping 4, GenuineIntel
"PROCESSOR_REVISION"=0304
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO

-----------------EOF-----------------


MBAM log

Malwarebytes' Anti-Malware 1.46
http://www.malwarebytes.org

Database version: 4404

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/7/2010 11:44:49 AM
mbam-log-2010-08-07 (11-44-49).txt

Scan type: Quick scan
Objects scanned: 141370
Time elapsed: 5 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\SolutionAV (Rogue.AntivirSolutionPro) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bkpayrbk (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

-----------------------------
Rkill

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Owner on 08/07/2010 at 11:18:30.


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\Owner\Desktop\rkill.scr


Rkill completed on 08/07/2010 at 11:18:35.
Towel
Regular Member
 
Posts: 59
Joined: March 13th, 2005, 2:49 am

Re: BankerFox.A popup and weird lgfldrotssd.exe application

Unread postby melboy » August 8th, 2010, 9:16 am

Hi

How are things running?


Update Adobe Reader

Your Adobe Reader is out of date.
Older versions may have vulnerabilities that malware can use to infect your system.
Please download Adobe Reader 9.3 to your PC's desktop.
  • Uninstall via Start > Control Panel > Add/Remove Programs:
    Adobe Reader 8.1.3
  • Install the new downloaded updated software.
  • Then, using the internal updater, update the software to the current increment, 9.3.3
    • Open Adobe Reader go to > Help > Check for updates and allow the updater to check.
    • If updates are found click Show Details and check the boxes to click to download and install any necessary updates.



Update Java Runtime
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 21.

  • Go to Sun Java
  • Scroll down to where it says "JDK 6 Update 21 (JDK or JRE)"
  • Click the orange Download JRE button to the right
  • In the Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u21-windows-i586.exe" and save the downloaded file to your desktop.
  • Uninstall all old versions of Java via Start > Control Panel > Add/Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer



Security Check

Please download and save SecurityCheck.exe to your Desktop from one of the links below.

Link 1
Link 2

  • Double click SecurityCheck.exe and follow the onscreen instructions inside the black box.
  • A Notepad document should open automatically called checkup.txt
  • Please post the contents of that document in your next reply.



Gmer

Download GMER Rootkit Scanner from here.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run a scan... click on NO
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
    See image below
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in your next reply
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

-- If GMER crashes or keeps resulting in BSoDs, uncheck Devices on the right side before scanning -- If you continue to encounter problems, try running GMER in safe mode

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


Note: Do not run any programs while Gmer is running.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK
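
The reply above tells the user to remove the outdated Adobe Reader 8.1.3 and Java 2 Runtime Environment SE v1.4.2 because old versions carry exploitable vulnerabilities. The script below is an added example, not code from this thread, from the helper, or from any of the tools mentioned: it parses an Add/Remove Programs listing in the same "Name-->uninstall command" format as the uninstall list posted earlier and flags Adobe Reader and Java entries older than the versions the reply names (Adobe Reader 9.3.3 and Java 6 Update 21, both assumed here as the "current" baseline as of August 2010). The sample lines and their GUIDs are constructed for the example; the hypothetical `find_outdated` helper is the check a defender would run before starting malware cleanup, since an unpatched reader or Java runtime is a common way such infections arrive.

```python
"""Flag outdated Adobe Reader / Java entries in an Add/Remove Programs style
uninstall list ("Name-->uninstall command" per line). Added example; the
"current" versions below are the ones the helper's reply names, not a live feed."""
import re

# Baseline versions assumed from the thread (August 2010), not from a vendor feed.
CURRENT_ADOBE_READER = (9, 3, 3)
CURRENT_JAVA_UPDATE = 21  # Java(TM) 6 Update 21

# Constructed sample lines in the same format as the posted uninstall list.
# The GUIDs are placeholders, not values from the thread.
SAMPLE_UNINSTALL_LIST = """\
Adobe Reader 8.1.3-->MsiExec.exe /I{PLACEHOLDER-GUID-1}
Java 2 Runtime Environment, SE v1.4.2-->C:\\Program Files\\Java\\j2re1.4.2\\uninstall.exe
Java(TM) 6 Update 21-->MsiExec.exe /X{PLACEHOLDER-GUID-2}
Winamp-->"C:\\Program Files\\Winamp\\UninstWA.exe"
"""

# Name patterns: Adobe Reader with a dotted version, Java 6 with an update
# number, and the legacy Java branding (Java 2 / J2SE / "Runtime Environment")
# that predates Java 6 and is always treated as outdated.
ADOBE_RE = re.compile(r"^Adobe Reader (\d+)\.(\d+)(?:\.(\d+))?", re.I)
JAVA6_RE = re.compile(r"^Java\(TM\) 6 Update (\d+)", re.I)
OLD_JAVA_RE = re.compile(
    r"^(?:Java 2 Runtime Environment|J2SE Runtime Environment|"
    r"Java\(TM\) (?:SE )?Runtime Environment)", re.I)


def parse_uninstall_list(text):
    """Return [(name, uninstall_command), ...]; lines without '-->' are skipped."""
    entries = []
    for line in text.splitlines():
        if "-->" not in line:
            continue
        name, _, command = line.partition("-->")
        entries.append((name.strip(), command.strip()))
    return entries


def find_outdated(entries):
    """Return [(entry_name, recommended_replacement), ...] for stale entries."""
    findings = []
    for name, _command in entries:
        m = ADOBE_RE.match(name)
        if m:
            version = tuple(int(g or 0) for g in m.groups())  # missing patch -> 0
            if version < CURRENT_ADOBE_READER:
                findings.append((name, "Adobe Reader %s" % ".".join(map(str, CURRENT_ADOBE_READER))))
            continue
        m = JAVA6_RE.match(name)
        if m:
            if int(m.group(1)) < CURRENT_JAVA_UPDATE:
                findings.append((name, "Java 6 Update %d" % CURRENT_JAVA_UPDATE))
            continue
        if OLD_JAVA_RE.match(name):
            # Pre-Java 6 runtimes should be removed outright, not updated in place.
            findings.append((name, "Java 6 Update %d (remove this old runtime)" % CURRENT_JAVA_UPDATE))
    return findings


if __name__ == "__main__":
    for entry, replacement in find_outdated(parse_uninstall_list(SAMPLE_UNINSTALL_LIST)):
        print("OUTDATED: %s -> install %s" % (entry, replacement))
```

On the sample input the script reports Adobe Reader 8.1.3 and the Java 2 Runtime Environment SE v1.4.2 entry while leaving Java(TM) 6 Update 21 and Winamp alone, which matches the two removals the reply asks for. To run it against a real machine, paste the "Name-->command" lines from an uninstall list into `SAMPLE_UNINSTALL_LIST`, or read them from the log file; the baseline versions will need updating beyond the 2010 values the thread gives.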

Re: BankerFox.A popup and weird lgfldrotssd.exe application

Unread postby Towel » August 8th, 2010, 6:57 pm

Hello,

Things appear to be running fine. I don't notice any hiccups. I will have to split the logs into a few posts because it has reached the maximum number of allowed characters.

Checkup.txt
Results of screen317's Security Check version 0.99.5
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Norton AntiVirus 2004 (Symantec Corporation)
Norton AntiVirus 2004
Norton AntiVirus Parent MSI
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java(TM) 6 Update 21
Adobe Flash Player
Adobe Reader 9.3.3
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton AntiVirus navapsvc.exe
Norton AntiVirus SAVScan.exe
````````````````````````````````
DNS Vulnerability Check:

Unknown. This method cannot test your vulnerability to DNS cache poisoning. (Wireless connection?)

``````````End of Log````````````
Towel
Regular Member
 
Posts: 59
Joined: March 13th, 2005, 2:49 am

Re: BankerFox.A popup and weird lgfldrotssd.exe application

Unread postby Towel » August 8th, 2010, 7:00 pm

Gmer.txt
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-08 15:51:07
Windows 5.1.2600 Service Pack 3
Running: nbhbx2b2.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uxtdypob.sys


---- System - GMER 1.0.15 ----

SSDT spgc.sys ZwCreateKey [0xF85570E0]
SSDT spgc.sys ZwEnumerateKey [0xF8575CA2]
SSDT spgc.sys ZwEnumerateValueKey [0xF8576030]
SSDT spgc.sys ZwOpenKey [0xF85570C0]
SSDT spgc.sys ZwQueryKey [0xF8576108]
SSDT spgc.sys ZwQueryValueKey [0xF8575F88]
SSDT spgc.sys ZwSetValueKey [0xF857619A]

INT 0x62 ? 82F6BBF8
INT 0x63 ? 82E70F00
INT 0x82 ? 82F6BBF8
INT 0xA4 ? 82E70F00
INT 0xB4 ? 82F6BBF8
INT 0xB4 ? 82F6BBF8
INT 0xB4 ? 82E70F00
INT 0xB4 ? 82F6BBF8

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 192 804E49EC 2 Bytes [A2, 5C]
.text ntoskrnl.exe!ZwYieldExecution + 2F6 804E4B50 2 Bytes [08, 61]
.text ntoskrnl.exe!ZwYieldExecution + 33A 804E4B94 2 Bytes [88, 5F]
.text ntoskrnl.exe!ZwYieldExecution + 452 804E4CAC 2 Bytes [9A, 61]
PAGE ntoskrnl.exe!ZwSetTimerResolution + 1E968 80609E00 195 Bytes [65, 64, 20, 2D, 20, 53, 74, ...]
PAGE ntoskrnl.exe!ZwSetTimerResolution + 1EA2C 80609EC4 17 Bytes CALL 804E3494 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwSetTimerResolution + 1EA3E 80609ED6 14 Bytes [8B, 45, F0, 89, 45, F4, E9, ...]
PAGE ntoskrnl.exe!ZwSetTimerResolution + 1EA4E 80609EE6 4 Bytes [68, 6A, 9F, 60]
PAGE ntoskrnl.exe!ZwSetTimerResolution + 1EA54 80609EEC 3 Bytes CALL 80501EEA \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ...
PAGE ntoskrnl.exe!CcMdlRead + 53 8061BED0 36 Bytes [8D, 45, D0, 50, 8D, 45, CC, ...]
PAGE ntoskrnl.exe!CcMdlRead + 78 8061BEF5 45 Bytes CALL 804F1DA2 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!CcMdlRead + A6 8061BF23 32 Bytes [C7, 05, 28, 30, 55, 80, 78, ...]
PAGE ntoskrnl.exe!PsIsThreadImpersonating + 1A6 80635F36 56 Bytes [55, 8B, EC, 83, EC, 0C, 83, ...]
PAGE ntoskrnl.exe!PsIsThreadImpersonating + 1DF 80635F6F 133 Bytes [00, 00, 75, 13, 56, E8, F0, ...]
PAGE ...
PAGE ntoskrnl.exe!ZwSetLdtEntries + 2 80636991 25 Bytes JMP 806366E7 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwSetLdtEntries + 1C 806369AB 10 Bytes CALL 804E2EA3 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwSetLdtEntries + 27 806369B6 19 Bytes [8B, 40, 44, 89, 45, E4, 83, ...]
PAGE ntoskrnl.exe!ZwSetLdtEntries + 3B 806369CA 1 Byte [C0]
PAGE ntoskrnl.exe!ZwSetLdtEntries + 3B 806369CA 118 Bytes JMP 80636C7E \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ...
PAGE ntoskrnl.exe!ZwSuspendThread + 8 8063793F 13 Bytes JMP 89DB33FF
PAGE ntoskrnl.exe!ZwSuspendThread + 16 8063794D 56 Bytes [00, 89, 45, D0, 8A, 80, 40, ...]
PAGE ntoskrnl.exe!ZwSuspendThread + 4F 80637986 35 Bytes [6A, 02, FF, 75, 08, E8, C9, ...]
PAGE ntoskrnl.exe!ZwSuspendThread + 73 806379AA 134 Bytes [C7, 45, FC, 01, 00, 00, 00, ...]
PAGE ntoskrnl.exe!ZwSuspendProcess + 16 80637A31 6 Bytes [45, FC, 8D, 45, 08, 50] {INC EBP; CLD ; LEA EAX, [EBP+0x8]; PUSH EAX}
PAGE ntoskrnl.exe!ZwSuspendProcess + 1D 80637A38 124 Bytes [75, FC, FF, 35, 58, 97, 56, ...]
PAGE ntoskrnl.exe!ZwResumeProcess + 3F 80637AB5 114 Bytes [FF, 8B, 4D, 08, 8B, F0, E8, ...]
PAGE ntoskrnl.exe!ZwAlertResumeThread + 53 80637B29 1 Byte [08]
PAGE ntoskrnl.exe!ZwAlertResumeThread + 53 80637B29 5 Bytes [08, E8, 2A, 4A, F3] {OR AL, CH; SUB CL, [EDX-0xd]}
PAGE ntoskrnl.exe!ZwAlertResumeThread + 59 80637B2F 12 Bytes [3B, C3, 7C, 6D, FF, 75, E4, ...] {CMP EAX, EBX; JL 0x71; PUSH DWORD [EBP-0x1c]; CALL 0xfffffffffff0068c}
PAGE ntoskrnl.exe!ZwAlertResumeThread + 66 80637B3C 19 Bytes CALL 804E192C \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwAlertResumeThread + 7A 80637B50 55 Bytes [89, 3E, 83, 4D, FC, FF, 33, ...]
PAGE ...
PAGE ntoskrnl.exe!ZwIsProcessInJob + 1F 80637E52 31 Bytes [35, 58, 97, 56, 80, 68, 00, ...]
PAGE ntoskrnl.exe!ZwIsProcessInJob + 3F 80637E72 74 Bytes [38, 8B, 8F, 34, 01, 00, 00, ...]
PAGE ntoskrnl.exe!ZwIsProcessInJob + 8B 80637EBE 1 Byte [0C]
PAGE ntoskrnl.exe!ZwIsProcessInJob + 8B 80637EBE 5 Bytes [0C, E8, 95, 46, F3]
PAGE ntoskrnl.exe!ZwIsProcessInJob + 91 80637EC4 7 Bytes [85, C0, 8B, 4D, FC, 7D, AE] {TEST EAX, EAX; MOV ECX, [EBP-0x4]; JGE 0xffffffffffffffb5}
PAGE ...
PAGE ntoskrnl.exe!ZwCreateJobSet + 5B 80637FD8 119 Bytes [8A, 80, 40, 01, 00, 00, 88, ...]
PAGE ntoskrnl.exe!ZwCreateJobSet + D3 80638050 4 Bytes [35, E0, 96, 56]
PAGE ntoskrnl.exe!ZwCreateJobSet + D8 80638055 44 Bytes CALL 8056C556 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwCreateJobSet + 105 80638082 95 Bytes [7D, 21, 85, FF, 76, 16, 8D, ...]
PAGE ntoskrnl.exe!ZwCreateJobSet + 165 806380E2 19 Bytes [89, 70, 04, 89, 06, 89, 41, ...]
PAGE ...
PAGE ntoskrnl.exe!ZwOpenJobObject + 56 8063822B 23 Bytes [E0, EB, 4C, 8B, 75, 08, 8D, ...]
PAGE ntoskrnl.exe!ZwOpenJobObject + 6E 80638243 8 Bytes CALL 8057010A \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwOpenJobObject + 77 8063824C 4 Bytes [C3, 7C, 32, C7]
PAGE ntoskrnl.exe!ZwOpenJobObject + 7C 80638251 139 Bytes [FC, 01, 00, 00, 00, 8B, 4D, ...]
PAGE ntoskrnl.exe!ZwOpenJobObject + 108 806382DD 27 Bytes [8D, BB, 44, 02, 00, 00, F6, ...]
PAGE ...
PAGE ntoskrnl.exe!ZwTerminateJobObject + 3E 80638391 60 Bytes [53, 8B, 5D, 08, 57, 6A, 01, ...]
PAGE ntoskrnl.exe!ZwTerminateJobObject + 7B 806383CE 166 Bytes CALL 804E192E \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!ZwTerminateJobObject + 122 80638475 9 Bytes [45, F8, FF, 75, 0C, 89, 45, ...] {INC EBP; CLC ; PUSH DWORD [EBP+0xc]; MOV [EBP-0x4], EAX; PUSH EAX}
PAGE ntoskrnl.exe!ZwTerminateJobObject + 12C 8063847F 12 Bytes [55, 08, 85, C0, 89, 45, F4, ...]
PAGE ntoskrnl.exe!ZwTerminateJobObject + 139 8063848C 16 Bytes CALL 804DBE11 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ...
PAGE ntoskrnl.exe!LdrEnumResources + 1B 80638B23 2 Bytes [14, 8B] {ADC AL, 0x8b}
PAGE ntoskrnl.exe!LdrEnumResources + 1E 80638B26 33 Bytes [89, 45, E0, 8B, 45, 14, 89, ...]
PAGE ntoskrnl.exe!LdrEnumResources + 40 80638B48 5 Bytes [C0, E9, F2, 01, 00] {SHR CL, 0xf2; ADD [EAX], EAX}
PAGE ntoskrnl.exe!LdrEnumResources + 46 80638B4E 23 Bytes [0F, B7, 7E, 0E, 0F, B7, 46, ...]
PAGE ntoskrnl.exe!LdrEnumResources + 5E 80638B66 1 Byte [00]
PAGE ...
PAGE ntoskrnl.exe!RtlCustomCPToUnicodeN + 2 80638D98 103 Bytes [55, 8B, EC, 53, 8B, 5D, 08, ...]
PAGE ntoskrnl.exe!RtlCustomCPToUnicodeN + 6A 80638E00 174 Bytes [B6, 58, 0C, 66, 8B, 1C, 5A, ...]
PAGE ntoskrnl.exe!RtlCustomCPToUnicodeN + 119 80638EAF 47 Bytes [FF, 85, FF, 8B, 4D, 0C, 8B, ...]
PAGE ntoskrnl.exe!RtlCustomCPToUnicodeN + 149 80638EDF 30 Bytes [74, 30, 42, 0F, B6, 02, 0F, ...]
PAGE ntoskrnl.exe!RtlCustomCPToUnicodeN + 168 80638EFE 84 Bytes [04, 38, 66, 89, 01, 41, 41, ...]
PAGE ...
PAGE ntoskrnl.exe!RtlUnicodeToCustomCPN + 2 80638F83 261 Bytes [55, 8B, EC, 8B, 55, 1C, 8B, ...]
PAGE ntoskrnl.exe!RtlUnicodeToCustomCPN + 109 8063908A 13 Bytes [4D, 0C, 8B, 70, 20, 89, 4D, ...]
PAGE ntoskrnl.exe!RtlUnicodeToCustomCPN + 117 80639098 17 Bytes [74, 32, 8B, 45, 18, 0F, B7, ...]
PAGE ntoskrnl.exe!RtlUnicodeToCustomCPN + 129 806390AA 64 Bytes CALL F52414B7
PAGE ntoskrnl.exe!RtlUnicodeToCustomCPN + 16A 806390EB 12 Bytes [90, 79, 90, 63, 80, 6F, 90, ...]
PAGE ...
PAGE ntoskrnl.exe!RtlUpcaseUnicodeToCustomCPN + 2 80639139 6 Bytes [55, 8B, EC, 83, EC, 0C] {PUSH EBP; MOV EBP, ESP; SUB ESP, 0xc}
PAGE ntoskrnl.exe!RtlUpcaseUnicodeToCustomCPN + 9 80639140 24 Bytes [45, 1C, 53, 56, 8B, 75, 08, ...]
PAGE ntoskrnl.exe!RtlUpcaseUnicodeToCustomCPN + 22 80639159 47 Bytes [55, 10, 3B, C2, 73, 02, 8B, ...]
PAGE ntoskrnl.exe!RtlUpcaseUnicodeToCustomCPN + 52 80639189 16 Bytes [63, 80, 0F, B7, 11, 0F, B6, ...] {ARPL [EAX+0xf11b70f], AX; MOV DH, 0x14; ADD CL, [EBX-0x48f0e382]; ADC AL, 0x57}
PAGE ntoskrnl.exe!RtlUpcaseUnicodeToCustomCPN + 63 8063919A 59 Bytes [45, 0C, 10, 83, C1, 20, 66, ...]
PAGE ...
PAGE ntoskrnl.exe!PfxInitialize + 2 806399CE 48 Bytes [55, 8B, EC, 8B, 45, 08, 66, ...]
PAGE ntoskrnl.exe!PfxRemovePrefix + 11 80639A00 17 Bytes [7C, 68, 81, F9, 02, 02, 00, ...] {JL 0x6a; CMP ECX, 0x202; JG 0x6a; LEA EDX, [EAX+0x8]; MOV EAX, EDX; JMP 0x13}
PAGE ntoskrnl.exe!PfxRemovePrefix + 23 80639A12 48 Bytes [C1, 8B, 08, 3B, C8, 75, F8, ...]
PAGE ntoskrnl.exe!PfxRemovePrefix + 54 80639A43 53 Bytes [4E, 04, 83, C0, F8, EB, 03, ...]
PAGE ntoskrnl.exe!PfxRemovePrefix + 8A 80639A79 221 Bytes [FF, 55, 8B, EC, 56, 57, 8B, ...]
PAGE ntoskrnl.exe!PfxRemovePrefix + 16A 80639B59 2 Bytes [8B, 4E]
PAGE ...
PAGE ntoskrnl.exe!RtlNextUnicodePrefix + 93 80639CE5 162 Bytes [90, 90, 90, 90, 8B, FF, 55, ...]
PAGE ntoskrnl.exe!PfxInsertPrefix + 9F 80639D88 36 Bytes [EB, 36, 83, 63, 04, 00, 83, ...]
PAGE ntoskrnl.exe!PfxInsertPrefix + C4 80639DAD 26 Bytes CALL 812B03BA
PAGE ntoskrnl.exe!PfxInsertPrefix + DF 80639DC8 11 Bytes [CC, CC, CC, CC, CC, CC, 90, ...] {INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; INT 3 ; NOP ; NOP ; NOP ; NOP ; NOP }
PAGE ntoskrnl.exe!PfxFindPrefix + 1 80639DD4 47 Bytes [FF, 55, 8B, EC, 53, 56, 57, ...]
PAGE ntoskrnl.exe!PfxFindPrefix + 31 80639E04 37 Bytes [75, 0C, 8D, 7B, F8, FF, 77, ...]
PAGE ntoskrnl.exe!PfxFindPrefix + 57 80639E2A 69 Bytes [76, 04, 66, 83, 7E, 02, 00, ...]
PAGE ntoskrnl.exe!PfxFindPrefix + 9D 80639E70 45 Bytes [CC, CC, CC, CC, CC, CC, CC, ...]
PAGE ntoskrnl.exe!RtlSelfRelativeToAbsoluteSD2 + 13 80639E9E 172 Bytes [00, C0, EB, 5E, 83, 7D, 0C, ...]
PAGE ntoskrnl.exe!RtlSelfRelativeToAbsoluteSD2 + C0 80639F4B 152 Bytes [EC, 56, 8B, 75, 08, 8A, 06, ...]
PAGE ntoskrnl.exe!RtlSelfRelativeToAbsoluteSD2 + 159 80639FE4 34 Bytes [CC, CC, CC, CC, CC, CC, CC, ...]
PAGE ntoskrnl.exe!RtlSelfRelativeToAbsoluteSD2 + 17C 8063A007 85 Bytes [74, 05, 0D, 80, 00, 00, 00, ...]
PAGE ntoskrnl.exe!RtlSelfRelativeToAbsoluteSD2 + 1D2 8063A05D 48 Bytes [90, CC, CC, CC, CC, CC, CC, ...]
PAGE ntoskrnl.exe!RtlDestroyAtomTable + 7 8063A08E 137 Bytes CALL 804E2EA3 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!RtlDestroyAtomTable + 91 8063A118 28 Bytes [00, 8B, 00, 89, 45, D4, 33, ...]
PAGE ntoskrnl.exe!RtlDestroyAtomTable + AE 8063A135 140 Bytes CALL 804E2EDC \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!RtlEmptyAtomTable + 79 8063A1C2 166 Bytes [45, E0, EB, B7, 53, E8, 97, ...]
PAGE ntoskrnl.exe!RtlEmptyAtomTable + 120 8063A269 39 Bytes [44, 96, 10, 89, 45, DC, 85, ...]
PAGE ntoskrnl.exe!RtlEmptyAtomTable + 148 8063A291 223 Bytes [00, EB, D8, 42, EB, C9, 8B, ...]
PAGE ntoskrnl.exe!RtlMergeRangeLists + 1F 8063A371 33 Bytes [00, 8B, 45, 10, 8B, 30, EB, ...]
PAGE ntoskrnl.exe!RtlMergeRangeLists + 41 8063A393 95 Bytes CALL 805BC437 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!RtlMergeRangeLists + A1 8063A3F3 89 Bytes CALL 805BC436 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!RtlDeleteRange + C 8063A44E 2 Bytes [0B, 83]
PAGE ntoskrnl.exe!RtlDeleteRange + F 8063A451 47 Bytes [1C, 8D, 51, 1C, 56, 8B, 32, ...]
PAGE ntoskrnl.exe!RtlDeleteRange + 3F 8063A481 84 Bytes [00, 00, 77, 09, 39, 45, 14, ...]
PAGE ntoskrnl.exe!RtlDeleteRange + 94 8063A4D6 171 Bytes [3B, 7D, 18, 75, 08, 8B, 7D, ...]
PAGE ntoskrnl.exe!RtlInvertRangeList + 2 8063A582 90 Bytes [55, 8B, EC, 8B, 55, 0C, 53, ...]
PAGE ntoskrnl.exe!RtlInvertRangeList + 5D 8063A5DD 44 Bytes [8D, 7E, 1C, 39, 7D, 0C, 75, ...]
PAGE ntoskrnl.exe!RtlInvertRangeList + 8A 8063A60A 29 Bytes [3B, C3, 7C, 02, 33, C0, 5F, ...]
PAGE ntoskrnl.exe!RtlZeroHeap + 7 8063A628 45 Bytes CALL 804E2EA3 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE ntoskrnl.exe!RtlZeroHeap + 35 8063A656 24 Bytes [C6, 45, E7, 01, C7, 45, FC, ...]
PAGE ntoskrnl.exe!RtlZeroHeap + 4E 8063A66F 166 Bytes [45, D8, 8B, 4D, DC, 8B, 7C, ...]
PAGE ntoskrnl.exe!RtlZeroHeap + F5 8063A716 28 Bytes CALL 0A2FECA6
PAGE ntoskrnl.exe!RtlZeroHeap + 112 8063A733 17 Bytes [C2, 08, 00, 90, 90, 90, 90, ...] {RET 0x8; NOP ; NOP ; NOP ; NOP ; NOP ; CMP BYTE [EBP-0x19], 0x0; JZ 0x1c; MOV EAX, [EBP-0x28]}
PAGE ...
PAGE ntoskrnl.exe!RtlDestroyHeap + 1E 8063A81D 10 Bytes [53, 8D, 5F, 50, 56, 8B, 33, ...]
PAGE ntoskrnl.exe!RtlDestroyHeap + 29 8063A828 85 Bytes [80, 00, 00, 8D, 45, 08, 50, ...]
PAGE ntoskrnl.exe!RtlDestroyHeap + 7F 8063A87E 113 Bytes [36, 83, 65, 08, 00, 6A, FF, ...]
PAGE ntoskrnl.exe!RtlSizeHeap + E 8063A8F0 3 Bytes [05, 83, C8]
PAGE ntoskrnl.exe!RtlSizeHeap + 12 8063A8F4 55 Bytes [EB, 1C, A8, 08, 74, 0B, 0F, ...]
PAGE ntoskrnl.exe!RtlSizeHeap + 4A 8063A92C 9 Bytes CALL 804E2EA3 \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
Towel
Regular Member
 
Posts: 59
Joined: March 13th, 2005, 2:49 am

Re: BankerFox.A popup and weird lgfldrotssd.exe application

Unread postby Towel » August 8th, 2010, 7:00 pm

PAGE ntoskrnl.exe!IoWMIExecuteMethod + 25E 80647595 196 Bytes [C9, FF, F0, 0F, C1, 0B, 6A, ...]
PAGE ntoskrnl.exe!IoWMIExecuteMethod + 323 8064765A 201 Bytes [74, 14, 6A, 01, FF, 75, 08, ...]
PAGE ...
? spgc.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F832F8AC 5 Bytes JMP 82E704E0
init C:\WINDOWS\System32\Drivers\sunkfilt.sys entry point in "init" section [0xF89C7300]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 82F6A1F8
Device \Driver\sptd \Device\987101746 spgc.sys
Device \Driver\usbuhci \Device\USBPDO-0 82E71498
Device \Driver\PCI_PNP1746 \Device\00000044 spgc.sys
Device \Driver\usbuhci \Device\USBPDO-1 82E71498
Device \Driver\usbuhci \Device\USBPDO-2 82E71498
Device \Driver\usbuhci \Device\USBPDO-3 82E71498
Device \Driver\usbehci \Device\USBPDO-4 82E301F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 82FDA1F8
Device \Driver\Cdrom \Device\CdRom0 82E241F8
Device \Driver\usbstor \Device\00000072 82D2B1F8
Device \Driver\Cdrom \Device\CdRom1 82E241F8
Device \Driver\atapi \Device\Ide\IdePort0 [F84D1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [F84D1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F84D1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [F84D1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [F84D1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [F84D1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-17 [F84D1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\usbstor \Device\00000073 82D2B1F8
Device \Driver\Cdrom \Device\CdRom2 82E241F8
Device \Driver\usbstor \Device\00000074 82D2B1F8
Device \Driver\usbstor \Device\00000075 82D2B1F8
Device \Driver\usbstor \Device\00000076 82D2B1F8
Device \Driver\usbstor \Device\00000079 82D2B1F8
Device \Driver\usbuhci \Device\USBFDO-0 82E71498
Device \Driver\usbstor \Device\0000007a 82D2B1F8
Device \Driver\usbuhci \Device\USBFDO-1 82E71498
Device \Driver\usbuhci \Device\USBFDO-2 82E71498
Device \Driver\usbuhci \Device\USBFDO-3 82E71498
Device \Driver\usbehci \Device\USBFDO-4 82E301F8
Device \Driver\Ftdisk \Device\FtControl 82FDA1F8
Device \Driver\aevcsccl \Device\Scsi\aevcsccl1 82E1E340
Device \Driver\aevcsccl \Device\Scsi\aevcsccl1Port4Path0Target0Lun0 82E1E340
Device \FileSystem\Cdfs \Cdfs 82D0A1F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCD 0x1B 0xC1 0x27 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x84 0x8D 0xAF 0x70 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xFA 0x0E 0xA6 0x6B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCD 0x1B 0xC1 0x27 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x84 0x8D 0xAF 0x70 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xFA 0x0E 0xA6 0x6B ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCD 0x1B 0xC1 0x27 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x84 0x8D 0xAF 0x70 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xFA 0x0E 0xA6 0x6B ...

---- EOF - GMER 1.0.15 ----
Towel
Regular Member
 
Posts: 59
Joined: March 13th, 2005, 2:49 am

Re: BankerFox.A popup and weird lgfldrotssd.exe application

Post by melboy » August 9th, 2010, 2:54 pm

Hi

======Security center information======

AV: Norton AntiVirus (outdated)
Antivirus/Firewall Check:

Norton AntiVirus 2004 (Symantec Corporation)

This won't be helping you at all. I presume it's not been updated in a long while. You need an up-to-date antivirus that can receive the latest definitions. You need to either purchase a current subscription for Norton and update it to the latest version, or I can give you some recommendations for free antivirus software if you wish. Let me know in your next post.



ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

  • Please go here then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic.
  • Now click on: Image (Selecting Uninstall application on close if you so wish)
melboy
MRU Expert

Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: BankerFox.A popup and weird lgfldrotssd.exe application

Post by Towel » August 10th, 2010, 12:43 am

Sure, it would be great to hear your recommendations on some free anti-virus software. Thanks! Below is my log scan:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=b05e19a4d0916749911c763e1e9341f4
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-08-10 04:02:31
# local_time=2010-08-09 08:02:31 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 113728 113728 0 0
# compatibility_mode=3586 16769001 100 100 54807402 705727555 0 73538755
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=67954
# found=1
# cleaned=0
# scan_time=2198
C:\Documents and Settings\Owner\Local Settings\Application Data\ukvmvpwfl\lgfldrotssd.vir.exe Win32/Adware.SpywareProtect2009 application 00000000000000000000000000000000 I
Towel
Regular Member
 
Posts: 59
Joined: March 13th, 2005, 2:49 am

Re: BankerFox.A popup and weird lgfldrotssd.exe application

Post by melboy » August 10th, 2010, 1:03 pm

Hi

Good - Read the instructions below carefully first.



OTM

Download OTM by Old Timer and save it to your Desktop.
  • Double-click OTM.exe to run it.
  • Paste the following code under the Image area. Do not include the word Code.
    Code:
    :Files
    C:\Documents and Settings\Owner\Local Settings\Application Data\ukvmvpwfl
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
    

  • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Push the large Image button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

========================

After reboot by OTM:

Remove Norton

Visit this page, look to STEP 3 and follow 1-4 to run the Norton Removal tool.

==============================

After Norton has been removed:

Antivirus

Anti-virus programs detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download free anti-virus software from one of these excellent vendors NOW:

1) Antivir PersonalEdition Classic - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! Free Antivirus - Anti-virus program for Windows. The home edition is freeware for non-commercial users.
3) Microsoft Security Essentials - Free anti-malware solution that helps protect against viruses, spyware, and other malicious software.

[Please note that trial pay is not needed to get any product for free.]

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts, system instability and false virus alerts.

===================================

After installing an anti-virus of your choice:

Malwarebytes' Anti-Malware (MBAM)

As you have Malwarebytes' Anti-Malware installed on your computer, could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform Quick scan, then click on Scan
  • When done, you will be prompted. Click OK. If items are found, then click on Show Results
  • Check all items then click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply.

    The log can also be found here:
    1. C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    2. Or via the Logs tab when the application is started.

Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately.
Failure to reboot will prevent MBAM from removing all the malware.

Re-run RSIT (Random's System Information Tool)
You should still have this program on your desktop.

  • Double click on RSIT.exe to run it.
  • Click Continue at the disclaimer screen.
    RSIT will start running. When done, ONLY the "C:\RSIT\log.txt" will be reproduced (it will be maximized).
  • Please post ONLY the "log.txt" file contents in your next reply.

In your next reply:
1. RSIT log.txt
2. MBAM log
3. OTM log
melboy
MRU Expert

Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: BankerFox.A popup and weird lgfldrotssd.exe application

Post by Towel » August 11th, 2010, 1:15 am

Hello, here are my logs:

RSIT log.txt
Logfile of random's system information tool 1.08 (written by random/random)
Run by Owner at 2010-08-10 21:12:40
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 166 GB (87%) free of 191 GB
Total RAM: 511 MB (30% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:13:01 PM, on 8/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\HDAudPropShortcut.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\RSIT.exe
C:\Program Files\trend micro\Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [D-Link Wireless G WUA-1340] C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 7885475359
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7718 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3477034509-3013108683-1553488708-1003Core.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3477034509-3013108683-1553488708-1003UA.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll [2008-07-28 882416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-06-19 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
CNavExtBho Class - C:\Program Files\Norton AntiVirus\NavShExt.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-08-08 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-08-08 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
SingleInstance Class - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll [2008-07-28 160496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll [2008-07-28 882416]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"CHotkey"=C:\WINDOWS\zHotkey.exe [2003-07-29 515584]
"ShowWnd"=C:\WINDOWS\ShowWnd.exe [2003-09-19 36864]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2003-10-31 32768]
"High Definition Audio Property Page Shortcut"=C:\WINDOWS\system32\HDAudPropShortcut.exe [2004-03-17 61952]
"mmtask"=c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe [2004-01-26 53248]
"SunKistEM"=C:\Program Files\eMachines Bay Reader\shwiconem.exe [2004-03-11 135168]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2004-06-13 339968]
"WinampAgent"=C:\Program Files\Winamp\winampa.exe []
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2008-10-25 31072]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2002-02-15 77824]
"D-Link Wireless G WUA-1340"=C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe [2007-08-27 1662976]
"ANIWZCS2Service"=C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe [2007-01-19 49152]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2010-06-19 35760]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-06-09 976832]
"MSSE"=c:\Program Files\Microsoft Security Essentials\msseces.exe [2010-06-01 1093208]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"Aim6"= []
"MsnMsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2009-07-26 3883856]
"Messenger (Yahoo!)"=C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [2008-11-05 4347120]
"Google Update"=C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-05 136176]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2004-06-06 344064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe"="C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin"
"C:\Documents and Settings\Owner\Local Settings\Temp\7zS17.tmp\SymNRT.exe"="C:\Documents and Settings\Owner\Local Settings\Temp\7zS17.tmp\SymNRT.exe:*:Enabled:Norton Removal Tool"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

======List of files/folders created in the last 1 months======

2010-08-10 19:33:52 ----N---- C:\WINDOWS\system32\MpSigStub.exe
2010-08-10 19:22:48 ----D---- C:\WINDOWS\LastGood
2010-08-10 19:22:39 ----D---- C:\Program Files\Microsoft Security Essentials
2010-08-10 18:25:54 ----D---- C:\_OTM
2010-08-09 09:18:37 ----ASH---- C:\hiberfil.sys
2010-08-08 11:11:03 ----A---- C:\WINDOWS\system32\javaws.exe
2010-08-08 11:11:03 ----A---- C:\WINDOWS\system32\deployJava1.dll
2010-08-08 11:11:02 ----A---- C:\WINDOWS\system32\javaw.exe
2010-08-08 11:11:02 ----A---- C:\WINDOWS\system32\java.exe
2010-08-07 11:38:20 ----D---- C:\Program Files\trend micro
2010-08-07 11:38:19 ----D---- C:\rsit
2010-08-07 11:22:42 ----D---- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2010-08-07 11:22:34 ----A---- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010-08-07 11:22:31 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-08-07 11:22:31 ----A---- C:\WINDOWS\system32\drivers\mbam.sys
2010-08-07 11:22:30 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-08-02 21:44:53 ----D---- C:\Program Files\HJT
2010-08-02 21:32:58 ----D---- C:\WINDOWS\pss
2010-08-02 20:49:35 ----A---- C:\WINDOWS\ntbtlog.txt
2010-08-02 20:34:59 ----HDC---- C:\WINDOWS\$NtUninstallKB2286198$
2010-07-16 12:40:52 ----D---- C:\Documents and Settings\Owner\Application Data\Mozilla
2010-07-13 18:57:28 ----HDC---- C:\WINDOWS\$NtUninstallKB2229593$

======List of files/folders modified in the last 1 months======

2010-08-10 21:12:57 ----D---- C:\WINDOWS\system32\CatRoot2
2010-08-10 21:12:45 ----D---- C:\WINDOWS\Prefetch
2010-08-10 20:27:54 ----D---- C:\WINDOWS\Temp
2010-08-10 20:08:57 ----SD---- C:\WINDOWS\Tasks
2010-08-10 19:33:52 ----D---- C:\WINDOWS\system32
2010-08-10 19:22:55 ----SHD---- C:\WINDOWS\Installer
2010-08-10 19:22:48 ----HD---- C:\WINDOWS\inf
2010-08-10 19:22:48 ----D---- C:\WINDOWS\system32\drivers
2010-08-10 19:22:48 ----D---- C:\WINDOWS
2010-08-10 19:22:45 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2010-08-10 19:22:39 ----RD---- C:\Program Files
2010-08-10 19:16:19 ----D---- C:\Program Files\Common Files
2010-08-10 19:15:42 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-08-10 18:44:05 ----HD---- C:\WINDOWS\$hf_mig$
2010-08-09 19:16:11 ----SD---- C:\WINDOWS\Downloaded Program Files
2010-08-08 14:23:19 ----SHD---- C:\RECYCLER
2010-08-08 11:15:21 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2010-08-08 11:14:36 ----D---- C:\Program Files\Common Files\Adobe
2010-08-08 11:13:19 ----D---- C:\Program Files\Adobe
2010-08-08 10:08:50 ----D---- C:\Program Files\Java
2010-08-08 10:00:19 ----D---- C:\WINDOWS\WinSxS
2010-08-07 11:46:13 ----HDC---- C:\WINDOWS\$NtUninstallKB893756$
2010-08-07 10:58:26 ----RASH---- C:\boot.ini
2010-08-07 10:58:26 ----A---- C:\WINDOWS\win.ini
2010-08-07 10:58:26 ----A---- C:\WINDOWS\system.ini
2010-08-02 20:52:44 ----D---- C:\Documents and Settings
2010-08-02 20:35:03 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-07-26 22:30:35 ----A---- C:\WINDOWS\system32\shell32.dll
2010-07-25 19:07:31 ----D---- C:\WINDOWS\network diagnostic
2010-07-13 18:57:36 ----A---- C:\WINDOWS\imsins.BAK
2010-07-13 18:54:36 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 ohci1394;OHCI Compliant IEEE 1394 Host Controller; C:\WINDOWS\System32\DRIVERS\ohci1394.sys [2008-04-13 61696]
R0 PxHelp20;PxHelp20; C:\WINDOWS\System32\Drivers\PxHelp20.sys [2007-03-07 43528]
R0 sptd;sptd; C:\WINDOWS\System32\Drivers\sptd.sys [2008-04-10 717296]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 MpFilter;Microsoft Malware Protection Driver; C:\WINDOWS\system32\DRIVERS\MpFilter.sys [2010-03-25 151216]
R2 ANIO;ANIO Service; \??\C:\WINDOWS\system32\ANIO.SYS []
R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2002-02-15 8552]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys [2004-01-16 12970]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2004-06-13 747520]
R3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2004-02-10 154112]
R3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\HdAudio.sys [2004-03-17 113664]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\System32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HSF_DP;HSF_DP; C:\WINDOWS\System32\DRIVERS\HSF_DP.sys [2003-11-13 1042816]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\System32\DRIVERS\HSFHWBS2.sys [2003-11-13 210304]
R3 MxlW2k;MxlW2k; C:\WINDOWS\system32\drivers\MxlW2k.sys [2002-02-15 28352]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 RT73;D-Link USB Wireless LAN Card Driver; C:\WINDOWS\System32\DRIVERS\Dr71WU.sys [2007-07-28 451456]
R3 SunkFilt;Alcor Micro Corp - 9360; \??\C:\WINDOWS\System32\Drivers\sunkfilt.sys []
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys [2003-11-13 679808]
S3 a69nhyzp;a69nhyzp; C:\WINDOWS\system32\drivers\a69nhyzp.sys []
S3 Bridge;MAC Bridge; C:\WINDOWS\System32\DRIVERS\bridge.sys [2008-04-13 71552]
S3 BridgeMP;MAC Bridge Miniport; C:\WINDOWS\System32\DRIVERS\bridge.sys [2008-04-13 71552]
S3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2004-06-06 730653]
S3 SunkFilt39;Alcor Micro Corp - 3239; \??\C:\WINDOWS\System32\Drivers\sunkfilt39.sys []
S3 Sunkfiltp;HP && Alcor Micro Corp for Phison; \??\C:\WINDOWS\System32\Drivers\sunkfiltp.sys []
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\System32\DRIVERS\wanatw4.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\System32\Ati2evxx.exe [2004-06-13 376832]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-08-08 153376]
R2 MsMpSvc;Microsoft Antimalware Service; c:\Program Files\Microsoft Security Essentials\MsMpEng.exe [2010-03-25 17904]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\System32\wdfmgr.exe [2005-01-28 38912]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S2 ANIWZCSdService;ANIWZCSd Service; C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe [2007-01-19 49152]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2008-10-25 65888]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]

-----------------EOF-----------------


MBAM log
Malwarebytes' Anti-Malware 1.46
http://www.malwarebytes.org

Database version: 4417

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/10/2010 9:10:37 PM
mbam-log-2010-08-10 (21-10-37).txt

Scan type: Quick scan
Objects scanned: 143419
Time elapsed: 5 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


OTM log
All processes killed
========== FILES ==========
C:\Documents and Settings\Owner\Local Settings\Application Data\ukvmvpwfl folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Owner
->Temp folder emptied: 20501925 bytes
->Temporary Internet Files folder emptied: 20454990 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 755 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 32768 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 39.00 mb


OTM by OldTimer - Version 3.1.15.0 log created on 08102010_182554

Files moved on Reboot...
C:\Documents and Settings\Owner\Local Settings\Temp\~DF2CBC.tmp moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\~DF2CC7.tmp moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\~DF33F1.tmp moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\~DF36DD.tmp moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\~DF38B5.tmp moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\~DF39A7.tmp moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\9PD0RSVP\viewtopic[1].htm moved successfully.

Registry entries deleted on Reboot...
Towel
Regular Member
 
Posts: 59
Joined: March 13th, 2005, 2:49 am

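The RSIT "List of drivers" and "List of services" sections above share one line format (`R3 name;display name; path [date size]`), and RSIT prints an empty `[]` when it could not find the file on disk. As an added example that is not part of this thread or of RSIT's own code, the parser below reads that format and separates entries with a missing file record from those a helper would usually look at first (file missing and no descriptive display name); the regex and that triage heuristic are assumptions of this example, not a verdict on any entry, and the sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample lines copied from the RSIT driver list posted above.
SAMPLE_LOG = r"""
R0 ohci1394;OHCI Compliant IEEE 1394 Host Controller; C:\WINDOWS\System32\DRIVERS\ohci1394.sys [2008-04-13 61696]
R2 ANIO;ANIO Service; \??\C:\WINDOWS\system32\ANIO.SYS []
R3 SunkFilt;Alcor Micro Corp - 9360; \??\C:\WINDOWS\System32\Drivers\sunkfilt.sys []
S3 a69nhyzp;a69nhyzp; C:\WINDOWS\system32\drivers\a69nhyzp.sys []
S3 Bridge;MAC Bridge; C:\WINDOWS\System32\DRIVERS\bridge.sys [2008-04-13 71552]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\System32\DRIVERS\wanatw4.sys []
"""

# Assumed line layout: state+start type, service name, display name,
# image path, then "[date size]" or "[]" when RSIT found no file.
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);\s*"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)


@dataclass
class DriverEntry:
    state: str            # R = running, S = stopped
    start_type: int       # 0 boot .. 4 disabled (per the log header)
    name: str
    display: str
    path: str
    file_date: Optional[str]
    file_size: Optional[int]

    @property
    def file_missing(self) -> bool:
        # An empty "[]" means RSIT could not stat the image file.
        return self.file_date is None


def parse_rsit_drivers(text: str) -> List[DriverEntry]:
    """Parse every driver/service line in an RSIT section."""
    entries: List[DriverEntry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        meta = m.group("meta").split()
        entries.append(DriverEntry(
            state=m.group("state"),
            start_type=int(m.group("start")),
            name=m.group("name"),
            display=m.group("display"),
            path=m.group("path"),
            file_date=meta[0] if len(meta) == 2 else None,
            file_size=int(meta[1]) if len(meta) == 2 else None,
        ))
    return entries


def find_missing_files(entries: List[DriverEntry]) -> List[DriverEntry]:
    """Entries whose image file RSIT did not find on disk."""
    return [e for e in entries if e.file_missing]


def needs_review(entries: List[DriverEntry]) -> List[DriverEntry]:
    """Triage heuristic (assumption): missing file AND no descriptive
    display name. Output is a review list for a human, not a detection."""
    return [e for e in find_missing_files(entries) if e.name == e.display]
```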
Re: BankerFox.A popup and weird lgfldrotssd.exe application

Unread postby melboy » August 11th, 2010, 8:06 am

Hi

Good job!

Your log now appears to be clean. Congratulations!
This is my general post for when your logs show no more signs of malware ;) - Please let me know if you still are having problems with your computer and what these problems are. If everything is running fine, please continue with the instructions below.


OTM by OldTimer

You should still have this on your desktop.

  • Double-click OTM.exe
  • Click the CleanUp! button
  • Select Yes when the "Begin cleanup Process?" prompt appears
  • If you are prompted to reboot during the cleanup, select Yes
  • The tool will delete itself once it finishes; if not, delete it yourself


========================================


General Security and Computer Health
Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.

Clear Infected System Restore Points

  • Turn System Restore off
  • On the Desktop, right click on the My Computer icon.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Restart your computer
  • Turn System Restore on
  • On the Desktop, right click on the My Computer icon.
  • Click Properties.
  • Click the System Restore tab.
  • Uncheck Turn off System Restore on all drives.
  • Click Apply
  • Click each drive in turn where system restore is not required and click Settings
    Note: System restore is only needed on drives with an operating system installed
  • For each drive without an operating system, check Turn off system restore on this drive, click Yes then click OK.
Note: only do this once, and not on a regular basis


  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
    Uninstall Tools for Major Antivirus Products
  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that, once the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab, or visit the Microsoft Update site on a regular basis.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.
  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.


Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
  • Malwarebytes' Anti-Malware
    As you already have Malwarebytes' Anti-Malware on board I would keep it regularly updated and run regular quick scans with it. (TIP: Cleaning out temp files can reduce scanning times.)
    Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. The Full version includes a number of features, including a built in protection monitor that blocks malicious processes before they even start.
  • Hosts File
    For added protection you may also like to add a Hosts file. A simple explanation of what a Hosts file does is HERE, and for more information regarding Hosts files read HERE.
  • Use an alternative Internet Browser
    Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:
    Firefox
    Opera
  • Install and use a firewall with outbound protection
    The Windows firewall only monitors incoming traffic, NOT outgoing. Using a software firewall in its default configuration to replace the Windows firewall greatly reduces the risk of your computer being hacked. Make sure your firewall is always enabled while your computer is connected to the internet.
    Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
    Suggestions:

[Please note that trial pay is not needed to get any product for free.]




Finally, I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Also please read this great article by Tony Klein So How Did I Get Infected In First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: BankerFox.A popup and weird lgfldrotssd.exe application

Unread postby Towel » August 11th, 2010, 11:56 pm

Thanks for all of your help and patience! I appreciate it. It was very easy to follow everything step by step. I will follow your suggestions and be more careful. I think we can close this thread now. Thanks again for providing the help!
Towel
Regular Member
 
Posts: 59
Joined: March 13th, 2005, 2:49 am

Re: BankerFox.A popup and weird lgfldrotssd.exe application

Unread postby melboy » August 12th, 2010, 2:45 am

You're most welcome! :)
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK