Please help! That nasty Sirefef got me.

Solved
By Phasmos
May 20, 2012
  1. If anyone here (like the amazing Broni, for instance) can save my poor old computer from the havoc this demonic bit of code is wreaking, I'll be immensely grateful. Getting online is a horrible effort now, and who knows who is watching my every move?

    I should probably assume that all my passwords and card numbers have been compromised, as well...? :oops:

    Please, can someone help me get rid of this damn thing?? Thanks in advance...

    - Christian
  2. Broni

    Broni Malware Annihilator Posts: 45,188   +242

    Welcome aboard [​IMG]

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
    Attached logs won't be reviewed.

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
  3. Phasmos

    Phasmos Newcomer, in training Topic Starter Posts: 53

    Hi Broni!

    Thanks for your reply. Here are the logs you've requested. First, a little background, to make sense of what may seem like an inconclusive scan: Over the past few days, I've downloaded and run about a dozen antivirus and anti-malware/adware programs to try to get rid of this pest, including Avast (which, for the first day or two, kept informing me about every 5 minutes that it was successfully blocking rootkits and Trojans from at least 2 variants of Sirefef, though now it no longer does so... which leads me to believe that it has been bypassed or compromised somehow), MSE, TDSSkiller, and Combofix, among other things. The last thing I ran was called HitmanPro36, which identified and deleted a Trojan package.

    There is still an active presence at work here, though, as Firefox takes at least 5 minutes to start, the cursor drags or freezes entirely for seconds at a time, and my desktop icons keep being inexplicably rearranged despite the Avast doo-hickey which insists that my "system is secured." Also, my firewall has been deactivated, and any attempt to restart it gets an error message stating that it cannot be activated due to "an unidentified problem."

    In addition, I get two weird registry errors upon startup that say "Windows cannot locate the file "□□". This may be the result of my trying to clean up the registry manually before I realized what was actually happening, though I can't find any such file and thus can't delete it. I don't know what to do about this, either, but I’m not certain that it is related to the problem at hand.

    Everything is running UNBELIEVABLY SLOWLY. It’s taken me hours to simply cut and paste this message into the window, and your server keeps timing out before my post can get thru. This is maddening.

    Anyway, since that Hitman thing deleted the visible Trojan hit, Malwarebytes scan results appear to be clean, despite the obvious problems which are still evident. GMER scan worked, but DDS would not run at all (though I don’t believe I have any scripting protection running). The command line window opens for 1 second and then simply disappears.

    MALWAREBYTES RESULTS:

    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.05.20.07

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 7.0.5730.11
    Ann :: HOME1 [administrator]

    5/21/2012 10:24:30 PM
    mbam-log-2012-05-21 (22-24-30).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 250039
    Time elapsed: 29 minute(s), 38 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
  4. Phasmos

    Phasmos Newcomer, in training Topic Starter Posts: 53

    GMER RESULTS (Pt. 1):

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-05-22 05:22:40
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST380011A rev.8.16
    Running: ph4w7t0b.exe; Driver: C:\DOCUME~1\Ann\LOCALS~1\Temp\pxtdipow.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xF769ADF8]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xF7727A5A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0xF769B85E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xF76C7D5D]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xF76A02E4]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xF76A0330]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xF76A0422]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xF76C7711]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xF76A0252]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xF76A0374]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xF76A029A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xF76A03DC]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xF769AE44]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xF76C8423]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xF76C86D9]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xF769D9A8]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xF76C828E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xF76C80F9]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xF7727B34]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xF769AAD6]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xF769AE90]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xF769DD1C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xF769BB02]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xF76A030E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xF76A0352]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xF76A0446]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xF76C7A6D]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xF76A0278]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xF769D518]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xF76A03AE]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xF76A02C2]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xF769D74C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xF76A0400]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xF7727CA0]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xF76C7F74]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xF769B9CE]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xF76C7DC6]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xF7731B68]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xF76C6D84]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xF769AEDC]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xF769AF28]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xF769AB46]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xF769ACEA]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xF76C852A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xF769AC92]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xF769AD5A]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0xF7727D60]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xF769AF74]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0xF7727BE0]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xF773DD92]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Kernel code sections - GMER 1.0.15 ----

    PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 3CC 8056BB88 4 Bytes CALL F769C19F \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF90D9340, 0x121A5F, 0xF8000020]
    .text win32k.sys!EngFreeUserMem + 674 BF8098E2 5 Bytes JMP F769F180 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngFreeUserMem + 35D0 BF80C83E 5 Bytes JMP F769F07C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngDeleteSurface + 45 BF8138D6 5 Bytes JMP F769F036 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!BRUSHOBJ_pvAllocRbrush + 11D3 BF81C540 5 Bytes JMP F769E724 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngSetLastError + 79A8 BF8240B0 5 Bytes JMP F769DF84 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngCreateBitmap + F9C BF828A1A 5 Bytes JMP F769F2EA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngUnmapFontFileFD + 2C50 BF831465 5 Bytes JMP F769F4F2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngUnmapFontFileFD + B687 BF839E9C 5 Bytes JMP F769EF3C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!FONTOBJ_pxoGetXform + C2CF BF85173B 5 Bytes JMP F769DE66 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!XLATEOBJ_iXlate + F17 BF85BC5A 5 Bytes JMP F769E7E6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!XLATEOBJ_iXlate + 3581 BF85E2C4 5 Bytes JMP F769E384 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!XLATEOBJ_iXlate + 360C BF85E34F 5 Bytes JMP F769E562 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngCreatePalette + 88 BF85F5C2 5 Bytes JMP F769DE4E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngCreatePalette + 5457 BF864991 5 Bytes JMP F769F0BA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngGetCurrentCodePage + 4128 BF873CC4 5 Bytes JMP F769E51C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngGetLastError + 1606 BF890F01 5 Bytes JMP F769E7FE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngGradientFill + 26EE BF8944AC 5 Bytes JMP F769F232 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngStretchBltROP + 583 BF894F84 5 Bytes JMP F769F450 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngCopyBits + 3857 BF89C32B 5 Bytes JMP F769E70C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngCopyBits + 4DEC BF89D8C0 5 Bytes JMP F769DFF4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngEraseSurface + A9DB BF8C1E40 5 Bytes JMP F769E104 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngFillPath + 1517 BF8CA2A2 5 Bytes JMP F769E1AC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngFillPath + 1797 BF8CA522 5 Bytes JMP F769E2E4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngDeleteSemaphore + 3B3E BF8EBEF7 5 Bytes JMP F769DD52 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngDeleteSemaphore + CB46 BF8F4EFF 5 Bytes JMP F769E73C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngCreateClip + 1A2D BF9136C2 5 Bytes JMP F769DF22 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngCreateClip + 2601 BF914296 5 Bytes JMP F769E0B0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngCreateClip + 4F7A BF916C0F 5 Bytes JMP F769E67C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngPlgBlt + 194D BF946CFD 5 Bytes JMP F769F3A8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF012380, 0x25BA81, 0xF8000020]
  5. Phasmos

    Phasmos Newcomer, in training Topic Starter Posts: 53

    GMER RESULTS (Pt. 2):

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\System32\svchost.exe[188] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
    .text C:\WINDOWS\System32\svchost.exe[188] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\System32\svchost.exe[188] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
    .text C:\WINDOWS\System32\svchost.exe[188] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\System32\svchost.exe[188] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
    .text C:\WINDOWS\System32\svchost.exe[188] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
    .text C:\WINDOWS\System32\svchost.exe[188] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
    .text C:\WINDOWS\System32\svchost.exe[188] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
    .text C:\WINDOWS\System32\svchost.exe[188] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
    .text C:\WINDOWS\System32\svchost.exe[188] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
    .text C:\WINDOWS\System32\svchost.exe[188] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
    .text C:\WINDOWS\System32\svchost.exe[188] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
    .text C:\WINDOWS\System32\svchost.exe[188] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
    .text C:\WINDOWS\System32\svchost.exe[188] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\System32\svchost.exe[188] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
    .text C:\WINDOWS\System32\svchost.exe[188] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\System32\svchost.exe[188] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
    .text C:\Program Files\Java\jre6\bin\jqs.exe[428] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
    .text C:\Program Files\Java\jre6\bin\jqs.exe[428] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Java\jre6\bin\jqs.exe[428] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
    .text C:\Program Files\Java\jre6\bin\jqs.exe[428] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Java\jre6\bin\jqs.exe[428] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
    .text C:\Program Files\Java\jre6\bin\jqs.exe[428] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
    .text C:\Program Files\Java\jre6\bin\jqs.exe[428] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
    .text C:\Program Files\Java\jre6\bin\jqs.exe[428] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
    .text C:\Program Files\Java\jre6\bin\jqs.exe[428] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
    .text C:\Program Files\Java\jre6\bin\jqs.exe[428] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
    .text C:\Program Files\Java\jre6\bin\jqs.exe[428] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
    .text C:\Program Files\Java\jre6\bin\jqs.exe[428] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
    .text C:\Program Files\Java\jre6\bin\jqs.exe[428] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003A0804
    .text C:\Program Files\Java\jre6\bin\jqs.exe[428] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003A0A08
    .text C:\Program Files\Java\jre6\bin\jqs.exe[428] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003A0600
    .text C:\Program Files\Java\jre6\bin\jqs.exe[428] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003A01F8
    .text C:\Program Files\Java\jre6\bin\jqs.exe[428] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003A03FC
    .text C:\WINDOWS\System32\svchost.exe[472] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
    .text C:\WINDOWS\System32\svchost.exe[472] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\System32\svchost.exe[472] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
    .text C:\WINDOWS\System32\svchost.exe[472] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\System32\svchost.exe[472] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
    .text C:\WINDOWS\System32\svchost.exe[472] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
    .text C:\WINDOWS\System32\svchost.exe[472] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
    .text C:\WINDOWS\System32\svchost.exe[472] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
    .text C:\WINDOWS\System32\svchost.exe[472] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
    .text C:\WINDOWS\System32\svchost.exe[472] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
    .text C:\WINDOWS\System32\svchost.exe[472] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
    .text C:\WINDOWS\System32\svchost.exe[472] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
    .text C:\WINDOWS\System32\svchost.exe[472] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
    .text C:\WINDOWS\System32\svchost.exe[472] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\System32\svchost.exe[472] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
    .text C:\WINDOWS\System32\svchost.exe[472] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\System32\svchost.exe[472] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003A0804
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003A0A08
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003A0600
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003A01F8
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[508] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003A03FC
    .text C:\WINDOWS\System32\smss.exe[600] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\csrss.exe[672] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\csrss.exe[672] KERNEL32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\winlogon.exe[696] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000701F8
    .text C:\WINDOWS\system32\winlogon.exe[696] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\winlogon.exe[696] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000703FC
    .text C:\WINDOWS\system32\winlogon.exe[696] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\winlogon.exe[696] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
    .text C:\WINDOWS\system32\winlogon.exe[696] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
    .text C:\WINDOWS\system32\winlogon.exe[696] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
    .text C:\WINDOWS\system32\winlogon.exe[696] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
    .text C:\WINDOWS\system32\winlogon.exe[696] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
    .text C:\WINDOWS\system32\winlogon.exe[696] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
    .text C:\WINDOWS\system32\winlogon.exe[696] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
    .text C:\WINDOWS\system32\winlogon.exe[696] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
    .text C:\WINDOWS\system32\winlogon.exe[696] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
    .text C:\WINDOWS\system32\winlogon.exe[696] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\system32\winlogon.exe[696] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
    .text C:\WINDOWS\system32\winlogon.exe[696] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\system32\winlogon.exe[696] USER32.dll!UnhookWinEvent 7E4318AC
  6. Phasmos

    Phasmos Newcomer, in training Topic Starter Posts: 53

    GMER RESULTS (Pt. 3):

    5 Bytes JMP 002C03FC
    .text C:\WINDOWS\system32\services.exe[740] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
    .text C:\WINDOWS\system32\services.exe[740] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\services.exe[740] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
    .text C:\WINDOWS\system32\services.exe[740] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\services.exe[740] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
    .text C:\WINDOWS\system32\services.exe[740] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
    .text C:\WINDOWS\system32\services.exe[740] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
    .text C:\WINDOWS\system32\services.exe[740] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
    .text C:\WINDOWS\system32\services.exe[740] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
    .text C:\WINDOWS\system32\services.exe[740] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
    .text C:\WINDOWS\system32\services.exe[740] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
    .text C:\WINDOWS\system32\services.exe[740] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
    .text C:\WINDOWS\system32\services.exe[740] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
    .text C:\WINDOWS\system32\services.exe[740] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\system32\services.exe[740] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
    .text C:\WINDOWS\system32\services.exe[740] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\system32\services.exe[740] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
    .text C:\WINDOWS\system32\lsass.exe[752] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
    .text C:\WINDOWS\system32\lsass.exe[752] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\lsass.exe[752] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
    .text C:\WINDOWS\system32\lsass.exe[752] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\lsass.exe[752] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
    .text C:\WINDOWS\system32\lsass.exe[752] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
    .text C:\WINDOWS\system32\lsass.exe[752] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
    .text C:\WINDOWS\system32\lsass.exe[752] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
    .text C:\WINDOWS\system32\lsass.exe[752] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
    .text C:\WINDOWS\system32\lsass.exe[752] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
    .text C:\WINDOWS\system32\lsass.exe[752] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
    .text C:\WINDOWS\system32\lsass.exe[752] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
    .text C:\WINDOWS\system32\lsass.exe[752] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
    .text C:\WINDOWS\system32\lsass.exe[752] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\system32\lsass.exe[752] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
    .text C:\WINDOWS\system32\lsass.exe[752] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\system32\lsass.exe[752] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
    .text C:\WINDOWS\system32\svchost.exe[908] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
    .text C:\WINDOWS\system32\svchost.exe[908] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[908] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
    .text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
    .text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
    .text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
    .text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
    .text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
    .text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
    .text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
    .text C:\WINDOWS\system32\svchost.exe[908] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
    .text C:\WINDOWS\system32\svchost.exe[908] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
    .text C:\WINDOWS\system32\svchost.exe[908] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\system32\svchost.exe[908] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
    .text C:\WINDOWS\system32\svchost.exe[908] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\system32\svchost.exe[908] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
    .text C:\Program Files\Bonjour\mDNSResponder.exe[932] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
    .text C:\Program Files\Bonjour\mDNSResponder.exe[932] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[932] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
    .text C:\Program Files\Bonjour\mDNSResponder.exe[932] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[932] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
    .text C:\Program Files\Bonjour\mDNSResponder.exe[932] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
    .text C:\Program Files\Bonjour\mDNSResponder.exe[932] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
    .text C:\Program Files\Bonjour\mDNSResponder.exe[932] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
    .text C:\Program Files\Bonjour\mDNSResponder.exe[932] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
    .text C:\Program Files\Bonjour\mDNSResponder.exe[932] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
    .text C:\Program Files\Bonjour\mDNSResponder.exe[932] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
    .text C:\Program Files\Bonjour\mDNSResponder.exe[932] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
    .text C:\Program Files\Bonjour\mDNSResponder.exe[932] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003A0804
    .text C:\Program Files\Bonjour\mDNSResponder.exe[932] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003A0A08
    .text C:\Program Files\Bonjour\mDNSResponder.exe[932] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003A0600
    .text C:\Program Files\Bonjour\mDNSResponder.exe[932] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003A01F8
    .text C:\Program Files\Bonjour\mDNSResponder.exe[932] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003A03FC
    .text C:\WINDOWS\system32\svchost.exe[984] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
    .text C:\WINDOWS\system32\svchost.exe[984] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[984] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
    .text C:\WINDOWS\system32\svchost.exe[984] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
    .text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
    .text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
    .text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
    .text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
    .text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
    .text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
    .text C:\WINDOWS\system32\svchost.exe[984] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
    .text C:\WINDOWS\system32\svchost.exe[984] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
    .text C:\WINDOWS\system32\svchost.exe[984] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\system32\svchost.exe[984] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
    .text C:\WINDOWS\system32\svchost.exe[984] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\system32\svchost.exe[984] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
    .text C:\WINDOWS\System32\svchost.exe[1080] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
    .text C:\WINDOWS\System32\svchost.exe[1080] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\System32\svchost.exe[1080] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
    .text C:\WINDOWS\System32\svchost.exe[1080] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\System32\svchost.exe[1080] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
    .text C:\WINDOWS\System32\svchost.exe[1080] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
    .text C:\WINDOWS\System32\svchost.exe[1080] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
    .text C:\WINDOWS\System32\svchost.exe[1080] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
    .text C:\WINDOWS\System32\svchost.exe[1080] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
    .text C:\WINDOWS\System32\svchost.exe[1080] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
    .text C:\WINDOWS\System32\svchost.exe[1080] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
    .text C:\WINDOWS\System32\svchost.exe[1080] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
    .text C:\WINDOWS\System32\svchost.exe[1080] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
    .text C:\WINDOWS\System32\svchost.exe[1080] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\System32\svchost.exe[1080] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
    .text C:\WINDOWS\System32\svchost.exe[1080] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\System32\svchost.exe[1080] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
    .text C:\WINDOWS\System32\svchost.exe[1152] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
    .text C:\WINDOWS\System32\svchost.exe[1152] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\System32\svchost.exe[1152] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
    .text C:\WINDOWS\System32\svchost.exe[1152] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
    .text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
    .text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
    .text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
    .text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
    .text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
    .text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
    .text C:\WINDOWS\System32\svchost.exe[1152] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
    .text C:\WINDOWS\System32\svchost.exe[1152] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
    .text C:\WINDOWS\System32\svchost.exe[1152] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\System32\svchost.exe[1152] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
    .text C:\WINDOWS\System32\svchost.exe[1152] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\System32\svchost.exe[1152] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1204] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001601F8
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1204] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1204] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001603FC
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1204] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1204] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00451014
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1204] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00450804
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1204] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00450A08
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1204] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00450C0C
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1204] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00450E10
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1204] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 004501F8
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1204] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 004503FC
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1204] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00450600
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1204] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00460804
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1204] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00460A08
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1204] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00460600
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1204] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 004601F8
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1204] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 004603FC
    .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1264] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
    .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1264] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1264] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
    .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1264] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1264] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
    .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1264] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
    .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1264] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
    .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1264] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
    .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1264] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
    .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1264] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
    .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1264] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
    .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1264] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
    .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1264] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003A0804
    .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1264] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003A0A08
    .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1264] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003A0600
    .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1264] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003A01F8
    .text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[1264] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003A03FC
    .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001601F8
    .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001603FC
    .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 006C1014
    .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 006C0804
    .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 006C0A08
    .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 006C0C0C
    .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 006C0E10
    .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 006C01F8
    .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 006C03FC
    .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 006C0600
    .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 006D0804
    .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 006D0A08
    .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 006D0600
    .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 006D01F8
    .text C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 006D03FC
  7. Phasmos

    Phasmos Newcomer, in training Topic Starter Posts: 53

    GMER RESULTS (Pt. 4):

    .text C:\WINDOWS\system32\svchost.exe[1304] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
    .text C:\WINDOWS\system32\svchost.exe[1304] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[1304] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
    .text C:\WINDOWS\system32\svchost.exe[1304] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
    .text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
    .text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
    .text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
    .text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
    .text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
    .text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
    .text C:\WINDOWS\system32\svchost.exe[1304] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
    .text C:\WINDOWS\system32\svchost.exe[1304] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
    .text C:\WINDOWS\system32\svchost.exe[1304] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\system32\svchost.exe[1304] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
    .text C:\WINDOWS\system32\svchost.exe[1304] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\system32\svchost.exe[1304] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
    .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1460] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1460] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
    .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1460] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\AVAST Software\Avast\avastUI.exe[1528] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\AVAST Software\Avast\avastUI.exe[1528] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\Explorer.EXE[1600] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
    .text C:\WINDOWS\Explorer.EXE[1600] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\Explorer.EXE[1600] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
    .text C:\WINDOWS\Explorer.EXE[1600] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\Explorer.EXE[1600] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C1014
    .text C:\WINDOWS\Explorer.EXE[1600] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C0804
    .text C:\WINDOWS\Explorer.EXE[1600] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\Explorer.EXE[1600] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C0C0C
    .text C:\WINDOWS\Explorer.EXE[1600] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0E10
    .text C:\WINDOWS\Explorer.EXE[1600] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\Explorer.EXE[1600] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C03FC
    .text C:\WINDOWS\Explorer.EXE[1600] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C0600
    .text C:\WINDOWS\Explorer.EXE[1600] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D0804
    .text C:\WINDOWS\Explorer.EXE[1600] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002D0A08
    .text C:\WINDOWS\Explorer.EXE[1600] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002D0600
    .text C:\WINDOWS\Explorer.EXE[1600] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002D01F8
    .text C:\WINDOWS\Explorer.EXE[1600] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002D03FC
    .text C:\WINDOWS\system32\spoolsv.exe[1660] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
    .text C:\WINDOWS\system32\spoolsv.exe[1660] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\spoolsv.exe[1660] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
    .text C:\WINDOWS\system32\spoolsv.exe[1660] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\spoolsv.exe[1660] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
    .text C:\WINDOWS\system32\spoolsv.exe[1660] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
    .text C:\WINDOWS\system32\spoolsv.exe[1660] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
    .text C:\WINDOWS\system32\spoolsv.exe[1660] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
    .text C:\WINDOWS\system32\spoolsv.exe[1660] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
    .text C:\WINDOWS\system32\spoolsv.exe[1660] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
    .text C:\WINDOWS\system32\spoolsv.exe[1660] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
    .text C:\WINDOWS\system32\spoolsv.exe[1660] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
    .text C:\WINDOWS\system32\spoolsv.exe[1660] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
    .text C:\WINDOWS\system32\spoolsv.exe[1660] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\system32\spoolsv.exe[1660] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
    .text C:\WINDOWS\system32\spoolsv.exe[1660] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\system32\spoolsv.exe[1660] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
    .text C:\WINDOWS\system32\ctfmon.exe[1740] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000A01F8
    .text C:\WINDOWS\system32\ctfmon.exe[1740] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\ctfmon.exe[1740] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000A03FC
    .text C:\WINDOWS\system32\ctfmon.exe[1740] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\ctfmon.exe[1740] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C1014
    .text C:\WINDOWS\system32\ctfmon.exe[1740] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C0804
    .text C:\WINDOWS\system32\ctfmon.exe[1740] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\system32\ctfmon.exe[1740] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C0C0C
    .text C:\WINDOWS\system32\ctfmon.exe[1740] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0E10
    .text C:\WINDOWS\system32\ctfmon.exe[1740] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\system32\ctfmon.exe[1740] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C03FC
    .text C:\WINDOWS\system32\ctfmon.exe[1740] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C0600
    .text C:\WINDOWS\system32\ctfmon.exe[1740] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D0804
    .text C:\WINDOWS\system32\ctfmon.exe[1740] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002D0A08
    .text C:\WINDOWS\system32\ctfmon.exe[1740] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002D0600
    .text C:\WINDOWS\system32\ctfmon.exe[1740] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002D01F8
    .text C:\WINDOWS\system32\ctfmon.exe[1740] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002D03FC
    .text C:\WINDOWS\System32\MsPMSPSv.exe[1832] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
    .text C:\WINDOWS\System32\MsPMSPSv.exe[1832] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\System32\MsPMSPSv.exe[1832] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
    .text C:\WINDOWS\System32\MsPMSPSv.exe[1832] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\System32\MsPMSPSv.exe[1832] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00381014
    .text C:\WINDOWS\System32\MsPMSPSv.exe[1832] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00380804
    .text C:\WINDOWS\System32\MsPMSPSv.exe[1832] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00380A08
    .text C:\WINDOWS\System32\MsPMSPSv.exe[1832] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00380C0C
    .text C:\WINDOWS\System32\MsPMSPSv.exe[1832] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00380E10
    .text C:\WINDOWS\System32\MsPMSPSv.exe[1832] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003801F8
    .text C:\WINDOWS\System32\MsPMSPSv.exe[1832] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003803FC
    .text C:\WINDOWS\System32\MsPMSPSv.exe[1832] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00380600
    .text C:\WINDOWS\System32\MsPMSPSv.exe[1832] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00390804
    .text C:\WINDOWS\System32\MsPMSPSv.exe[1832] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00390A08
    .text C:\WINDOWS\System32\MsPMSPSv.exe[1832] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00390600
    .text C:\WINDOWS\System32\MsPMSPSv.exe[1832] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003901F8
    .text C:\WINDOWS\System32\MsPMSPSv.exe[1832] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003903FC
    .text C:\WINDOWS\System32\CTsvcCDA.exe[1848] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
    .text C:\WINDOWS\System32\CTsvcCDA.exe[1848] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\System32\CTsvcCDA.exe[1848] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
    .text C:\WINDOWS\System32\CTsvcCDA.exe[1848] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\System32\CTsvcCDA.exe[1848] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00380804
    .text C:\WINDOWS\System32\CTsvcCDA.exe[1848] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00380A08
    .text C:\WINDOWS\System32\CTsvcCDA.exe[1848] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00380600
    .text C:\WINDOWS\System32\CTsvcCDA.exe[1848] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003801F8
    .text C:\WINDOWS\System32\CTsvcCDA.exe[1848] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003803FC
    .text C:\WINDOWS\System32\CTsvcCDA.exe[1848] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
    .text C:\WINDOWS\System32\CTsvcCDA.exe[1848] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
    .text C:\WINDOWS\System32\CTsvcCDA.exe[1848] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
    .text C:\WINDOWS\System32\CTsvcCDA.exe[1848] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
    .text C:\WINDOWS\System32\CTsvcCDA.exe[1848] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
    .text C:\WINDOWS\System32\CTsvcCDA.exe[1848] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
    .text C:\WINDOWS\System32\CTsvcCDA.exe[1848] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
    .text C:\WINDOWS\System32\CTsvcCDA.exe[1848] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
    .text C:\Program Files\iTunes\iTunesHelper.exe[2028] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001601F8
    .text C:\Program Files\iTunes\iTunesHelper.exe[2028] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\iTunes\iTunesHelper.exe[2028] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001603FC
    .text C:\Program Files\iTunes\iTunesHelper.exe[2028] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\iTunes\iTunesHelper.exe[2028] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003F1014
    .text C:\Program Files\iTunes\iTunesHelper.exe[2028] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003F0804
    .text C:\Program Files\iTunes\iTunesHelper.exe[2028] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003F0A08
    .text C:\Program Files\iTunes\iTunesHelper.exe[2028] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003F0C0C
    .text C:\Program Files\iTunes\iTunesHelper.exe[2028] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003F0E10
    .text C:\Program Files\iTunes\iTunesHelper.exe[2028] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003F01F8
    .text C:\Program Files\iTunes\iTunesHelper.exe[2028] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003F03FC
    .text C:\Program Files\iTunes\iTunesHelper.exe[2028] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003F0600
    .text C:\Program Files\iTunes\iTunesHelper.exe[2028] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00470804
    .text C:\Program Files\iTunes\iTunesHelper.exe[2028] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00470A08
    .text C:\Program Files\iTunes\iTunesHelper.exe[2028] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00470600
    .text C:\Program Files\iTunes\iTunesHelper.exe[2028] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 004701F8
    .text C:\Program Files\iTunes\iTunesHelper.exe[2028] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 004703FC
    .text C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[2136] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001601F8
    .text C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[2136] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[2136] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001603FC
    .text C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[2136] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[2136] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003F1014
    .text C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[2136] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003F0804
    .text C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[2136] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003F0A08
    .text C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[2136] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003F0C0C
    .text C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[2136] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003F0E10
    .text C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[2136] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003F01F8
    .text C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[2136] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003F03FC
    .text C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[2136] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003F0600
    .text C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[2136] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00480804
    .text C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[2136] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00480A08
    .text C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[2136] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00480600
    .text C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[2136] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 004801F8
    .text C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe[2136] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 004803FC
  8. Phasmos

    Phasmos Newcomer, in training Topic Starter Posts: 53

    GMER RESULTS (Pt. 5):

    .text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2176] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001601F8
    .text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2176] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2176] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001603FC
    .text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2176] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2176] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003F0804
    .text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2176] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003F0A08
    .text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2176] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003F0600
    .text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2176] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003F01F8
    .text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2176] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003F03FC
    .text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2176] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00491014
    .text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2176] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00490804
    .text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2176] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00490A08
    .text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2176] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00490C0C
    .text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2176] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00490E10
    .text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2176] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 004901F8
    .text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2176] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 004903FC
    .text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2176] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00490600
    .text C:\Program Files\iPod\bin\iPodService.exe[2552] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
    .text C:\Program Files\iPod\bin\iPodService.exe[2552] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\iPod\bin\iPodService.exe[2552] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
    .text C:\Program Files\iPod\bin\iPodService.exe[2552] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\iPod\bin\iPodService.exe[2552] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
    .text C:\Program Files\iPod\bin\iPodService.exe[2552] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
    .text C:\Program Files\iPod\bin\iPodService.exe[2552] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
    .text C:\Program Files\iPod\bin\iPodService.exe[2552] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
    .text C:\Program Files\iPod\bin\iPodService.exe[2552] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
    .text C:\Program Files\iPod\bin\iPodService.exe[2552] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
    .text C:\Program Files\iPod\bin\iPodService.exe[2552] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
    .text C:\Program Files\iPod\bin\iPodService.exe[2552] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
    .text C:\Program Files\iPod\bin\iPodService.exe[2552] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003A0804
    .text C:\Program Files\iPod\bin\iPodService.exe[2552] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003A0A08
    .text C:\Program Files\iPod\bin\iPodService.exe[2552] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003A0600
    .text C:\Program Files\iPod\bin\iPodService.exe[2552] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003A01F8
    .text C:\Program Files\iPod\bin\iPodService.exe[2552] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003A03FC
    .text C:\WINDOWS\system32\wscntfy.exe[3004] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
    .text C:\WINDOWS\system32\wscntfy.exe[3004] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\wscntfy.exe[3004] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
    .text C:\WINDOWS\system32\wscntfy.exe[3004] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\wscntfy.exe[3004] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D0804
    .text C:\WINDOWS\system32\wscntfy.exe[3004] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002D0A08
    .text C:\WINDOWS\system32\wscntfy.exe[3004] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002D0600
    .text C:\WINDOWS\system32\wscntfy.exe[3004] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002D01F8
    .text C:\WINDOWS\system32\wscntfy.exe[3004] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002D03FC
    .text C:\WINDOWS\system32\wscntfy.exe[3004] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E1014
    .text C:\WINDOWS\system32\wscntfy.exe[3004] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E0804
    .text C:\WINDOWS\system32\wscntfy.exe[3004] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0A08
    .text C:\WINDOWS\system32\wscntfy.exe[3004] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E0C0C
    .text C:\WINDOWS\system32\wscntfy.exe[3004] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0E10
    .text C:\WINDOWS\system32\wscntfy.exe[3004] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E01F8
    .text C:\WINDOWS\system32\wscntfy.exe[3004] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E03FC
    .text C:\WINDOWS\system32\wscntfy.exe[3004] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E0600
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3408] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001601F8
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3408] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3408] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001603FC
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3408] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3408] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 006A1014
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3408] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 006A0804
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3408] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 006A0A08
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3408] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 006A0C0C
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3408] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 006A0E10
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3408] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 006A01F8
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3408] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 006A03FC
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3408] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 006A0600
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3408] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 006B0804
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3408] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 006B0A08
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3408] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 006B0600
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3408] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 006B01F8
    .text C:\Program Files\Mozilla Firefox\firefox.exe[3408] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 006B03FC
    .text C:\Documents and Settings\Ann\Desktop\ph4w7t0b.exe[3916] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Documents and Settings\Ann\Desktop\ph4w7t0b.exe[3916] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\system32\services.exe[740] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 005E0002
    IAT C:\WINDOWS\system32\services.exe[740] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 005E0000
    IAT C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [010F2F20] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [010F2C90] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [010F2CF0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe[1280] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [010F2CC0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1460] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [64C8F6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
    IAT C:\Program Files\AVAST Software\Avast\avastUI.exe[1528] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [64C8F6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
    IAT C:\WINDOWS\Explorer.EXE[1600] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [01D32F20] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\Explorer.EXE[1600] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [01D32C90] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\Explorer.EXE[1600] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [01D32CF0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
    IAT C:\WINDOWS\Explorer.EXE[1600] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [01D32CC0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
    AttachedDevice \FileSystem\Ntfs \Ntfs ScreenNT.sys (Drive monitor./Quick Heal Technologies (P) Ltd.)

    Device \FileSystem\Fastfat \FatCdrom aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
    AttachedDevice \FileSystem\Fastfat \Fat ScreenNT.sys (Drive monitor./Quick Heal Technologies (P) Ltd.)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
    Reg HKLM\SOFTWARE\Classes\.m10@ Money.LegacyDoc10
    Reg HKLM\SOFTWARE\Classes\.m11@ Money.LegacyDoc11
    Reg HKLM\SOFTWARE\Classes\.m12@ Money.LegacyDoc12
    Reg HKLM\SOFTWARE\Classes\.mbf@ MoneyBackup.Document
    Reg HKLM\SOFTWARE\Classes\.mn1@ Money.LegacyDoc1
    Reg HKLM\SOFTWARE\Classes\.mn2@ Money.LegacyDoc2
    Reg HKLM\SOFTWARE\Classes\.mn3@ Money.LegacyDoc3
    Reg HKLM\SOFTWARE\Classes\.mn4@ Money.LegacyDoc4
    Reg HKLM\SOFTWARE\Classes\.mn5@ Money.LegacyDoc5
    Reg HKLM\SOFTWARE\Classes\.mn6@ Money.LegacyDoc6
    Reg HKLM\SOFTWARE\Classes\.mn7@ Money.LegacyDoc7
    Reg HKLM\SOFTWARE\Classes\.mn8@ Money.LegacyDoc8
    Reg HKLM\SOFTWARE\Classes\.mn9@ Money.LegacyDoc9
    Reg HKLM\SOFTWARE\Classes\.mny@ Money.Document
    Reg HKLM\SOFTWARE\Classes\.mny\Money.Document
    Reg HKLM\SOFTWARE\Classes\.mny\Money.Document\ShellNew
    Reg HKLM\SOFTWARE\Classes\.mny\Money.Document\ShellNew@
    Reg HKLM\SOFTWARE\Classes\.ofx@ ofx.Document
    Reg HKLM\SOFTWARE\Classes\.ofx@Content Type text/ofx
    Reg HKLM\SOFTWARE\Classes\.qif@ qif.Document
    Reg HKLM\SOFTWARE\Classes\.qif@Content Type text/qif
    Reg HKLM\SOFTWARE\Classes\autoform.AutoFormData@ AutoFormData Object
    Reg HKLM\SOFTWARE\Classes\autoform.AutoFormData\Clsid
    Reg HKLM\SOFTWARE\Classes\autoform.AutoFormData\Clsid@ {C959374E-9BAA-4413-8CE9-EB5B11A7F009}
    Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CddbCredit@ CddbCredit Class
    Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CddbCredit\CLSID
    Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CddbCredit\CLSID@ {bfe639ee-762e-46c4-ae7c-3c34ccc317ff}
    Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CddbCredit\CurVer
    Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CddbCredit\CurVer@ CDDBControlWinamp5.CddbCredit.1
    Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CddbCredit.1@ CddbCredit Class
    Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CddbCredit.1\CLSID
    Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CddbCredit.1\CLSID@ {bfe639ee-762e-46c4-ae7c-3c34ccc317ff}
    Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CddbDisc.1@ CddbDisc Class
    Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CddbDisc.1\CLSID
    Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CddbDisc.1\CLSID@ {c2e21ac1-675c-4cae-ba0c-98d25a5e5b84}
    Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CddbFullName.1@ CddbFullName Class
    Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CddbFullName.1\CLSID
    Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CddbFullName.1\CLSID@ {f1110c60-736a-4d58-8e2a-4935dfcf9ac7}
    Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CDDBWinamp5Control@ CDDBWinamp5Control Class
    Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CDDBWinamp5Control\CLSID
    Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CDDBWinamp5Control\CLSID@ {f2e9891e-0ce2-40bc-a6df-ed87c817b83d}
    Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CDDBWinamp5Control\CurVer
    Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CDDBWinamp5Control\CurVer@ CDDBControlWinamp5.CDDBWinamp5Control.1
    Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CDDBWinamp5Control.1@ CDDBWinamp5Control Class
    Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CDDBWinamp5Control.1\CLSID
    Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CDDBWinamp5Control.1\CLSID@ {f2e9891e-0ce2-40bc-a6df-ed87c817b83d}
    Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.CDDBWinamp5Control.1\Insertable
    Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.FullName@ CddbFullName Class
    Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.FullName\CLSID
    Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.FullName\CLSID@ {f1110c60-736a-4d58-8e2a-4935dfcf9ac7}
    Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.FullName\CurVer
    Reg HKLM\SOFTWARE\Classes\CDDBControlWinamp5.FullName\CurVer@ CDDBControlWinamp5.CddbFullName.1
    Reg HKLM\SOFTWARE\Classes\CDDBUIControlWinamp5.CddbWinamp5UI@ CddbWinamp5UI Class
    Reg HKLM\SOFTWARE\Classes\CDDBUIControlWinamp5.CddbWinamp5UI\CLSID
    Reg HKLM\SOFTWARE\Classes\CDDBUIControlWinamp5.CddbWinamp5UI\CLSID@ {0dabacb1-1a16-4082-a610-3d0b3a2a94fc}
    Reg HKLM\SOFTWARE\Classes\CDDBUIControlWinamp5.CddbWinamp5UI\CurVer
    Reg HKLM\SOFTWARE\Classes\CDDBUIControlWinamp5.CddbWinamp5UI\CurVer@ CDDBUIControlWinamp5.CddbWinamp5UI.1
    Reg HKLM\SOFTWARE\Classes\CDDBUIControlWinamp5.CddbWinamp5UI.1@ CddbWinamp5UI Class
    Reg HKLM\SOFTWARE\Classes\CDDBUIControlWinamp5.CddbWinamp5UI.1\CLSID
    Reg HKLM\SOFTWARE\Classes\CDDBUIControlWinamp5.CddbWinamp5UI.1\CLSID@ {0dabacb1-1a16-4082-a610-3d0b3a2a94fc}
    Reg HKLM\SOFTWARE\Classes\ChrtCtl.ChrtCtl@ MSN Money Charting
    Reg HKLM\SOFTWARE\Classes\ChrtCtl.ChrtCtl\CurVer
    Reg HKLM\SOFTWARE\Classes\ChrtCtl.ChrtCtl\CurVer@ ChrtCtl.ChrtCtl.1
    Reg HKLM\SOFTWARE\Classes\ChrtCtl.ChrtCtl.1@ MSN Money Charting
    Reg HKLM\SOFTWARE\Classes\ChrtCtl.ChrtCtl.1\CLSID
    Reg HKLM\SOFTWARE\Classes\ChrtCtl.ChrtCtl.1\CLSID@ {3DC2E31C-371A-4bd3-9A27-CDF57CE604CF}
    Reg HKLM\SOFTWARE\Classes\CLSID\{2ACB497D-6CFC-7594-BB39-CCC260AF5B5A}\InProcServer32@ %SystemRoot%\system32\SHELL32.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{2ACB497D-6CFC-7594-BB39-CCC260AF5B5A}\InProcServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{356792C4-73BF-2C52-49B8-91546A661B05}\CLSID@ Standard Picture
    Reg HKLM\SOFTWARE\Classes\CLSID\{356792C4-73BF-2C52-49B8-91546A661B05}\InprocServer32@ oleaut32.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{356792C4-73BF-2C52-49B8-91546A661B05}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{356792C4-73BF-2C52-49B8-91546A661B05}\InprocServer32@InprocServer32 )N3N1HH2g(@=z?VnZA8KWP_REDISTS>M5KDYSUnf(HA*L[xeX)y?lj^'G5k-g(=,}?Vrk!(lShared>M5KDYSUnf(HA*L[xeX)y?
    Reg HKLM\SOFTWARE\Classes\CLSID\{356792C4-73BF-2C52-49B8-91546A661B05}\ProgID@ StdPicture
    Reg HKLM\SOFTWARE\Classes\CLSID\{5A1FAA41-5586-A147-6396-912BC0718A72}\InprocServer32@ C:\WINDOWS\system32\quartz.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{5A1FAA41-5586-A147-6396-912BC0718A72}\InprocServer32@ThreadingModel Both
    Reg HKLM\SOFTWARE\Classes\CLSID\{6802E635-CB18-F544-790D-700BAC51E508}\InprocServer32@ C:\WINDOWS\System32\upnp.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{6802E635-CB18-F544-790D-700BAC51E508}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{6802E635-CB18-F544-790D-700BAC51E508}\ProgID@ UPnP.DescriptionDocument.1
    Reg HKLM\SOFTWARE\Classes\CLSID\{6802E635-CB18-F544-790D-700BAC51E508}\TypeLib@ {DB3442A7-A2E9-4A59-9CB5-F5C1A5D901E5}
    Reg HKLM\SOFTWARE\Classes\CLSID\{6802E635-CB18-F544-790D-700BAC51E508}\VersionIndependentProgID@ UPnP.DescriptionDocument
    Reg HKLM\SOFTWARE\Classes\CLSID\{DE2BDEC9-7FE4-55BB-F709-162A2FF71EEC}\InProcServer32@ %SystemRoot%\system32\SHELL32.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{DE2BDEC9-7FE4-55BB-F709-162A2FF71EEC}\InProcServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\Director.Playlists@ CPlaylists Object
    Reg HKLM\SOFTWARE\Classes\Director.Playlists\CLSID
    Reg HKLM\SOFTWARE\Classes\Director.Playlists\CLSID@ {AE4FC5BE-6248-4EB0-9918-BCB1D2B878B3}
    Reg HKLM\SOFTWARE\Classes\Director.Playlists\CurVer
    Reg HKLM\SOFTWARE\Classes\Director.Playlists\CurVer@ Director.Playlists.1
    Reg HKLM\SOFTWARE\Classes\Director.Playlists.1@ CPlaylists Object
    Reg HKLM\SOFTWARE\Classes\Director.Playlists.1\CLSID
    Reg HKLM\SOFTWARE\Classes\Director.Playlists.1\CLSID@ {AE4FC5BE-6248-4EB0-9918-BCB1D2B878B3}
    Reg HKLM\SOFTWARE\Classes\Director.SupportLibrary@ CSupportLibrary Object
    Reg HKLM\SOFTWARE\Classes\Director.SupportLibrary\CLSID
    Reg HKLM\SOFTWARE\Classes\Director.SupportLibrary\CLSID@ {AECAFA59-4D60-49B1-9037-81248A79F3A4}
    Reg HKLM\SOFTWARE\Classes\Director.SupportLibrary\CurVer
    Reg HKLM\SOFTWARE\Classes\Director.SupportLibrary\CurVer@ Director.SupportLibrary.1
    Reg HKLM\SOFTWARE\Classes\Director.SupportLibrary.1@ CSupportLibrary Object
    Reg HKLM\SOFTWARE\Classes\Director.SupportLibrary.1\CLSID
    Reg HKLM\SOFTWARE\Classes\Director.SupportLibrary.1\CLSID@ {AECAFA59-4D60-49B1-9037-81248A79F3A4}
    Reg HKLM\SOFTWARE\Classes\Director.Tracks@ CTracks Object
    Reg HKLM\SOFTWARE\Classes\Director.Tracks\CLSID
    Reg HKLM\SOFTWARE\Classes\Director.Tracks\CLSID@ {372D1C09-EBAF-477C-82F4-426173BD61C3}
    Reg HKLM\SOFTWARE\Classes\Director.Tracks\CurVer
    Reg HKLM\SOFTWARE\Classes\Director.Tracks\CurVer@ Director.Tracks.1
    Reg HKLM\SOFTWARE\Classes\Director.Tracks.1@ CTracks Object
    Reg HKLM\SOFTWARE\Classes\Director.Tracks.1\CLSID
    Reg HKLM\SOFTWARE\Classes\Director.Tracks.1\CLSID@ {372D1C09-EBAF-477C-82F4-426173BD61C3}
  9. Phasmos

    Phasmos Newcomer, in training Topic Starter Posts: 53

    GMER RESULTS (Pt. 6):

    Reg HKLM\SOFTWARE\Classes\FlashFactory.FlashFactory@ Macromedia Flash Factory Object
    Reg HKLM\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID
    Reg HKLM\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID@ {D27CDB70-AE6D-11cf-96B8-444553540000}
    Reg HKLM\SOFTWARE\Classes\FlashFactory.FlashFactory\CurVer
    Reg HKLM\SOFTWARE\Classes\FlashFactory.FlashFactory\CurVer@ FlashFactory.FlashFactory.1
    Reg HKLM\SOFTWARE\Classes\FlashFactory.FlashFactory.1@ Macromedia Flash Factory Object
    Reg HKLM\SOFTWARE\Classes\FlashFactory.FlashFactory.1\CLSID
    Reg HKLM\SOFTWARE\Classes\FlashFactory.FlashFactory.1\CLSID@ {D27CDB70-AE6D-11cf-96B8-444553540000}
    Reg HKLM\SOFTWARE\Classes\FndrCtl.FndrCtl@ MSN Money Screener
    Reg HKLM\SOFTWARE\Classes\FndrCtl.FndrCtl\CurVer
    Reg HKLM\SOFTWARE\Classes\FndrCtl.FndrCtl\CurVer@ FndrCtl.FndrCtl.1
    Reg HKLM\SOFTWARE\Classes\FndrCtl.FndrCtl.1@ MSN Money Screener
    Reg HKLM\SOFTWARE\Classes\FndrCtl.FndrCtl.1\CLSID
    Reg HKLM\SOFTWARE\Classes\FndrCtl.FndrCtl.1\CLSID@ {7F4824E8-21D1-4a62-BD34-AB670833DFB6}
    Reg HKLM\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper@ Macromedia Flash Paper
    Reg HKLM\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\CLSID
    Reg HKLM\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\CLSID@ {D27CDB6E-AE6D-11cf-96B8-444553540000}
    Reg HKLM\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\DefaultIcon
    Reg HKLM\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\DefaultIcon@ C:\PROGRA~1\MOZILL~1\FIREFOX.EXE,1
    Reg HKLM\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell
    Reg HKLM\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open
    Reg HKLM\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open\command
    Reg HKLM\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open\command@ C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
    Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanner@ WiFiScanner Class
    Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanner\CLSID
    Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanner\CLSID@ {86D0C901-A1EC-48F7-BADC-09FEA70E91E2}
    Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanner\CurVer
    Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanner\CurVer@ Microsoft.MapPoint.WiFiScanner.1
    Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanner.1@ WiFiScanner Class
    Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanner.1\CLSID
    Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanner.1\CLSID@ {86D0C901-A1EC-48F7-BADC-09FEA70E91E2}
    Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanResult@ WiFiScanResult Class
    Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanResult\CLSID
    Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanResult\CLSID@ {3AE61C81-BE5B-4297-BA1C-2B2A629A2256}
    Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanResult\CurVer
    Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanResult\CurVer@ Microsoft.MapPoint.WiFiScanResult.1
    Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanResult.1@ WiFiScanResult Class
    Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanResult.1\CLSID
    Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanResult.1\CLSID@ {3AE61C81-BE5B-4297-BA1C-2B2A629A2256}
    Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanResults10@ WiFiScanResults Class
    Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanResults10\CLSID
    Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanResults10\CLSID@ {46157CA5-442D-4CFF-84C0-6A4DF834E6F3}
    Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanResults10\CurVer
    Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanResults10\CurVer@ Microsoft.MapPoint.WiFiScanResults10.1
    Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanResults10.1@ WiFiScanResults Class
    Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanResults10.1\CLSID
    Reg HKLM\SOFTWARE\Classes\Microsoft.MapPoint.WiFiScanResults10.1\CLSID@ {46157CA5-442D-4CFF-84C0-6A4DF834E6F3}
    Reg HKLM\SOFTWARE\Classes\money@ URL:Money Protocol
    Reg HKLM\SOFTWARE\Classes\money@EditFlags 2
    Reg HKLM\SOFTWARE\Classes\money@URL Protocol
    Reg HKLM\SOFTWARE\Classes\money\Shell
    Reg HKLM\SOFTWARE\Classes\money\Shell\Open
    Reg HKLM\SOFTWARE\Classes\money\Shell\Open\Command
    Reg HKLM\SOFTWARE\Classes\money\Shell\Open\Command@ c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.exe -url:%1
    Reg HKLM\SOFTWARE\Classes\Money.Document@ Microsoft Money file
    Reg HKLM\SOFTWARE\Classes\Money.Document\DefaultIcon
    Reg HKLM\SOFTWARE\Classes\Money.Document\DefaultIcon@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE",0
    Reg HKLM\SOFTWARE\Classes\Money.Document\Shell
    Reg HKLM\SOFTWARE\Classes\Money.Document\Shell@ Open
    Reg HKLM\SOFTWARE\Classes\Money.Document\Shell\Open
    Reg HKLM\SOFTWARE\Classes\Money.Document\Shell\Open\Command
    Reg HKLM\SOFTWARE\Classes\Money.Document\Shell\Open\Command@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE" "%1"
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc1@ Microsoft Money v1 backup.
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc1@NoOpen This is a Money v1 file. Use the file command in Money v1 to open it.
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc1\DefaultIcon
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc1\DefaultIcon@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE",0
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc10@ Microsoft Money 2002 backup.
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc10@NoOpen This is a Money 2002 file. Use the file command in Money 2002 to open it.
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc10\DefaultIcon
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc10\DefaultIcon@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE",0
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc11@ Microsoft Money 2003 backup.
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc11@NoOpen This is a Money 2003 file. Use the file command in Money 2003 to open it.
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc11\DefaultIcon
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc11\DefaultIcon@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE",0
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc12@ Microsoft Money 2004 backup.
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc12@NoOpen This is a Money 2004 file. Use the file command in Money 2004 to open it.
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc12\DefaultIcon
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc12\DefaultIcon@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE",0
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc14@ Microsoft Money 2005 backup.
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc14@NoOpen This is a Money 2005 file. Use the file command in Money 2005 to open it.
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc14\DefaultIcon
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc14\DefaultIcon@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE",0
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc2@ Microsoft Money v2 backup.
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc2@NoOpen This is a Money v2 file. Use the file command in Money v2 to open it.
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc2\DefaultIcon
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc2\DefaultIcon@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE",0
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc3@ Microsoft Money v3 backup.
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc3@NoOpen This is a Money v3 file. Use the file command in Money v3 to open it.
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc3\DefaultIcon
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc3\DefaultIcon@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE",0
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc4@ Microsoft Money '95 backup.
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc4@NoOpen This is a Money '95 file. Use the file command in Money '95 to open it.
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc4\DefaultIcon
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc4\DefaultIcon@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE",0
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc5@ Microsoft Money '97 backup.
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc5@NoOpen This is a Money '97 file. Use the file command in Money '97 to open it.
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc5\DefaultIcon
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc5\DefaultIcon@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE",0
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc6@ Microsoft Money '98 backup.
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc6@NoOpen This is a Money '98 file. Use the file command in Money '98 to open it.
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc6\DefaultIcon
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc6\DefaultIcon@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE",0
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc7@ Microsoft Money '99 backup.
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc7@NoOpen This is a Money '99 file. Use the file command in Money '99 to open it.
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc7\DefaultIcon
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc7\DefaultIcon@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE",0
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc8@ Microsoft Money 2000 backup.
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc8@NoOpen This is a Money 2000 file. Use the file command in Money 2000 to open it.
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc8\DefaultIcon
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc8\DefaultIcon@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE",0
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc9@ Microsoft Money 2001 backup.
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc9@NoOpen This is a Money 2001 file. Use the file command in Money 2001 to open it.
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc9\DefaultIcon
    Reg HKLM\SOFTWARE\Classes\Money.LegacyDoc9\DefaultIcon@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE",0
    Reg HKLM\SOFTWARE\Classes\MoneyBackup.Document@ Microsoft Money backup File
    Reg HKLM\SOFTWARE\Classes\MoneyBackup.Document\DefaultIcon
    Reg HKLM\SOFTWARE\Classes\MoneyBackup.Document\DefaultIcon@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE",0
    Reg HKLM\SOFTWARE\Classes\MoneyBackup.Document\Shell
    Reg HKLM\SOFTWARE\Classes\MoneyBackup.Document\Shell@ Open
    Reg HKLM\SOFTWARE\Classes\MoneyBackup.Document\Shell\Open
    Reg HKLM\SOFTWARE\Classes\MoneyBackup.Document\Shell\Open\Command
    Reg HKLM\SOFTWARE\Classes\MoneyBackup.Document\Shell\Open\Command@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE" "%1"
    Reg HKLM\SOFTWARE\Classes\ofx.Document@
  10. Phasmos

    Phasmos Newcomer, in training Topic Starter Posts: 53

    GMER RESULTS (Pt. 7):

    Open Financial Exchange File
    Reg HKLM\SOFTWARE\Classes\ofx.Document@EditFlags 65792
    Reg HKLM\SOFTWARE\Classes\ofx.Document\DefaultIcon
    Reg HKLM\SOFTWARE\Classes\ofx.Document\DefaultIcon@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE",0
    Reg HKLM\SOFTWARE\Classes\ofx.Document\Shell
    Reg HKLM\SOFTWARE\Classes\ofx.Document\Shell\Open
    Reg HKLM\SOFTWARE\Classes\ofx.Document\Shell\Open\Command
    Reg HKLM\SOFTWARE\Classes\ofx.Document\Shell\Open\Command@ "c:\program files\microsoft money 2006\MNYCoreFiles\mnyimprt.exe" %1
    Reg HKLM\SOFTWARE\Classes\PortMgr.AxTaskList@ AxTaskList Class
    Reg HKLM\SOFTWARE\Classes\PortMgr.AxTaskList\CLSID
    Reg HKLM\SOFTWARE\Classes\PortMgr.AxTaskList\CLSID@ {656FAD09-4DE3-4c34-9600-0928C855FD7A}
    Reg HKLM\SOFTWARE\Classes\PortMgr.AxTaskList\CurVer
    Reg HKLM\SOFTWARE\Classes\PortMgr.AxTaskList\CurVer@ PortMgr.AxTaskList.1
    Reg HKLM\SOFTWARE\Classes\PortMgr.AxTaskList.1@ AxTaskList Class
    Reg HKLM\SOFTWARE\Classes\PortMgr.AxTaskList.1\CLSID
    Reg HKLM\SOFTWARE\Classes\PortMgr.AxTaskList.1\CLSID@ {656FAD09-4DE3-4c34-9600-0928C855FD7A}
    Reg HKLM\SOFTWARE\Classes\PortMgr.PortfolioManager@ PortfolioManager Class
    Reg HKLM\SOFTWARE\Classes\PortMgr.PortfolioManager\CLSID
    Reg HKLM\SOFTWARE\Classes\PortMgr.PortfolioManager\CLSID@ {C287744F-F58B-4923-97F4-8E365EB60075}
    Reg HKLM\SOFTWARE\Classes\PortMgr.PortfolioManager\CurVer
    Reg HKLM\SOFTWARE\Classes\PortMgr.PortfolioManager\CurVer@ PortMgr.PortfolioManager.1
    Reg HKLM\SOFTWARE\Classes\PortMgr.PortfolioManager.1@ PortfolioManager Class
    Reg HKLM\SOFTWARE\Classes\PortMgr.PortfolioManager.1\CLSID
    Reg HKLM\SOFTWARE\Classes\PortMgr.PortfolioManager.1\CLSID@ {C287744F-F58B-4923-97F4-8E365EB60075}
    Reg HKLM\SOFTWARE\Classes\qif.Document@ Quicken Import File
    Reg HKLM\SOFTWARE\Classes\qif.Document@EditFlags 256
    Reg HKLM\SOFTWARE\Classes\qif.Document\DefaultIcon
    Reg HKLM\SOFTWARE\Classes\qif.Document\DefaultIcon@ "c:\program files\microsoft money 2006\MNYCoreFiles\MSMoney.EXE",0
    Reg HKLM\SOFTWARE\Classes\qif.Document\Shell
    Reg HKLM\SOFTWARE\Classes\qif.Document\Shell\Open
    Reg HKLM\SOFTWARE\Classes\qif.Document\Shell\Open\Command
    Reg HKLM\SOFTWARE\Classes\qif.Document\Shell\Open\Command@ "c:\program files\microsoft money 2006\MNYCoreFiles\mnyimprt.exe" %1
    Reg HKLM\SOFTWARE\Classes\QlistCtl.QlistCtl@ MSN Money QuickList
    Reg HKLM\SOFTWARE\Classes\QlistCtl.QlistCtl\CurVer
    Reg HKLM\SOFTWARE\Classes\QlistCtl.QlistCtl\CurVer@ QlistCtl.QlistCtl.1
    Reg HKLM\SOFTWARE\Classes\QlistCtl.QlistCtl.1@ MSN Money QuickList
    Reg HKLM\SOFTWARE\Classes\QlistCtl.QlistCtl.1\CLSID
    Reg HKLM\SOFTWARE\Classes\QlistCtl.QlistCtl.1\CLSID@ {89A9F739-8F34-40e1-BCD3-62BABEAD3C6F}
    Reg HKLM\SOFTWARE\Classes\refdb.helper@ Chelper Object
    Reg HKLM\SOFTWARE\Classes\refdb.helper\CLSID
    Reg HKLM\SOFTWARE\Classes\refdb.helper\CLSID@ {7CD1F456-8BDA-45ED-BC11-4B7340E05315}
    Reg HKLM\SOFTWARE\Classes\refdb.helper\CurVer
    Reg HKLM\SOFTWARE\Classes\refdb.helper\CurVer@ refdb.helper.1
    Reg HKLM\SOFTWARE\Classes\refdb.helper.1@ Chelper Object
    Reg HKLM\SOFTWARE\Classes\refdb.helper.1\CLSID
    Reg HKLM\SOFTWARE\Classes\refdb.helper.1\CLSID@ {7CD1F456-8BDA-45ED-BC11-4B7340E05315}
    Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash@ Shockwave Flash Object
    Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CLSID
    Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CLSID@ {D27CDB6E-AE6D-11cf-96B8-444553540000}
    Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CurVer
    Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CurVer@ ShockwaveFlash.ShockwaveFlash.9
    Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1@ Shockwave Flash Object
    Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\CLSID
    Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\CLSID@ {D27CDB6E-AE6D-11cf-96B8-444553540000}
    Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3@ Shockwave Flash Object
    Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\CLSID
    Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\CLSID@ {D27CDB6E-AE6D-11cf-96B8-444553540000}
    Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4@ Shockwave Flash Object
    Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\CLSID
    Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\CLSID@ {D27CDB6E-AE6D-11cf-96B8-444553540000}
    Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5@ Shockwave Flash Object
    Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\CLSID
    Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\CLSID@ {D27CDB6E-AE6D-11cf-96B8-444553540000}
    Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6@ Shockwave Flash Object
    Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\CLSID
    Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\CLSID@ {D27CDB6E-AE6D-11cf-96B8-444553540000}
    Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7@ Shockwave Flash Object
    Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\CLSID
    Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\CLSID@ {D27CDB6E-AE6D-11cf-96B8-444553540000}
    Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8@ Shockwave Flash Object
    Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8\CLSID
    Reg HKLM\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8\CLSID@ {D27CDB6E-AE6D-11cf-96B8-444553540000}
    Reg HKLM\SOFTWARE\Classes\Surfboard.SurfShim15.View@ Surfboard Shim Doc Object View
    Reg HKLM\SOFTWARE\Classes\Surfboard.SurfShim15.View\BrowseInPlace
    Reg HKLM\SOFTWARE\Classes\Surfboard.SurfShim15.View\BrowseInPlace@
    Reg HKLM\SOFTWARE\Classes\Surfboard.SurfShim15.View\CLSID
    Reg HKLM\SOFTWARE\Classes\Surfboard.SurfShim15.View\CLSID@ {1ff1dc5d-d5c9-479b-be9b-5ef8fee7fb0c}
    Reg HKLM\SOFTWARE\Classes\Surfboard.SurfShim15.View\DocObject
    Reg HKLM\SOFTWARE\Classes\Surfboard.SurfShim15.View\DocObject@
    Reg HKLM\SOFTWARE\Classes\wareo\shell
    Reg HKLM\SOFTWARE\Classes\wareo\shell\open
    Reg HKLM\SOFTWARE\Classes\warep\shell
    Reg HKLM\SOFTWARE\Classes\warep\shell\open
    Reg HKLM\SOFTWARE\Classes\warez@ URL:Warez protocol
    Reg HKLM\SOFTWARE\Classes\warez@URL Protocol
    Reg HKLM\SOFTWARE\Classes\warez\shell
    Reg HKLM\SOFTWARE\Classes\warez\shell\open
    Reg HKLM\SOFTWARE\Classes\warez.DocHostUIHandler@ Implements DocHostUIHandler
    Reg HKLM\SOFTWARE\Classes\warez.DocHostUIHandler\Clsid
    Reg HKLM\SOFTWARE\Classes\warez.DocHostUIHandler\Clsid@ {3F2BBC05-40DF-11D2-9455-00104BC936FF}
    Reg HKLM\SOFTWARE\Classes\warezo@ URL:Warez Of1
    Reg HKLM\SOFTWARE\Classes\warezo@URL Protocol
    Reg HKLM\SOFTWARE\Classes\warezo\shell
    Reg HKLM\SOFTWARE\Classes\warezo\shell\open
    Reg HKLM\SOFTWARE\Classes\warezp@ URL:Warez Of2
    Reg HKLM\SOFTWARE\Classes\warezp@URL Protocol
    Reg HKLM\SOFTWARE\Classes\warezp\shell
    Reg HKLM\SOFTWARE\Classes\warezp\shell\open
    Reg HKLM\SOFTWARE\Classes\warezq@ URL:Warez_Query protocol
    Reg HKLM\SOFTWARE\Classes\warezq@URL Protocol
    Reg HKLM\SOFTWARE\Classes\warezq\shell
    Reg HKLM\SOFTWARE\Classes\warezq\shell\open
    Reg HKLM\SOFTWARE\Classes\Winamp\shell
    Reg HKLM\SOFTWARE\Classes\Winamp\shell\WinampMTPHandler
    Reg HKLM\SOFTWARE\Classes\Winamp\shell\WinampMTPHandler@command C:\Program Files\Winamp\winamp.exe
    Reg HKLM\SOFTWARE\Classes\WordPerfect.Document@ WordPerfect Document
    Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\CLSID
    Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\CLSID@ {A25250CA-50C1-11D3-8EA3-0090271BECDD}
    Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\CurVer
    Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\CurVer@ WP10Doc
    Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\DefaultIcon
    Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\DefaultIcon@ C:\Program Files\Corel\WordPerfect Office 2002\Programs\pficon100.dll,-5121
    Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell
    Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell@ open
    Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\open
    Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\open@ &Open
    Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\open\command
    Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\open\command@ "C:\Program Files\Corel\WordPerfect Office 2002\Programs\wpwin10.exe" "%1"
    Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\print
    Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\print@ &Print
    Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\print\command
    Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\print\command@ "C:\Program Files\Corel\WordPerfect Office 2002\Programs\wpwin10.exe" /ddeex /smin :
    Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\print\ddeexec
    Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\print\ddeexec@ FileOpen("%1") PrintFullDoc() CloseNoSave(1)
    Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\print\ddeexec\application
    Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\print\ddeexec\application@ WPWin10_Macros
    Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\print\ddeexec\topic
    Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\print\ddeexec\topic@ Commands
    Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\printto
    Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\printto\command
    Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\printto\command@ "C:\Program Files\Corel\WordPerfect Office 2002\Programs\wpwin10.exe" /ddeex /smin :
    Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\printto\ddeexec
    Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\printto\ddeexec@ PrintTo("%1";"%2";"%3";"%4")
    Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\printto\ddeexec\application
    Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\printto\ddeexec\application@ WPWin10_Macros
    Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\printto\ddeexec\topic
    Reg HKLM\SOFTWARE\Classes\WordPerfect.Document\shell\printto\ddeexec\topic@ Commands
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{729CBF0D-CC25-0FCA-ECE2-2C2D9014B1D4}
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{729CBF0D-CC25-0FCA-ECE2-2C2D9014B1D4}@naefhjfecjgklgmlbhknefccfpnp 0x69 0x61 0x6E 0x63 ...
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{729CBF0D-CC25-0FCA-ECE2-2C2D9014B1D4}@oagipbnkbecbjjigpkkfoobcddbebp 0x6A 0x61 0x6E 0x63 ...
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{729CBF0D-CC25-0FCA-ECE2-2C2D9014B1D4}@gboldljabahbhalinijnhgpnbkeibloinjbjcbinihkinh 0x6B 0x61 0x63 0x66 ...
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{729CBF0D-CC25-0FCA-ECE2-2C2D9014B1D4}@bbmleofpghcbcapeejehbfheehpkfnkgneaj 0x6A 0x63 0x61 0x64 ...
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{729CBF0D-CC25-0FCA-ECE2-2C2D9014B1D4}@oagipbnkbecbjjigpkkfnoecgmmlmf 0x6B 0x61 0x6B 0x63 ...
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{729CBF0D-CC25-0FCA-ECE2-2C2D9014B1D4}@naefhjfecjgklgmlbhlnpehokide 0x6A 0x61 0x6B 0x63 ...
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{729CBF0D-CC25-0FCA-ECE2-2C2D9014B1D4}@oaclclemhekndgiilhohbjppdknolm 0x6C 0x61 0x63 0x66 ...
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{729CBF0D-CC25-0FCA-ECE2-2C2D9014B1D4}@oadlgliikfiaeogpflmecopdhmahmp 0x66 0x62 0x61 0x64 ...
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{729CBF0D-CC25-0FCA-ECE2-2C2D9014B1D4}@pahlmkjkeljkjgfdkiojhgadjjeglmfl 0x64 0x62 0x6C 0x63 ...

    ---- EOF - GMER 1.0.15 ----


    I could not get DDS to run at all. The command line window opens for 1 second and then simply disappears.
  11. Broni

    Broni Malware Annihilator Posts: 45,188   +242

    First of all you should never run Combofix on your own.
    Then, playing with registry is a very bad idea as well. You can make things even worse.

    Download Bootkit Remover to your desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users,right click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.

    ===================================================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
  12. Phasmos

    Phasmos Newcomer, in training Topic Starter Posts: 53

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...
  13. Phasmos

    Phasmos Newcomer, in training Topic Starter Posts: 53

    Tried to run the ASWmbr scan, but the comp. shut down halfway through, with a message that read:

    "A problem has been detected and Windows has been shut down to prevent damage to your computer."

    It goes on to mention some "Technical Information," which read as follows:

    -------------------------------------------------------------------------------------------------------------------
    *** STOP: 0x0000008E (0xC0000005, 0xF76BE827, 0xF75C55F0, 0x00000000)
    *** aswSnx.SYS - Address F76BE827 base at F7682000, DateStamp 4f56a5e5
    Beginning dump of physical memory
    Physical memory dump complete.
    -------------------------------------------------------------------------------------------------------------------

    Should I try to run ASWmbr again?
     
  14. Broni

    Broni Malware Annihilator Posts: 45,188   +242

    Please download and run ListParts by Farbar (for 32-bit system) to your desktop.

    Please download and run ListParts64 by Farbar (for 64-bit system) to your desktop.

    Click on Scan button.

    Scan result will open in Notepad.
    Post it in your next reply.
  15. Phasmos

    Phasmos Newcomer, in training Topic Starter Posts: 53

    Here is the result:

    ListParts by Farbar Version: 12-03-2012 03
    Ran by Ann (administrator) on 22-05-2012 at 13:11:35
    Windows XP (X86)
    Running From: C:\Documents and Settings\Ann\Desktop
    Language: 0409
    ************************************************************

    ========================= Memory info ======================

    Percentage of memory in use: 84%
    Total physical RAM: 255 MB
    Available physical RAM: 39.74 MB
    Total Pagefile: 617.32 MB
    Available Pagefile: 311.47 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 2002.9 MB

    ======================= Partitions =========================

    2 Drive c: () (Fixed) (Total:74.5 GB) (Free:14 GB) NTFS ==>[Drive with boot components (Windows XP)]
    4 Drive f: (Chris's Big) (Removable) (Total:1.87 GB) (Free:0.55 GB) FAT

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 74 GB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 74 GB 32 KB
    ======================================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C NTFS Partition 74 GB Healthy System (partition with boot components)
    ======================================================================================================

    ****** End Of Log ******
  16. Phasmos

    Phasmos Newcomer, in training Topic Starter Posts: 53

    BTW, whatever we're doing must be having some effect -- the computer is running faster already!
  17. Broni

    Broni Malware Annihilator Posts: 45,188   +242

    Hmm...we didn't really fix anything yet :)

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
  18. Phasmos

    Phasmos Newcomer, in training Topic Starter Posts: 53

    Well, maybe we've caught the bugger napping... ;D

    Ok, running TDSSkiller... stand by for results...
  19. Phasmos

    Phasmos Newcomer, in training Topic Starter Posts: 53

    13:21:34.0609 2076 TDSS rootkit removing tool 2.7.36.0 May 21 2012 16:40:16
    13:21:36.0093 2076 ============================================================
    13:21:36.0093 2076 Current date / time: 2012/05/22 13:21:36.0093
    13:21:36.0093 2076 SystemInfo:
    13:21:36.0093 2076
    13:21:36.0093 2076 OS Version: 5.1.2600 ServicePack: 3.0
    13:21:36.0093 2076 Product type: Workstation
    13:21:36.0093 2076 ComputerName: HOME1
    13:21:36.0187 2076 UserName: Ann
    13:21:36.0187 2076 Windows directory: C:\WINDOWS
    13:21:36.0187 2076 System windows directory: C:\WINDOWS
    13:21:36.0187 2076 Processor architecture: Intel x86
    13:21:36.0187 2076 Number of processors: 1
    13:21:36.0187 2076 Page size: 0x1000
    13:21:36.0187 2076 Boot type: Normal boot
    13:21:36.0187 2076 ============================================================
    13:21:49.0937 2076 Drive \Device\Harddisk0\DR0 - Size: 0x12A05F2000 (74.51 Gb), SectorSize: 0x200, Cylinders: 0x25FE, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
    13:21:50.0687 2076 Drive \Device\Harddisk1\DR2 - Size: 0x77700000 (1.87 Gb), SectorSize: 0x200, Cylinders: 0xF3, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
    13:21:50.0687 2076 ============================================================
    13:21:50.0687 2076 \Device\Harddisk0\DR0:
    13:21:50.0703 2076 MBR partitions:
    13:21:50.0703 2076 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x94FE97E
    13:21:50.0703 2076 \Device\Harddisk1\DR2:
    13:21:50.0718 2076 MBR partitions:
    13:21:50.0718 2076 \Device\Harddisk1\DR2\Partition0: MBR, Type 0x6, StartLBA 0x80, BlocksNum 0x3BB780
    13:21:50.0718 2076 ============================================================
    13:21:50.0953 2076 C: <-> \Device\Harddisk0\DR0\Partition0
    13:21:50.0953 2076 ============================================================
    13:21:50.0953 2076 Initialize success
    13:21:50.0953 2076 ============================================================
    13:22:04.0921 2216 ============================================================
    13:22:04.0921 2216 Scan started
    13:22:04.0921 2216 Mode: Manual;
    13:22:04.0921 2216 ============================================================
    13:22:05.0640 2216 Aavmker4 (473f97edc5a5312f3665ab2921196c0c) C:\WINDOWS\system32\drivers\Aavmker4.sys
    13:22:05.0640 2216 Aavmker4 - ok
    13:22:05.0656 2216 Abiosdsk - ok
    13:22:05.0687 2216 abp480n5 - ok
    13:22:05.0812 2216 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    13:22:06.0015 2216 ACPI - ok
    13:22:06.0093 2216 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    13:22:06.0093 2216 ACPIEC - ok
    13:22:06.0109 2216 adpu160m - ok
    13:22:06.0203 2216 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    13:22:06.0250 2216 aec - ok
    13:22:06.0359 2216 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
    13:22:06.0406 2216 AFD - ok
    13:22:06.0468 2216 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
    13:22:06.0500 2216 agp440 - ok
    13:22:06.0500 2216 Aha154x - ok
    13:22:06.0531 2216 aic78u2 - ok
    13:22:06.0546 2216 aic78xx - ok
    13:22:06.0609 2216 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
    13:22:06.0687 2216 Alerter - ok
    13:22:06.0750 2216 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
    13:22:06.0765 2216 ALG - ok
    13:22:06.0781 2216 AliIde - ok
    13:22:06.0796 2216 amsint - ok
    13:22:06.0984 2216 Apple Mobile Device (7ef47644b74ebe721cc32211d3c35e76) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    13:22:07.0046 2216 Apple Mobile Device - ok
    13:22:07.0062 2216 AppMgmt - ok
    13:22:07.0093 2216 asc - ok
    13:22:07.0109 2216 asc3350p - ok
    13:22:07.0125 2216 asc3550 - ok
    13:22:07.0203 2216 ASPI32 (5b01af89d16d562825c4db4530f20cbb) C:\WINDOWS\system32\drivers\ASPI32.sys
    13:22:07.0218 2216 ASPI32 - ok
    13:22:07.0390 2216 aspnet_state (776acefa0ca9df0faa51a5fb2f435705) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
    13:22:07.0578 2216 aspnet_state - ok
    13:22:07.0640 2216 aswFsBlk (0ae43c6c411254049279c2ee55630f95) C:\WINDOWS\system32\drivers\aswFsBlk.sys
    13:22:07.0656 2216 aswFsBlk - ok
    13:22:07.0734 2216 aswMon2 (8c30b7ddd2f1d8d138ebe40345af2b11) C:\WINDOWS\system32\drivers\aswMon2.sys
    13:22:07.0781 2216 aswMon2 - ok
    13:22:07.0812 2216 AswRdr (da12626fd9a67f4e917e2f2fbe1e1764) C:\WINDOWS\system32\drivers\AswRdr.sys
    13:22:07.0828 2216 AswRdr - ok
    13:22:08.0078 2216 aswSnx (dcb199b967375753b5019ec15f008f53) C:\WINDOWS\system32\drivers\aswSnx.sys
    13:22:08.0375 2216 aswSnx - ok
    13:22:08.0765 2216 aswSP (b32873e5a1443c0a1e322266e203bf10) C:\WINDOWS\system32\drivers\aswSP.sys
    13:22:08.0906 2216 aswSP - ok
    13:22:08.0953 2216 aswTdi (6ff544175a9180c5d88534d3d9c9a9f7) C:\WINDOWS\system32\drivers\aswTdi.sys
    13:22:08.0968 2216 aswTdi - ok
    13:22:09.0031 2216 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    13:22:09.0031 2216 AsyncMac - ok
    13:22:09.0156 2216 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    13:22:09.0187 2216 atapi - ok
    13:22:09.0203 2216 Atdisk - ok
    13:22:09.0265 2216 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    13:22:09.0312 2216 Atmarpc - ok
    13:22:09.0390 2216 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
    13:22:09.0437 2216 AudioSrv - ok
    13:22:09.0500 2216 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    13:22:09.0500 2216 audstub - ok
    13:22:09.0656 2216 avast! Antivirus (4041d31508a2a084dfb42c595854090f) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    13:22:09.0703 2216 avast! Antivirus - ok
    13:22:09.0750 2216 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    13:22:09.0750 2216 Beep - ok
    13:22:09.0937 2216 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
    13:22:10.0609 2216 BITS - ok
    13:22:10.0812 2216 Bonjour Service (db5bea73edaf19ac68b2c0fad0f92b1a) C:\Program Files\Bonjour\mDNSResponder.exe
    13:22:10.0937 2216 Bonjour Service - ok
    13:22:11.0031 2216 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
    13:22:11.0062 2216 Browser - ok
    13:22:11.0078 2216 BW2NDIS5 - ok
    13:22:11.0125 2216 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    13:22:11.0156 2216 cbidf2k - ok
    13:22:11.0218 2216 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    13:22:11.0218 2216 CCDECODE - ok
    13:22:11.0234 2216 cd20xrnt - ok
    13:22:11.0296 2216 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    13:22:11.0296 2216 Cdaudio - ok
    13:22:11.0375 2216 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    13:22:11.0390 2216 Cdfs - ok
    13:22:11.0453 2216 Cdr4_xp (bf79e659c506674c0497cc9c61f1a165) C:\WINDOWS\system32\drivers\Cdr4_xp.sys
    13:22:11.0468 2216 Cdr4_xp - ok
    13:22:11.0484 2216 Cdralw2k (2c41cd49d82d5fd85c72d57b6ca25471) C:\WINDOWS\system32\drivers\Cdralw2k.sys
    13:22:11.0500 2216 Cdralw2k - ok
    13:22:11.0546 2216 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    13:22:11.0562 2216 Cdrom - ok
    13:22:11.0703 2216 cdudf_xp (cfd81f2140193fc7f1812e6d6eaf6795) C:\WINDOWS\system32\drivers\cdudf_xp.sys
    13:22:11.0812 2216 cdudf_xp - ok
    13:22:11.0828 2216 Changer - ok
    13:22:11.0875 2216 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
    13:22:11.0890 2216 CiSvc - ok
    13:22:11.0937 2216 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
    13:22:11.0953 2216 ClipSrv - ok
    13:22:12.0171 2216 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    13:22:12.0468 2216 clr_optimization_v2.0.50727_32 - ok
    13:22:12.0640 2216 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    13:22:12.0843 2216 clr_optimization_v4.0.30319_32 - ok
    13:22:12.0859 2216 CmdIde - ok
    13:22:12.0875 2216 COMSysApp - ok
    13:22:12.0906 2216 Cpqarray - ok
    13:22:12.0968 2216 Creative Service for CDROM Access (3c8b6609712f4ff78e521f6dcfc4032b) C:\WINDOWS\System32\CTsvcCDA.exe
    13:22:12.0984 2216 Creative Service for CDROM Access - ok
    13:22:13.0109 2216 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
    13:22:13.0125 2216 CryptSvc - ok
    13:22:13.0156 2216 dac2w2k - ok
    13:22:13.0171 2216 dac960nt - ok
    13:22:13.0375 2216 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
    13:22:13.0562 2216 DcomLaunch - ok
    13:22:13.0578 2216 DgiVecp - ok
    13:22:13.0671 2216 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
    13:22:13.0718 2216 Dhcp - ok
    13:22:13.0781 2216 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    13:22:13.0812 2216 Disk - ok
    13:22:13.0828 2216 dmadmin - ok
    13:22:14.0171 2216 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    13:22:14.0515 2216 dmboot - ok
    13:22:14.0593 2216 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    13:22:14.0640 2216 dmio - ok
    13:22:14.0687 2216 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    13:22:14.0687 2216 dmload - ok
    13:22:14.0781 2216 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
    13:22:14.0796 2216 dmserver - ok
    13:22:14.0875 2216 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    13:22:14.0890 2216 DMusic - ok
    13:22:14.0953 2216 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
    13:22:14.0984 2216 Dnscache - ok
    13:22:15.0078 2216 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
    13:22:15.0125 2216 Dot3svc - ok
    13:22:15.0156 2216 dpti2o - ok
    13:22:15.0187 2216 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    13:22:15.0187 2216 drmkaud - ok
    13:22:15.0250 2216 dvd43llh (1fc1eed3ea0c3a0ecf8a95b97e1b4831) C:\WINDOWS\system32\DRIVERS\dvd43llh.sys
    13:22:15.0265 2216 dvd43llh - ok
    13:22:15.0328 2216 dvd_2K (677829f7010768eeeed8d0083e510dab) C:\WINDOWS\system32\drivers\dvd_2K.sys
    13:22:15.0359 2216 dvd_2K - ok
    13:22:15.0453 2216 E100B (98ed0bea10477b0f252cca35eb50f838) C:\WINDOWS\system32\DRIVERS\e100b325.sys
    13:22:15.0531 2216 E100B - ok
    13:22:15.0578 2216 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
    13:22:15.0593 2216 EapHost - ok
    13:22:15.0656 2216 EMLSS (de58b034f27f45a615c0c28e8c66be3c) C:\WINDOWS\system32\drivers\emltdi.sys
    13:22:15.0718 2216 EMLSS - ok
    13:22:15.0765 2216 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
    13:22:15.0796 2216 ERSvc - ok
    13:22:15.0890 2216 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
    13:22:16.0000 2216 Eventlog - ok
    13:22:16.0156 2216 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\System32\es.dll
    13:22:16.0250 2216 EventSystem - ok
    13:22:16.0359 2216 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    13:22:16.0421 2216 Fastfat - ok
    13:22:16.0500 2216 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
    13:22:16.0578 2216 FastUserSwitchingCompatibility - ok
    13:22:16.0640 2216 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    13:22:16.0656 2216 Fdc - ok
    13:22:16.0703 2216 FilterService (a75ddc492d2d1d6558ad8003a4adb73a) C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys
    13:22:16.0750 2216 FilterService - ok
    13:22:16.0796 2216 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    13:22:16.0812 2216 Fips - ok
    13:22:16.0828 2216 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    13:22:16.0843 2216 Flpydisk - ok
    13:22:16.0953 2216 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    13:22:17.0015 2216 FltMgr - ok
    13:22:17.0187 2216 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
    13:22:17.0218 2216 FontCache3.0.0.0 - ok
    13:22:17.0281 2216 FsUsbExDisk (cbe5f69a5e5b918225f420ba748f3742) C:\WINDOWS\system32\FsUsbExDisk.SYS
    13:22:17.0296 2216 FsUsbExDisk - ok
    13:22:17.0343 2216 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    13:22:17.0343 2216 Fs_Rec - ok
    13:22:17.0421 2216 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    13:22:17.0468 2216 Ftdisk - ok
    13:22:17.0484 2216 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
    13:22:17.0515 2216 gameenum - ok
    13:22:17.0562 2216 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
    13:22:17.0562 2216 GEARAspiWDM - ok
    13:22:17.0625 2216 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    13:22:17.0656 2216 Gpc - ok
    13:22:17.0718 2216 gupdate - ok
    13:22:17.0750 2216 gupdatem - ok
    13:22:17.0765 2216 gusvc - ok
    13:22:17.0875 2216 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
    13:22:17.0984 2216 helpsvc - ok
    13:22:18.0031 2216 HidServ - ok
    13:22:18.0078 2216 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    13:22:18.0093 2216 HidUsb - ok
    13:22:18.0156 2216 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
    13:22:18.0187 2216 hkmsvc - ok
    13:22:18.0203 2216 hpn - ok
    13:22:18.0265 2216 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
    13:22:18.0296 2216 HPZid412 - ok
    13:22:18.0312 2216 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
    13:22:18.0328 2216 HPZipr12 - ok
    13:22:18.0390 2216 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
    13:22:18.0406 2216 HPZius12 - ok
    13:22:18.0515 2216 HSFHWBS2 (96fae6dc24574b1cb08dcf9d984a5be4) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
    13:22:18.0593 2216 HSFHWBS2 - ok
    13:22:19.0046 2216 HSF_DP (2efa8dd8b0270a3a7202ce5f4da465b1) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
    13:22:19.0484 2216 HSF_DP - ok
    13:22:19.0625 2216 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    13:22:19.0734 2216 HTTP - ok
    13:22:19.0781 2216 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
    13:22:19.0843 2216 HTTPFilter - ok
    13:22:19.0859 2216 i2omgmt - ok
    13:22:19.0875 2216 i2omp - ok
    13:22:19.0953 2216 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    13:22:19.0968 2216 i8042prt - ok
    13:22:20.0140 2216 IDriverT (1cf03c69b49acb70c722df92755c0c8c) C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    13:22:20.0234 2216 IDriverT - ok
    13:22:20.0687 2216 idsvc (c01ac32dc5c03076cfb852cb5da5229c) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
    13:22:21.0000 2216 idsvc - ok
    13:22:21.0046 2216 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    13:22:21.0062 2216 Imapi - ok
    13:22:21.0187 2216 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
    13:22:21.0250 2216 ImapiService - ok
    13:22:21.0281 2216 ini910u - ok
    13:22:21.0343 2216 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
    13:22:21.0359 2216 IntelIde - ok
    13:22:21.0421 2216 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    13:22:21.0453 2216 intelppm - ok
    13:22:21.0484 2216 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    13:22:21.0500 2216 ip6fw - ok
    13:22:21.0562 2216 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    13:22:21.0578 2216 IpFilterDriver - ok
    13:22:21.0609 2216 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    13:22:21.0609 2216 IpInIp - ok
    13:22:21.0703 2216 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    13:22:21.0765 2216 IpNat - ok
    13:22:22.0171 2216 iPod Service (57edb35ea2feca88f8b17c0c095c9a56) C:\Program Files\iPod\bin\iPodService.exe
    13:22:22.0484 2216 iPod Service - ok
    13:22:22.0546 2216 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    13:22:22.0578 2216 IPSec - ok
    13:22:22.0625 2216 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    13:22:22.0625 2216 IRENUM - ok
    13:22:22.0687 2216 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    13:22:22.0703 2216 isapnp - ok
    13:22:22.0953 2216 JavaQuickStarterService (381b25dc8e958d905b33130d500bbf29) C:\Program Files\Java\jre6\bin\jqs.exe
    13:22:23.0000 2216 JavaQuickStarterService - ok
    13:22:23.0078 2216 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    13:22:23.0093 2216 Kbdclass - ok
    13:22:23.0203 2216 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    13:22:23.0265 2216 kmixer - ok
    13:22:23.0359 2216 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    13:22:23.0390 2216 KSecDD - ok
    13:22:23.0484 2216 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
    13:22:23.0531 2216 lanmanserver - ok
    13:22:23.0640 2216 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
    13:22:23.0718 2216 lanmanworkstation - ok
    13:22:23.0734 2216 lbrtfdc - ok
    13:22:23.0796 2216 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
    13:22:23.0812 2216 LmHosts - ok
    13:22:23.0906 2216 lvpopflt (01f0e010acb61472163e9d02d3ff531a) C:\WINDOWS\system32\DRIVERS\lvpopflt.sys
    13:22:23.0953 2216 lvpopflt - ok
    13:22:24.0015 2216 LVPr2Mon (c57c48fb9ae3efb9848af594e3123a63) C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys
    13:22:24.0046 2216 LVPr2Mon - ok
    13:22:24.0187 2216 LVPrcSrv (5c7b88695ce461d8bda4fe0c0e57e71d) C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    13:22:24.0250 2216 LVPrcSrv - ok
    13:22:24.0390 2216 LVRS (87ecce893d8aec5a9337b917742d339c) C:\WINDOWS\system32\DRIVERS\lvrs.sys
    13:22:24.0484 2216 LVRS - ok
    13:22:27.0046 2216 LVUVC (291f69b3dda0f033d2490c5ba5179f7c) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
    13:22:29.0375 2216 LVUVC - ok
    13:22:29.0781 2216 mdmxsdk (aeb54ef22cb7c7e3f405f69f048d696c) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
    13:22:29.0781 2216 mdmxsdk - ok
    13:22:29.0843 2216 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
    13:22:29.0859 2216 Messenger - ok
    13:22:29.0906 2216 mmc_2K (9b90303a9c9405a6ce1466ff4aa20fdd) C:\WINDOWS\system32\drivers\mmc_2K.sys
    13:22:29.0937 2216 mmc_2K - ok
    13:22:29.0984 2216 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    13:22:29.0984 2216 mnmdd - ok
    13:22:30.0265 2216 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\System32\mnmsrvc.exe
    13:22:30.0281 2216 mnmsrvc - ok
    13:22:30.0328 2216 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    13:22:30.0343 2216 Modem - ok
    13:22:30.0390 2216 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    13:22:30.0406 2216 Mouclass - ok
    13:22:30.0484 2216 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    13:22:30.0484 2216 mouhid - ok
    13:22:30.0531 2216 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    13:22:30.0546 2216 MountMgr - ok
    13:22:30.0578 2216 mraid35x - ok
    13:22:30.0593 2216 MREMP50 - ok
    13:22:30.0609 2216 MREMPR5 - ok
    13:22:30.0625 2216 MRENDIS5 - ok
    13:22:30.0640 2216 MRESP50 - ok
    13:22:30.0765 2216 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    13:22:30.0843 2216 MRxDAV - ok
    13:22:31.0062 2216 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    13:22:31.0234 2216 MRxSmb - ok
    13:22:31.0281 2216 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\System32\msdtc.exe
    13:22:31.0296 2216 MSDTC - ok
    13:22:31.0343 2216 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    13:22:31.0343 2216 Msfs - ok
    13:22:31.0359 2216 MSIServer - ok
    13:22:31.0421 2216 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    13:22:31.0421 2216 MSKSSRV - ok
    13:22:31.0437 2216 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    13:22:31.0453 2216 MSPCLOCK - ok
    13:22:31.0484 2216 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    13:22:31.0484 2216 MSPQM - ok
    13:22:31.0546 2216 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    13:22:31.0562 2216 mssmbios - ok
    13:22:31.0609 2216 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
    13:22:31.0609 2216 MSTEE - ok
    13:22:31.0718 2216 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
    13:22:31.0765 2216 Mup - ok
    13:22:31.0828 2216 mv2 (f9a20fba803ac99579cb6dc14b8e5ca4) C:\WINDOWS\system32\DRIVERS\mv2.sys
    13:22:31.0828 2216 mv2 - ok
    13:22:31.0906 2216 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    13:22:31.0937 2216 NABTSFEC - ok
    13:22:32.0093 2216 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
    13:22:32.0203 2216 napagent - ok
    13:22:32.0328 2216 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    13:22:32.0406 2216 NDIS - ok
    13:22:32.0468 2216 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    13:22:32.0468 2216 NdisIP - ok
    13:22:32.0531 2216 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    13:22:32.0531 2216 NdisTapi - ok
    13:22:32.0562 2216 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    13:22:32.0578 2216 Ndisuio - ok
    13:22:32.0625 2216 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    13:22:32.0671 2216 NdisWan - ok
    13:22:32.0734 2216 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    13:22:32.0750 2216 NDProxy - ok
    13:22:32.0812 2216 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    13:22:32.0828 2216 NetBIOS - ok
    13:22:32.0906 2216 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    13:22:32.0968 2216 NetBT - ok
    13:22:33.0062 2216 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
    13:22:33.0125 2216 NetDDE - ok
    13:22:33.0140 2216 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
    13:22:33.0140 2216 NetDDEdsdm - ok
    13:22:33.0187 2216 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\System32\lsass.exe
    13:22:33.0203 2216 Netlogon - ok
    13:22:33.0296 2216 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
    13:22:33.0375 2216 Netman - ok
    13:22:33.0578 2216 NetTcpPortSharing (d22cd77d4f0d63d1169bb35911bff12d) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
    13:22:33.0687 2216 NetTcpPortSharing - ok
    13:22:33.0828 2216 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
    13:22:33.0921 2216 Nla - ok
    13:22:34.0000 2216 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    13:22:34.0015 2216 Npfs - ok
    13:22:34.0265 2216 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    13:22:34.0484 2216 Ntfs - ok
    13:22:34.0546 2216 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\System32\lsass.exe
    13:22:34.0546 2216 NtLmSsp - ok
    13:22:34.0750 2216 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
    13:22:34.0921 2216 NtmsSvc - ok
    13:22:34.0953 2216 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    13:22:34.0968 2216 Null - ok
    13:22:35.0640 2216 nv (71dbdc08df86b80511e72953fa1ad6b0) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    13:22:36.0203 2216 nv - ok
    13:22:36.0562 2216 NVSvc (5ed834603c36414b579979b3a9c90f54) C:\WINDOWS\system32\nvsvc32.exe
    13:22:36.0609 2216 NVSvc - ok
    13:22:36.0687 2216 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    13:22:36.0703 2216 NwlnkFlt - ok
    13:22:36.0750 2216 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    13:22:36.0781 2216 NwlnkFwd - ok
    13:22:36.0859 2216 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
    13:22:36.0875 2216 OMCI - ok
    13:22:36.0937 2216 OnlineNT (fe3f910425349894f2f158312d2b4931) C:\WINDOWS\system32\drivers\OnlineNT.sys
    13:22:36.0953 2216 OnlineNT - ok
    13:22:37.0500 2216 P16X (e433c553d00d76fbc616294b60a7a530) C:\WINDOWS\system32\drivers\P16X.sys
    13:22:37.0921 2216 P16X - ok
    13:22:38.0359 2216 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    13:22:38.0390 2216 Parport - ok
    13:22:38.0453 2216 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    13:22:38.0453 2216 PartMgr - ok
    13:22:38.0531 2216 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    13:22:38.0531 2216 ParVdm - ok
    13:22:38.0593 2216 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    13:22:38.0609 2216 PCI - ok
    13:22:38.0625 2216 PCIDump - ok
    13:22:38.0687 2216 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    13:22:38.0703 2216 PCIIde - ok
    13:22:38.0781 2216 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    13:22:38.0828 2216 Pcmcia - ok
    13:22:38.0843 2216 PDCOMP - ok
    13:22:38.0859 2216 PDFRAME - ok
    13:22:38.0875 2216 PDRELI - ok
    13:22:38.0890 2216 PDRFRAME - ok
    13:22:38.0906 2216 perc2 - ok
    13:22:38.0937 2216 perc2hib - ok
    13:22:39.0015 2216 PfModNT (2f5532f9b0f903b26847da674b4f55b2) C:\WINDOWS\System32\PfModNT.sys
    13:22:39.0031 2216 PfModNT - ok
    13:22:39.0125 2216 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
    13:22:39.0140 2216 PlugPlay - ok
    13:22:39.0218 2216 Pml Driver HPZ12 (9d84376931440f3679beef2a414fa493) C:\WINDOWS\system32\HPZipm12.exe
    13:22:39.0265 2216 Pml Driver HPZ12 - ok
    13:22:39.0328 2216 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
    13:22:39.0343 2216 PolicyAgent - ok
    13:22:39.0421 2216 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    13:22:39.0453 2216 PptpMiniport - ok
    13:22:39.0468 2216 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
    13:22:39.0484 2216 Processor - ok
    13:22:39.0515 2216 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
    13:22:39.0515 2216 ProtectedStorage - ok
    13:22:39.0562 2216 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    13:22:39.0593 2216 PSched - ok
    13:22:39.0656 2216 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    13:22:39.0656 2216 Ptilink - ok
    13:22:39.0765 2216 pwd_2k (d8b90616a8bd53de281dbdb664c0984a) C:\WINDOWS\system32\drivers\pwd_2k.sys
    13:22:39.0812 2216 pwd_2k - ok
    13:22:39.0890 2216 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    13:22:39.0906 2216 PxHelp20 - ok
    13:22:39.0921 2216 ql1080 - ok
    13:22:39.0937 2216 Ql10wnt - ok
    13:22:39.0968 2216 ql12160 - ok
    13:22:39.0968 2216 ql1240 - ok
    13:22:39.0984 2216 ql1280 - ok
    13:22:40.0062 2216 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    13:22:40.0078 2216 RasAcd - ok
    13:22:40.0156 2216 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
    13:22:40.0203 2216 RasAuto - ok
    13:22:40.0265 2216 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    13:22:40.0281 2216 Rasl2tp - ok
    13:22:40.0406 2216 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
    13:22:40.0500 2216 RasMan - ok
    13:22:40.0531 2216 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    13:22:40.0546 2216 RasPppoe - ok
    13:22:40.0578 2216 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    13:22:40.0593 2216 Raspti - ok
    13:22:40.0703 2216 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    13:22:40.0781 2216 Rdbss - ok
    13:22:40.0812 2216 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    13:22:40.0812 2216 RDPCDD - ok
    13:22:40.0921 2216 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
    13:22:40.0968 2216 RDPWD - ok
    13:22:41.0093 2216 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
    13:22:41.0187 2216 RDSessMgr - ok
    13:22:41.0250 2216 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    13:22:41.0281 2216 redbook - ok
    13:22:41.0359 2216 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
    13:22:41.0375 2216 RemoteAccess - ok
    13:22:41.0453 2216 RemotePCmirror (2e397936292792a4ba413a397c9f0727) C:\WINDOWS\system32\DRIVERS\RemotePCmirror.sys
    13:22:41.0468 2216 RemotePCmirror - ok
    13:22:41.0515 2216 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
    13:22:41.0515 2216 ROOTMODEM - ok
    13:22:41.0609 2216 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\System32\locator.exe
    13:22:41.0640 2216 RpcLocator - ok
    13:22:41.0843 2216 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
    13:22:41.0859 2216 RpcSs - ok
    13:22:41.0968 2216 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\System32\rsvp.exe
    13:22:42.0031 2216 RSVP - ok
    13:22:42.0109 2216 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
    13:22:42.0109 2216 SamSs - ok
    13:22:42.0218 2216 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
    13:22:42.0250 2216 SCardSvr - ok
    13:22:42.0390 2216 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
    13:22:42.0468 2216 Schedule - ok
    13:22:42.0531 2216 ScreenNT (02f5d6a6ea2ed4dd9a866644db6683c2) C:\WINDOWS\system32\drivers\ScreenNT.sys
    13:22:42.0531 2216 ScreenNT - ok
    13:22:42.0593 2216 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    13:22:42.0609 2216 Secdrv - ok
    13:22:42.0656 2216 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
    13:22:42.0671 2216 seclogon - ok
    13:22:42.0750 2216 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
    13:22:42.0765 2216 SENS - ok
    13:22:42.0828 2216 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    13:22:42.0843 2216 serenum - ok
    13:22:42.0890 2216 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    13:22:42.0921 2216 Serial - ok
    13:22:42.0984 2216 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    13:22:43.0000 2216 Sfloppy - ok
    13:22:43.0109 2216 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
    13:22:43.0125 2216 ShellHWDetection - ok
    13:22:43.0140 2216 Simbad - ok
    13:22:43.0171 2216 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    13:22:43.0187 2216 SLIP - ok
    13:22:43.0250 2216 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
    13:22:43.0250 2216 SONYPVU1 - ok
    13:22:43.0265 2216 Sparrow - ok
    13:22:43.0328 2216 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    13:22:43.0328 2216 splitter - ok
    13:22:43.0406 2216 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
    13:22:43.0437 2216 Spooler - ok
    13:22:43.0484 2216 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    13:22:43.0515 2216 sr - ok
    13:22:43.0609 2216 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
    13:22:43.0671 2216 srservice - ok
    13:22:43.0859 2216 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
    13:22:43.0984 2216 Srv - ok
    13:22:44.0093 2216 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
    13:22:44.0125 2216 SSDPSRV - ok
    13:22:44.0296 2216 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
    13:22:44.0453 2216 stisvc - ok
    13:22:44.0671 2216 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    13:22:44.0750 2216 streamip - ok
    13:22:44.0796 2216 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    13:22:44.0796 2216 swenum - ok
    13:22:44.0859 2216 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    13:22:44.0890 2216 swmidi - ok
    13:22:44.0906 2216 SwPrv - ok
    13:22:44.0921 2216 symc810 - ok
    13:22:44.0937 2216 symc8xx - ok
    13:22:44.0953 2216 sym_hi - ok
    13:22:44.0984 2216 sym_u3 - ok
    13:22:45.0046 2216 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    13:22:45.0078 2216 sysaudio - ok
    13:22:45.0218 2216 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
    13:22:45.0296 2216 SysmonLog - ok
    13:22:45.0406 2216 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
    13:22:45.0500 2216 TapiSrv - ok
    13:22:45.0687 2216 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    13:22:45.0812 2216 Tcpip - ok
    13:22:45.0859 2216 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    13:22:45.0859 2216 TDPIPE - ok
    13:22:45.0906 2216 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    13:22:45.0921 2216 TDTCP - ok
    13:22:45.0968 2216 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    13:22:45.0984 2216 TermDD - ok
    13:22:46.0187 2216 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
    13:22:46.0296 2216 TermService - ok
    13:22:46.0312 2216 TfFsMon - ok
    13:22:46.0328 2216 TfNetMon - ok
    13:22:46.0343 2216 TfSysMon - ok
    13:22:46.0453 2216 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
    13:22:46.0468 2216 Themes - ok
    13:22:46.0500 2216 TosIde - ok
    13:22:46.0578 2216 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
    13:22:46.0640 2216 TrkWks - ok
    13:22:46.0781 2216 UdfReadr_xp (4e75005b74be901c30f2636df40b0c15) C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
    13:22:46.0843 2216 UdfReadr_xp - ok
    13:22:46.0890 2216 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    13:22:46.0921 2216 Udfs - ok
    13:22:46.0937 2216 ultra - ok
    13:22:47.0187 2216 UnlockerDriver5 (bb879dcfd22926efbeb3298129898cbb) C:\Program Files\Unlocker\UnlockerDriver5.sys
    13:22:47.0296 2216 UnlockerDriver5 - ok
    13:22:47.0484 2216 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    13:22:47.0640 2216 Update - ok
    13:22:47.0796 2216 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
    13:22:47.0875 2216 upnphost - ok
    13:22:47.0937 2216 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
    13:22:47.0953 2216 UPS - ok
    13:22:48.0015 2216 USBAAPL (eafe1e00739afe6c51487a050e772e17) C:\WINDOWS\system32\Drivers\usbaapl.sys
    13:22:48.0046 2216 USBAAPL - ok
    13:22:48.0140 2216 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
    13:22:48.0171 2216 usbaudio - ok
    13:22:48.0218 2216 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    13:22:48.0234 2216 usbccgp - ok
    13:22:48.0296 2216 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    13:22:48.0312 2216 usbehci - ok
    13:22:48.0359 2216 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    13:22:48.0390 2216 usbhub - ok
    13:22:48.0421 2216 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    13:22:48.0421 2216 usbprint - ok
    13:22:48.0453 2216 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    13:22:48.0484 2216 usbscan - ok
    13:22:48.0531 2216 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    13:22:48.0546 2216 USBSTOR - ok
    13:22:48.0578 2216 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    13:22:48.0578 2216 usbuhci - ok
    13:22:48.0656 2216 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
    13:22:48.0703 2216 usbvideo - ok
    13:22:48.0765 2216 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    13:22:48.0781 2216 VgaSave - ok
    13:22:48.0796 2216 ViaIde - ok
    13:22:48.0843 2216 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    13:22:48.0859 2216 VolSnap - ok
    13:22:49.0031 2216 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
    13:22:49.0125 2216 VSS - ok
    13:22:49.0234 2216 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
    13:22:49.0312 2216 W32Time - ok
    13:22:49.0406 2216 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    13:22:49.0421 2216 Wanarp - ok
    13:22:49.0437 2216 WDICA - ok
    13:22:49.0515 2216 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    13:22:49.0546 2216 wdmaud - ok
    13:22:49.0609 2216 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
    13:22:49.0656 2216 WebClient - ok
    13:22:49.0921 2216 winachsf (b3133dc158e59e80f5498484b0c2d558) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
    13:22:50.0140 2216 winachsf - ok
    13:22:50.0875 2216 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
    13:22:51.0015 2216 winmgmt - ok
    13:22:51.0296 2216 WMDM PMSP Service (581176f60885aef8f78c6e38dcc3cdf9) C:\WINDOWS\System32\MsPMSPSv.exe
    13:22:51.0328 2216 WMDM PMSP Service - ok
    13:22:51.0484 2216 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
    13:22:51.0531 2216 WmdmPmSN - ok
    13:22:51.0953 2216 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\System32\wbem\wmiapsrv.exe
    13:22:52.0046 2216 WmiApSrv - ok
    13:22:53.0484 2216 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) C:\Program Files\Windows Media Player\WMPNetwk.exe
    13:22:53.0859 2216 WMPNetworkSvc - ok
    13:22:54.0359 2216 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
    13:22:54.0750 2216 WPFFontCache_v0400 - ok
    13:22:55.0046 2216 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
    13:22:55.0062 2216 WS2IFSL - ok
    13:22:55.0156 2216 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
    13:22:55.0250 2216 wscsvc - ok
    13:22:55.0296 2216 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    13:22:55.0296 2216 WSTCODEC - ok
    13:22:55.0359 2216 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
    13:22:55.0375 2216 wuauserv - ok
    13:22:55.0453 2216 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    13:22:55.0468 2216 WudfPf - ok
    13:22:55.0531 2216 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    13:22:55.0562 2216 WudfRd - ok
    13:22:55.0609 2216 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
    13:22:55.0718 2216 WudfSvc - ok
    13:22:56.0156 2216 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
    13:22:56.0406 2216 WZCSVC - ok
    13:22:56.0593 2216 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
    13:22:56.0656 2216 xmlprov - ok
    13:22:56.0718 2216 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
    13:22:57.0312 2216 \Device\Harddisk0\DR0 - ok
    13:22:57.0359 2216 MBR (0x1B8) (66d0b28c8b44e531d0c19f436252abaa) \Device\Harddisk1\DR2
    13:22:57.0359 2216 \Device\Harddisk1\DR2 - ok
    13:22:57.0390 2216 Boot (0x1200) (f95778b872473d3b9c204ded9bfa7c3d) \Device\Harddisk0\DR0\Partition0
    13:22:57.0390 2216 \Device\Harddisk0\DR0\Partition0 - ok
    13:22:57.0406 2216 Boot (0x1200) (f25cbd15a4003c49a2d624b42d47bdd5) \Device\Harddisk1\DR2\Partition0
    13:22:57.0406 2216 \Device\Harddisk1\DR2\Partition0 - ok
    13:22:57.0406 2216 ============================================================
    13:22:57.0406 2216 Scan finished
    13:22:57.0406 2216 ============================================================
    13:22:57.0437 2224 Detected object count: 0
    13:22:57.0437 2224 Actual detected object count: 0
  20. Broni

    Broni Malware Annihilator Posts: 45,188   +242

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  21. Phasmos

    Phasmos Newcomer, in training Topic Starter Posts: 53

    OK, downloading the new Combofix. I have to leave for work in about 15 minutes, do you think it best to wait and run it after I get home tonight? I'd hate to start it up and have to leave it running. Is it typically a quick scan?
  22. Broni

    Broni Malware Annihilator Posts: 45,188   +242

    You better run it later.
  23. Phasmos

    Phasmos Newcomer, in training Topic Starter Posts: 53

    Gotcha. OK, thanks for the quick reply and awesome assistance. I hope the computer isn't so sluggish when I fire it up after work... :p
    Anyway, like I said, its definitely running much faster after that "STOP" episode a little while ago. Maybe we stunned the Trojan sucker somehow... Avast is giving useful information again, too (such as asking if I wanted to open ListParts in the "sandbox" first) -- it was in a coma for a while there.
    More later! And THANKS!!
  24. Phasmos

    Phasmos Newcomer, in training Topic Starter Posts: 53

    Well, I finally ran Combofix, but the same thing that happened the first time happened again: nothing. I got as far as a screen that said "Scan typically takes 10 minutes, but badly infected machines couldtake twice as long" or something to that effect. Five hours later, nothing had changed.

    Also, when I booted the computer up, it seemed to crash - I got a message saying "Windows has encountered a serious problem." This was followed by "Windows has recovered from a serious problem" and a log which read:

    Error signature:
    BCCode 1000008e BCP1: C0000005 BCP2: F76BE827 BCP3: F75C55F0
    BCP4: 00000000 OSVer: 5_1_2600 SP: 3_0 Product: 768_1

    Don't know if this is useful to you, but that's what I've experienced most recently. Seems like things are becoming unstable, despite the "normal" computing speed I achieve after the virus has its way with the machine. (Much of this abberant behavior disappears when I unplug the modem, naturally... I guess if the thing can't communicate, it goes off to hide and sulk somewhere.)

    What's next? :/
  25. Broni

    Broni Malware Annihilator Posts: 45,188   +242

    From my instructions...



Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.